Changeset 52431 in vbox for trunk/src/VBox/HostDrivers

Timestamp:

Aug 20, 2014 12:31:03 PM (10 years ago)

Author:

vboxsync

Message:

SUP: Process the WinVerityTrust todo list from LdrLoadDll, avoid doing it from under NtCreateSection as to avoid messing up the loader. Simplified the WinVerifyTrust redo code in supR3HardenedScreenImage.

File:

• trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (17 diffs)

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -137 +137 @@
     /** The verification result. */
     int                     rc;
+    /** The validation flags (for WinVerifyTrust retry). */
+    uint32_t                fFlags;
     /** Whether IndexNumber is valid  */
     bool                    fIndexNumberValid;
@@ -204 +206 @@
 static NTSTATUS (NTAPI *    g_pfnLdrLoadDllReal)(PWSTR, PULONG, PUNICODE_STRING, PHANDLE);
 /** The hash table of verifier cache . */
-static VERIFIERCACHEENTRY * volatile g_apVerifierCache[128];
+static PVERIFIERCACHEENTRY  volatile g_apVerifierCache[128];
 /** Queue of cached images which needs WinVerifyTrust to check them. */
-static VERIFIERCACHEENTRY * volatile g_pVerifierCacheTodoWvt = NULL;
+static PVERIFIERCACHEENTRY  volatile g_pVerifierCacheTodoWvt = NULL;
 /** Queue of cached images which needs their imports checked. */
-static VERIFIERCACHEIMPORT * volatile g_pVerifierCacheTodoImports = NULL;
+static PVERIFIERCACHEIMPORT volatile g_pVerifierCacheTodoImports = NULL;
 /** @ */
 
@@ -222 +224 @@
 *******************************************************************************/
 static NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, PULONG pfAccess, PULONG pfProtect,
-                                         bool *pfCallRealApi, const char *pszCaller);
+                                         bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust);
 
 #ifdef RT_ARCH_AMD64
@@ -490 +492 @@
  * @param   rc                  The verifier result.
  * @param   fWinVerifyTrust     Whether verified by WinVerifyTrust or not.
- */
-static void supR3HardenedWinVerifyCacheInsert(PCUNICODE_STRING pUniStr, HANDLE hFile, int rc, bool fWinVerifyTrust)
+ * @param   fFlags              The image verification flags.
+ */
+static void supR3HardenedWinVerifyCacheInsert(PCUNICODE_STRING pUniStr, HANDLE hFile, int rc,
+                                              bool fWinVerifyTrust, uint32_t fFlags)
 {
     /*
@@ -505 +509 @@
         pEntry->rc              = rc;
         pEntry->uHash           = supR3HardenedWinVerifyCacheHashPath(pUniStr);
+        pEntry->fFlags          = fFlags;
         pEntry->fWinVerifyTrust = fWinVerifyTrust;
         pEntry->cbPath          = pUniStr->Length;
@@ -534 +539 @@
             if (   pOther->uHash  == pEntry->uHash
                 && pOther->cbPath == pEntry->cbPath
-                && memcmp(pOther->wszPath, pEntry->wszPath, pEntry->cbPath) == 0)
+                && supR3HardenedWinVerifyCacheIsMatch(pOther->wszPath, pEntry->wszPath, pEntry->cbPath))
                 break;
             ppEntry = &pOther->pNext;
         }
 
