MEM_RESERVE regions are not accessible by ReadProcessMemory()

Sadly this code did not survive a collision with the real world. In probing for the environment block there's a MEM_COMMIT region followed directly by a MEM_RESERVE region (past the end of the environment block). Update region checker to correctly treat MEM_RESERVE as inaccessible. R=mark@chromium.org BUG=crashpad:20, crashpad:46, crashpad:59 Review URL: https://codereview.chromium.org/1370063005 .
2025-03-09 14:06:33 +00:00 · 2015-10-01 15:28:40 -07:00 · 2015-10-01 15:28:40 -07:00 · ccd5ec6404
commit ccd5ec6404
parent 23ab86bc19
2 changed files with 159 additions and 14 deletions
--- a/util/win/process_info.cc
+++ b/util/win/process_info.cc
@ -107,11 +107,10 @@ bool ReadStruct(HANDLE process, WinVMAddress at, T* into) {
  return true;
 }
-bool RegionIsInaccessible(const ProcessInfo::MemoryInfo& memory_info) {
+bool RegionIsAccessible(const ProcessInfo::MemoryInfo& memory_info) {
-  return memory_info.state == MEM_FREE ||
+  return memory_info.state == MEM_COMMIT &&
-         (memory_info.state == MEM_COMMIT &&
+         (memory_info.protect & PAGE_NOACCESS) == 0 &&
-          ((memory_info.protect & PAGE_NOACCESS) ||
+         (memory_info.protect & PAGE_GUARD) == 0;
           (memory_info.protect & PAGE_GUARD)));
 }
 }  // namespace
@ -468,7 +467,7 @@ std::vector<CheckedRange<WinVMAddress, WinVMSize>> GetReadableRangesOfMemoryMap(
  overlapping.erase(std::remove_if(overlapping.begin(),
                                   overlapping.end(),
                                   [](const ProcessInfo::MemoryInfo& mi) {
-                                     return RegionIsInaccessible(mi);
+                                     return !RegionIsAccessible(mi);
                                   }),
                    overlapping.end());
  if (overlapping.empty())
--- a/util/win/process_info_test.cc
+++ b/util/win/process_info_test.cc
@ -19,6 +19,7 @@
 #include <wchar.h>
 #include "base/files/file_path.h"
 #include "base/memory/scoped_ptr.h"
 #include "build/build_config.h"
 #include "gtest/gtest.h"
 #include "test/paths.h"
@ -228,7 +229,7 @@ TEST(ProcessInfo, AccessibleRangesOneInside) {
      GetReadableRangesOfMemoryMap(CheckedRange<WinVMAddress, WinVMSize>(2, 4),
                                   memory_info);
-  ASSERT_EQ(result.size(), 1u);
+  ASSERT_EQ(1u, result.size());
  EXPECT_EQ(2, result[0].base());
  EXPECT_EQ(4, result[0].size());
 }
@ -251,7 +252,7 @@ TEST(ProcessInfo, AccessibleRangesOneTruncatedSize) {
      GetReadableRangesOfMemoryMap(CheckedRange<WinVMAddress, WinVMSize>(5, 10),
                                   memory_info);
-  ASSERT_EQ(result.size(), 1u);
+  ASSERT_EQ(1u, result.size());
  EXPECT_EQ(5, result[0].base());
  EXPECT_EQ(5, result[0].size());
 }
@ -274,7 +275,80 @@ TEST(ProcessInfo, AccessibleRangesOneMovedStart) {
      GetReadableRangesOfMemoryMap(CheckedRange<WinVMAddress, WinVMSize>(5, 10),
                                   memory_info);
-  ASSERT_EQ(result.size(), 1u);
+  ASSERT_EQ(1u, result.size());
  EXPECT_EQ(10, result[0].base());
  EXPECT_EQ(5, result[0].size());
 }
 TEST(ProcessInfo, ReserveIsInaccessible) {
  std::vector<ProcessInfo::MemoryInfo> memory_info;
  MEMORY_BASIC_INFORMATION mbi = {0};
