Reland "Reland "Add test that verifies CFG loader config is generated correctly.""

This is a reland of f56c8f8e Original change's description: > Reland "Add test that verifies CFG loader config is generated correctly." > > This is a reland of c2b6797f > > Fixed to add CALLBACK in front of the callback function. > > Original change's description: > > Add test that verifies CFG loader config is generated correctly. > > > > This CL adds a test that creates a callback from operating system > > code to a module that has CFG enabled where the callback is not > > listed as a valid indirect target. > > > > Note: this test does not require dispatch guards to be present > > in chromium code, just for them to be present in OS code and > > for the CFG load config to be generated correctly. > > > > BUG=584575 > > > > Change-Id: Id6f5f4061f7237c23f08c8fe1b7471ea200f0628 > > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2308854 > > Commit-Queue: Will Harris <wfh@chromium.org> > > Reviewed-by: Alex Gough <ajgo@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#790587} > > Bug: 584575 > Cq-Include-Trybots: luci.chromium.try:win7-rel > Change-Id: Ie721a3f3aebcb3ff1eaae711e588ba1ec8a6e507 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2311038 > Reviewed-by: Alex Gough <ajgo@chromium.org> > Commit-Queue: Will Harris <wfh@chromium.org> > Cr-Commit-Position: refs/heads/master@{#790690} Bug: 584575,1108222 Change-Id: Ifda66b80f5832178f3e8fe5c6f55b95d7e00281a Cq-Include-Trybots: luci.chromium.try:win7-rel,win-asan Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2314017Reviewed-by: Alex Gough <ajgo@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#791003}

Reland "Reland "Add test that verifies CFG loader config is generated correctly.""
This is a reland of f56c8f8e Original change's description: > Reland "Add test that verifies CFG loader config is generated correctly." > > This is a reland of c2b6797f > > Fixed to add CALLBACK in front of the callback function. > > Original change's description: > > Add test that verifies CFG loader config is generated correctly. > > > > This CL adds a test that creates a callback from operating system > > code to a module that has CFG enabled where the callback is not > > listed as a valid indirect target. > > > > Note: this test does not require dispatch guards to be present > > in chromium code, just for them to be present in OS code and > > for the CFG load config to be generated correctly. > > > > BUG=584575 > > > > Change-Id: Id6f5f4061f7237c23f08c8fe1b7471ea200f0628 > > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2308854 > > Commit-Queue: Will Harris <wfh@chromium.org> > > Reviewed-by: Alex Gough <ajgo@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#790587} > > Bug: 584575 > Cq-Include-Trybots: luci.chromium.try:win7-rel > Change-Id: Ie721a3f3aebcb3ff1eaae711e588ba1ec8a6e507 > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2311038 > Reviewed-by: Alex Gough <ajgo@chromium.org> > Commit-Queue: Will Harris <wfh@chromium.org> > Cr-Commit-Position: refs/heads/master@{#790690} Bug: 584575,1108222 Change-Id: Ifda66b80f5832178f3e8fe5c6f55b95d7e00281a Cq-Include-Trybots: luci.chromium.try:win7-rel,win-asan Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2314017Reviewed-by: Alex Gough <ajgo@chromium.org> Commit-Queue: Will Harris <wfh@chromium.org> Cr-Commit-Position: refs/heads/master@{#791003}
b09d1f9c · Will Harris · Commit Bot · e418c60c · b09d1f9c · b09d1f9c
Commit b09d1f9c authored Jul 22, 2020 by Will Harris Committed by Commit Bot Jul 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 75 additions and 0 deletions

sandbox/win/BUILD.gn sandbox/win/BUILD.gn +1 -0

sandbox/win/tests/integration_tests/cfi_unittest.cc sandbox/win/tests/integration_tests/cfi_unittest.cc +74 -0

No files found.
--- a/sandbox/win/BUILD.gn
+++ b/sandbox/win/BUILD.gn
@@ -217,6 +217,7 @@ test("sbox_integration_tests") {
    "tests/common/controller.h",
    "tests/common/test_utils.cc",
    "tests/common/test_utils.h",
+    "tests/integration_tests/cfi_unittest.cc",
    "tests/integration_tests/integration_tests.cc",
    "tests/integration_tests/integration_tests_common.h",
    "tests/integration_tests/integration_tests_test.cc",

--- a/sandbox/win/tests/integration_tests/cfi_unittest.cc
+++ b/sandbox/win/tests/integration_tests/cfi_unittest.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include <intrin.h>
+#include <windows.h>
+#include "base/files/file_path.h"
+#include "base/files/scoped_temp_dir.h"
+#include "base/path_service.h"
+#include "base/win/windows_version.h"
+#include "testing/gtest/include/gtest/gtest.h"
+namespace sandbox {
+// ASLR must be enabled for CFG to be enabled, and ASLR is disabled in debug
+// builds.
+// Test cannot run with ASAN builds as CFI linker is currently disabled because
+// of perf issues caused by https://crbug.com/846966.
+#if !defined(_DEBUG) && !defined(ADDRESS_SANITIZER)
+namespace {
+DWORD CALLBACK CopyProgressRoutine(LARGE_INTEGER total_file_size,
+                                   LARGE_INTEGER total_bytes_transferred,
+                                   LARGE_INTEGER stream_size,
+                                   LARGE_INTEGER stream_bytes_transferred,
+                                   DWORD stream_number,
+                                   DWORD callback_reason,
+                                   HANDLE source_file,
+                                   HANDLE destination_file,
+                                   LPVOID context) {
+  __asm {
+     nop
+     nop
+     ret
+  }
+  return PROGRESS_CONTINUE;
+}
+}  // namespace
+// Make sure Microsoft binaries compiled with CFG cannot call indirect pointers
+// not listed in the loader config for this test binary.
+TEST(CFGSupportTests, MsIndirectFailure) {
+  // CFG is only supported on >= Win8.1 Update 3.
+  // Not checking for update, since test infra is updated and it would add
+  // a lot of complexity.
+  if (base::win::GetVersion() < base::win::Version::WIN8_1)
+    return;
+  base::FilePath exe_path;
+  ASSERT_TRUE(base::PathService::Get(base::FILE_EXE, &exe_path));
+  using ProcessCallbackRoutineType = decltype(&CopyProgressRoutine);
+  // Create a bad callback pointer to midway into the callback function. This
+  // should cause a CFG violation in MS code.
+  auto bad_callback_func = reinterpret_cast<ProcessCallbackRoutineType>(
+      (reinterpret_cast<uintptr_t>(CopyProgressRoutine)) + 0x1);
+  base::ScopedTempDir temp_dir;
+  ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
+  base::FilePath temp_file_path = temp_dir.GetPath().AppendASCII("file.dat");
+  EXPECT_EXIT(
+      // CopyFileEx calls back into our code.
+      CopyFileExW(exe_path.value().c_str(), temp_file_path.value().c_str(),
+                  bad_callback_func, nullptr, FALSE, 0),
+      ::testing::ExitedWithCode(STATUS_STACK_BUFFER_OVERRUN), "");
+}
+#endif  // !defined(_DEBUG) && !defined(ADDRESS_SANITIZER)
+}  // namespace sandbox