-        /* Duplicate entry. */
-#ifdef DEBUG_bird
-        __debugbreak();
-#endif
+        /* Duplicate entry (may happen due to races). */
         HeapFree(GetProcessHeap(), 0 /* dwFlags*/, pEntry);
     }
@@ -864 +866 @@
                     ULONG fProtect = 0;
                     bool  fCallRealApi = false;
-                    rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, &fAccess, &fProtect, &fCallRealApi, "Imports");
+                    rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, &fAccess, &fProtect, &fCallRealApi,
+                                                    "Imports", false /*fAvoidWinVerifyTrust*/);
                     NtClose(hFile);
                 }
@@ -875 +878 @@
             HeapFree(GetProcessHeap(), 0 /* dwFlags*/, pCur);
         } while (pTodo);
+    }
+}
+
+
+/**
+ * Processes the list of WinVerifyTrust todos.
+ */
+static void supR3HardenedWinVerifyCacheProcessWvtTodos(void)
+{
+    PVERIFIERCACHEENTRY  pReschedule = NULL;
+    PVERIFIERCACHEENTRY volatile *ppReschedLastNext = NULL;
+
+    /*
+     * Work until we've got nothing more todo.
+     */
+    for (;;)
+    {
+        if (!supHardenedWinIsWinVerifyTrustCallable())
+            break;
+        PVERIFIERCACHEENTRY pTodo = ASMAtomicXchgPtrT(&g_pVerifierCacheTodoWvt, NULL, PVERIFIERCACHEENTRY);
+        if (!pTodo)
+            break;
+        do
+        {
+            PVERIFIERCACHEENTRY pCur = pTodo;
+            pTodo = pTodo->pNextTodoWvt;
+            pCur->pNextTodoWvt = NULL;
+
+            if (   !pCur->fWinVerifyTrust
+                && RT_SUCCESS(pCur->rc))
+            {
+                bool fWinVerifyTrust = false;
+                int rc = supHardenedWinVerifyImageTrust(pCur->hFile, pCur->wszPath, pCur->fFlags, pCur->rc,
+                                                        &fWinVerifyTrust, NULL /* pErrInfo*/);
+                if (RT_FAILURE(rc) || fWinVerifyTrust)
+                {
+                    SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",
+                                 rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));
+                    pCur->fWinVerifyTrust = true;
+                    pCur->rc = rc;
+                }
+                else
+                {
+                    /* Retry it at a later time. */
+                    SUP_DPRINTF(("supR3HardenedWinVerifyCacheProcessWvtTodos: %d (was %d) fWinVerifyTrust=%d for '%ls' [rescheduled]\n",
+                                 rc, pCur->rc, fWinVerifyTrust, pCur->wszPath));
+                    if (!pReschedule)
+                        ppReschedLastNext = &pCur->pNextTodoWvt;
+                    pCur->pNextTodoWvt = pReschedule;
+                }
+            }
+            /* else: already processed. */
+        } while (pTodo);
+    }
+
+    /*
+     * Anything to reschedule.
+     */
+    if (pReschedule)
+    {
+        do
+            *ppReschedLastNext = g_pVerifierCacheTodoWvt;
+        while (!ASMAtomicCmpXchgPtr(&g_pVerifierCacheTodoWvt, pReschedule, *ppReschedLastNext));
     }
 }
@@ -1024 +1090 @@
 
 static NTSTATUS supR3HardenedScreenImage(HANDLE hFile, bool fImage, PULONG pfAccess, PULONG pfProtect,
-                                         bool *pfCallRealApi, const char *pszCaller)
+                                         bool *pfCallRealApi, const char *pszCaller, bool fAvoidWinVerifyTrust)
 {
     *pfCallRealApi = false;
@@ -1056 +1122 @@
     /*
      * Check the cache.
-     * If we haven't done the WinVerifyTrust thing, do it if we can.
      */
     PVERIFIERCACHEENTRY pCacheHit = supR3HardenedWinVerifyCacheLookup(&uBuf.UniStr, hFile);
-    if (   pCacheHit
-        && (   pCacheHit->fWinVerifyTrust
-            || RT_FAILURE(pCacheHit->rc)
-            || g_enmSupR3HardenedMainState < SUPR3HARDENEDMAINSTATE_VERIFY_TRUST_READY
-            || !supHardenedWinIsWinVerifyTrustCallable() ) )
-    {
-        SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls\n", pszCaller, pCacheHit->rc, pCacheHit->wszPath));
+    if (pCacheHit)
+    {
+        /* If we haven't done the WinVerifyTrust thing, do it if we can. */
+        if (   !pCacheHit->fWinVerifyTrust
+            && RT_SUCCESS(pCacheHit->rc)
+            && supHardenedWinIsWinVerifyTrustCallable() )
+        {
+            if (!fAvoidWinVerifyTrust)
+            {
+                SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [redoing WinVerifyTrust]\n",
+                             pszCaller, pCacheHit->rc, pCacheHit->wszPath));
+
+                bool fWinVerifyTrust = false;
+                int rc = supHardenedWinVerifyImageTrust(pCacheHit->hFile, pCacheHit->wszPath, pCacheHit->fFlags, pCacheHit->rc,
+                                                        &fWinVerifyTrust, NULL /* pErrInfo*/);
+                if (RT_FAILURE(rc) || fWinVerifyTrust)
+                {
+                    SUP_DPRINTF(("supR3HardenedScreenImage/%s: %d (was %d) fWinVerifyTrust=%d for '%ls'\n",
+                                 pszCaller, rc, pCacheHit->rc, fWinVerifyTrust, pCacheHit->wszPath));
+                    pCacheHit->fWinVerifyTrust = true;
+                    pCacheHit->rc = rc;
+                }
+                else
+                    SUP_DPRINTF(("supR3HardenedScreenImage/%s: WinVerifyTrust not available, rescheduling %ls\n",
+                                 pszCaller, pCacheHit->wszPath));
+            }
+            else
+                SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls [avoiding WinVerifyTrust]\n",
+                             pszCaller, pCacheHit->rc, pCacheHit->wszPath));
+        }
+        else
+            SUP_DPRINTF(("supR3HardenedScreenImage/%s: cache hit (%Rrc) on %ls%s\n",
+                         pszCaller, pCacheHit->rc, pCacheHit->wszPath, pCacheHit->fWinVerifyTrust ? "" : " [lacks WinVerifyTrust]"));
+
+        /* Return the cached value. */
         if (RT_SUCCESS(pCacheHit->rc))
         {
@@ -1256 +1349 @@
     int  rc;
     bool fWinVerifyTrust = false;
-    if (!pCacheHit)
-        rc = supHardenedWinVerifyImageByHandle(hMyFile, uBuf.UniStr.Buffer, fFlags, &fWinVerifyTrust, &ErrInfo);
-    else
-    {
-        rc = supHardenedWinVerifyImageTrust(hMyFile, uBuf.UniStr.Buffer, fFlags, pCacheHit->rc, &fWinVerifyTrust, &ErrInfo);
-        SUP_DPRINTF(("supR3HardenedScreenImage/%s: supHardenedWinVerifyImageTrust returns %d (was %d) fWinVerifyTrust=%d\n",
-                     pszCaller, rc, pCacheHit->rc, fWinVerifyTrust));
-    }
+    rc = supHardenedWinVerifyImageByHandle(hMyFile, uBuf.UniStr.Buffer, fFlags, &fWinVerifyTrust, &ErrInfo);
     if (RT_FAILURE(rc))
     {
@@ -1275 +1361 @@
 
