https://scan.coverity.com/

It supports Windows via a manual upload method. You have to download their Win64 tools (which are 438mb!) and then manually upload compilation artifacts to their servers.

I'm screwing around with /analyze, and it's picked up a couple of issues for AppJailLauncher. This may cause crashes.

At lines 52, 53, and 57, in utils.cpp, you're dereferencing a pointer that might be NULL.

Pointer p is declared struct addrinfo *p = NULL, and assigned to in the for loop:

for (p = servinfo; p != NULL; p = p->ai_next) {

If the loop terminates because p == NULL, then you're dereferencing a NULL pointer here:

	LOG(
		"Socket bound on %s:%i\n",
		InetNtop(
			p->ai_family,
			(PVOID) &((struct sockaddr_in *) p->ai_addr)->sin_addr,
			szAddr,
			sizeof(szAddr) / sizeof(_TCHAR)
			),
		htons(((struct sockaddr_in *) p->ai_addr)->sin_port)
		);

Hi,

I tested under Win 8, 8.1 and 10. CreateProcess fails to create a process for binaries compiled with /DYNAMICBASE:NO and I can't figure out what flag can fix this...

"..\Documents\Visual Studio 2015\Projects\AppJailLauncher-master\Debug\AppJailLauncher.exe" /outbound /key:flag.txt /port:4141 /timeout:1000000000000 simple_echo_x64_NO_ASLR.exe
<> Do_LaunchServer entered.
<> Assertion success!
(WSAStartup(MAKEWORD(2, 2), &wsaData) == 0) succeeded.
<> ChildFilePath: simple_echo_x64_NO_ASLR.exe
<> KeyFilePath: flag.txt
<> ServerPort: 4141
<> ChildTimeout: -1 seconds
<> NetworkEnabled: True
<> Trying to create a new AppContainer profile "simple_echo_x64_NO_ASLR.exe".
<> Profile "simple_echo_x64_NO_ASLR.exe" already exists. Retrieving SID from existing profile.
<> Assertion success!
(SUCCEEDED(DeriveAppContainerSidFromAppContainerName( pszAppContainerName, &pSid ))) succeeded.
<> AppContainer profile SID obtained.
<> Assertion success!
(GetFullPathName( pszKeyFilePath, cbFullKeyPath, pszFullKeyPath, &pszKeyFileSpec ) > 0) succeeded.
<> Assertion success!
(PathRemoveFileSpec(pszCurrentDirectory)) succeeded.
<> KeyFilePath: \Downloads\flag.txt
<> KeyCurrentDirectory: \Downloads
<> Entering Utils_AddOrRemoveAceOnFileAcl...IsRemoveOperation=0
<> Retrieving SECURITY_DESCRIPTOR for \Downloads...
<> Assertion success!
(GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, NULL, 0, &DescSize ) == 0) succeeded.
<> SECURITY_DESCRIPTOR size is 348
<> Allocating memory for new security descriptor
<> Assertion success!
(GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, pOldDesc, DescSize, &DescSize ) != 0) succeeded.
<> SECURITY_DESCRIPTOR is at 007BF120
<> Assertion success!
(InitializeSecurityDescriptor( &NewDesc, SECURITY_DESCRIPTOR_REVISION )) succeeded.
<> New SECURITY_DESCRIPTOR is initialized
<> Obtaining DACL from SECURITY_DESCRIPTOR...
<> Assertion success!
(GetSecurityDescriptorDacl( pOldDesc, &DaclPresent, &pOldDacl, &DaclDefaulted )) succeeded.
<> DACL at 007BF134 and is present.
<> Assertion success!
(GetAclInformation( pOldDacl, &AclInfo, sizeof(AclInfo), AclSizeInformation )) succeeded.
<> Allocating 376 bytes for new DACL
<> Assertion success!
(InitializeAcl( pNewDacl, cbNewDacl, ACL_REVISION )) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Adding ACE into key parent directory's ACL failed because ACE already exists.
<> Entering Utils_AddOrRemoveAceOnFileAcl...IsRemoveOperation=0
<> Retrieving SECURITY_DESCRIPTOR for \Downloads\flag.txt...
<> Assertion success!
(GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, NULL, 0, &DescSize ) == 0) succeeded.
<> SECURITY_DESCRIPTOR size is 348
<> Allocating memory for new security descriptor
<> Assertion success!
(GetFileSecurity( pszFilePath, DACL_SECURITY_INFORMATION, pOldDesc, DescSize, &DescSize ) != 0) succeeded.
<> SECURITY_DESCRIPTOR is at 007BF120
<> Assertion success!
(InitializeSecurityDescriptor( &NewDesc, SECURITY_DESCRIPTOR_REVISION )) succeeded.
<> New SECURITY_DESCRIPTOR is initialized
<> Obtaining DACL from SECURITY_DESCRIPTOR...
<> Assertion success!
(GetSecurityDescriptorDacl( pOldDesc, &DaclPresent, &pOldDacl, &DaclDefaulted )) succeeded.
<> DACL at 007BF134 and is present.
<> Assertion success!
(GetAclInformation( pOldDacl, &AclInfo, sizeof(AclInfo), AclSizeInformation )) succeeded.
<> Allocating 376 bytes for new DACL
<> Assertion success!
(InitializeAcl( pNewDacl, cbNewDacl, ACL_REVISION )) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Assertion success!
