// Copyright (c) 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "components/policy/core/common/preg_parser.h" #include #include #include #include #include #include #include #include #include #include "base/files/file_path.h" #include "base/files/memory_mapped_file.h" #include "base/logging.h" #include "base/macros.h" #include "base/memory/ptr_util.h" #include "base/strings/string16.h" #include "base/strings/string_split.h" #include "base/strings/string_util.h" #include "base/strings/stringprintf.h" #include "base/strings/utf_string_conversions.h" #include "base/sys_byteorder.h" #include "base/values.h" #include "components/policy/core/common/registry_dict.h" #if defined(OS_WIN) #include #else // Registry data type constants. #define REG_NONE 0 #define REG_SZ 1 #define REG_EXPAND_SZ 2 #define REG_BINARY 3 #define REG_DWORD_LITTLE_ENDIAN 4 #define REG_DWORD_BIG_ENDIAN 5 #define REG_LINK 6 #define REG_MULTI_SZ 7 #define REG_RESOURCE_LIST 8 #define REG_FULL_RESOURCE_DESCRIPTOR 9 #define REG_RESOURCE_REQUIREMENTS_LIST 10 #define REG_QWORD_LITTLE_ENDIAN 11 #endif using RegistryDict = policy::RegistryDict; namespace { // Maximum PReg file size we're willing to accept. const int64_t kMaxPRegFileSize = 1024 * 1024 * 16; static_assert(kMaxPRegFileSize <= std::numeric_limits::max(), "Max PReg file size too large."); // Maximum number of components in registry key names. This corresponds to the // maximum nesting level of RegistryDict trees. const size_t kMaxKeyNameComponents = 1024; // Constants for PReg file delimiters. const base::char16 kDelimBracketOpen = L'['; const base::char16 kDelimBracketClose = L']'; const base::char16 kDelimSemicolon = L';'; // Registry path separator. const base::char16 kRegistryPathSeparator[] = {L'\\', L'\0'}; // Magic strings for the PReg value field to trigger special actions. const char kActionTriggerPrefix[] = "**"; const char kActionTriggerDeleteValues[] = "deletevalues"; const char kActionTriggerDel[] = "del."; const char kActionTriggerDelVals[] = "delvals"; const char kActionTriggerDeleteKeys[] = "deletekeys"; const char kActionTriggerSecureKey[] = "securekey"; const char kActionTriggerSoft[] = "soft"; // Returns the character at |cursor| and increments it, unless the end is here // in which case -1 is returned. The calling code must guarantee that // end - *cursor does not overflow ptrdiff_t. int NextChar(const uint8_t** cursor, const uint8_t* end) { // Only read the character if a full base::char16 is available. // This comparison makes sure no overflow can happen. if (*cursor >= end || end - *cursor < static_cast(sizeof(base::char16))) return -1; int result = **cursor | (*(*cursor + 1) << 8); *cursor += sizeof(base::char16); return result; } // Reads a fixed-size field from a PReg file. The calling code must guarantee // that both end - *cursor and size do not overflow ptrdiff_t. bool ReadFieldBinary(const uint8_t** cursor, const uint8_t* end, uint32_t size, uint8_t* data) { if (size == 0) return true; // Be careful to prevent possible overflows here (don't do *cursor + size). if (*cursor >= end || end - *cursor < static_cast(size)) return false; const uint8_t* field_end = *cursor + size; std::copy(*cursor, field_end, data); *cursor = field_end; return true; } bool ReadField32(const uint8_t** cursor, const uint8_t* end, uint32_t* data) { uint32_t value = 0; if (!ReadFieldBinary(cursor, end, sizeof(uint32_t), reinterpret_cast(&value))) { return false; } *data = base::ByteSwapToLE32(value); return true; } // Reads a string field from a file. bool ReadFieldString(const uint8_t** cursor, const uint8_t* end, base::string16* str) { int current = -1; while ((current = NextChar(cursor, end)) > 0x0000) *str += current; return current == L'\0'; } // Converts the UTF16 |data| to an UTF8 string |value|. Returns false if the // resulting UTF8 string contains invalid characters. bool DecodePRegStringValue(const std::vector& data, std::string* value) { size_t