windows: Enable heap terminate-on-corruption #17916

fanquake commented at 8:54 AM on January 13, 2020: member

This PR is currently two separate changes:

Enable heap terminate-on-corruption

This is default behavior from Windows 8 onwards, however we still support Windows 7, so it should make sense to explicitly enable this. This is also done by projects like tor, chromium etc.

Enables the terminate-on-corruption feature. If the heap manager detects an error in any heap used by the process, it calls the Windows Error Reporting service and terminates the process. After a process enables this feature, it cannot be disabled.

More info here.

Remove call to SetProcessDEPPolicy()

DEP is always enabled on 64-bit Windows processes, and SetProcessDEPPolicy() only works when called from a 32-bit process. I've tested that our current usage always fails (as expected) with ERROR_NOT_SUPPORTED.

Please don't add a "Needs gitian build" tag here yet.

windows: Enable heap terminate-on-corruption

This is default behavior from Windows 8 onwards, however we still support
Windows 7, so it should make sense to explicitly enable this.

More info:
https://docs.microsoft.com/en-us/windows/win32/api/heapapi/nf-heapapi-heapsetinformation

f2645c2601

windows: remove call to SetProcessDEPPolicy

SetProcessDEPPolicy() is only supported by 32-bit Windows processes. On 64-bit
Windows it fails with ERROR_NOT_SUPPORTED (DEP is always enabled on 64-bit).

More info:
https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-setprocessdeppolicy

3d5d7aad26

fanquake added the label Windows on Jan 13, 2020

fanquake added the label Needs Conceptual Review on Jan 13, 2020

laanwj commented at 9:02 AM on January 13, 2020: member

Concept ACK

sipsorcery commented at 9:09 AM on January 13, 2020: member

Setting HeapEnableTerminationOnCorruption seems like a sensible idea (trusting that it doesn't generate false positives like some of the debug memory monitoring tools).

But why remove the SetProcessDEPPolicy(PROCESS_DEP_ENABLE); call? It still has an effect on x86 builds. Or is this in anticipation of deprecating x86 support?

practicalswift commented at 12:58 PM on January 13, 2020: contributor

Concept ACK: enabling mitigations is good, ~~but it seems PROCESS_DEP_ENABLE should not be removed unless defined(_WIN64)?~~

Perhaps Chromium's ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) in win/src/process_mitigations.cc can serve as inspiration for our Windows mitigation strategies.

fanquake commented at 1:59 AM on January 14, 2020: member

But why remove the SetProcessDEPPolicy(PROCESS_DEP_ENABLE); call? It still has an effect on x86 builds. Or is this in anticipation of deprecating x86 support?

We stopped shipping 32-bit windows binaries as part of the 0.18.0 release, and have been removing windows 32-bit support from our build system (see #15939, #17756 etc).

can serve as inspiration for our Windows mitigation strategies.

Yep, as mentioned in the PR body, I have been looking at what other projects like tor, chromium etc are doing.

sipsorcery commented at 8:05 AM on January 14, 2020: member

ACK 3d5d7aad269c7afe7e36677d3e76c6579e1b8aba.

fanquake removed the label Needs Conceptual Review on Jan 15, 2020

fanquake commented at 3:59 AM on January 15, 2020: member

If anyone would like to test/verify these changes, here are a couple things you can look at.

Process Explorer

Using Process Explorer, you can inspect Bitcoin Core while it's running and check that DEP is enabled. In the "Image File" tab for the process, you are looking for DEP Status: Enabled (Permanent) along with ASLR: High Entropy, Bottom Up etc. Below is the output for the 0.17.1 32-bit, 0.19.0.1 (release binaries) and 0.19.99.0 (this PR, built using WSL).

0 17 1

0 19 0 1

this_Pr

dumpbin

You can use dumpbin to dump the header info for the Bitcoin Core executables. You are looking for the DLL Characteristics and NX compatible. For example

dumpbin /headers bitcoind.exe (0.17.1 32-bit)
...
             140 DLL characteristics
                   Dynamic base
                   NX compatible

dumpbin /headers bitcoind.exe (0.19.99.0 this PR)
...
             160 DLL characteristics
                   High Entropy Virtual Addresses
                   Dynamic base
                   NX compatible

Verify ERROR_NOT_SUPPORTED

You could also test that our current call to SetProcessDEPPolicy() fails with ERROR_NOT_SUPPORTED.

diff --git a/src/init.cpp b/src/init.cpp
index dc0f2ce05..cf7d6e89f 100644
--- a/src/init.cpp
+++ b/src/init.cpp
@@ -879,6 +879,8 @@ bool AppInitBasicSetup()
 #ifdef WIN32
     // Enable Data Execution Prevention (DEP)
     SetProcessDEPPolicy(PROCESS_DEP_ENABLE);
+    std::cout << "Failed to SetProcessDEPPolicy with: " << GetLastError() << "\n\n";
+    std::abort();
 #endif

laanwj commented at 7:55 PM on January 20, 2020: member

ACK 3d5d7aad269c7afe7e36677d3e76c6579e1b8aba

laanwj referenced this in commit 631df3ee87 on Jan 20, 2020

laanwj merged this on Jan 20, 2020

laanwj closed this on Jan 20, 2020

fanquake deleted the branch on Jan 20, 2020

sidhujag referenced this in commit 0f24363b2d on Jan 24, 2020

luke-jr referenced this in commit 1ba03d023c on Feb 9, 2020

MarkLTZ referenced this in commit 3ec6a5c547 on Apr 9, 2020

luke-jr referenced this in commit 30317158ac on Jun 9, 2020

sidhujag referenced this in commit 7043069d53 on Nov 10, 2020

luke-jr referenced this in commit fd8c075356 on Nov 17, 2020

luke-jr referenced this in commit 8aceb82b8b on Nov 25, 2020

luke-jr referenced this in commit 753db84f47 on Oct 6, 2021

DrahtBot locked this on Feb 15, 2022