Strengthen MITIGATION_DLL_SEARCH_ORDER on non-component builds.

Also, add this mitigation to the browser process. BUG=870463 Change-Id: I1e749a4ede0b41cca69f60262fd878c57ed35564 Reviewed-on: https://chromium-review.googlesource.com/1162581Reviewed-by: Penny MacNeil <pennymac@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#581067}

Strengthen MITIGATION_DLL_SEARCH_ORDER on non-component builds.
Also, add this mitigation to the browser process. BUG=870463 Change-Id: I1e749a4ede0b41cca69f60262fd878c57ed35564 Reviewed-on: https://chromium-review.googlesource.com/1162581Reviewed-by: Penny MacNeil <pennymac@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#581067}
58443848 · Will Harris · Commit Bot · 8fcf3c87 · 58443848 · 58443848
Commit 58443848 authored Aug 07, 2018 by Will Harris Committed by Commit Bot Aug 07, 2018
3 changed files
--- a/content/app/sandbox_helper_win.cc
+++ b/content/app/sandbox_helper_win.cc
@@ -17,7 +17,8 @@ void InitializeSandboxInfo(sandbox::SandboxInterfaceInfo* info) {
    // Ensure the proper mitigations are enforced for the browser process.
    sandbox::ApplyProcessMitigationsToCurrentProcess(
        sandbox::MITIGATION_DEP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
-        sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY);
+        sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY |
+        sandbox::MITIGATION_DLL_SEARCH_ORDER);
    // Note: these mitigations are "post-startup".  Some mitigations that need
    // to be enabled sooner (e.g. MITIGATION_EXTENSION_POINT_DISABLE) are done
    // so in Chrome_ELF.

--- a/sandbox/win/src/process_mitigations.cc
+++ b/sandbox/win/src/process_mitigations.cc
@@ -77,7 +77,16 @@ bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) {
    // Check for SetDefaultDllDirectories since it requires KB2533623.
    if (set_default_dll_directories) {
-      if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) &&
+#if defined(COMPONENT_BUILD)
+      const DWORD directory_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS;
+#else
+      // In a non-component build, all DLLs will be loaded manually, or via
+      // manifest definition, so these flags can be stronger. This prevents DLL
+      // planting in the application directory.
+      const DWORD directory_flags =
+          LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS;
+#endif
+      if (!set_default_dll_directories(directory_flags) &&
          ERROR_ACCESS_DENIED != ::GetLastError()) {
        return false;
      }

--- a/sandbox/win/src/security_level.h
+++ b/sandbox/win/src/security_level.h
@@ -197,10 +197,15 @@ const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;
 // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
 const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;
-// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
+// Strengthens the DLL search order. See
-// directories can be added via the Windows AddDllDirectory() function.
+// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515. In a
-// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
+// component build - sets this to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS allowing
-// Must be enabled after startup.
+// additional directories to be added via Windows AddDllDirectory() function,
+// but preserving current load order. In a non-component build, all DLLs should
+// be loaded manually, so strenthen to LOAD_LIBRARY_SEARCH_SYSTEM32 |
+// LOAD_LIBRARY_SEARCH_USER_DIRS, removing LOAD_LIBRARY_SEARCH_APPLICATION_DIR,
+// preventing DLLs being implicitly loaded from the application path. Must be
+// enabled after startup.
 const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000200;
 // Changes the mandatory integrity level policy on the current process' token