blob: 16eb628dbbaa9c552937968a751ea527de1a02eb [file] [log] [blame]
// Copyright 2019 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// GoogleUpdateSetup.exe is the first exe that is run when chrome is being
// installed. It has two main jobs:
// 1) unpack the resources (possibly decompressing some)
// 2) run the real installer (updater.exe) with appropriate flags (--install).
// All files needed by the updater are archived together as an uncompressed
// LZMA file, which is further compressed as one file, and inserted as a
// binary resource in the resource section of the setup program.
#include "chrome/updater/win/installer/installer.h"
// #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036. See the
// "Community Additions" comment on MSDN here:
#define SystemFunction036 NTAPI SystemFunction036
#include <NTSecAPI.h>
#undef SystemFunction036
#include <sddl.h>
#include <shellapi.h>
#include <stddef.h>
#include <stdlib.h>
#include <initializer_list>
// TODO(sorin): remove the dependencies on //base/ to reduce the code size.
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/files/scoped_temp_dir.h"
#include "base/path_service.h"
#include "chrome/installer/util/lzma_util.h"
#include "chrome/installer/util/self_cleaning_temp_dir.h"
#include "chrome/installer/util/util_constants.h"
#include "chrome/updater/win/installer/configuration.h"
#include "chrome/updater/win/installer/installer_constants.h"
#include "chrome/updater/win/installer/pe_resource.h"
#include "chrome/updater/win/installer/regkey.h"
namespace updater {
namespace {
// Initializes |temp_path| to "Temp" within the target directory, and
// |unpack_path| to a random directory beginning with "source" within
// |temp_path|. Returns false on error.
bool CreateTemporaryAndUnpackDirectories(
installer::SelfCleaningTempDir* temp_path, base::FilePath* unpack_path) {
DCHECK(temp_path && unpack_path);
base::FilePath temp_dir;
if (!base::PathService::Get(base::DIR_TEMP, &temp_dir)) return false;
if (!temp_path->Initialize(temp_dir, kTempPrefix)) {
PLOG(ERROR) << "Could not create temporary path.";
return false;
VLOG(1) << "Created path " << temp_path->path().value();
if (!base::CreateTemporaryDirInDir(temp_path->path(), L"source",
unpack_path)) {
PLOG(ERROR) << "Could not create temporary path for unpacked archive.";
return false;
return true;
} // namespace
using PathString = StackString<MAX_PATH>;
// This structure passes data back and forth for the processing
// of resource callbacks.
struct Context {
// Input to the call back method. Specifies the dir to save resources into.
const wchar_t* base_path = nullptr;
// First output from call back method. Specifies the path of resource archive.
PathString* updater_resource_path = nullptr;
// Calls CreateProcess with good default parameters and waits for the process to
// terminate returning the process exit code. In case of CreateProcess failure,
// returns a results object with the provided codes as follows:
// - ERROR_FILE_NOT_FOUND: (file_not_found_code, attributes of setup.exe).
// - ERROR_PATH_NOT_FOUND: (path_not_found_code, attributes of setup.exe).
// - Otherwise: (generic_failure_code, CreateProcess error code).
// In case of error waiting for the process to exit, returns a results object
// with (WAIT_FOR_PROCESS_FAILED, last error code). Otherwise, returns a results
// object with the subprocess's exit code.
ProcessExitResult RunProcessAndWait(const wchar_t* exe_path, wchar_t* cmdline) {
STARTUPINFOW si = {sizeof(si)};
if (!::CreateProcess(exe_path, cmdline, nullptr, nullptr, FALSE,
CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi)) {
// Split specific failure modes. If the process couldn't be launched because
// its file/path couldn't be found, report its attributes in ExtraCode1.
// This will help diagnose the prevalence of launch failures due to Image
// File Execution Options tampering. See for more
// details.
const DWORD last_error = ::GetLastError();
const DWORD attributes = ::GetFileAttributes(exe_path);
switch (last_error) {
return ProcessExitResult(RUN_SETUP_FAILED_FILE_NOT_FOUND, attributes);
return ProcessExitResult(RUN_SETUP_FAILED_PATH_NOT_FOUND, attributes);
// Lump all other errors into a distinct failure bucket.
