Setup IPC pipes correctly on Windows

trailofbits · krx · Jul 18, 2017 · Jan 6, 2017 · Jan 6, 2017 · Jan 6, 2017
commit b91255fb5d75dde82183d447318c854d01a3cc42
diff --git a/include/libcgc_win.c b/include/libcgc_win.c
@@ -5,6 +5,7 @@
 #define WIN32_LEAN_AND_MEAN
 #include <windows.h>
 #include <stdio.h>
+#include <fcntl.h>
 
 #define MIN(a, b) (((a) < (b)) ? (a) : (b))
 #define MAX(a, b) (((a) < (b)) ? (b) : (a))
@@ -207,11 +208,57 @@ static void cgc_initialize_flag_page(void) {
     cgc_aes_get_bytes(cgc_internal_prng, PAGE_SIZE, flag_addr);
 }
 
+/**
+ * Helper to parse values out of the env
+ * All values are expected to be positive + nonzero
+ * Returns 0 on any error
+ */
+unsigned int cgc_getenv_uint(char *varname) {
+    char *val = getenv(varname);
+    if (val) {
+        int res = atoi(val);
+        if (res > 0) return res;
+    }
+    return 0;
+}
+
+// Up to 2 digits, should really never go past ~20 anyway
+#define MAX_IPC_PIPES 99
+#define MAX_NAME_LEN 8 // "PIPE_##\0"
+
+/**
+ * Initialize all the pipes necessary for IPC
+ */
+void cgc_init_ipc_pipes() {
+    char name_buf[MAX_NAME_LEN] = {0};
+    HANDLE pipe_hndl = NULL;
+    int pipe_fd = 0;
+
+    // Get the number of pipes we need to set up
+    int numpipes = cgc_getenv_uint("PIPE_COUNT");
+    if (numpipes > MAX_IPC_PIPES) numpipes = MAX_IPC_PIPES;
+
+    // Open all pipe HANDLEs in the correct fds
+    for (unsigned int i = 0; i < numpipes; ++i) {
+        // Get the next HANDLE from the env
+        snprintf(name_buf, MAX_NAME_LEN, "PIPE_%d", i);
+        pipe_hndl = (HANDLE) cgc_getenv_uint(name_buf);
+
+        if (pipe_hndl) {
+            // Assign the pipe to the correct fd
+            pipe_fd = _open_osfhandle(pipe_hndl, O_RDONLY | O_APPEND);
+            if (pipe_fd != 3 + i) { // First pipe is at fd 3
+                _dup2(pipe_fd, 3 + i);
+            }
+        }
+    }
+}
+
 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
-    if (fdwReason == DLL_PROCESS_ATTACH) {
-        // __attribute__((constructor))
+    if (fdwReason == DLL_PROCESS_ATTACH) { // __attribute__((constructor))
         setvbuf(stdout, NULL, _IONBF, 0);  // We *may* not need this, not sure yet
         cgc_initialize_flag_page();
+        cgc_init_ipc_pipes();
     }
     return TRUE;
 }
diff --git a/tools/challenge_runner.py b/tools/challenge_runner.py
@@ -31,6 +31,8 @@ def run(challenges, timeout, seed, logfunc):
     Returns:
         (list): all processes that were started
     """
+    cb_env = {'seed': seed}  # Environment variables for all challenges
+
     # This is the first fd after all of the challenges
     last_fd = 2 * len(challenges) + 3
 
@@ -58,9 +60,21 @@ def run(challenges, timeout, seed, logfunc):
             # Done with the temporary dup
             os.close(rpipe_tmp)
 
-    # Start all challenges
-    cb_env = {'seed': seed}
+        # None of the above file descriptors will actually be inherited on Windows
+        # Prepare the environment so libcgc can regenerate this setup
+        # with the inherited HANDLEs
+        if IS_WINDOWS:
+            import msvcrt
+
+            # Store the number of pipes that need to be set up
+            numpipes = len(challenges) * 2  # Pipe pair for each
+            cb_env['PIPE_COUNT'] = str(numpipes)
 
+            # Store the HANDLE for each of the pipes
+            for i in xrange(len(challenges) * 2):
+                cb_env['PIPE_{}'.format(i)] = str(msvcrt.get_osfhandle(3 + i))  # First pipe is at 3
+
+    # Start all challenges
     # Launch the main binary first
     mainchal, otherchals = challenges[0], challenges[1:]
     procs = [sp.Popen(mainchal, env=cb_env, stdin=sp.PIPE,
@@ -110,18 +124,18 @@ def chal_watcher(paths, procs, timeout, log):
     for path, proc in zip(paths, procs):
         pid, sig = proc.pid, abs(proc.returncode)
         if sig not in [None, 0, signal.SIGTERM]:
-            log('[DEBUG] pid: {}, sig: {}\n'.format(pid, sig))
+            log('[DEBUG] pid: {}, sig: {}'.format(pid, sig))
 
             # Attempt to get register values
             regs = get_core_dump_regs(path, pid, log)
             if regs is not None:
                 # If a core dump was generated, report this as a crash
                 # log('Process generated signal (pid: {}, signal: {}) - {}\n'.format(pid, sig, testpath))
-                log('Process generated signal (pid: {}, signal: {})\n'.format(pid, sig))
+                log('Process generated signal (pid: {}, signal: {})'.format(pid, sig))
 
                 # Report the register states
                 reg_str = ' '.join(['{}:{}'.format(reg, val) for reg, val in regs.iteritems()])
-                log('register states - {}\n'.format(reg_str))
+                log('register states - {}'.format(reg_str))
 
     # Final cleanup
     clean_cores(paths, procs)
@@ -175,7 +189,7 @@ def get_core_dump_regs(path, pid, log):
     ]
 
     if any(err in dbg_out for err in errs):
-        log('Core dump not found, are they enabled on your system?\n')
+        log('Core dump not found, are they enabled on your system?')
         return
 
     # Parse out registers/values