Bug 1689398 p1: Add MITIGATION_CET_STRICT_MODE to chromium sandbox code. r=handyman

The patch for the chromium changes doesn't include the updates to
windows_version, because these are already in the release version of chromium
and so will be picked up when we next update.

Differential Revision: https://phabricator.services.mozilla.com/D103473

security/sandbox/chromium-shim/base/win/sdkdecls.h

@@ -301,6 +301,17 @@ DeriveAppContainerSidFromAppContainerName(
 #define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_OFF  (0x00000002ui64 << 16)
 #define PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_RESERVED    (0x00000003ui64 << 16)
 
+//
+// Define the user-mode shadow stack mitigation policy options.
+//
+
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_MASK                    (0x00000003ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_DEFER                   (0x00000000ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_ON               (0x00000001ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_OFF              (0x00000002ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_RESERVED                (0x00000003ui64 << 28)
+#define PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_STRICT_MODE             (0x00000003ui64 << 28)
+
 //
 // Define Attribute to disable creation of child process
 //
@@ -343,6 +354,15 @@ IsWow64Process2(
     _Out_opt_ USHORT* pNativeMachine
     );
 
+WINBASEAPI
+BOOL
+WINAPI
+IsUserCetAvailableInEnvironment(
+    _In_ DWORD UserCetEnvironment
+    );
+
+#define USER_CET_ENVIRONMENT_WIN32_PROCESS        0x00000000
+
 #endif // (_WIN32_WINNT < 0x0A00)
 
 #if defined(__MINGW32__)

security/sandbox/chromium-shim/patches/with_update/add_CET_STRICT_MODE.patch

@@ -0,0 +1,94 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1611849321 0
+#      Thu Jan 28 15:55:21 2021 +0000
+# Node ID c9195d88e6c67ef2c23c12e307bc16b94d696f50
+# Parent  37557864a6845bb8068904e44e8a7dd16746d211
+Bug 1689398 p1: Add MITIGATION_CET_STRICT_MODE to chromium sandbox code. r=handyman!
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
+--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
++++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
+@@ -80,16 +80,37 @@ bool IsRunning32bitEmulatedOnArm64() {
+   if (!retval)
+     return false;
+   if (native_machine == IMAGE_FILE_MACHINE_ARM64)
+     return true;
+ #endif  // defined(ARCH_CPU_X86)
+   return false;
+ }
+ 
++// Returns true if user-mode Hardware-enforced Stack Protection is available for
++// the Win32 environment.
++bool IsUserCetWin32Available() {
++  static bool cetAvailable = []() -> bool {
++    using IsUserCetAvailableInEnvironmentFunction =
++      decltype(&IsUserCetAvailableInEnvironment);
++
++    IsUserCetAvailableInEnvironmentFunction is_user_cet_available =
++        reinterpret_cast<IsUserCetAvailableInEnvironmentFunction>(
++            ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
++                             "IsUserCetAvailableInEnvironment"));
++    if (!is_user_cet_available) {
++      return false;
++    }
++
++    return is_user_cet_available(USER_CET_ENVIRONMENT_WIN32_PROCESS);
++  }();
++
++  return cetAvailable;
++}
++
+ }  // namespace
+ 
+ namespace sandbox {
+ 
+ bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) {
+   if (!CanSetProcessMitigationsPostStartup(flags))
+     return false;
+ 
+@@ -487,16 +508,25 @@ void ConvertProcessMitigationsToPolicy(M
+     //       the underlying hardware does not support the implementation.
+     //       Windows just does its best under the hood for the given hardware.
+     if (flags & MITIGATION_RESTRICT_INDIRECT_BRANCH_PREDICTION) {
+       *policy_value_2 |=
+           PROCESS_CREATION_MITIGATION_POLICY2_RESTRICT_INDIRECT_BRANCH_PREDICTION_ALWAYS_ON;
+     }
+   }
+ 
++  // Mitigations >= Win10 20H1
++  //----------------------------------------------------------------------------
++  if (version >= base::win::Version::WIN10_20H1) {
++    if (flags & MITIGATION_CET_STRICT_MODE && IsUserCetWin32Available()) {
++      *policy_value_2 |=
++          PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_STRICT_MODE;
++    }
++  }
++
+   // When done setting policy flags, sanity check supported policies on this
+   // machine, and then update |size|.
+ 
+   const ULONG64* supported = GetSupportedMitigations();
+ 
+   *policy_value_1 = *policy_value_1 & supported[0];
+   *policy_value_2 = *policy_value_2 & supported[1];
+ 
+diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h
+--- a/security/sandbox/chromium/sandbox/win/src/security_level.h
++++ b/security/sandbox/chromium/sandbox/win/src/security_level.h
+@@ -286,11 +286,15 @@ const MitigationFlags MITIGATION_RESTRIC
+ // Working down from the high bit to avoid conflict with new upstream flags.
+ 
+ // Disable Control Flow Guard. This may seem more like an anti-mitigation, but
+ // this flag allows code to make targeted changes to CFG to avoid bugs, while
+ // leaving it enabled in the common case. Corresponds to
+ // PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON.
+ const MitigationFlags MITIGATION_CONTROL_FLOW_GUARD_DISABLE = 0x80000000;
+ 
++// Corresponds to
++// PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_STRICT_MODE.
++const MitigationFlags MITIGATION_CET_STRICT_MODE = 0x40000000;
++
+ }  // namespace sandbox
+ 
+ #endif  // SANDBOX_SRC_SECURITY_LEVEL_H_