DWORD wr = ::WaitForSingleObject(pi.hProcess, INFINITE);
if (WAIT_OBJECT_0 != wr || !::GetExitCodeProcess(pi.hProcess, &exit_code)) {
// Note: We've assumed that WAIT_OBJCT_0 != wr means a failure. The call
// could return a different object but since we never spawn more than one
// sub-process at a time that case should never happen.
return ProcessExitResult(WAIT_FOR_PROCESS_FAILED, ::GetLastError());
return ProcessExitResult(exit_code);
// Windows defined callback used in the EnumResourceNames call. For each
// matching resource found, the callback is invoked and at this point we write
// it to disk. We expect resource names to start with the 'updater' prefix.
// Any other name is treated as an error.
BOOL CALLBACK OnResourceFound(HMODULE module, const wchar_t* type,
wchar_t* name, LONG_PTR context) {
Context* ctx = reinterpret_cast<Context*>(context);
if (!ctx) return FALSE;
if (!StrStartsWith(name, kUpdaterArchivePrefix)) return FALSE;
PEResource resource(name, type, module);
if (!resource.IsValid() || resource.Size() < 1) return FALSE;
PathString full_path;
if (!full_path.assign(ctx->base_path) || !full_path.append(name) ||
!resource.WriteToDisk(full_path.get())) {
return FALSE;
if (!ctx->updater_resource_path->assign(full_path.get())) return FALSE;
return TRUE;
// Finds and writes to disk resources of type 'B7' (7zip archive). Returns false
// if there is a problem in writing any resource to disk.
ProcessExitResult UnpackBinaryResources(const Configuration& configuration,
HMODULE module,
const wchar_t* base_path,
PathString* archive_path) {
// Prepare the input to OnResourceFound method that needs a location where
// it will write all the resources.
Context context = {base_path, archive_path};
// Get the resources of type 'B7' (7zip archive).
if (!::EnumResourceNames(module, kLZMAResourceType, OnResourceFound,
reinterpret_cast<LONG_PTR>(&context))) {
return ProcessExitResult(UNABLE_TO_EXTRACT_ARCHIVE, ::GetLastError());
if (archive_path->length() == 0)
return ProcessExitResult(UNABLE_TO_EXTRACT_ARCHIVE);
ProcessExitResult exit_code = ProcessExitResult(SUCCESS_EXIT_CODE);
return exit_code;
// Executes updater.exe, waits for it to finish and returns the exit code.
ProcessExitResult RunSetup(const Configuration& configuration,
const wchar_t* setup_path) {
PathString setup_exe;
if (*setup_path != L'\0') {
if (!setup_exe.assign(setup_path))
return ProcessExitResult(COMMAND_STRING_OVERFLOW);
CommandString cmd_line;
// Put the quoted path to setup.exe in cmd_line first.
if (!cmd_line.assign(L"\"") || !cmd_line.append(setup_exe.get()) ||
!cmd_line.append(L"\"")) {
return ProcessExitResult(COMMAND_STRING_OVERFLOW);
if (!cmd_line.append(L" --install --enable-logging --v=1"))
return ProcessExitResult(COMMAND_STRING_OVERFLOW);
return RunProcessAndWait(setup_exe.get(), cmd_line.get());
// Returns true if the supplied path supports ACLs.
bool IsAclSupportedForPath(const wchar_t* path) {
PathString volume;
DWORD flags = 0;
return ::GetVolumePathName(path, volume.get(),
static_cast<DWORD>(volume.capacity())) &&
::GetVolumeInformation(volume.get(), nullptr, 0, nullptr, nullptr,
&flags, nullptr, 0) &&
// Retrieves the SID of the default owner for objects created by this user
// token (accounting for different behavior under UAC elevation, etc.).
// NOTE: On success the |sid| parameter must be freed with LocalFree().
bool GetCurrentOwnerSid(wchar_t** sid) {
HANDLE token;
if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token))
return false;
DWORD size = 0;
bool result = false;
// We get the TokenOwner rather than the TokenUser because e.g. under UAC
// elevation we want the admin to own the directory rather than the user.
