Bug 1956398 - Avoid duplicating pseudo-handles in ipc_channel_win.cc. r=nika a=dmeehan

Differential Revision: https://phabricator.services.mozilla.com/D243189

Bug 1956398 - Avoid duplicating pseudo-handles in ipc_channel_win.cc. r=nika a=dmeehan
dbc65808 · Yannis Juglaret · aa7b351b · dbc65808
Commit dbc65808 authored 5 months ago by Yannis Juglaret
--- a/ipc/chromium/src/chrome/common/ipc_channel_win.cc
+++ b/ipc/chromium/src/chrome/common/ipc_channel_win.cc
@@ -27,6 +27,34 @@

 using namespace mozilla::ipc;

+namespace {
+
+// This logic is borrowed from Chromium's `base/win/win_util.h`. It allows us
+// to distinguish pseudo-handle values, such as returned by GetCurrentProcess()
+// (-1), GetCurrentThread() (-2), and potentially more. The code there claims
+// that fuzzers have found issues up until -12 with DuplicateHandle.
+//
+// https://source.chromium.org/chromium/chromium/src/+/36dbbf38697dd1e23ef8944bb9e57f6e0b3d41ec:base/win/win_util.h
+inline bool IsPseudoHandle(HANDLE handle) {
+  auto handleValue = static_cast<int32_t>(reinterpret_cast<uintptr_t>(handle));
+  return -12 <= handleValue && handleValue < 0;
+}
+
+// A real handle is a handle that is not a pseudo-handle. Always preferably use
+// this variant over ::DuplicateHandle. Only use stock ::DuplicateHandle if you
+// explicitly need the ability to duplicate a pseudo-handle.
+inline bool DuplicateRealHandle(HANDLE source_process, HANDLE source_handle,
+                                HANDLE target_process, LPHANDLE target_handle,
+                                DWORD desired_access, BOOL inherit_handle,
+                                DWORD options) {
+  MOZ_RELEASE_ASSERT(!IsPseudoHandle(source_handle));
+  return static_cast<bool>(::DuplicateHandle(
+      source_process, source_handle, target_process, target_handle,
+      desired_access, inherit_handle, options));
+}
+
+}  // namespace
+
 namespace IPC {
 //------------------------------------------------------------------------------

@@ -732,8 +760,8 @@ bool Channel::ChannelImpl::AcceptHandles(Message& msg) {
        CHROMIUM_LOG(ERROR) << "other_process_ is invalid in AcceptHandles";
        return false;
      }
-      if (!::DuplicateHandle(other_process_, handle, GetCurrentProcess(),
-                             &handle, 0, FALSE,
+      if (!::DuplicateRealHandle(
+              other_process_, handle, GetCurrentProcess(), &handle, 0, FALSE,
              DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE)) {
        CHROMIUM_LOG(ERROR) << "DuplicateHandle failed for handle " << handle
                            << " in AcceptHandles";
@@ -787,8 +815,8 @@ bool Channel::ChannelImpl::TransferHandles(Message& msg) {
        CHROMIUM_LOG(ERROR) << "other_process_ is invalid in TransferHandles";
        return false;
      }
-      if (!::DuplicateHandle(GetCurrentProcess(), handle, other_process_,
-                             &handle, 0, FALSE,
+      if (!::DuplicateRealHandle(
+              GetCurrentProcess(), handle, other_process_, &handle, 0, FALSE,
              DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE)) {
        CHROMIUM_LOG(ERROR) << "DuplicateHandle failed for handle " << handle
                            << " in TransferHandles";