Changeset 57501 in vbox

Timestamp:

Aug 22, 2015 7:15:54 PM (9 years ago)

Author:

vboxsync

Message:

VERR_SUP_VP_NOT_BUILD_CERT_IPE: Dump the certificates. This requires message box changes in TrustedError as it would easily grow to large otherwise.

Location:

trunk/src/VBox

Files:

• Frontends/VirtualBox/src/main.cpp (modified) (5 diffs)
• HostDrivers/Support/win/SUPDrv-win.cpp (modified) (1 diff)
• HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp (modified) (2 diffs)
• HostDrivers/Support/win/SUPR3HardenedMain-win.cpp (modified) (3 diffs)

trunk/src/VBox/Frontends/VirtualBox/src/main.cpp

@@ -43 +43 @@
 
 # include <iprt/buildconfig.h>
+# include <iprt/ctype.h>
 # include <iprt/initterm.h>
 # include <iprt/process.h>
@@ -625 +626 @@
 #else  /* VBOX_WITH_HARDENING */
 
+
+/**
+ * Special entrypoint used by the hardening code when something goes south.
+ *
+ * Display an error dialog to the user.
+ *
+ * @param   pszWhere    Indicates where the error occured.
+ * @param   enmWhat     Indicates what init operation was going on at the time.
+ * @param   rc          The VBox status code corresponding to the error.
+ * @param   pszMsgFmt   The message format string.
+ * @param   va          Format arguments.
+ */
 extern "C" DECLEXPORT(void) TrustedError(const char *pszWhere, SUPINITOP enmWhat, int rc, const char *pszMsgFmt, va_list va)
 {
@@ -630 +643 @@
     ShutUpAppKit();
 # endif /* RT_OS_DARWIN */
-
-    /* We have to create QApplication anyway just to show the only one error-message.
-     * This is a bit hackish as we don't have the argument vector handy. */
+    char szMsgBuf[_16K];
+
+    /*
+     * We have to create QApplication anyway just to show the only one error-message.
+     * This is a bit hackish as we don't have the argument vector handy.
+     */
     int argc = 0;
     char *argv[2] = { NULL, NULL };
     QApplication a(argc, &argv[0]);
 
-    /* Prepare the error-message: */
-    QString strTitle = QApplication::tr("VirtualBox - Error In %1").arg(pszWhere);
-
-    char szMsgBuf[1024];
+    /*
+     * The details starts off a properly formatted rc and where/what, we use
+     * the szMsgBuf for this, thus this have to come before the actual message
+     * formatting.
+     */
+    RTStrPrintf(szMsgBuf, sizeof(szMsgBuf),
+                "<!--EOM-->"
+                "where: %s\n"
+                "what:  %d\n"
+                "%Rra\n",
+                pszWhere, enmWhat, rc);
+    QString strDetails = szMsgBuf;
+
+    /*
+     * Format the error message. Take whatever comes after a double new line as
+     * something better off in the details section.
+     */
     RTStrPrintfV(szMsgBuf, sizeof(szMsgBuf), pszMsgFmt, va);
+
+    char *pszDetails = strstr(szMsgBuf, "\n\n");
+    if (pszDetails)
+    {
+        while (RT_C_IS_SPACE(*pszDetails))
+            *pszDetails++ = '\0';
+        if (*pszDetails)
+        {
+            strDetails += "\n";
+            strDetails += pszDetails;
+        }
+        RTStrStripR(szMsgBuf);
+    }
+
     QString strText = QApplication::tr("<html><b>%1 (rc=%2)</b><br/><br/>").arg(szMsgBuf).arg(rc);
     strText.replace(QString("\n"), QString("<br>"));
 
+    /*
+     * Append possibly helpful hints to the error message.
+     */
     switch (enmWhat)
     {
@@ -681 +727 @@
     strText += "</html>";
 
