Use OSInfo::Kernel32Version() to select a thunk resolver

When the Windows compatibility mode is turned on, ::GetVersionEx() returns a simulated OS version instead of the real OS version. As a result, InterceptionManager selects a wrong thunk resolver, incorrectly patches ntdll's functions, and thus the process crashes when one of those incorrectly-patched functions are executed. The proposed fix is to use OSInfo::Kernel32Version() which returns the real OS version even with the compat mode to select a thunk resolver. Bug: 1053805 Test: Run 32-bit chrome.exe on 32-bit Windows 10 or 8.1 with the compat mode setting to Windows 7. Please note that the crash does not happen if you run chrome.exe on 64-bit OS. R=wfh@chromium.org Change-Id: Id39a11288cc64ff5552de0a6a273231bdeb2eeff Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2080785Reviewed-by: Will Harris <wfh@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#747357}

Use OSInfo::Kernel32Version() to select a thunk resolver
When the Windows compatibility mode is turned on, ::GetVersionEx() returns a simulated OS version instead of the real OS version. As a result, InterceptionManager selects a wrong thunk resolver, incorrectly patches ntdll's functions, and thus the process crashes when one of those incorrectly-patched functions are executed. The proposed fix is to use OSInfo::Kernel32Version() which returns the real OS version even with the compat mode to select a thunk resolver. Bug: 1053805 Test: Run 32-bit chrome.exe on 32-bit Windows 10 or 8.1 with the compat mode setting to Windows 7. Please note that the crash does not happen if you run chrome.exe on 64-bit OS. R=wfh@chromium.org Change-Id: Id39a11288cc64ff5552de0a6a273231bdeb2eeff Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2080785Reviewed-by: Will Harris <wfh@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#747357}
01c8afd0 · Toshihito Kikuchi · Commit Bot · 2666ad62 · 01c8afd0 · 01c8afd0
Commit 01c8afd0 authored Mar 05, 2020 by Toshihito Kikuchi Committed by Commit Bot Mar 05, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

AUTHORS AUTHORS +1 -0

sandbox/win/src/interception.cc sandbox/win/src/interception.cc +4 -3

No files found.
--- a/AUTHORS
+++ b/AUTHORS
@@ -963,6 +963,7 @@ Tom Callaway <tcallawa@redhat.com>
 Tom Harwood <tfh@skip.org>
 Tomas Popela <tomas.popela@gmail.com>
 Torsten Kurbad <google@tk-webart.de>
+Toshihito Kikuchi <leamovret@gmail.com>
 Trent Willis <trentmwillis@gmail.com>
 Trevor Perrin <unsafe@trevp.net>
 Tripta Gupta <tripta.g@samsung.com>

--- a/sandbox/win/src/interception.cc
+++ b/sandbox/win/src/interception.cc
@@ -449,14 +449,15 @@ ResultCode InterceptionManager::PatchClientFunctions(
  thunk.reset(new ServiceResolverThunk(child_->Process(), relaxed_));
 #else
  base::win::OSInfo* os_info = base::win::OSInfo::GetInstance();
+  base::win::Version real_os_version = os_info->Kernel32Version();
  if (os_info->wow64_status() == base::win::OSInfo::WOW64_ENABLED) {
-    if (os_info->version() >= base::win::Version::WIN10)
+    if (real_os_version >= base::win::Version::WIN10)
      thunk.reset(new Wow64W10ResolverThunk(child_->Process(), relaxed_));
-    else if (os_info->version() >= base::win::Version::WIN8)
+    else if (real_os_version >= base::win::Version::WIN8)
      thunk.reset(new Wow64W8ResolverThunk(child_->Process(), relaxed_));
    else
      thunk.reset(new Wow64ResolverThunk(child_->Process(), relaxed_));
-  } else if (os_info->version() >= base::win::Version::WIN8) {
+  } else if (real_os_version >= base::win::Version::WIN8) {
    thunk.reset(new Win8ResolverThunk(child_->Process(), relaxed_));
  } else {
    thunk.reset(new ServiceResolverThunk(child_->Process(), relaxed_));