Fix small race in the sandbox

DuplicateHandle with DUPLICATE_CLOSE_SOURCE always closes the handle, right now on failure we close it which means we are closing an invalid handle or closing some other handle in the small race window. Reported by Ashutosh Mehra from Adobe. BUG=233251 TEST=none Review URL: https://chromiumcodereview.appspot.com/13912024 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@195029 0039d316-1c4b-4281-b951-d872f2087c98

Fix small race in the sandbox
DuplicateHandle with DUPLICATE_CLOSE_SOURCE always closes the handle, right now on failure we close it which means we are closing an invalid handle or closing some other handle in the small race window. Reported by Ashutosh Mehra from Adobe. BUG=233251 TEST=none Review URL: https://chromiumcodereview.appspot.com/13912024 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@195029 0039d316-1c4b-4281-b951-d872f2087c98
8c13c443 · cpu@chromium.org · e8b51952 · 8c13c443 · 8c13c443 · 8c13c443
Commit 8c13c443 authored Apr 19, 2013 by cpu@chromium.org
4 changed files
--- a/sandbox/win/src/filesystem_policy.cc
+++ b/sandbox/win/src/filesystem_policy.cc
@@ -49,7 +49,6 @@ NTSTATUS NtCreateFileInTarget(HANDLE* target_file_handle,
  if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
                         target_process, target_file_handle, 0, FALSE,
                         DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
-    ::CloseHandle(local_handle);
    return STATUS_ACCESS_DENIED;
  }
  return STATUS_SUCCESS;

--- a/sandbox/win/src/named_pipe_policy.cc
+++ b/sandbox/win/src/named_pipe_policy.cc
@@ -28,10 +28,10 @@ HANDLE CreateNamedPipeHelper(HANDLE target_process, LPCWSTR pipe_name,
    return pipe;
  HANDLE new_pipe;
-  if (!::DuplicateHandle(::GetCurrentProcess(), pipe, target_process, &new_pipe,
+  if (!::DuplicateHandle(::GetCurrentProcess(), pipe,
-                         0, FALSE, DUPLICATE_CLOSE_SOURCE |
+                         target_process, &new_pipe,
-                             DUPLICATE_SAME_ACCESS)) {
+                         0, FALSE,
-    ::CloseHandle(pipe);
+                         DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
    return INVALID_HANDLE_VALUE;
  }

--- a/sandbox/win/src/registry_policy.cc
+++ b/sandbox/win/src/registry_policy.cc
@@ -78,7 +78,6 @@ NTSTATUS NtCreateKeyInTarget(HANDLE* target_key_handle,
  if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
                         target_process, target_key_handle, 0, FALSE,
                         DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
-    ::CloseHandle(local_handle);
    return STATUS_ACCESS_DENIED;
  }
  return STATUS_SUCCESS;
@@ -106,7 +105,6 @@ NTSTATUS NtOpenKeyInTarget(HANDLE* target_key_handle,
  if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
                         target_process, target_key_handle, 0, FALSE,
                         DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
-    ::CloseHandle(local_handle);
    return STATUS_ACCESS_DENIED;
  }
  return STATUS_SUCCESS;

--- a/sandbox/win/src/sync_policy.cc
+++ b/sandbox/win/src/sync_policy.cc
@@ -80,7 +80,6 @@ DWORD SyncPolicy::CreateEventAction(EvalResult eval_result,
  if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
                         client_info.process, handle, 0, FALSE,
                         DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
-    ::CloseHandle(local_handle);
    return ERROR_ACCESS_DENIED;
  }
  return ERROR_SUCCESS;
@@ -105,7 +104,6 @@ DWORD SyncPolicy::OpenEventAction(EvalResult eval_result,
  if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
                         client_info.process, handle, 0, inherit_handle,
                         DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
-    ::CloseHandle(local_handle);
    return ERROR_ACCESS_DENIED;
  }
  return ERROR_SUCCESS;