  mbi.BaseAddress = 0;
  mbi.RegionSize = 10;
  mbi.State = MEM_RESERVE;
  memory_info.push_back(ProcessInfo::MemoryInfo(mbi));
  mbi.BaseAddress = reinterpret_cast<void*>(10);
  mbi.RegionSize = 20;
  mbi.State = MEM_COMMIT;
  memory_info.push_back(ProcessInfo::MemoryInfo(mbi));
  std::vector<CheckedRange<WinVMAddress, WinVMSize>> result =
      GetReadableRangesOfMemoryMap(CheckedRange<WinVMAddress, WinVMSize>(5, 10),
                                   memory_info);
  ASSERT_EQ(1u, result.size());
  EXPECT_EQ(10, result[0].base());
  EXPECT_EQ(5, result[0].size());
 }
 TEST(ProcessInfo, PageGuardIsInaccessible) {
  std::vector<ProcessInfo::MemoryInfo> memory_info;
  MEMORY_BASIC_INFORMATION mbi = {0};
  mbi.BaseAddress = 0;
  mbi.RegionSize = 10;
  mbi.State = MEM_COMMIT;
  mbi.Protect = PAGE_GUARD;
  memory_info.push_back(ProcessInfo::MemoryInfo(mbi));
  mbi.BaseAddress = reinterpret_cast<void*>(10);
  mbi.RegionSize = 20;
  mbi.State = MEM_COMMIT;
  mbi.Protect = 0;
  memory_info.push_back(ProcessInfo::MemoryInfo(mbi));
  std::vector<CheckedRange<WinVMAddress, WinVMSize>> result =
      GetReadableRangesOfMemoryMap(CheckedRange<WinVMAddress, WinVMSize>(5, 10),
                                   memory_info);
  ASSERT_EQ(1u, result.size());
  EXPECT_EQ(10, result[0].base());
  EXPECT_EQ(5, result[0].size());
 }
 TEST(ProcessInfo, PageNoAccessIsInaccessible) {
  std::vector<ProcessInfo::MemoryInfo> memory_info;
  MEMORY_BASIC_INFORMATION mbi = {0};
  mbi.BaseAddress = 0;
  mbi.RegionSize = 10;
  mbi.State = MEM_COMMIT;
  mbi.Protect = PAGE_NOACCESS;
  memory_info.push_back(ProcessInfo::MemoryInfo(mbi));
  mbi.BaseAddress = reinterpret_cast<void*>(10);
  mbi.RegionSize = 20;
  mbi.State = MEM_COMMIT;
  mbi.Protect = 0;
  memory_info.push_back(ProcessInfo::MemoryInfo(mbi));
  std::vector<CheckedRange<WinVMAddress, WinVMSize>> result =
      GetReadableRangesOfMemoryMap(CheckedRange<WinVMAddress, WinVMSize>(5, 10),
                                   memory_info);
  ASSERT_EQ(1u, result.size());
  EXPECT_EQ(10, result[0].base());
  EXPECT_EQ(5, result[0].size());
 }
@ -295,14 +369,14 @@ TEST(ProcessInfo, AccessibleRangesCoalesced) {
  mbi.BaseAddress = reinterpret_cast<void*>(12);
  mbi.RegionSize = 5;
-  mbi.State = MEM_RESERVE;
+  mbi.State = MEM_COMMIT;
  memory_info.push_back(ProcessInfo::MemoryInfo(mbi));
  std::vector<CheckedRange<WinVMAddress, WinVMSize>> result =
      GetReadableRangesOfMemoryMap(CheckedRange<WinVMAddress, WinVMSize>(11, 4),
                                   memory_info);
-  ASSERT_EQ(result.size(), 1u);
+  ASSERT_EQ(1u, result.size());
  EXPECT_EQ(11, result[0].base());
  EXPECT_EQ(4, result[0].size());
 }
@ -330,7 +404,7 @@ TEST(ProcessInfo, AccessibleRangesMiddleUnavailable) {
      GetReadableRangesOfMemoryMap(CheckedRange<WinVMAddress, WinVMSize>(5, 45),
                                   memory_info);
-  ASSERT_EQ(result.size(), 2u);
+  ASSERT_EQ(2u, result.size());
  EXPECT_EQ(5, result[0].base());
  EXPECT_EQ(5, result[0].size());
  EXPECT_EQ(15, result[1].base());
@ -350,7 +424,7 @@ TEST(ProcessInfo, RequestedBeforeMap) {
      GetReadableRangesOfMemoryMap(CheckedRange<WinVMAddress, WinVMSize>(5, 10),
                                   memory_info);
-  ASSERT_EQ(result.size(), 1u);
