Add test that verifies CFG loader config is generated correctly.

This CL adds a test that creates a callback from operating system
code to a module that has CFG enabled where the callback is not
listed as a valid indirect target.

Note: this test does not require dispatch guards to be present
in chromium code, just for them to be present in OS code and
for the CFG load config to be generated correctly.

BUG=584575

Change-Id: Id6f5f4061f7237c23f08c8fe1b7471ea200f0628
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2308854
Commit-Queue: Will Harris <wfh@chromium.org>
Reviewed-by: Alex Gough <ajgo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790587}

sandbox/win/BUILD.gn

@@ -217,6 +217,7 @@ test("sbox_integration_tests") {
     "tests/common/controller.h",
     "tests/common/test_utils.cc",
     "tests/common/test_utils.h",
+    "tests/integration_tests/cfi_unittest.cc",
     "tests/integration_tests/integration_tests.cc",
     "tests/integration_tests/integration_tests_common.h",
     "tests/integration_tests/integration_tests_test.cc",

sandbox/win/tests/integration_tests/cfi_unittest.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include <intrin.h>
+
+#include <windows.h>
+
+#include "base/files/file_path.h"
+#include "base/files/scoped_temp_dir.h"
+#include "base/path_service.h"
+#include "base/win/windows_version.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace sandbox {
+
+// ASLR must be enabled for CFG to be enabled, and ASLR is disabled in debug
+// builds.
+#if !defined(_DEBUG)
+
+namespace {
+
+DWORD CopyProgressRoutine(LARGE_INTEGER total_file_size,
+                          LARGE_INTEGER total_bytes_transferred,
+                          LARGE_INTEGER stream_size,
+                          LARGE_INTEGER stream_bytes_transferred,
+                          DWORD stream_number,
+                          DWORD callback_reason,
+                          HANDLE source_file,
+                          HANDLE destination_file,
+                          LPVOID context) {
+  __asm {
+     nop
+     nop
+     ret
+  }
+  return PROGRESS_CONTINUE;
+}
+
+}  // namespace
+
+// Make sure Microsoft binaries compiled with CFG cannot call indirect pointers
+// not listed in the loader config for this test binary.
+TEST(CFGSupportTests, MsIndirectFailure) {
+  // CFG is only supported on >= Win8.1 Update 3.
+  // Not checking for update, since test infra is updated and it would add
+  // a lot of complexity.
+  if (base::win::GetVersion() < base::win::Version::WIN8_1)
+    return;
+
+  base::FilePath exe_path;
+  ASSERT_TRUE(base::PathService::Get(base::FILE_EXE, &exe_path));
+
+  using ProcessCallbackRoutineType = decltype(&CopyProgressRoutine);
+
+  // Create a bad callback pointer to midway into the callback function. This
+  // should cause a CFG violation in MS code.
+  auto bad_callback_func = reinterpret_cast<ProcessCallbackRoutineType>(
+      (reinterpret_cast<uintptr_t>(CopyProgressRoutine)) + 0x1);
+
+  base::ScopedTempDir temp_dir;
+  ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
+  base::FilePath temp_file_path = temp_dir.GetPath().AppendASCII("file.dat");
+  EXPECT_EXIT(
+      // CopyFileEx calls back into our code.
+      CopyFileExW(exe_path.value().c_str(), temp_file_path.value().c_str(),
+                  bad_callback_func, nullptr, FALSE, 0),
+      ::testing::ExitedWithCode(STATUS_STACK_BUFFER_OVERRUN), "");
+}
+
+#endif  // !defined(_DEBUG)
+
+}  // namespace sandbox