author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-13 15:05:36 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-14 10:33:47 +0000 |
commit | e684a3455bcc29a6e3e66a004e352dea4e1141e7 (patch) | |
tree | d55b4003bde34d7d05f558f02cfd82b2a66a7aac /chromium/sandbox | |
parent | 2b94bfe47ccb6c08047959d1c26e392919550e86 (diff) | |
download | qtwebengine-chromium-e684a3455bcc29a6e3e66a004e352dea4e1141e7.tar.gz |
BASELINE: Update Chromium to 72.0.3626.110 and Ninja to 1.9.0
Change-Id: Ic57220b00ecc929a893c91f5cc552f5d3e99e922
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/sandbox')
-rw-r--r-- | chromium/sandbox/linux/PRESUBMIT.py | 34 | ||||
-rw-r--r-- | chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc | 4 | ||||
-rw-r--r-- | chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc | 2 | ||||
-rw-r--r-- | chromium/sandbox/linux/services/yama_unittests.cc | 2 | ||||
-rw-r--r-- | chromium/sandbox/linux/syscall_broker/broker_simple_message.cc | 26 | ||||
-rw-r--r-- | chromium/sandbox/mac/sandbox_logging.cc | 25 | ||||
-rw-r--r-- | chromium/sandbox/win/BUILD.gn | 2 | ||||
-rw-r--r-- | chromium/sandbox/win/src/lpc_policy_test.cc | 10 | ||||
-rw-r--r-- | chromium/sandbox/win/src/process_policy_test.cc | 9 | ||||
-rw-r--r-- | chromium/sandbox/win/src/registry_interception.cc | 68 | ||||
-rw-r--r-- | chromium/sandbox/win/src/resolver_64.cc | 28 | ||||
-rw-r--r-- | chromium/sandbox/win/src/sandbox_nt_util.cc | 32 | ||||
-rw-r--r-- | chromium/sandbox/win/src/sandbox_nt_util.h | 7 | ||||
-rw-r--r-- | chromium/sandbox/win/src/service_resolver_64.cc | 42 | ||||
-rw-r--r-- | chromium/sandbox/win/src/unload_dll_test.cc | 9 |
15 files changed, 171 insertions, 129 deletions
diff --git a/chromium/sandbox/linux/PRESUBMIT.py b/chromium/sandbox/linux/PRESUBMIT.py deleted file mode 100644 index d23105a01a1..00000000000 --- a/chromium/sandbox/linux/PRESUBMIT.py +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright 2017 The Chromium Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -def PostUploadHook(cl, change, output_api): - """git cl upload will call this hook after the issue is created/modified. - - This will add extra trybot coverage for non-default Android architectures - that have a history of breaking with Seccomp changes. - """ - def affects_seccomp(f): - seccomp_paths = [ - 'bpf_dsl/', - 'seccomp-bpf/', - 'seccomp-bpf-helpers/', - 'system_headers/', - 'tests/' - ] - # If the file path contains any of the above fragments, it affects - # the Seccomp implementation. - affected_any = map(lambda sp: sp in f.LocalPath(), seccomp_paths) - return reduce(lambda a, b: a or b, affected_any) - - if not change.AffectedFiles(file_filter=affects_seccomp): - return [] - - return output_api.EnsureCQIncludeTrybotsAreAdded( - cl, - [ - 'luci.chromium.try:android_arm64_dbg_recipe', - 'master.tryserver.chromium.android:android_compile_x64_dbg', - 'master.tryserver.chromium.android:android_compile_x86_dbg', - ], - 'Automatically added Android multi-arch compile bots to run on CQ.') diff --git a/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc b/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc index a984de1a781..b4b64d6aa8c 100644 --- a/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc +++ b/chromium/sandbox/linux/integration_tests/bpf_dsl_seccomp_unittest.cc 
@@ -29,7 +29,7 @@
 #include "base/macros.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/synchronization/waitable_event.h"
-#include "base/sys_info.h"
+#include "base/system/sys_info.h"
 #include "base/threading/thread.h"
 #include "build/build_config.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
@@ -689,7 +689,7 @@ BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) {
 sa.sa_sigaction = SigBusHandler;
 sa.sa_flags = SA_SIGINFO;
 BPF_ASSERT(sigaction(SIGBUS, &sa, NULL) == 0);
- raise(SIGBUS);
+ kill(getpid(), SIGBUS);
 char c = '\000';
 BPF_ASSERT(read(fds[0], &c, 1) == 1);
 BPF_ASSERT(close(fds[0]) == 0);
diff --git a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
index 793be730250..327da2bea41 100644
--- a/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
+++ b/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions_unittests.cc
@@ -15,7 +15,7 @@
 #include "base/bind.h"
 #include "base/single_thread_task_runner.h"
 #include "base/synchronization/waitable_event.h"
-#include "base/sys_info.h"
+#include "base/system/sys_info.h"
 #include "base/threading/thread.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
diff --git a/chromium/sandbox/linux/services/yama_unittests.cc b/chromium/sandbox/linux/services/yama_unittests.cc
index aaa2cb07569..0b3817e8dcc 100644
--- a/chromium/sandbox/linux/services/yama_unittests.cc
+++ b/chromium/sandbox/linux/services/yama_unittests.cc
@@ -14,7 +14,7 @@
 #include "base/compiler_specific.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/strings/string_util.h"
-#include "base/sys_info.h"
+#include "base/system/sys_info.h"
 #include "sandbox/linux/services/scoped_process.h"
 #include "sandbox/linux/services/yama.h"
 #include "sandbox/linux/tests/unit_tests.h"
diff --git a/chromium/sandbox/linux/syscall_broker/broker_simple_message.cc b/chromium/sandbox/linux/syscall_broker/broker_simple_message.cc index dd504da5d3c..970cac3768d 100644 --- a/chromium/sandbox/linux/syscall_broker/broker_simple_message.cc +++ b/chromium/sandbox/linux/syscall_broker/broker_simple_message.cc @@ -72,7 +72,7 @@ bool BrokerSimpleMessage::SendMsg(int fd, int send_fd) { msg.msg_iov = &iov; msg.msg_iovlen = 1; - const unsigned control_len = CMSG_SPACE(sizeof(int)); + const unsigned control_len = CMSG_SPACE(sizeof(send_fd)); char control_buffer[control_len]; if (send_fd >= 0) { struct cmsghdr* cmsg; @@ -81,8 +81,8 @@ bool BrokerSimpleMessage::SendMsg(int fd, int send_fd) { cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS; - cmsg->cmsg_len = CMSG_LEN(sizeof(int)); - memcpy(CMSG_DATA(cmsg), &send_fd, sizeof(int)); + cmsg->cmsg_len = CMSG_LEN(sizeof(send_fd)); + memcpy(CMSG_DATA(cmsg), &send_fd, sizeof(send_fd)); msg.msg_controllen = cmsg->cmsg_len; } @@ -108,10 +108,10 @@ ssize_t BrokerSimpleMessage::RecvMsgWithFlags(int fd, #if defined(OS_NACL_NONSFI) const size_t kControlBufferSize = - CMSG_SPACE(sizeof(int) * base::UnixDomainSocket::kMaxFileDescriptors); + CMSG_SPACE(sizeof(fd) * base::UnixDomainSocket::kMaxFileDescriptors); #else const size_t kControlBufferSize = - CMSG_SPACE(sizeof(int) * base::UnixDomainSocket::kMaxFileDescriptors) + + CMSG_SPACE(sizeof(fd) * base::UnixDomainSocket::kMaxFileDescriptors) + // The PNaCl toolchain for Non-SFI binary build does not support ucred. CMSG_SPACE(sizeof(struct ucred)); #endif // defined(OS_NACL_NONSFI) 
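Review bot: In both `kControlBufferSize` expressions `sizeof(fd)` is the size of the socket parameter, yet the buffer it sizes receives the descriptors carried in the SCM_RIGHTS payload, so the arithmetic is right only because the two happen to share the type `int`; the change swaps one implicit assumption for another rather than removing it. A one-line comment would make the dependency explicit, e.g. `// SCM_RIGHTS payloads are arrays of int; |fd| is used purely as a representative element.`, or the expression could name the element type of the array the payload is later read into. RecvMsgWithFlags starts before this hunk and continues past it.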
@@ -133,10 +133,10 @@ ssize_t BrokerSimpleMessage::RecvMsgWithFlags(int fd, for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { const size_t payload_len = cmsg->cmsg_len - CMSG_LEN(0); if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) { - DCHECK_EQ(payload_len % sizeof(int), 0u); + DCHECK_EQ(payload_len % sizeof(fd), 0u); DCHECK_EQ(wire_fds, static_cast<void*>(nullptr)); wire_fds = reinterpret_cast<int*>(CMSG_DATA(cmsg)); - wire_fds_len = payload_len / sizeof(int); + wire_fds_len = payload_len / sizeof(fd); } #if !defined(OS_NACL_NONSFI) // The PNaCl toolchain for Non-SFI binary build does not support @@ -222,7 +222,7 @@ bool BrokerSimpleMessage::AddIntToMessage(int data) { write_only_ = true; // Message should only be written to going forward. base::CheckedNumeric<size_t> safe_length(length_); - safe_length += sizeof(int); + safe_length += sizeof(data); safe_length += sizeof(EntryType); if (!safe_length.IsValid() || safe_length.ValueOrDie() > kMaxMessageLength) { @@ -234,8 +234,8 @@ bool BrokerSimpleMessage::AddIntToMessage(int data) { memcpy(write_next_, &type, sizeof(EntryType)); write_next_ += sizeof(EntryType); - memcpy(write_next_, &data, sizeof(int)); - write_next_ += sizeof(int); + memcpy(write_next_, &data, sizeof(data)); + write_next_ += sizeof(data); length_ = write_next_ - message_; return true; @@ -295,12 +295,12 @@ bool BrokerSimpleMessage::ReadInt(int* result) { return false; } - if ((read_next_ + sizeof(int)) > (message_ + length_)) { + if ((read_next_ + sizeof(*result)) > (message_ + length_)) { broken_ = true; return false; } - memcpy(result, read_next_, sizeof(int)); - read_next_ = read_next_ + sizeof(int); + memcpy(result, read_next_, sizeof(*result)); + read_next_ = read_next_ + sizeof(*result); return true; } diff --git a/chromium/sandbox/mac/sandbox_logging.cc b/chromium/sandbox/mac/sandbox_logging.cc index 933776a2b34..4eebcea13d1 100644 --- a/chromium/sandbox/mac/sandbox_logging.cc 
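Review bot: `wire_fds_len = payload_len / sizeof(fd)` derives the element size of the received descriptor array from the socket parameter, while the array itself is reinterpreted as `int*` on the line just above; the two can drift apart without any diagnostic. Tie the arithmetic to the array instead: `DCHECK_EQ(payload_len % sizeof(*wire_fds), 0u);` and `wire_fds_len = payload_len / sizeof(*wire_fds);`. Note also that the modulus check is a DCHECK only, so in release builds a payload whose length is not a multiple of the element size is floor-divided and the trailing bytes silently ignored rather than rejected; a kernel-generated SCM_RIGHTS message should never look like that, but a comment saying so would justify the debug-only check. RecvMsgWithFlags begins before this hunk.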
+++ b/chromium/sandbox/mac/sandbox_logging.cc @@ -93,6 +93,12 @@ void SendAslLog(Level level, const char* message) { asl_set(asl_message.get(), ASL_KEY_LEVEL, asl_level_string.c_str()); asl_set(asl_message.get(), ASL_KEY_MSG, message); asl_send(asl_client.get(), asl_message.get()); + + if (__builtin_available(macOS 10.11, *)) { + if (level == Level::FATAL) { + abort_report_np(message); + } + } } // |error| is strerror(errno) when a P* logging function is called. Pass @@ -122,17 +128,6 @@ void DoLogging(Level level, SendAslLog(level, "warning: previous log message truncated"); } -void AnnotateCrash(const char* fmt, va_list args) { - if (__builtin_available(macOS 10.11, *)) { - char message[4096]; - int ret = vsnprintf(message, sizeof(message), fmt, args); - - if (ret >= 0) { - abort_report_np(message); - } - } -} - } // namespace void Info(const char* fmt, ...) { @@ -162,10 +157,6 @@ void Fatal(const char* fmt, ...) { DoLogging(Level::FATAL, fmt, args, nullptr); va_end(args); - va_start(args, fmt); - AnnotateCrash(fmt, args); - va_end(args); - ABORT(); } @@ -184,10 +175,6 @@ void PFatal(const char* fmt, ...) { DoLogging(Level::FATAL, fmt, args, &error); va_end(args); - va_start(args, fmt); - AnnotateCrash(fmt, args); - va_end(args); - ABORT(); } diff --git a/chromium/sandbox/win/BUILD.gn b/chromium/sandbox/win/BUILD.gn index 5b41184003c..2acc1c9a2f7 100644 --- a/chromium/sandbox/win/BUILD.gn +++ b/chromium/sandbox/win/BUILD.gn @@ -140,7 +140,7 @@ static_library("sandbox") { "src/window.h", ] - if (current_cpu == "x64") { + if (current_cpu == "x64" || current_cpu == "arm64") { sources += [ "src/interceptors_64.cc", "src/interceptors_64.h", diff --git a/chromium/sandbox/win/src/lpc_policy_test.cc b/chromium/sandbox/win/src/lpc_policy_test.cc index 224add7db86..3b3269708c7 100644 --- a/chromium/sandbox/win/src/lpc_policy_test.cc +++ b/chromium/sandbox/win/src/lpc_policy_test.cc 
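Review bot: Moving `abort_report_np` into SendAslLog makes it fire for every FATAL-level message, and the `-122` hunk shows DoLogging sending a second FATAL message, `"warning: previous log message truncated"`, whenever the formatted text did not fit; on a truncated fatal the crash annotation is therefore written twice, and if `abort_report_np` keeps only the most recent string (not verified here) the report will carry the generic truncation notice instead of the actual failure text. The removed AnnotateCrash path annotated exactly once with the fully formatted message. Consider annotating once from DoLogging after the truncation notice has been sent, guarded as `if (level == Level::FATAL) { if (__builtin_available(macOS 10.11, *)) abort_report_np(message); }`, or sending the truncation notice at a non-FATAL level. DoLogging begins before this hunk.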
@@ -12,6 +12,7 @@ #include <winioctl.h> #include "base/win/windows_version.h" +#include "build/build_config.h" #include "sandbox/win/src/heap_helper.h" #include "sandbox/win/src/sandbox.h" #include "sandbox/win/src/sandbox_factory.h" @@ -208,7 +209,14 @@ TEST(LpcPolicyTest, TestCanFindCsrPortHeap) { EXPECT_NE(nullptr, csr_port_handle); } -TEST(LpcPolicyTest, TestHeapFlags) { +// Fails on Windows ARM64: https://crbug.com/905328 +#if defined(ARCH_CPU_ARM64) +#define MAYBE_TestHeapFlags DISABLED_TestHeapFlags +#else +#define MAYBE_TestHeapFlags TestHeapFlags +#endif + +TEST(LpcPolicyTest, MAYBE_TestHeapFlags) { if (!CsrssDisconnectSupported()) { // This functionality has not been verified on versions before Win10. return; diff --git a/chromium/sandbox/win/src/process_policy_test.cc b/chromium/sandbox/win/src/process_policy_test.cc index 46e739873d2..8d5dcbe3fbe 100644 --- a/chromium/sandbox/win/src/process_policy_test.cc +++ b/chromium/sandbox/win/src/process_policy_test.cc @@ -11,6 +11,7 @@ #include "base/win/scoped_handle.h" #include "base/win/scoped_process_information.h" #include "base/win/windows_version.h" +#include "build/build_config.h" #include "sandbox/win/src/process_thread_interception.h" #include "sandbox/win/src/sandbox.h" #include "sandbox/win/src/sandbox_factory.h" @@ -419,7 +420,13 @@ TEST(ProcessPolicyTest, CreateProcessAW) { } // Tests that the broker correctly handles a process crashing within the job. -TEST(ProcessPolicyTest, CreateProcessCrashy) { +// Fails on Windows ARM64: https://crbug.com/905526 +#if defined(ARCH_CPU_ARM64) +#define MAYBE_CreateProcessCrashy DISABLED_CreateProcessCrashy +#else +#define MAYBE_CreateProcessCrashy CreateProcessCrashy +#endif +TEST(ProcessPolicyTest, MAYBE_CreateProcessCrashy) { TestRunner runner; EXPECT_EQ(static_cast<int>(STATUS_BREAKPOINT), runner.RunTest(L"Process_Crash")); 
diff --git a/chromium/sandbox/win/src/registry_interception.cc b/chromium/sandbox/win/src/registry_interception.cc index 11a77817e81..4d381a948b0 100644 --- a/chromium/sandbox/win/src/registry_interception.cc +++ b/chromium/sandbox/win/src/registry_interception.cc @@ -67,24 +67,26 @@ NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey, CountedParameterSet<OpenKey> params; params[OpenKey::ACCESS] = ParamPickerMake(desired_access_uint32); - wchar_t* full_name = nullptr; - const wchar_t* name_ptr = name.get(); - - if (root_directory) { - ret = - sandbox::AllocAndGetFullPath(root_directory, name.get(), &full_name); - if (!NT_SUCCESS(ret) || !full_name) - break; - params[OpenKey::NAME] = ParamPickerMake(full_name); - } else { - params[OpenKey::NAME] = ParamPickerMake(name_ptr); + bool query_broker = false; + { + std::unique_ptr<wchar_t, NtAllocDeleter> full_name; + const wchar_t* name_ptr = name.get(); + const wchar_t* full_name_ptr = nullptr; + + if (root_directory) { + ret = sandbox::AllocAndGetFullPath(root_directory, name.get(), + &full_name); + if (!NT_SUCCESS(ret) || !full_name) + break; + full_name_ptr = full_name.get(); + params[OpenKey::NAME] = ParamPickerMake(full_name_ptr); + } else { + params[OpenKey::NAME] = ParamPickerMake(name_ptr); + } + + query_broker = QueryBroker(IPC_NTCREATEKEY_TAG, params.GetBase()); } - bool query_broker = QueryBroker(IPC_NTCREATEKEY_TAG, params.GetBase()); - - if (full_name) - operator delete(full_name, NT_ALLOC); - if (!query_broker) break; 
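Review bot: `params[OpenKey::NAME]` is set to a pointer into `full_name`, which is destroyed when the inner block closes, so after `QueryBroker` returns the parameter set still holds a dangling NAME pointer while `params` itself lives on for the rest of TargetNtCreateKey (which continues past this hunk). That is safe only as long as nothing after the block touches `params` again; nothing in the hunk does, but the scoping invites exactly that mistake. Either declare `params` inside the same block or pin the invariant on the closing brace: `}  // |params| must not be used past here: NAME pointed into |full_name|.` The `name_ptr` local is also dead in the `root_directory` branch and could move into the `else`.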
@@ -150,24 +152,26 @@ NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS status, CountedParameterSet<OpenKey> params; params[OpenKey::ACCESS] = ParamPickerMake(desired_access_uint32); - wchar_t* full_name = nullptr; - const wchar_t* name_ptr = name.get(); - - if (root_directory) { - ret = - sandbox::AllocAndGetFullPath(root_directory, name.get(), &full_name); - if (!NT_SUCCESS(ret) || !full_name) - break; - params[OpenKey::NAME] = ParamPickerMake(full_name); - } else { - params[OpenKey::NAME] = ParamPickerMake(name_ptr); + bool query_broker = false; + { + std::unique_ptr<wchar_t, NtAllocDeleter> full_name; + const wchar_t* name_ptr = name.get(); + const wchar_t* full_name_ptr = nullptr; + + if (root_directory) { + ret = sandbox::AllocAndGetFullPath(root_directory, name.get(), + &full_name); + if (!NT_SUCCESS(ret) || !full_name) + break; + full_name_ptr = full_name.get(); + params[OpenKey::NAME] = ParamPickerMake(full_name_ptr); + } else { + params[OpenKey::NAME] = ParamPickerMake(name_ptr); + } + + query_broker = QueryBroker(IPC_NTOPENKEY_TAG, params.GetBase()); } - bool query_broker = QueryBroker(IPC_NTOPENKEY_TAG, params.GetBase()); - - if (full_name) - operator delete(full_name, NT_ALLOC); - if (!query_broker) break; diff --git a/chromium/sandbox/win/src/resolver_64.cc b/chromium/sandbox/win/src/resolver_64.cc index 19c4ec7604d..c6c8868832f 100644 --- a/chromium/sandbox/win/src/resolver_64.cc +++ b/chromium/sandbox/win/src/resolver_64.cc @@ -14,6 +14,8 @@ namespace { +#if defined(_M_X64) + const USHORT kMovRax = 0xB848; const USHORT kJmpRax = 0xe0ff; 
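Review bot: As in TargetNtCreateKey, `params[OpenKey::NAME]` is left pointing into the `full_name` buffer that the inner block frees, while `params` outlives the block and CommonNtOpenKey continues past this hunk. Nothing visible reads it afterwards, but the arrangement is fragile; moving `params` into the block, or a comment such as `// |params| is stale after this block: NAME pointed into |full_name|.` on the closing brace, would keep a later edit from turning it into a use-after-free.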
@@ -36,6 +38,32 @@ struct InternalThunk { }; #pragma pack(pop) +#elif defined(_M_ARM64) + +const ULONG kLdrX16Pc4 = 0x58000050; +const ULONG kBrX16 = 0xD61F0200; + +#pragma pack(push, 4) +struct InternalThunk { + // This struct contains roughly the following code: + // 00 58000050 ldr x16, pc+4 + // 04 D61F0200 br x16 + // 08 123456789ABCDEF0H + + InternalThunk() { + ldr_x16_pc4 = kLdrX16Pc4; + br_x16 = kBrX16; + interceptor_function = 0; + }; + ULONG ldr_x16_pc4; + ULONG br_x16; + ULONG_PTR interceptor_function; +}; +#pragma pack(pop) +#else +#error "Unsupported Windows 64-bit Arch" +#endif + } // namespace. namespace sandbox { diff --git a/chromium/sandbox/win/src/sandbox_nt_util.cc b/chromium/sandbox/win/src/sandbox_nt_util.cc index b4f6ab973db..f71177fd7a9 100644 --- a/chromium/sandbox/win/src/sandbox_nt_util.cc +++ b/chromium/sandbox/win/src/sandbox_nt_util.cc @@ -228,14 +228,15 @@ NTSTATUS CopyData(void* destination, const void* source, size_t bytes) { return ret; } -NTSTATUS AllocAndGetFullPath(HANDLE root, wchar_t* path, wchar_t** full_path) { +NTSTATUS AllocAndGetFullPath( + HANDLE root, + const wchar_t* path, + std::unique_ptr<wchar_t, NtAllocDeleter>* full_path) { if (!InitHeap()) return STATUS_NO_MEMORY; DCHECK_NT(full_path); DCHECK_NT(path); - *full_path = nullptr; - OBJECT_NAME_INFORMATION* handle_name = nullptr; NTSTATUS ret = STATUS_UNSUCCESSFUL; __try { do { 
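Review bot: The comment `ldr x16, pc+4` does not match the opcode: 0x58000050 is `LDR (literal)` with Rt=16 and imm19=2, i.e. a load from 8 bytes past the LDR itself, which is exactly `interceptor_function` at offset 08 — the code is right, but AArch64 literal loads are relative to the LDR's own address, not to the following instruction, so the comment misleads. Suggest `// 00 58000050 ldr x16, #8   ; x16 = interceptor_function (at +08)`. Because that offset is baked into the opcode, a `static_assert(sizeof(InternalThunk) == 16, "ldr literal offset assumes interceptor_function at +8")` after the `#pragma pack(pop)` would catch any future field or packing change that silently breaks the thunk.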
@@ -247,14 +248,15 @@ NTSTATUS AllocAndGetFullPath(HANDLE root, wchar_t* path, wchar_t** full_path) { // Query the name information a first time to get the size of the name. ret = NtQueryObject(root, ObjectNameInformation, nullptr, 0, &size); + std::unique_ptr<OBJECT_NAME_INFORMATION, NtAllocDeleter> handle_name; if (size) { - handle_name = reinterpret_cast<OBJECT_NAME_INFORMATION*>( - new (NT_ALLOC) BYTE[size]); + handle_name.reset(reinterpret_cast<OBJECT_NAME_INFORMATION*>( + new (NT_ALLOC) BYTE[size])); // Query the name information a second time to get the name of the // object referenced by the handle. - ret = NtQueryObject(root, ObjectNameInformation, handle_name, size, - &size); + ret = NtQueryObject(root, ObjectNameInformation, handle_name.get(), + size, &size); } if (STATUS_SUCCESS != ret) @@ -263,10 +265,10 @@ NTSTATUS AllocAndGetFullPath(HANDLE root, wchar_t* path, wchar_t** full_path) { // Space for path + '\' + name + '\0'. size_t name_length = handle_name->ObjectName.Length + (wcslen(path) + 2) * sizeof(wchar_t); - *full_path = new (NT_ALLOC) wchar_t[name_length / sizeof(wchar_t)]; + full_path->reset(new (NT_ALLOC) wchar_t[name_length / sizeof(wchar_t)]); if (!*full_path) break; - wchar_t* off = *full_path; + wchar_t* off = full_path->get(); ret = CopyData(off, handle_name->ObjectName.Buffer, handle_name->ObjectName.Length); if (!NT_SUCCESS(ret)) @@ -284,16 +286,8 @@ NTSTATUS AllocAndGetFullPath(HANDLE root, wchar_t* path, wchar_t** full_path) { ret = GetExceptionCode(); } - if (!NT_SUCCESS(ret)) { - if (*full_path) { - operator delete(*full_path, NT_ALLOC); - *full_path = nullptr; - } - if (handle_name) { - operator delete(handle_name, NT_ALLOC); - handle_name = nullptr; - } - } + if (!NT_SUCCESS(ret) && *full_path) + full_path->reset(nullptr); return ret; } diff --git a/chromium/sandbox/win/src/sandbox_nt_util.h b/chromium/sandbox/win/src/sandbox_nt_util.h index 1e777c75f5c..08880d19299 100644 --- a/chromium/sandbox/win/src/sandbox_nt_util.h 
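Review bot: The removed cleanup freed `handle_name` explicitly after the `__except` handler ran, whereas now its release relies on the `NtAllocDeleter` destructor unwinding when a fault inside the `__try` is caught; whether C++ destructors run across an SEH `__except` depends on the toolchain and exception model (clang-cl supports it, MSVC requires /EHa or refuses to compile), so this deserves a comment, or `handle_name` could stay declared before the `__try` as the raw pointer was. Separately, `if (!NT_SUCCESS(ret) && *full_path) full_path->reset(nullptr);` can simply be `if (!NT_SUCCESS(ret)) full_path->reset();`, since resetting an empty unique_ptr is a no-op. AllocAndGetFullPath begins before this hunk.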
+++ b/chromium/sandbox/win/src/sandbox_nt_util.h @@ -60,7 +60,7 @@ void __cdecl operator delete(void* memory, namespace sandbox { -#if defined(_M_X64) +#if defined(_M_X64) || defined(_M_ARM64) #pragma intrinsic(_InterlockedCompareExchange) #pragma intrinsic(_InterlockedCompareExchangePointer) @@ -119,7 +119,10 @@ NTSTATUS AllocAndCopyName(const OBJECT_ATTRIBUTES* in_object, HANDLE* root); // Determine full path name from object root and path. -NTSTATUS AllocAndGetFullPath(HANDLE root, wchar_t* path, wchar_t** full_path); +NTSTATUS AllocAndGetFullPath( + HANDLE root, + const wchar_t* path, + std::unique_ptr<wchar_t, NtAllocDeleter>* full_path); // Initializes our ntdll level heap bool InitHeap(); diff --git a/chromium/sandbox/win/src/service_resolver_64.cc b/chromium/sandbox/win/src/service_resolver_64.cc index 56af8ba8e01..23aaed8d9c1 100644 --- a/chromium/sandbox/win/src/service_resolver_64.cc +++ b/chromium/sandbox/win/src/service_resolver_64.cc @@ -12,6 +12,7 @@ #include "sandbox/win/src/win_utils.h" namespace { +#if defined(_M_X64) #pragma pack(push, 1) const ULONG kMmovR10EcxMovEax = 0xB8D18B4C; 
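Review bot: The declaration's comment, "Determine full path name from object root and path.", no longer describes the contract now that the result is an owning out-parameter; suggest replacing it with `// Builds "<name of |root|>\<path>" into an NT_ALLOC buffer owned by |*full_path|; |*full_path| is reset on failure. Returns an NTSTATUS.` The signature also names `std::unique_ptr` and `NtAllocDeleter`, so the header needs `<memory>` and the deleter declared above this point — neither is visible in the hunk, worth confirming rather than relying on transitive includes.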
@@ -129,6 +130,44 @@ bool IsServiceWithInt2E(const void* source) { kRet == service->ret && kRet == service->ret2); } +bool IsAnyService(const void* source) { + return IsService(source) || IsServiceW8(source) || IsServiceWithInt2E(source); +} + +#elif defined(_M_ARM64) +#pragma pack(push, 4) + +const ULONG kSvc = 0xD4000001; +const ULONG kRetNp = 0xD65F03C0; +const ULONG kServiceIdMask = 0x001FFFE0; + +struct ServiceEntry { + ULONG svc; + ULONG ret; + ULONG64 unused; +}; + +struct ServiceFullThunk { + ServiceEntry original; +}; + +#pragma pack(pop) + +bool IsService(const void* source) { + const ServiceEntry* service = reinterpret_cast<const ServiceEntry*>(source); + + return (kSvc == (service->svc & ~kServiceIdMask) && kRetNp == service->ret && + 0 == service->unused); +} + +bool IsAnyService(const void* source) { + return IsService(source); +} + +#else +#error "Unsupported Windows 64-bit Arch" +#endif + }; // namespace namespace sandbox { @@ -201,8 +240,7 @@ bool ServiceResolverThunk::IsFunctionAService(void* local_thunk) const { if (sizeof(function_code) != read) return false; - if (!IsService(&function_code) && !IsServiceW8(&function_code) && - !IsServiceWithInt2E(&function_code)) + if (!IsAnyService(&function_code)) return false; // Save the verified code. diff --git a/chromium/sandbox/win/src/unload_dll_test.cc b/chromium/sandbox/win/src/unload_dll_test.cc index dbb876fba1e..0acb178987f 100644 --- a/chromium/sandbox/win/src/unload_dll_test.cc +++ b/chromium/sandbox/win/src/unload_dll_test.cc @@ -3,6 +3,7 @@ // found in the LICENSE file. #include "base/win/scoped_handle.h" +#include "build/build_config.h" #include "sandbox/win/src/sandbox.h" #include "sandbox/win/src/sandbox_factory.h" #include "sandbox/win/src/target_services.h" 
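Review bot: The ARM64 `IsService` masks the immediate out of the `svc` word with `kServiceIdMask`, so it verifies only the shape `svc #N; ret` plus eight zero bytes and never the service number — the name suggests more than it checks, and a comment should say so: `// Matches "svc #N; ret" followed by 8 zero bytes of padding; N itself is not validated.` The `0 == service->unused` requirement also hard-codes that ntdll pads each stub to 16 bytes with zeros; if a future build places something else there, `IsAnyService` returns false and the function is quietly left unintercepted, which fails closed for the sandbox but with no diagnostic, so a unit test that runs the matcher against the live ntdll on ARM64 would be valuable. ServiceFullThunk on this arch carries only `original`, unlike the x64 layout; if the resolver later expects room for an internal thunk here, that is outside this hunk and worth checking.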
@@ -40,7 +41,13 @@ SBOX_TESTS_COMMAND int SimpleOpenEvent(int argc, wchar_t** argv) { return event_open.Get() ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FAILED; } -TEST(UnloadDllTest, BaselineAvicapDll) { +// Fails on Windows ARM64: https://crbug.com/905526 +#if defined(ARCH_CPU_ARM64) +#define MAYBE_BaselineAvicapDll DISABLED_BaselineAvicapDll +#else +#define MAYBE_BaselineAvicapDll BaselineAvicapDll +#endif +TEST(UnloadDllTest, MAYBE_BaselineAvicapDll) { TestRunner runner; runner.SetTestState(BEFORE_REVERT); runner.SetTimeout(2000); |