::GetTokenInformation(token, TokenOwner, nullptr, 0, &size);
if (size && GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
if (TOKEN_OWNER* owner =
reinterpret_cast<TOKEN_OWNER*>(::LocalAlloc(LPTR, size))) {
if (::GetTokenInformation(token, TokenOwner, owner, size, &size))
result = !!::ConvertSidToStringSid(owner->Owner, sid);
return result;
// Populates |sd| suitable for use when creating directories within |path| with
// ACLs allowing access to only the current owner, admin, and system.
// NOTE: On success the |sd| parameter must be freed with LocalFree().
bool SetSecurityDescriptor(const wchar_t* path, PSECURITY_DESCRIPTOR* sd) {
*sd = nullptr;
// We succeed without doing anything if ACLs aren't supported.
if (!IsAclSupportedForPath(path)) return true;
wchar_t* sid = nullptr;
if (!GetCurrentOwnerSid(&sid)) return false;
// The largest SID is under 200 characters, so 300 should give enough slack.
StackString<300> sddl;
bool result = sddl.append(
L"D:PAI" // Protected, auto-inherited DACL.
L"(A;;FA;;;BA)" // Admin: Full control.
L"(A;;FA;;;SY)" // System: Full control.
L"(A;OIIOCI;GA;;;CO)" // Owner: Full control.
L"(A;;FA;;;") &&
sddl.append(sid) && sddl.append(L")");
if (result) {
result = !!::ConvertStringSecurityDescriptorToSecurityDescriptor(
sddl.get(), SDDL_REVISION_1, sd, nullptr);
return result;
// Creates a temporary directory under |base_path| and returns the full path
// of created directory in |work_dir|. If successful return true, otherwise
// false. When successful, the returned |work_dir| will always have a trailing
// backslash and this function requires that |base_path| always includes a
// trailing backslash as well.
// We do not use GetTempFileName here to avoid running into AV software that
// might hold on to the temp file as soon as we create it and then we can't
// delete it and create a directory in its place. So, we use our own mechanism
// for creating a directory with a hopefully-unique name. In the case of a
// collision, we retry a few times with a new name before failing.
bool CreateWorkDir(const wchar_t* base_path, PathString* work_dir,
ProcessExitResult* exit_code) {
*exit_code = ProcessExitResult(PATH_STRING_OVERFLOW);
if (!work_dir->assign(base_path) || !work_dir->append(kTempPrefix))
return false;
// Store the location where we'll append the id.
size_t end = work_dir->length();
// Check if we'll have enough buffer space to continue.
// The name of the directory will use up 11 chars and then we need to append
// the trailing backslash and a terminator. We've already added the prefix
// to the buffer, so let's just make sure we've got enough space for the rest.
if ((work_dir->capacity() - end) < (_countof("fffff.tmp") + 1)) return false;
// Add an ACL if supported by the filesystem. Otherwise system-level installs
// are potentially vulnerable to file squatting attacks.
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
if (!SetSecurityDescriptor(base_path, &sa.lpSecurityDescriptor)) {
*exit_code =
ProcessExitResult(UNABLE_TO_SET_DIRECTORY_ACL, ::GetLastError());
return false;
unsigned int id;
*exit_code = ProcessExitResult(UNABLE_TO_GET_WORK_DIRECTORY);
for (int max_attempts = 10; max_attempts; --max_attempts) {
::RtlGenRandom(&id, sizeof(id)); // Try a different name.
// This converts 'id' to a string in the format "78563412" on windows
// because of little endianness, but we don't care since it's just
// a name. Since we checked capacity at the front end, we don't need to
// duplicate it here.
HexEncode(&id, sizeof(id), work_dir->get() + end,
work_dir->capacity() - end);
// We only want the first 5 digits to remain within the 8.3 file name
// format (compliant with previous implementation).
work_dir->truncate_at(end + 5);
// for consistency with the previous implementation which relied on
// GetTempFileName, we append the .tmp extension.
if (::CreateDirectory(work_dir->get(),
sa.lpSecurityDescriptor ? &sa : nullptr)) {
// Yay! Now let's just append the backslash and we're done.