+  ASSERT_EQ(1u, result.size());
  EXPECT_EQ(10, result[0].base());
  EXPECT_EQ(5, result[0].size());
 }
@ -368,11 +442,83 @@ TEST(ProcessInfo, RequestedAfterMap) {
      GetReadableRangesOfMemoryMap(
          CheckedRange<WinVMAddress, WinVMSize>(15, 100), memory_info);
-  ASSERT_EQ(result.size(), 1u);
+  ASSERT_EQ(1u, result.size());
  EXPECT_EQ(15, result[0].base());
  EXPECT_EQ(5, result[0].size());
 }
 TEST(ProcessInfo, ReadableRanges) {
  SYSTEM_INFO system_info;
  GetSystemInfo(&system_info);
  const size_t kBlockSize = system_info.dwPageSize;
  // Allocate 6 pages, and then commit the second, fourth, and fifth, and mark
  // two as committed, but PAGE_NOACCESS, so we have a setup like this:
  // 0       1       2       3       4       5
  // +-----------------------------------------------+
  // | ????? |       | xxxxx |       |       | ????? |
  // +-----------------------------------------------+
  void* reserve_region =
      VirtualAlloc(nullptr, kBlockSize * 6, MEM_RESERVE, PAGE_READWRITE);
  ASSERT_TRUE(reserve_region);
  uintptr_t reserved_as_int = reinterpret_cast<uintptr_t>(reserve_region);
  void* readable1 =
      VirtualAlloc(reinterpret_cast<void*>(reserved_as_int + kBlockSize),
                   kBlockSize,
                   MEM_COMMIT,
                   PAGE_READWRITE);
  ASSERT_TRUE(readable1);
  void* readable2 =
      VirtualAlloc(reinterpret_cast<void*>(reserved_as_int + (kBlockSize * 3)),
                   kBlockSize * 2,
                   MEM_COMMIT,
                   PAGE_READWRITE);
  ASSERT_TRUE(readable2);
  void* no_access =
      VirtualAlloc(reinterpret_cast<void*>(reserved_as_int + (kBlockSize * 2)),
                   kBlockSize,
                   MEM_COMMIT,
                   PAGE_NOACCESS);
  ASSERT_TRUE(no_access);
  HANDLE current_process = GetCurrentProcess();
  ProcessInfo info;
  info.Initialize(current_process);
  auto ranges = info.GetReadableRanges(
      CheckedRange<WinVMAddress, WinVMSize>(reserved_as_int, kBlockSize * 6));
  ASSERT_EQ(2u, ranges.size());
  EXPECT_EQ(reserved_as_int + kBlockSize, ranges[0].base());
  EXPECT_EQ(kBlockSize, ranges[0].size());
  EXPECT_EQ(reserved_as_int + (kBlockSize * 3), ranges[1].base());
  EXPECT_EQ(kBlockSize * 2, ranges[1].size());
  // Also make sure what we think we can read corresponds with what we can
  // actually read.
  scoped_ptr<unsigned char[]> into(new unsigned char[kBlockSize * 6]);
  SIZE_T bytes_read;
  EXPECT_TRUE(ReadProcessMemory(
      current_process, readable1, into.get(), kBlockSize, &bytes_read));
  EXPECT_EQ(kBlockSize, bytes_read);
  EXPECT_TRUE(ReadProcessMemory(
      current_process, readable2, into.get(), kBlockSize * 2, &bytes_read));
  EXPECT_EQ(kBlockSize * 2, bytes_read);
  EXPECT_FALSE(ReadProcessMemory(
      current_process, no_access, into.get(), kBlockSize, &bytes_read));
  EXPECT_FALSE(ReadProcessMemory(
      current_process, reserve_region, into.get(), kBlockSize, &bytes_read));
  EXPECT_FALSE(ReadProcessMemory(current_process,
                                 reserve_region,
                                 into.get(),
                                 kBlockSize * 6,
                                 &bytes_read));
 }
 }  // namespace
 }  // namespace test
 }  // namespace crashpad