     /*
-     * Insert or update the cache.
-     */
-    if (!pCacheHit)
-    {
-        if (hMyFile != hFile)
-            supR3HardenedWinVerifyCacheInsert(&uBuf.UniStr, hMyFile, rc, fWinVerifyTrust);
-    }
-    else
-    {
-        if (fWinVerifyTrust)
-            pCacheHit->fWinVerifyTrust = fWinVerifyTrust;
-        if (hMyFile != hFile)
-            NtClose(hMyFile);
-    }
+     * Insert into the cache.
+     */
+    if (hMyFile != hFile)
+        supR3HardenedWinVerifyCacheInsert(&uBuf.UniStr, hMyFile, rc, fWinVerifyTrust, fFlags);
 
     *pfCallRealApi = true;
@@ -1338 +1414 @@
     bool  fCallRealApi;
     //SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: scanning %ls\n", pwszName));
-    supR3HardenedScreenImage(hFile, false, &fAccess, &fProtect, &fCallRealApi, "preload");
+    supR3HardenedScreenImage(hFile, false, &fAccess, &fProtect, &fCallRealApi, "preload", false /*fAvoidWinVerifyTrust*/);
     //SUP_DPRINTF(("supR3HardenedWinVerifyCachePreload: done %ls\n", pwszName));
 
@@ -1375 +1451 @@
             bool fCallRealApi;
             //SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: 1\n"));
-            NTSTATUS rcNt = supR3HardenedScreenImage(hFile, fImage, &fAccess, &fProtect, &fCallRealApi, "NtCreateSection");
+            NTSTATUS rcNt = supR3HardenedScreenImage(hFile, fImage, &fAccess, &fProtect, &fCallRealApi,
+                                                     "NtCreateSection", true /*fAvoidWinVerifyTrust*/);
             //SUP_DPRINTF(("supR3HardenedMonitor_NtCreateSection: 2 rcNt=%#x fCallRealApi=%#x\n", rcNt, fCallRealApi));
 
@@ -1417 +1494 @@
 {
     DWORD dwSavedLastError = GetLastError();
+
+    /*
+     * Process WinVerifyTrust todo before and after.
+     */
+    supR3HardenedWinVerifyCacheProcessWvtTodos();
 
     /*
@@ -1559 +1641 @@
             ULONG fProtect = 0;
             bool  fCallRealApi = false;
-            rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, &fAccess, &fProtect, &fCallRealApi, "LdrLoadDll");
+            rcNt = supR3HardenedScreenImage(hFile, true /*fImage*/, &fAccess, &fProtect, &fCallRealApi,
+                                            "LdrLoadDll", false /*fAvoidWinVerifyTrust*/);
             NtClose(hFile);
             if (!NT_SUCCESS(rcNt))
@@ -1588 +1671 @@
     else
         SUP_DPRINTF(("supR3HardenedMonitor_LdrLoadDll: returns rcNt=%#x '%ls'\n", rcNt, wszPath));
+    supR3HardenedWinVerifyCacheProcessWvtTodos();
     SetLastError(dwSavedLastError);