len = data.size() / sizeof(base::char16); if (len <= 0) { value->clear(); return true; } const base::char16* chars = reinterpret_cast(data.data()); base::string16 utf16_str; std::transform(chars, chars + len - 1, std::back_inserter(utf16_str), base::ByteSwapToLE16); // Note: UTF16ToUTF8() only checks whether all chars are valid code points, // but not whether they're valid characters. IsStringUTF8(), however, does. *value = base::UTF16ToUTF8(utf16_str); if (!base::IsStringUTF8(*value)) { LOG(ERROR) << "String '" << *value << "' is not a valid UTF8 string"; value->clear(); return false; } return true; } // Decodes a value from a PReg file given as a uint8_t vector. bool DecodePRegValue(uint32_t type, const std::vector& data, std::unique_ptr* value) { std::string data_utf8; switch (type) { case REG_SZ: case REG_EXPAND_SZ: if (!DecodePRegStringValue(data, &data_utf8)) return false; value->reset(new base::Value(data_utf8)); return true; case REG_DWORD_LITTLE_ENDIAN: case REG_DWORD_BIG_ENDIAN: if (data.size() == sizeof(uint32_t)) { uint32_t val = *reinterpret_cast(data.data()); if (type == REG_DWORD_BIG_ENDIAN) val = base::NetToHost32(val); else val = base::ByteSwapToLE32(val); value->reset(new base::Value(static_cast(val))); return true; } else { LOG(ERROR) << "Bad data size " << data.size(); } break; case REG_NONE: case REG_LINK: case REG_MULTI_SZ: case REG_RESOURCE_LIST: case REG_FULL_RESOURCE_DESCRIPTOR: case REG_RESOURCE_REQUIREMENTS_LIST: case REG_QWORD_LITTLE_ENDIAN: default: LOG(ERROR) << "Unsupported registry data type " << type; } return false; } // Returns true if the registry key |key_name| belongs to the sub-tree specified // by the key |root|. bool KeyRootEquals(const base::string16& key_name, const base::string16& root) { if (root.empty()) return true; if (!base::StartsWith(key_name, root, base::CompareCase::INSENSITIVE_ASCII)) return false; // Handle the case where |root| == "ABC" and |key_name| == "ABCDE\FG". This // should not be interpreted as a match. return key_name.length() == root.length() || key_name.at(root.length()) == kRegistryPathSeparator[0]; } // Adds |value| and |data| to |dict| or an appropriate sub-dictionary indicated // by |key_name|. Creates sub-dictionaries if necessary. Also handles special // action triggers, see |kActionTrigger*|, that can, for instance, remove an // existing value. void HandleRecord(const base::string16& key_name, const base::string16& value, uint32_t type, const std::vector& data, RegistryDict* dict) { // Locate/create the dictionary to place the value in. std::vector path; std::vector key_name_components = base::SplitStringPiece(key_name, kRegistryPathSeparator, base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY); if (key_name_components.size() > kMaxKeyNameComponents) { LOG(ERROR) << "Encountered a key which has more than " << kMaxKeyNameComponents << " components."; return; } for (const base::StringPiece16& key_name_component : key_name_components) { if (key_name_component.empty()) continue; const std::string name = base::UTF16ToUTF8(key_name_component); RegistryDict* subdict = dict->GetKey(name); if (!subdict) { subdict = new RegistryDict(); dict->SetKey(name, base::WrapUnique(subdict)); } dict = subdict; } if (value.empty()) return; std::string value_name(base::UTF16ToUTF8(value)); if (!base::StartsWith(value_name, kActionTriggerPrefix, base::CompareCase::SENSITIVE)) { std::unique_ptr value; if (DecodePRegValue(type, data, &value)) dict->SetValue(value_name, std::move(value)); return; } std::string data_utf8; std::string action_trigger(base::ToLowerASCII( value_name.substr(arraysize(kActionTriggerPrefix) - 1))); if (action_trigger == kActionTriggerDeleteValues) { if (DecodePRegStringValue(data, &data_utf8)) { for (const std::string& value : base::SplitString(data_utf8, ";", base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY)) dict->RemoveValue(value); } } else