(AddAce(pNewDacl, ACL_REVISION, MAXDWORD, pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) succeeded.
<> Assertion success!
(GetAce(pOldDacl, i, &pTempAce)) succeeded.
<> Adding ACE into key's ACL failed because ACE already exists.
<> Network access is enabled in child process.
<> Creating job object for limiting processing time.
<> Trying to create a new job object with timeout of -1 seconds.
<> Assertion success!
(hJob != INVALID_HANDLE_VALUE) succeeded.
<> New job object created with handle 000002E0
<> Setting job object information.
<> Assertion success!
(SetInformationJobObject( hJob, JobObjectBasicLimitInformation, &bli, sizeof(bli) )) succeeded.
<> Job information set.
<> Creating and listening on new socket on port 4141.
<> Assertion success!
(getaddrinfo(NULL, szPort, &hints, &servinfo) == 0) succeeded.
<> Assertion success!
(setsockopt( s, SOL_SOCKET, SO_REUSEADDR, (const char ) &yes, sizeof(yes) ) == 0) succeeded.
<> Socket bound on 0.0.0.0:4141
<> Listening for new connections...
<> Setting listening socket to not inheritable.
<> Assertion success!
(SetHandleInformation( (HANDLE)serverSocket, HANDLE_FLAG_INHERIT, 0)) succeeded.
<> Creating WSA events.
<> Assertion success!
(hAcceptEvent != WSA_INVALID_EVENT) succeeded.
<> Assertion success!
(g_hQuitListenEvent != WSA_INVALID_EVENT) succeeded.
<> Setting WSAEventSelect.
<> Assertion success!
(WSAEventSelect( serverSocket, hAcceptEvent, FD_ACCEPT ) != SOCKET_ERROR) succeeded.
<> Installing Ctrl-C handler.
<> Assertion success!
(SetConsoleCtrlHandler(HandleCtrlCPress, TRUE)) succeeded.
Listening for incoming connections on port 4141...
<> Sensed new client connection.
Client connection from 10.10.225.170 accepted.
<> pszCapabilities is not NULL, counting items.
<> Found 1 capabilities.
<> Creating capabilities attribute list for 1 capabilities.
<> Assertion success!
(ConvertStringSidToSid(pszCapabilities[i], &pSid)) succeeded.
<> Assertion success!
(!InitializeProcThreadAttributeList( NULL, 1, 0, &dwAttributeListSize )) succeeded.
<> Allocating memory for AttributeList (32 bytes)
<> Initializing AttributeList at 0x 007A78B0
<> Assertion success!
(InitializeProcThreadAttributeList( AttributeList, 1, 0, &dwAttributeListSize )) succeeded.
<> Updating AttributeList with security capabilities.
<> Assertion success!
(UpdateProcThreadAttribute( AttributeList, 0, PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES, &SecurityCapabilities, sizeof(SecurityCapabilities), NULL, NULL)) succeeded.
<> si.StartupInfo.cb = 72
<> Redirecting STDIN/STDOUT/STDERR of the new application.
<> Copying pszChildFilePath to pszCommandLine.
<> Launching new process "simple_echo_x64_NO_ASLR.exe".
[\documents\visual studio 2015\projects\appjaillauncher-master\appjaillauncher\utils.cpp:542] <!>
Assertion failed. GetLastError() = 623
(CreateProcess( NULL, pszCommandLine, NULL, NULL, TRUE, dwCreationFlags, NULL, pszCurrentDirectory, (LPSTARTUPINFO) &si, &pi )) resolved to FALSE.
<> Failed to launch jailed process.
<> Sensed new client connection.
Client connection from 127.0.0.1 accepted.
<> pszCapabilities is not NULL, counting items.
<> Found 1 capabilities.
<> Creating capabilities attribute list for 1 capabilities.
<> Assertion success!
(ConvertStringSidToSid(pszCapabilities[i], &pSid)) succeeded.
<> Assertion success!
(!InitializeProcThreadAttributeList( NULL, 1, 0, &dwAttributeListSize )) succeeded.
<> Allocating memory for AttributeList (32 bytes)
<> Initializing AttributeList at 0x 007A78B0
<> Assertion success!
(InitializeProcThreadAttributeList( AttributeList, 1, 0, &dwAttributeListSize )) succeeded.
<> Updating AttributeList with security capabilities.
<> Assertion success!
(UpdateProcThreadAttribute( AttributeList, 0, PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES, &SecurityCapabilities, sizeof(SecurityCapabilities), NULL, NULL)) succeeded.
<> si.StartupInfo.cb = 72
<> Redirecting STDIN/STDOUT/STDERR of the new application.
<> Copying pszChildFilePath to pszCommandLine.
<> Launching new process "simple_echo_x64_NO_ASLR.exe".
[\documents\visual studio 2015\projects\appjaillauncher-master\appjaillauncher\utils.cpp:542] <!>
Assertion failed. GetLastError() = 623
(CreateProcess( NULL, pszCommandLine, NULL, NULL, TRUE, dwCreationFlags, NULL, pszCurrentDirectory, (LPSTARTUPINFO) &si, &pi )) resolved to FALSE.
<> Failed to launch jailed process.

