Reserve the bottom of the address space to prevent predictable alocations.

BUG=113891 

Review URL: http://codereview.chromium.org/9447078

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@123920 0039d316-1c4b-4281-b951-d872f2087c98

sandbox/src/target_process.cc

@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -39,6 +39,27 @@ void CopyPolicyToTarget(const void* source, size_t size, void* dest) {
   }
 }
 
+// Reserve a random range at the bottom of the address space in the target
+// process to prevent predictable alocations at low addresses.
+void PoisonLowerAddressRange(HANDLE process) {
+  unsigned int limit;
+  rand_s(&limit);
+  char* ptr = 0;
+  const size_t kMask64k = 0xFFFF;
+  // Random range (512k-4.5mb) in 64k steps.
+  const char* end = ptr + ((((limit % 4096) + 512) * 1024) & ~kMask64k);
+  while (ptr < end) {
+    MEMORY_BASIC_INFORMATION memory_info;
+    if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
+      break;
+    size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k,
+                           static_cast<SIZE_T>(end - ptr));
+    if (ptr && memory_info.State == MEM_FREE)
+      ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS);
+    ptr += size;
+  }
+}
+
 }
 
 namespace sandbox {
@@ -152,6 +173,8 @@ DWORD TargetProcess::Create(const wchar_t* exe_path,
     return ::GetLastError();
   }
 
+  PoisonLowerAddressRange(process_info.hProcess);
+
   DWORD win_result = ERROR_SUCCESS;
 
   // Assign the suspended target to the windows job object