Disable CIG under ASAN.

ASAN has not yet fully initialized by the time the CIG intercepts
execute. Most of the code works fine but the call to
std::unique_ptr ends up hitting an uninitialized instrumentation
and crashing.

Various options were considered including:

 * Add all of the std::unique_ptr calls used in the interception
   code to the exclusion list.
 * Implement our own smart pointers in the interception.
 * Just use stack allocations and/or dumb pointers in interception.

It seemed, upon reflection, the best use of engineering resources
to just disable CIG on ASAN builds.

BUG=995986

Change-Id: I5078a21c70864d7e14a8196ec05bb217b3251f41
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1763095Reviewed-by: James Forshaw <forshaw@chromium.org>
Commit-Queue: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#689208}

chrome/browser/chrome_content_browser_client.cc

@@ -684,13 +684,14 @@ const char* const kPredefinedAllowedSocketOrigins[] = {
 };
 #endif
 
-#if defined(OS_WIN) && !defined(COMPONENT_BUILD)
+#if defined(OS_WIN) && !defined(COMPONENT_BUILD) && !defined(ADDRESS_SANITIZER)
 // Enables pre-launch Code Integrity Guard (CIG) for Chrome renderers, when
 // running on Windows 10 1511 and above. See
 // https://blogs.windows.com/blog/tag/code-integrity-guard/.
 const base::Feature kRendererCodeIntegrity{"RendererCodeIntegrity",
                                            base::FEATURE_ENABLED_BY_DEFAULT};
-#endif  // defined(OS_WIN) && !defined(COMPONENT_BUILD)
+#endif  // defined(OS_WIN) && !defined(COMPONENT_BUILD) &&
+        // !defined(ADDRESS_SANITIZER)
 
 enum AppLoadedInTabSource {
   // A platform app page tried to load one of its own URLs in a tab.
@@ -1027,7 +1028,7 @@ void MaybeAppendSecureOriginsAllowlistSwitch(base::CommandLine* cmdline) {
   }
 }
 
-#if defined(OS_WIN) && !defined(COMPONENT_BUILD)
+#if defined(OS_WIN) && !defined(COMPONENT_BUILD) && !defined(ADDRESS_SANITIZER)
 // Returns the full path to |module_name|. Both dev builds (where |module_name|
 // is in the current executable's directory) and proper installs (where
 // |module_name| is in a versioned sub-directory of the current executable's
@@ -1049,7 +1050,8 @@ base::FilePath GetModulePath(base::StringPiece16 module_name) {
   // directory. This is the expected location of modules for dev builds.
   return exe_dir.Append(module_name);
 }
-#endif  // defined(OS_WIN) && !defined(COMPONENT_BUILD)
+#endif  // defined(OS_WIN) && !defined(COMPONENT_BUILD) &&
+        // !defined(ADDRESS_SANITIZER)
 
 }  // namespace
 
@@ -3612,7 +3614,11 @@ bool ChromeContentBrowserClient::PreSpawnRenderer(
   if (result != sandbox::SBOX_ALL_OK)
     return false;
 
-#if !defined(COMPONENT_BUILD)
+// Does not work under component build because all the component DLLs would need
+// to be manually added and maintained. Does not work under ASAN build because
+// ASAN has not yet fully initialized its instrumentation by the time the CIG
+// intercepts run.
+#if !defined(COMPONENT_BUILD) && !defined(ADDRESS_SANITIZER)
   if (!base::FeatureList::IsEnabled(kRendererCodeIntegrity))
     return true;
 
@@ -3645,7 +3651,7 @@ bool ChromeContentBrowserClient::PreSpawnRenderer(
     if (result != sandbox::SBOX_ALL_OK)
       return false;
   }
-#endif  // !defined(COMPONENT_BUILD)
+#endif  // !defined(COMPONENT_BUILD) && !defined(ADDRESS_SANITIZER)
 
   return true;
 }

sandbox/win/src/process_mitigations_unittest.cc

@@ -829,9 +829,23 @@ TEST(ProcessMitigationsTest, CheckWin10MsSigned_Failure) {
                     false /* add_directory_permission */);
 }
 
+// ASAN doesn't initialize early enough for the intercepts in NtCreateSection to
+// be able to use std::unique_ptr, so disable pre-launch CIG on ASAN builds.
+#if !defined(ADDRESS_SANITIZER)
+#define MAYBE_CheckWin10MsSignedWithIntercept_Success \
+  CheckWin10MsSignedWithIntercept_Success
+#define MAYBE_CheckWin10MsSigned_FailurePreSpawn \
+  CheckWin10MsSigned_FailurePreSpawn
+#else
+#define MAYBE_CheckWin10MsSignedWithIntercept_Success \
+  DISABLED_CheckWin10MsSignedWithIntercept_Success
+#define MAYBE_CheckWin10MsSigned_FailurePreSpawn \
+  DISABLED_CheckWin10MsSigned_FailurePreSpawn
+#endif
+
 // This test validates that setting the MITIGATION_FORCE_MS_SIGNED_BINS
 // mitigation allows the loading of an unsigned DLL if intercept in place.
-TEST(ProcessMitigationsTest, CheckWin10MsSignedWithIntercept_Success) {
+TEST(ProcessMitigationsTest, MAYBE_CheckWin10MsSignedWithIntercept_Success) {
   if (base::win::GetVersion() < base::win::Version::WIN10_TH2)
     return;
 
@@ -858,7 +872,7 @@ TEST(ProcessMitigationsTest, CheckWin10MsSignedWithIntercept_Success) {
 
 // This test validates that setting the MITIGATION_FORCE_MS_SIGNED_BINS
 // mitigation pre-load prevents the loading of an unsigned DLL.
-TEST(ProcessMitigationsTest, CheckWin10MsSigned_FailurePreSpawn) {
+TEST(ProcessMitigationsTest, MAYBE_CheckWin10MsSigned_FailurePreSpawn) {
   if (base::win::GetVersion() < base::win::Version::WIN10_TH2)
     return;
 

sandbox/win/src/signed_interception.cc

@@ -15,10 +15,6 @@
 #include "sandbox/win/src/sharedmem_ipc_client.h"
 #include "sandbox/win/src/target_services.h"
 
-#if defined(ADDRESS_SANITIZER)
-extern "C" void* __asan_shadow_memory_dynamic_address;
-#endif
-
 namespace sandbox {
 
 NTSTATUS WINAPI
@@ -31,12 +27,6 @@ TargetNtCreateSection(NtCreateSectionFunction orig_CreateSection,
                       ULONG allocation_attributes,
                       HANDLE file_handle) {
   do {
-    // If the shadow memory is not fully initialized then the call below to
-    // create a std::unique_ptr will fail, so just abort early in this case.
-#if defined(ADDRESS_SANITIZER)
-    if (!__asan_shadow_memory_dynamic_address)
-      break;
-#endif
     // The section only needs to have SECTION_MAP_EXECUTE, but the permissions
     // vary depending on the OS. Windows 1903 and higher requests (SECTION_QUERY
     // | SECTION_MAP_READ | SECTION_MAP_EXECUTE) while previous OS versions also