*exit_code = ProcessExitResult(SUCCESS_EXIT_CODE);
if (sa.lpSecurityDescriptor) LocalFree(sa.lpSecurityDescriptor);
return exit_code->IsSuccess();
// Creates and returns a temporary directory in |work_dir| that can be used to
// extract updater payload. |work_dir| ends with a path separator.
bool GetWorkDir(HMODULE module, PathString* work_dir,
ProcessExitResult* exit_code) {
PathString base_path;
DWORD len =
::GetTempPath(static_cast<DWORD>(base_path.capacity()), base_path.get());
if (!len || len >= base_path.capacity() ||
!CreateWorkDir(base_path.get(), work_dir, exit_code)) {
// Problem creating the work dir under TEMP path, so try using the
// current directory as the base path.
len = ::GetModuleFileName(module, base_path.get(),
if (len >= base_path.capacity() || !len)
return false; // Can't even get current directory? Return an error.
wchar_t* name = GetNameFromPathExt(base_path.get(), len);
if (name == base_path.get())
return false; // There was no directory in the string! Bail out.
*name = L'\0';
*exit_code = ProcessExitResult(SUCCESS_EXIT_CODE);
return CreateWorkDir(base_path.get(), work_dir, exit_code);
return true;
// Returns true for ".." and "." directories.
bool IsCurrentOrParentDirectory(const wchar_t* dir) {
return dir && dir[0] == L'.' &&
(dir[1] == L'\0' || (dir[1] == L'.' && dir[2] == L'\0'));
ProcessExitResult WMain(HMODULE module) {
ProcessExitResult exit_code = ProcessExitResult(SUCCESS_EXIT_CODE);
// Parse configuration from the command line and resources.
Configuration configuration;
if (!configuration.Initialize(module))
return ProcessExitResult(GENERIC_INITIALIZATION_FAILURE, ::GetLastError());
// Exit early if an invalid switch was found on the command line.
if (configuration.has_invalid_switch())
return ProcessExitResult(INVALID_OPTION);
// First get a path where we can extract the resource payload, which is
// a compressed LZMA archive of a single file.
base::ScopedTempDir base_path_owner;
PathString base_path;
if (!GetWorkDir(module, &base_path, &exit_code)) return exit_code;
if (!base_path_owner.Set(base::FilePath(base_path.get()))) {
return ProcessExitResult(static_cast<DWORD>(installer::TEMP_DIR_FAILED));
PathString compressed_archive;
exit_code = UnpackBinaryResources(configuration, module, base_path.get(),
// Create a temp folder where the archives are unpacked.
base::FilePath unpack_path;
installer::SelfCleaningTempDir temp_path;
if (!CreateTemporaryAndUnpackDirectories(&temp_path, &unpack_path))
return ProcessExitResult(static_cast<DWORD>(installer::TEMP_DIR_FAILED));
// Unpack the compressed archive to extract the uncompressed archive file.
UnPackStatus unpack_status = UNPACK_NO_ERROR;
int32_t ntstatus = 0;
auto lzma_result =
UnPackArchive(base::FilePath(compressed_archive.get()), unpack_path,
nullptr, &unpack_status, &ntstatus);
if (lzma_result)
return ProcessExitResult(static_cast<DWORD>(installer::UNPACKING_FAILED));
// Unpack the uncompressed archive to extract the updater files.
base::FilePath uncompressed_archive =
lzma_result = UnPackArchive(uncompressed_archive, unpack_path, nullptr,
&unpack_status, &ntstatus);
if (lzma_result)
return ProcessExitResult(static_cast<DWORD>(installer::UNPACKING_FAILED));
// While unpacking the binaries, we paged in a whole bunch of memory that
// we don't need anymore. Let's give it back to the pool before running
// setup.
::SetProcessWorkingSetSize(::GetCurrentProcess(), static_cast<SIZE_T>(-1),
PathString setup_path;
if (!setup_path.assign(unpack_path.value().c_str()) ||
!setup_path.append(L"\\bin\\updater.exe")) {
exit_code = ProcessExitResult(PATH_STRING_OVERFLOW);
if (exit_code.IsSuccess())
exit_code = RunSetup(configuration, setup_path.get());
return exit_code;
} // namespace updater