Closed Bug 1201205 Opened 4 years ago Closed 4 years ago

WindowsDllNopSpacePatcher should allow for different protection on the nop space than the function

Categories

(Core :: XPCOM, defect)

41 Branch
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla43
Tracking Status
firefox43 --- fixed

People

(Reporter: dmajor, Assigned: dmajor)

References

Details

Attachments

(2 files)

On my clang-cl build, TestDllInterceptor!rotatePayload begins on a new page (PAGE_EXECUTE_READ) and the dead zone preceding it is marked PAGE_READONLY.

When WindowsDllNopSpacePatcher::AddHook finishes, it tries to restore the original protection bits, but it thinks the entire region was originally read-only. This leads to an NX crash since we can no longer execute rotatePayload.

I propose that we use two different VirtualProtect calls, so we can restore the preceding region separately from the actual function.
Assignee: nobody → dmajor
Attachment #8656142 - Flags: review?(m_kato)
I should clarify that AddHook actually fails in my scenario, because the read-only dead zone does not contain NOP instructions. That is why it's OK to restore the read-only protection.
Attachment #8656142 - Flags: review?(m_kato) → review+
Attachment #8656143 - Flags: review?(m_kato) → review+
https://hg.mozilla.org/mozilla-central/rev/8caee6d458ec
https://hg.mozilla.org/mozilla-central/rev/7c9841d60ddc
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
You need to log in before you can comment on or make changes to this bug.