Skip to content

/rust

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable HeapEnableTerminationOnCorruption for all Windows Rust programs #56054

Closed
cpeterso opened this Issue Nov 19, 2018 · 2 comments

Comments

Assignees
No one assigned
Labels
A-security C-enhancement O-windows
Projects
None yet
Milestone
No milestone
4 participants
@cpeterso @pitdicker @jonas-schievink @csmoe
@cpeterso
Copy link
Contributor

cpeterso commented Nov 19, 2018
edited

To help protect against heap exploits and bugs in unsafe or third-party code, the Rust compiler should emit code to enable Windows' HeapEnableTerminationOnCorruption feature for all Windows Rust programs.

With HeapEnableTerminationOnCorruption enabled, if the Windows heap manager detects an error in any system heap used by the process, it terminates the process. After a process enables this feature, it cannot be disabled. This feature should not cause any compatibility problems for correct programs.

See MSDN for HeapSetInformation and HeapEnableTerminationOnCorruption:

https://docs.microsoft.com/en-us/windows/desktop/api/heapapi/nf-heapapi-heapsetinformation

Here is how Firefox enables HeapEnableTerminationOnCorruption for its processes:

https://searchfox.org/mozilla-central/rev/5117a4c4e29fcf80a627fecf899a62f117368abf/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc#60-67

https://searchfox.org/mozilla-central/rev/5117a4c4e29fcf80a627fecf899a62f117368abf/toolkit/xre/nsAppRunner.cpp#3912-3917

@csmoe csmoe added the O-windows label Nov 19, 2018

@jonas-schievink jonas-schievink added C-enhancement A-security labels Jan 27, 2019

@pitdicker

This comment has been minimized.

Sign in to view
Copy link
Contributor

pitdicker commented Feb 1, 2019

I took a stab at implementing this, by adding HeapSetInformation to std::rt::lang_start_internal. But it turned out to be already enabled by default. See https://blogs.msdn.microsoft.com/oldnewthing/20131227-00/?p=2243.

On 64-bit it is already always enabled. On 32-bit it also is when the subsystem major version is 6 or higher. Which is the default, and I am not sure this can be changed to something lower for Rust binaries. We only support the subsystems console and windows, and not setting a version.

Tested with this snippid:

extern crate libc;

fn main() {
    unsafe {
        let ptr = libc::malloc(80);
        libc::free(ptr);
        libc::free(ptr);
    }
}

with as result STATUS_HEAP_CORRUPTION for both 32- and 64-bit:

error: process didn't exit successfully: `target\i686-pc-windows-msvc\debug\windows_mitigations.exe` (exit code: 0xc0000374, STATUS_HEAP_CORRUPTION)

Seems like there is nothing to be done here?
@cpeterso

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

cpeterso commented Feb 1, 2019

Awesome! In that case, I'll close this issue then. Thanks for investigating.

@cpeterso cpeterso closed this Feb 1, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.