Changeset 97024 in vbox for trunk/src/VBox/Main

Timestamp:

Oct 6, 2022 8:26:17 AM (2 years ago)

Author:

vboxsync

Message:

Main/glue: Applied the out-of-process restrictions to the IDLLHost interface (COM internal) as well. bugref:10294

File:

• trunk/src/VBox/Main/glue/initterm.cpp (modified) (4 diffs)

trunk/src/VBox/Main/glue/initterm.cpp

@@ -245 +245 @@
 
 /**
+ * Replacement function for the InvokeStub method for the IDLLHost stub.
+ */
+static HRESULT STDMETHODCALLTYPE
+DLLHost_InvokeStub(IRpcStubBuffer *pThis, RPCOLEMESSAGE *pMsg, IRpcChannelBuffer *pBuf) RT_NOTHROW_DEF
+{
+    /*
+     * Our mission here is to prevent remote calls to this interface as method #3
+     * contain a raw pointer an DllGetClassObject function.  There are only that
+     * method in addition to the IUnknown stuff, and it's ASSUMED that it's
+     * process internal only (cross apartment stuff).
+     */
+    uint32_t const iMethod = pMsg->iMethod & 0xffff; /* Uncertain, but there are hints that the upper bits are flags. */
+    HRESULT        hrc;
+    if (pMsg->rpcFlags & RPCFLG_LOCAL_CALL)
+        hrc = CStdStubBuffer_Invoke(pThis, pMsg, pBuf);
+    else
+    {
+        LogRel(("DLLHost_InvokeStub: Rejected call to CDLLHost::%s: rpcFlags=%#x cbBuffer=%#x dataRepresentation=%d buffer=%p:{%.*Rhxs} reserved1=%p reserved2={%p,%p,%p,%p,%p}\n",
+                pMsg->iMethod == 0 ? "QueryInterface" :
+                pMsg->iMethod == 1 ? "AddRef" :
+                pMsg->iMethod == 2 ? "ReleaseRef" :
+                pMsg->iMethod == 3 ? "DllGetClassObject" : "Unknown", pMsg->rpcFlags, pMsg->cbBuffer,
+                pMsg->dataRepresentation, pMsg->Buffer, RT_VALID_PTR(pMsg->Buffer) ? pMsg->cbBuffer : 0, pMsg->Buffer,
+                pMsg->reserved1, pMsg->reserved2[0], pMsg->reserved2[1], pMsg->reserved2[2], pMsg->reserved2[3], pMsg->reserved2[4]));
+        hrc = E_ACCESSDENIED;
+    }
+    return hrc;
+}
+
+/**
  * Replaces the IRundown InvokeStub method with Rundown_InvokeStub so we can
  * reject remote calls to a couple of misdesigned methods.
+ *
+ * Also replaces the IDLLHost for the same reasons.
  */
 void PatchComBugs(void)
@@ -283 +315 @@
      */
     static const IID s_IID_Rundown = {0x00000134,0x0000,0x0000,{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46}};
+    static const IID s_IID_DLLHost = {0x00000141,0x0000,0x0000,{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46}};
     decltype(CStdStubBuffer_Invoke) *pfnInvoke = (decltype(pfnInvoke))GetProcAddress(hmod, "CStdStubBuffer_Invoke");
     if (!pfnInvoke)
@@ -319 +352 @@
                             cAlreadyPatched++;
                     }
+                    else if (IsEqualIID(*piid, s_IID_DLLHost))
+                    {
+                        if (pCurStub->Vtbl.Invoke == pfnInvoke)
+                        {
+                            DWORD fOld = 0;
+                            if (VirtualProtect(&pCurStub->Vtbl.Invoke, sizeof(pCurStub->Vtbl.Invoke), PAGE_READWRITE, &fOld))
+                            {
+                                pCurStub->Vtbl.Invoke = DLLHost_InvokeStub;
+                                VirtualProtect(&pCurStub->Vtbl.Invoke, sizeof(pCurStub->Vtbl.Invoke), fOld, &fOld);
+                                cPatched++;
+                            }
+                            else
+                                AssertMsgFailed(("%d\n", GetLastError()));
+                        }
+                        else
+                            cAlreadyPatched++;
+                    }
                 }
             }
@@ -338 +388 @@
                         ("last error: %u; Rundown_InvokeStub=%p\n", GetLastError(), Rundown_InvokeStub));
     }
-    else
-        AssertLogRelMsg(cAlreadyPatched > 0, ("COM patching of IRundown failed!\n"));
+    AssertLogRelMsg(cAlreadyPatched + cPatched >= 2,
+                    ("COM patching of IRundown/IDLLHost failed! (%d+%d)\n", cAlreadyPatched, cPatched));
 }