Add sbox tests related to warming up of locales.

Warm up locales in LowerToken() after RevertToSelf() as existing warmup was not working on Win 8.1 x64. Remove existing warmup which was done outside of LowerToken(). BUG=464430 Review URL: https://codereview.chromium.org/1324523008 Cr-Commit-Position: refs/heads/master@{#347857}

Add sbox tests related to warming up of locales.
Warm up locales in LowerToken() after RevertToSelf() as existing warmup was not working on Win 8.1 x64. Remove existing warmup which was done outside of LowerToken(). BUG=464430 Review URL: https://codereview.chromium.org/1324523008 Cr-Commit-Position: refs/heads/master@{#347857}
1b10aabb · liamjm · Commit bot · 13088190 · 1b10aabb · 1b10aabb
Commit 1b10aabb authored Sep 09, 2015 by liamjm Committed by Commit bot Sep 09, 2015
9 changed files
--- a/components/nacl/loader/nacl_main_platform_delegate_win.cc
+++ b/components/nacl/loader/nacl_main_platform_delegate_win.cc
@@ -17,9 +17,6 @@ void NaClMainPlatformDelegate::EnableSandbox(
  // Cause advapi32 to load before the sandbox is turned on.
  unsigned int dummy_rand;
  rand_s(&dummy_rand);
-  // Warm up language subsystems before the sandbox is turned on.
-  ::GetUserDefaultLangID();
-  ::GetUserDefaultLCID();
  // Turn the sandbox on.
  target_services->LowerToken();

--- a/content/renderer/renderer_main_platform_delegate_win.cc
+++ b/content/renderer/renderer_main_platform_delegate_win.cc
@@ -105,9 +105,6 @@ bool RendererMainPlatformDelegate::EnableSandbox() {
    // Cause advapi32 to load before the sandbox is turned on.
    unsigned int dummy_rand;
    rand_s(&dummy_rand);
-    // Warm up language subsystems before the sandbox is turned on.
-    ::GetUserDefaultLangID();
-    ::GetUserDefaultLCID();
    target_services->LowerToken();
    return true;

--- a/sandbox/win/BUILD.gn
+++ b/sandbox/win/BUILD.gn
@@ -196,6 +196,7 @@ test("sbox_integration_tests") {
    "src/handle_policy_test.cc",
    "src/integrity_level_test.cc",
    "src/ipc_ping_test.cc",
+    "src/lpc_policy_test.cc",
    "src/named_pipe_policy_test.cc",
    "src/policy_target_test.cc",
    "src/process_mitigations_test.cc",

--- a/sandbox/win/sandbox_win.gypi
+++ b/sandbox/win/sandbox_win.gypi
@@ -225,6 +225,7 @@
        'src/handle_closer_test.cc',
        'src/integrity_level_test.cc',
        'src/ipc_ping_test.cc',
+        'src/lpc_policy_test.cc',
        'src/named_pipe_policy_test.cc',
        'src/policy_target_test.cc',
        'src/process_mitigations_test.cc',

--- a/sandbox/win/src/lpc_policy_test.cc
+++ b/sandbox/win/src/lpc_policy_test.cc
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// These tests have been added to specifically tests issues arising from (A)LPC
+// lock down.
+#include <algorithm>
+#include <cctype>
+#include <windows.h>
+#include <winioctl.h>
+#include "sandbox/win/src/sandbox.h"
+#include "sandbox/win/src/sandbox_factory.h"
+#include "sandbox/win/src/sandbox_policy.h"
+#include "sandbox/win/tests/common/controller.h"
+#include "sandbox/win/tests/common/test_utils.h"
+#include "testing/gtest/include/gtest/gtest.h"
+namespace sandbox {
+// Converts LCID to std::wstring for passing to sbox tests.
+std::wstring LcidToWString(LCID lcid) {
+  wchar_t buff[10] = {0};
+  int res = swprintf_s(buff, sizeof(buff)/sizeof(buff[0]), L"%08x", lcid);
+  if (-1 != res) {
+    return std::wstring(buff);
+  }
+  return std::wstring();
+}
+// Converts LANGID to std::wstring for passing to sbox tests.
+std::wstring LangidToWString(LANGID langid) {
+  wchar_t buff[10] = {0};
+  int res = swprintf_s(buff, sizeof(buff)/sizeof(buff[0]), L"%04x", langid);
+  if (-1 != res) {
+    return std::wstring(buff);
+  }
+  return std::wstring();
+}
+SBOX_TESTS_COMMAND int Lpc_GetUserDefaultLangID(int argc, wchar_t **argv) {
+  if (argc != 1)
+    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
+  std::wstring expected_langid_string(argv[0]);
+  // This will cause an exception if not warmed up suitably.
+  LANGID langid = ::GetUserDefaultLangID();
+  std::wstring langid_string = LangidToWString(langid);
+  if (0 == wcsncmp(langid_string.c_str(), expected_langid_string.c_str(), 4)) {
+    return SBOX_TEST_SUCCEEDED;
+  }
+  return SBOX_TEST_FAILED;
+}
+TEST(LpcPolicyTest, GetUserDefaultLangID) {
+  LANGID langid = ::GetUserDefaultLangID();
+  std::wstring cmd = L"Lpc_GetUserDefaultLangID " + LangidToWString(langid);
+  TestRunner runner;
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd.c_str()));
+}
+SBOX_TESTS_COMMAND int Lpc_GetUserDefaultLCID(int argc, wchar_t **argv) {
+  if (argc != 1)
+    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
+  std::wstring expected_lcid_string(argv[0]);
+  // This will cause an exception if not warmed up suitably.
+  LCID lcid = ::GetUserDefaultLCID();
+  std::wstring lcid_string = LcidToWString(lcid);
+  if (0 == wcsncmp(lcid_string.c_str(), expected_lcid_string.c_str(), 8)) {
+    return SBOX_TEST_SUCCEEDED;
+  }
+  return SBOX_TEST_FAILED;
+}
+TEST(LpcPolicyTest, GetUserDefaultLCID) {
+  LCID lcid = ::GetUserDefaultLCID();
+  std::wstring cmd = L"Lpc_GetUserDefaultLCID " + LcidToWString(lcid);
+  TestRunner runner;
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd.c_str()));
+}
+SBOX_TESTS_COMMAND int Lpc_GetUserDefaultLocaleName(int argc, wchar_t **argv) {
+  if (argc != 1)
+    return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
+  std::wstring expected_locale_name(argv[0]);
+  wchar_t locale_name[LOCALE_NAME_MAX_LENGTH] = { 0 };
+  // This will cause an exception if not warmed up suitably.
+  int ret = ::GetUserDefaultLocaleName(locale_name, LOCALE_NAME_MAX_LENGTH);
+  if (!ret) {
+    return SBOX_TEST_FAILED;
+  }
+  if (!wcsnlen(locale_name, LOCALE_NAME_MAX_LENGTH)) {
+    return SBOX_TEST_FAILED;
+  }
+  if (0 == wcsncmp(locale_name,
+                   expected_locale_name.c_str(),
+                   LOCALE_NAME_MAX_LENGTH)) {
+    return SBOX_TEST_SUCCEEDED;
+  }
+  return SBOX_TEST_FAILED;
+}
+TEST(LpcPolicyTest, GetUserDefaultLocaleName) {
+  wchar_t locale_name[LOCALE_NAME_MAX_LENGTH] = { 0 };
+  int ret = ::GetUserDefaultLocaleName(locale_name, LOCALE_NAME_MAX_LENGTH);
+  EXPECT_NE(ret, 0);
+  std::wstring cmd = L"Lpc_GetUserDefaultLocaleName " + \
+      std::wstring(locale_name);
+  TestRunner runner;
+  EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd.c_str()));
+}
+}  // namespace sandbox
--- a/sandbox/win/src/sandbox_policy.h
+++ b/sandbox/win/src/sandbox_policy.h
@@ -80,7 +80,7 @@ class TargetPolicy {
  //   not compatible with AppContainer, see SetAppContainer.
  // lockdown: the security level for the token that comes into force after the
  //   process calls TargetServices::LowerToken() or the process calls
-  //   ReverToSelf(). See the explanation of each level in the TokenLevel
+  //   RevertToSelf(). See the explanation of each level in the TokenLevel
  //   definition.
  // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
  //   Returns false if the lockdown value is more permissive than the initial

