From 78466ca3ae3a630d1dbe7126651286e69a1cac4f Mon Sep 17 00:00:00 2001 From: Derek Bruening Date: Mon, 7 Mar 2016 20:07:16 -0500 Subject: [PATCH] i#1898 legacy child: avoid crash and warn of missing child Avoids a crash for a legacy NtCreateProcess{,Ex} call on Vista+ by aborting on the attempt to inject at process creation time with no context and early injection disabled. Issues a warning, as we may miss the child -- which seems to be the case in certain instances on Windows 10 which need further investigation. Review-URL: https://codereview.appspot.com/292820043
---
core/win32/os.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/core/win32/os.c b/core/win32/os.c
index fad35576e8a..76aa8a17a98 100644
--- a/core/win32/os.c
+++ b/core/win32/os.c
@@ -3228,13 +3228,23 @@ maybe_inject_into_process(dcontext_t *dcontext, HANDLE process_handle,
 if (should_inject_into_process(dcontext, process_handle, &rununder_mask, &should_inject)) {
- injected = true; /* attempted, at least */
- ASSERT(cxt != NULL || DYNAMO_OPTION(early_inject));
- /* FIXME : if not -early_inject, we are going to read and write
- * to cxt, which may be unsafe */
- if (inject_into_process(dcontext, process_handle, cxt,
- should_inject)) {
- check_for_run_once(process_handle, rununder_mask);
+ if (cxt == NULL && !DYNAMO_OPTION(early_inject)) {
+ /* On Vista+ a legacy NtCreateProcess* syscall is being used, and
+ * without -early_inject and without a context we're forced to
+ * wait and assume NtCreateThread will be called later.
+ * FIXME i#1898: on win10 for heap crash handling we hit this, and
+ * we are currently missing the child.
+ */
+ SYSLOG_INTERNAL_WARNING("legacy process creation detected: may miss child");
+ } else {
+ injected = true; /* attempted, at least */
+ ASSERT(cxt != NULL || DYNAMO_OPTION(early_inject));
+ /* FIXME : if not -early_inject, we are going to read and write
+ * to cxt, which may be unsafe */
+ if (inject_into_process(dcontext, process_handle, cxt,
+ should_inject)) {
+ check_for_run_once(process_handle, rununder_mask);
+ }
 }
 }
 }
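Review bot: The new early branch lets a child that should_inject_into_process() said to instrument run with no injection at all, and the only signal is an internal warning; for any tool that relies on DR to observe or contain the child (sandboxing, fuzzing, tracing) that is a silent coverage gap, and if SYSLOG_INTERNAL_WARNING is compiled out of non-internal builds (I cannot confirm from this hunk) release users get no signal whatsoever. I would raise it to whichever release-visible syslog this file already uses and include the process identity so the miss can be triaged, e.g. `SYSLOG_INTERNAL_WARNING("legacy process creation detected for handle "PFX": may miss child (i#1898)", process_handle);` if the macro takes format arguments as the others in this file appear to. Also, with the new guard the kept `ASSERT(cxt != NULL || DYNAMO_OPTION(early_inject));` in the else arm is exactly the guard's negation and can never fire, so either drop it or reword the FIXME above it to say the else arm now relies on the guard rather than on the assert. maybe_inject_into_process begins outside the hunk, so I cannot see how the caller treats the false `injected` that this branch now returns.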