security/sandbox/chromium-shim/patches/with_update/patch_order.txt

@@ -26,3 +26,4 @@ remove_unused_functions_from_StrtodTrimmed.patch
 remove_extraneous_backslash_introduced_by_clang_tidy.patch
 remove_include_delayimp_h_from_pe_image_cc.patch
 lower_SDK_version_requirement.patch
+add_CET_STRICT_MODE.patch

security/sandbox/chromium/base/win/windows_version.cc

@@ -257,6 +257,8 @@ OSInfo::WOW64Status OSInfo::GetWOW64StatusForProcess(HANDLE process_handle) {
 // static
 Version OSInfo::MajorMinorBuildToVersion(int major, int minor, int build) {
   if (major == 10) {
+    if (build >= 19041)
+      return Version::WIN10_20H1;
     if (build >= 18362)
       return Version::WIN10_19H1;
     if (build >= 17763)

security/sandbox/chromium/base/win/windows_version.h

@@ -50,6 +50,7 @@ enum class Version {
   WIN10_RS4 = 12,   // Redstone 4: Version 1803, Build 17134.
   WIN10_RS5 = 13,   // Redstone 5: Version 1809, Build 17763.
   WIN10_19H1 = 14,  // 19H1: Version 1903, Build 18362.
+  WIN10_20H1 = 15,  // 20H1: Version 2004, Build 19041.
   // On edit, update tools\metrics\histograms\enums.xml "WindowsVersion" and
   // "GpuBlacklistFeatureTestResultsWindows2".
   WIN_LAST,  // Indicates error condition.

security/sandbox/chromium/sandbox/win/src/process_mitigations.cc

@@ -85,6 +85,27 @@ bool IsRunning32bitEmulatedOnArm64() {
   return false;
 }
 
+// Returns true if user-mode Hardware-enforced Stack Protection is available for
+// the Win32 environment.
+bool IsUserCetWin32Available() {
+  static bool cetAvailable = []() -> bool {
+    using IsUserCetAvailableInEnvironmentFunction =
+      decltype(&IsUserCetAvailableInEnvironment);
+
+    IsUserCetAvailableInEnvironmentFunction is_user_cet_available =
+        reinterpret_cast<IsUserCetAvailableInEnvironmentFunction>(
+            ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
+                             "IsUserCetAvailableInEnvironment"));
+    if (!is_user_cet_available) {
+      return false;
+    }
+
+    return is_user_cet_available(USER_CET_ENVIRONMENT_WIN32_PROCESS);
+  }();
+
+  return cetAvailable;
+}
+
 }  // namespace
 
 namespace sandbox {
@@ -492,6 +513,15 @@ void ConvertProcessMitigationsToPolicy(MitigationFlags flags,
     }
   }
 
+  // Mitigations >= Win10 20H1
+  //----------------------------------------------------------------------------
+  if (version >= base::win::Version::WIN10_20H1) {
+    if (flags & MITIGATION_CET_STRICT_MODE && IsUserCetWin32Available()) {
+      *policy_value_2 |=
+          PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_STRICT_MODE;
+    }
+  }
+
   // When done setting policy flags, sanity check supported policies on this
   // machine, and then update |size|.
 

security/sandbox/chromium/sandbox/win/src/security_level.h

@@ -291,6 +291,10 @@ const MitigationFlags MITIGATION_RESTRICT_INDIRECT_BRANCH_PREDICTION =
 // PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_ON.
 const MitigationFlags MITIGATION_CONTROL_FLOW_GUARD_DISABLE = 0x80000000;
 
+// Corresponds to
+// PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_STRICT_MODE.
+const MitigationFlags MITIGATION_CET_STRICT_MODE = 0x40000000;
+
 }  // namespace sandbox
 
 #endif  // SANDBOX_SRC_SECURITY_LEVEL_H_