25_add_CET_STRICT_MODE.patch (3765B)
1 # HG changeset patch
2 # User Bob Owen <bobowencode@gmail.com>
3 # Date 1611849321 0
4 # Thu Jan 28 15:55:21 2021 +0000
5 # Node ID c9195d88e6c67ef2c23c12e307bc16b94d696f50
6 # Parent 37557864a6845bb8068904e44e8a7dd16746d211
7 Bug 1716024 p1: Add MITIGATION_CET_COMPAT_MODE to chromium sandbox code. r=handyman!
8
9 diff --git a/sandbox/win/src/process_mitigations.cc b/sandbox/win/src/process_mitigations.cc
10 --- a/sandbox/win/src/process_mitigations.cc
11 +++ b/sandbox/win/src/process_mitigations.cc
12 @@ -81,16 +81,37 @@ bool IsRunning32bitEmulatedOnArm64() {
13 bool IsRunning32bitEmulatedOnArm64() {
14 #if defined(ARCH_CPU_X86)
15 return base::win::OSInfo::IsRunningEmulatedOnArm64();
16 #else
17 return false;
18 #endif // defined(ARCH_CPU_X86)
19 }
20
21 +// Returns true if user-mode Hardware-enforced Stack Protection is available for
22 +// the Win32 environment.
23 +bool IsUserCetWin32Available() {
24 + static bool cetAvailable = []() -> bool {
25 + using IsUserCetAvailableInEnvironmentFunction =
26 + decltype(&IsUserCetAvailableInEnvironment);
27 +
28 + IsUserCetAvailableInEnvironmentFunction is_user_cet_available =
29 + reinterpret_cast<IsUserCetAvailableInEnvironmentFunction>(
30 + ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
31 + "IsUserCetAvailableInEnvironment"));
32 + if (!is_user_cet_available) {
33 + return false;
34 + }
35 +
36 + return is_user_cet_available(USER_CET_ENVIRONMENT_WIN32_PROCESS);
37 + }();
38 +
39 + return cetAvailable;
40 +}
41 +
42 bool SetProcessMitigationPolicyInternal(PROCESS_MITIGATION_POLICY policy,
43 PVOID lpBuffer,
44 SIZE_T dwLength) {
45 PCHECK(::SetProcessMitigationPolicy(policy, lpBuffer, dwLength))
46 << "SetProcessMitigationPolicy failed with Policy: " << policy;
47
48 return true;
49 }
50
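Review bot: IsUserCetWin32Available gives no reason for resolving the kernel32 export through GetProcAddress instead of calling it directly, which is the first thing a reader of this hunk will ask; add above the lookup `// Resolved dynamically: treat a missing IsUserCetAvailableInEnvironment export as "user CET unavailable" rather than failing to load.` The result is computed once and kept in a function-local static, which is reasonable for an OS-level property but worth stating in the header comment, e.g. `// The answer is cached after the first call.` The local `cetAvailable` is lowerCamel while the neighbouring locals in this hunk are snake_case (`is_user_cet_available`); `cet_available` would match. Whether the export is absent only on older Windows builds is my inference from the dynamic lookup, not something the hunk itself establishes.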
@@ -506,16 +527,21 @@ void ConvertProcessMitigationsToPolicy(M
51 }
52
53 if (flags & MITIGATION_CET_STRICT_MODE) {
54 DCHECK(!(flags & MITIGATION_CET_DISABLED))
55 << "Cannot enable CET strict mode if CET is disabled.";
56 *policy_value_2 |=
57 PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_STRICT_MODE;
58 }
59 +
60 + if (flags & MITIGATION_CET_COMPAT_MODE && IsUserCetWin32Available()) {
61 + *policy_value_2 |=
62 + PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_ON;
63 + }
64
65 if (flags & MITIGATION_CET_ALLOW_DYNAMIC_APIS) {
66 DCHECK(!(flags & MITIGATION_CET_DISABLED))
67 << "Cannot enable in-process CET apis if CET is disabled.";
68 DCHECK(!(flags & MITIGATION_DYNAMIC_CODE_DISABLE))
69 << "Cannot enable in-process CET apis if dynamic code is disabled.";
70 *policy_value_2 |=
71 PROCESS_CREATION_MITIGATION_POLICY2_CET_DYNAMIC_APIS_OUT_OF_PROC_ONLY_ALWAYS_OFF;
72 diff --git a/sandbox/win/src/security_level.h b/sandbox/win/src/security_level.h
73 --- a/sandbox/win/src/security_level.h
74 +++ b/sandbox/win/src/security_level.h
75 @@ -286,11 +286,15 @@ const MitigationFlags MITIGATION_RESTRIC
76 // Working down from the high bit to avoid conflict with new upstream flags.
77
78 // Disable Control Flow Guard. This may seem more like an anti-mitigation, but
79 // this flag allows code to make targeted changes to CFG to avoid bugs, while
80 // leaving it enabled in the common case. Corresponds to
81 // PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON.
82 const MitigationFlags MITIGATION_CONTROL_FLOW_GUARD_DISABLE = 0x80000000;
83
84 +// This enables CET User Shadow Stack for compatible modules and corresponds to
85 +// PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_ON.
86 +const MitigationFlags MITIGATION_CET_COMPAT_MODE = 0x40000000;
87 +
88 } // namespace sandbox
89
90 #endif // SANDBOX_WIN_SRC_SECURITY_LEVEL_H_
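Review bot: The new MITIGATION_CET_COMPAT_MODE branch is the only CET branch in this hunk without a conflict check against MITIGATION_CET_DISABLED, while the strict-mode branch above and the dynamic-APIs branch below both DCHECK it, so a caller setting both flags would combine an "always on" request with a disable request unnoticed; add inside the branch `DCHECK(!(flags & MITIGATION_CET_DISABLED)) << "Cannot enable CET compat mode if CET is disabled.";`. The condition mixes a bit test with `&&` and reads more clearly as `if ((flags & MITIGATION_CET_COMPAT_MODE) && IsUserCetWin32Available())`. When user CET is unavailable the requested mitigation is dropped with no trace, which is presumably intended as best-effort, but that deserves a comment on the branch so a later reader does not mistake it for a policy bit that is always applied. ConvertProcessMitigationsToPolicy begins before and continues after this hunk.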
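Review bot: The header comment for MITIGATION_CET_COMPAT_MODE does not say that the flag is only honoured when user-mode CET is available on the host, which the process_mitigations.cc change in this patch gates via IsUserCetWin32Available(), so a caller reading only security_level.h would assume the policy bit is always set; extend the comment with `// Silently ignored when user-mode CET is not available in the Win32 environment (see IsUserCetWin32Available() in process_mitigations.cc).` It would also help to contrast it with MITIGATION_CET_STRICT_MODE declared nearby, e.g. `// Unlike MITIGATION_CET_STRICT_MODE, this is compatibility mode: shadow stacks are only enforced for CET-compatible modules.` That second sentence is my reading of "compatible modules" in the existing comment and should be checked against the Windows documentation for the policy flag before it is added.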