+
 # ifdef RT_OS_LINUX
-    /* We have to to make sure that we display the error-message
-     * after the parent displayed its own message. */
+    /*
+     * We have to to make sure that we display the error-message
+     * after the parent displayed its own message.
+     */
     sleep(2);
-# endif /* RT_OS_LINUX */
-
-    QMessageBox::critical(0 /* parent */, strTitle, strText,
-                          QMessageBox::Abort /* 1st button */, 0 /* 2nd button */);
+# endif
+
+    /*
+     * Create the message box and show it.
+     */
+    QString strTitle = QApplication::tr("VirtualBox - Error In %1").arg(pszWhere);
+    QIMessageBox msgBox(strTitle, strText, AlertIconType_Critical, AlertButton_Ok | AlertButtonOption_Default);
+    if (!strDetails.isEmpty())
+        msgBox.setDetailsText(strDetails);
+
+    msgBox.exec();
+
     qFatal("%s", strText.toUtf8().constData());
 }
@@ -694 +751 @@
 #endif /* VBOX_WITH_HARDENING */
 
+

trunk/src/VBox/HostDrivers/Support/win/SUPDrv-win.cpp

@@ -157 +157 @@
     uint32_t        cchErrorInfo;
     /** The error info. */
-    char            szErrorInfo[2048];
+    char            szErrorInfo[16384 - sizeof(RTLISTNODE) - sizeof(HANDLE)*2 - sizeof(uint64_t) - sizeof(uint32_t) - 0x20];
 } SUPDRVNTERRORINFO;
 /** Pointer to error info. */

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -921 +921 @@
 
 /**
- * @callback_method_impl{RTCRPKCS7VERIFYCERTCALLBACK,
+ * @callback_method_impl{FNRTDUMPPRINTFV, Formats into RTERRINFO. }
+ */
+static DECLCALLBACK(void) supHardNtViAsn1DumpToErrInfo(void *pvUser, const char *pszFormat, va_list va)
+{
+    PRTERRINFO pErrInfo = (PRTERRINFO)pvUser;
+    RTErrInfoAddV(pErrInfo, pErrInfo->rc, pszFormat, va);
+}
+
+
+/**
+ * @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
  * Standard code signing.  Use this for Microsoft SPC.}
  */
@@ -939 +949 @@
         if (RTCrX509Certificate_Compare(pCert, &g_BuildX509Cert) == 0) /* healthy paranoia */
             return VINF_SUCCESS;
-        return RTErrInfoSetF(pErrInfo, VERR_SUP_VP_NOT_BUILD_CERT_IPE, "Not valid kernel code signature.");
+        int rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_NOT_BUILD_CERT_IPE, "Not valid kernel code signature (fFlags=%#x).", fFlags);
+        if (pErrInfo)
+        {
+            RTErrInfoAdd(pErrInfo, rc, "\n\nExe cert:\n");
+            RTAsn1Dump(&pCert->SeqCore.Asn1Core, 0 /*fFlags*/, 0 /*uLevel*/, supHardNtViAsn1DumpToErrInfo, pErrInfo);
+            RTErrInfoAdd(pErrInfo, rc, "\n\nBuild cert:\n");
+            RTAsn1Dump(&g_BuildX509Cert.SeqCore.Asn1Core, 0 /*fFlags*/, 0 /*uLevel*/, supHardNtViAsn1DumpToErrInfo, pErrInfo);
+        }
+        return rc;
     }
 

trunk/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp

@@ -217 +217 @@
     char                        szWhere[80];
     /** Error message / path name string space. */
-    char                        szErrorMsg[4096];
+    char                        szErrorMsg[16384+1024];
 } SUPR3WINPROCPARAMS;
 
@@ -4365 +4365 @@
          * better chance resolving the issue.
          */
-        char szErrorInfo[_4K];
+        char szErrorInfo[16384];
         int rc = VERR_OPEN_FAILED;
         if (SUP_NT_STATUS_IS_VBOX(rcNt)) /* See VBoxDrvNtErr2NtStatus. */
@@ -4411 +4411 @@
                                   "NtCreateFile(%ls) failed: %Rrc (rcNt=%#x)%s", s_wszName, rc, rcNt,
                                   supR3HardenedWinReadErrorInfoDevice(szErrorInfo, sizeof(szErrorInfo),
-                                                                    "\nVBoxDrvStub error: "));
+                                                                      "\nVBoxDrvStub error: "));
         }
         else