Translated error message:
***** ERROR *****
simple_echo_x64_NO_ASLR.exe failed with error 623: {Illegal System DLL Relocation}
The system DLL %hs was relocated in memory. The application will not run properly.
The relocation occurred because the DLL %hs occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.

The sandboxed target binary is just a simple test that prints back input via fgets.

Thanks,

I'm screwing around with /analyze, and it's picked up a couple of issues for AppJailLauncher. This one is unlikely to cause any trouble, but it still violates the InetNtop API contract, and technically could cause a buffer overrun.

At line 419 in AppJailLauncher.cpp you call it with sizeof(clientIpAddr) for the StringBufSize parameter:

					InetNtop(
					((struct sockaddr_in *) &clientAddr)->sin_family,
					(PVOID)&((struct sockaddr_in *) &clientAddr)->sin_addr,
					clientIpAddr,
					sizeof(clientIpAddr)
					)

...where clientIpAddr is declared as _TCHAR clientIpAddr[64] ...and the docs for StringBufSize say:

StringBufSize [in]
On input, the length, in characters, of the buffer pointed to by the pStringBuf parameter.

...so all is fine if you're compiling for a target where sizeof(TCHAR) == 1), but not where it's a typedef wchar_t _TCHAR.

It's unlikely to cause any trouble because of this note in the docs:

pStringBuf [out]
A pointer to a buffer in which to store the NULL-terminated string representation of the IP address.
For an IPv4 address, this buffer should be large enough to hold at least 16 characters.
For an IPv6 address, this buffer should be large enough to hold at least 46 characters.

For now, the child process should have a mechanism to terminate itself after a specified amount of time.

I'm screwing around with /analyze, and it's picked up a couple of issues for AppJailLauncher. Good software development on your part means this bug won't cause any bad behavior, but you might be confused if you're debugging.

At line 344 in utils.cpp you check the return value of CreateJobObject against INVALID_HANDLE_VALUE:

	hJob = CreateJobObject(NULL, NULL);
	W32_ASSERT(hJob != INVALID_HANDLE_VALUE, Exit);
	LOG("New job object created with handle %016p\n", hJob);

...but the docs say CreateJobObject returns NULL on failure:

If the function fails, the return value is NULL. To get extended error information, call GetLastError.

When CreateJobObject fails and you don't catch it here, it's not a big deal, because SetInformationJobObject should also fail. Because you properly check that return value, CreateLimitProcessTimeJobObject then returns E_FAIL, and the program exits with -1.