New issue
Advanced search Search tips

Issue 645050 link

Starred by 2 users
Status: Fixed
Owner:
forshaw@chromium.org
Closed: Sep 2016
Cc:
wfh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug



Sign in to add a comment

Replace Windows Sandbox GetBaseAddress Implementation

Project Member Reported by forshaw@chromium.org, Sep 8 2016 
The current implementation of GetBaseAddress in the sandbox uses the initial thread context and relies on undocumented behavior that RCX or EAX just happen to point to the entry point of the executable. We've observed in the production that there's errors in launch resulting in ERROR_NOACCESS, it's possible that this is due to the base address being incorrect and we fail to copy parameters to the new process using WriteProcessMemory. Also we've observed failures to set the lowbox token, one of the ways this could happen is if some third party code is starting the process temporarily (say to inject its hooks). If that's the case then the thread context could contain almost anything, and annoyingly it could be just down to a race condition that it works or it doesn't.

I propose that we replace the implementation with one which walks the virtual memory map of the new process until we find the image section for the exe file. This shouldn't result in any significant performance hit as the memory map of the new process should be sparse. Also this is entirely documented, we can use QueryFullProcessImageName and GetMappedFileName to find the corresponding image section.
Project Member

Comment 1 by bugdroid1@chromium.org, Sep 8 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cd115ae669e4475f9478600506e2130c7dc4b98a

commit cd115ae669e4475f9478600506e2130c7dc4b98a
Author: forshaw <forshaw@chromium.org>
Date: Thu Sep 08 20:25:46 2016

Implement new method to get process base address in Windows sandbox.
This CL implements a new method of getting the base address of a new
process. It's not clear if the old method of using the thread context is
reliable in the face of third party software, so this implementation
instead uses only documented functionality to acheive the same thing.

BUG= 645050 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng

Review-Url: https://codereview.chromium.org/2323443003
Cr-Commit-Position: refs/heads/master@{#417381}

[modify] https://crrev.com/cd115ae669e4475f9478600506e2130c7dc4b98a/sandbox/win/src/sandbox_types.h
[modify] https://crrev.com/cd115ae669e4475f9478600506e2130c7dc4b98a/sandbox/win/src/target_process.cc
[modify] https://crrev.com/cd115ae669e4475f9478600506e2130c7dc4b98a/sandbox/win/src/win_utils.cc
[modify] https://crrev.com/cd115ae669e4475f9478600506e2130c7dc4b98a/sandbox/win/src/win_utils.h
[modify] https://crrev.com/cd115ae669e4475f9478600506e2130c7dc4b98a/sandbox/win/src/win_utils_unittest.cc
[modify] https://crrev.com/cd115ae669e4475f9478600506e2130c7dc4b98a/tools/metrics/histograms/histograms.xml

Comment 2 by forshaw@chromium.org, Sep 8 2016

Status: Fixed (was: Started)

Comment 3 by wfh@chromium.org, Sep 13 2016 

Process.Sandbox.Launch.Error is the code to look for in bucket 0n998 (ERROR_NOACCESS)

https://uma.googleplex.com/p/chrome/timeline_v2?sid=91fc31b7e5408b0b5aafdc369828928b

launch failures seem down since this change.

Comment 4 by wfh@chromium.org, Sep 13 2016 

initially in 55.0.2855.0

Sign in to add a comment