if (base::StartsWith(action_trigger, kActionTriggerDeleteKeys, base::CompareCase::SENSITIVE)) { if (DecodePRegStringValue(data, &data_utf8)) { for (const std::string& key : base::SplitString(data_utf8, ";", base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY)) dict->RemoveKey(key); } } else if (base::StartsWith(action_trigger, kActionTriggerDel, base::CompareCase::SENSITIVE)) { dict->RemoveValue(value_name.substr(arraysize(kActionTriggerPrefix) - 1 + arraysize(kActionTriggerDel) - 1)); } else if (base::StartsWith(action_trigger, kActionTriggerDelVals, base::CompareCase::SENSITIVE)) { // Delete all values. dict->ClearValues(); } else if (base::StartsWith(action_trigger, kActionTriggerSecureKey, base::CompareCase::SENSITIVE) || base::StartsWith(action_trigger, kActionTriggerSoft, base::CompareCase::SENSITIVE)) { // Doesn't affect values. } else { LOG(ERROR) << "Bad action trigger " << value_name; } } } // namespace namespace policy { namespace preg_parser { const char kPRegFileHeader[8] = {'P', 'R', 'e', 'g', '\x01', '\x00', '\x00', '\x00'}; bool ReadFile(const base::FilePath& file_path, const base::string16& root, RegistryDict* dict, PolicyLoadStatusSampler* status) { base::MemoryMappedFile mapped_file; if (!mapped_file.Initialize(file_path) || !mapped_file.IsValid()) { PLOG(ERROR) << "Failed to map " << file_path.value(); status->Add(POLICY_LOAD_STATUS_READ_ERROR); return false; } return ReadDataInternal( mapped_file.data(), mapped_file.length(), root, dict, status, base::StringPrintf("file '%" PRIsFP "'", file_path.value().c_str())); } POLICY_EXPORT bool ReadDataInternal(const uint8_t* preg_data, size_t preg_data_size, const base::string16& root, RegistryDict* dict, PolicyLoadStatusSampler* status, const std::string& debug_name) { DCHECK(status); DCHECK(root.empty() || root.back() != kRegistryPathSeparator[0]); // Check data size. if (preg_data_size > kMaxPRegFileSize) { LOG(ERROR) << "PReg " << debug_name << " too large: " << preg_data_size; status->Add(POLICY_LOAD_STATUS_TOO_BIG); return false; } // Check the header. const int kHeaderSize = arraysize(kPRegFileHeader); if (!preg_data || preg_data_size < kHeaderSize || memcmp(kPRegFileHeader, preg_data, kHeaderSize) != 0) { LOG(ERROR) << "Bad PReg " << debug_name; status->Add(POLICY_LOAD_STATUS_PARSE_ERROR); return false; } // Parse data, which is expected to be UCS-2 and little-endian. The latter I // couldn't find documentation on, but the example I saw were all // little-endian. It'd be interesting to check on big-endian hardware. const uint8_t* cursor = preg_data + kHeaderSize; const uint8_t* end = preg_data + preg_data_size; while (true) { if (cursor == end) return true; if (NextChar(&cursor, end) != kDelimBracketOpen) break; // Read the record fields. base::string16 key_name; base::string16 value; uint32_t type = 0; uint32_t size = 0; std::vector data; if (!ReadFieldString(&cursor, end, &key_name)) break; int current = NextChar(&cursor, end); if (current == kDelimSemicolon) { if (!ReadFieldString(&cursor, end, &value)) break; current = NextChar(&cursor, end); } if (current == kDelimSemicolon) { if (!ReadField32(&cursor, end, &type)) break; current = NextChar(&cursor, end); } if (current == kDelimSemicolon) { if (!ReadField32(&cursor, end, &size)) break; current = NextChar(&cursor, end); } if (current == kDelimSemicolon) { if (size > kMaxPRegFileSize) break; data.resize(size); if (!ReadFieldBinary(&cursor, end, size, data.data())) break; current = NextChar(&cursor, end); } if (current != kDelimBracketClose) break; // Process the record if it is within the |root| subtree. if (KeyRootEquals(key_name, root)) HandleRecord(key_name.substr(root.size()), value, type, data, dict); } LOG(ERROR) << "Error parsing PReg " << debug_name << " at offset " << (reinterpret_cast(cursor - 1) - preg_data); status->Add(POLICY_LOAD_STATUS_PARSE_ERROR); return false; } } // namespace preg_parser } // namespace policy