--- a/sandbox/win/src/sandbox_types.h
+++ b/sandbox/win/src/sandbox_types.h
@@ -61,6 +61,7 @@ enum TerminationCodes {
  SBOX_FATAL_CLOSEHANDLES = 7010,    // Failed to close pending handles.
  SBOX_FATAL_MITIGATION = 7011,      // Could not set the mitigation policy.
  SBOX_FATAL_MEMORY_EXCEEDED = 7012, // Exceeded the job memory limit.
+  SBOX_FATAL_WARMUP = 7013,          // Failed to warmup.
  SBOX_FATAL_LAST
 };

--- a/sandbox/win/src/target_services.cc
+++ b/sandbox/win/src/target_services.cc
@@ -59,6 +59,22 @@ bool CloseOpenHandles(bool* is_csrss_connected) {
  return true;
 }
+// Warm up language subsystems before the sandbox is turned on.
+// Tested on Win8.1 x64:
+// This needs to happen after RevertToSelf() is called, because (at least) in
+// the case of GetUserDefaultLCID() it checks the TEB to see if the process is
+// impersonating (TEB!IsImpersonating). If it is, the cached locale information
+// is not used, nor is it set. Therefore, calls after RevertToSelf() will not
+// have warmed-up values to use.
+bool WarmupWindowsLocales() {
+  // NOTE(liamjm): When last checked (Win 8.1 x64) it wasn't necessary to
+  // warmup all of these functions, but let's not assume that.
+  ::GetUserDefaultLangID();
+  ::GetUserDefaultLCID();
+  wchar_t localeName[LOCALE_NAME_MAX_LENGTH] = { 0 };
+  return (0 != ::GetUserDefaultLocaleName(
+      localeName, LOCALE_NAME_MAX_LENGTH * sizeof(wchar_t)));
+}
 // Used as storage for g_target_services, because other allocation facilities
 // are not available early. We can't use a regular function static because on
@@ -97,6 +113,8 @@ void TargetServicesBase::LowerToken() {
    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_FLUSHANDLES);
  if (ERROR_SUCCESS != ::RegDisablePredefinedCache())
    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
+  if (!WarmupWindowsLocales())
+      ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_WARMUP);
  bool is_csrss_connected = true;
  if (!CloseOpenHandles(&is_csrss_connected))
    ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);

--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -55078,6 +55078,7 @@ http://cs/file:chrome/histograms.xml - but prefer this file for new entries.
  <int value="7010" label="SBOX_FATAL_CLOSEHANDLES"/>
  <int value="7011" label="SBOX_FATAL_MITIGATION"/>
  <int value="7012" label="SBOX_FATAL_MEMORY_EXCEEDED"/>
+  <int value="7013" label="SBOX_FATAL_WARMUP"/>
  <int value="529697949" label="CPP_EH_EXCEPTION"/>
  <int value="533692099" label="STATUS_GUARD_PAGE_VIOLATION"/>
  <int value="1073740791" label="STATUS_STACK_BUFFER_OVERRUN"/>