Closed Bug 1240589 Opened 4 years ago Closed 4 years ago

Import Chromium's upstream rand_util_win.cc to avoid rand_s() crash

Categories

(Core :: IPC, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla46
Tracking Status
firefox43 --- wontfix
firefox44 --- wontfix
firefox45 --- fixed
firefox46 --- fixed

People

(Reporter: cpeterson, Assigned: cpeterson)

References

Details

(Keywords: crash)

Attachments

(1 file)

Bug 1167248 has the long backstory, but the short story is the Windows' rand_s() can crash when some bad third-party software injects advapi32.dll hooks and Firefox has been built with VS2013. rand_s() just loads advapi32.dll and calls RtlGenRandom(). Instead we can just call RtlGenRandom() ourselves. Chrome did this with https://crbug.com/348400 and we did this in SpiderMonkey with bug 1167248.

bp-a74be01f-edd6-432f-a19f-eae272160108 is one example of a crash in ipc/chromium's call to rand_s(). This patch imports the latest snapshot of Chromium's rand_util_win.cc, which no longer calls rand_s(), and copies the RandBytes() function prototype from rand_util.h.

https://chromium.googlesource.com/chromium/src.git/+/8c37218a4cfa8725c0617db940f2d90b844f5023
Attachment #8709147 - Flags: review?(jld)
Assignee: nobody → cpeterson
Comment on attachment 8709147 [details] [diff] [review]
import-RtlGenRandom-fix.patch

Review of attachment 8709147 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.
Attachment #8709147 - Flags: review?(jld) → review+
Thanks, Jed!

Because this will fix some crashes seen in the field, I will ask for uplift after this change baked on Nightly for a couple days.
https://hg.mozilla.org/mozilla-central/rev/a5abb03da5a4
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Comment on attachment 8709147 [details] [diff] [review]
import-RtlGenRandom-fix.patch

Approval Request Comment

I fixed this crash in Nightly 46. I'd like to uplift this fix to 45, wherever that may be: Aurora 45 or Beta 45. :)

[Feature/regressing bug #]: None

[User impact if declined]: There were only 6 instances of this crash in the last 28 days, possibly from just 2 users. It is admittedly a very low frequency crash.

https://crash-stats.mozilla.com/report/list?product=Firefox&range_unit=days&range_value=28&signature=invalid_parameter_noinfo+|+rand_s#tab-reports

[Describe test coverage new/current, TreeHerder]: This patch has been baking on Nightly for 3 days. This crash happens in our mozilla-central fork of Chromium's IPC code. This patch just imports the latest snapshot of two short files from Chromium's upstream repo, where Google has worked around the crash.

[Risks and why]: I think this is a low risk because this patch just imports Google's tested fix.

[String/UUID change made/needed]: None
Attachment #8709147 - Flags: approval-mozilla-beta?
Attachment #8709147 - Flags: approval-mozilla-aurora?
Comment on attachment 8709147 [details] [diff] [review]
import-RtlGenRandom-fix.patch

Fix a crash, taking it.
Attachment #8709147 - Flags: approval-mozilla-beta?
Attachment #8709147 - Flags: approval-mozilla-aurora?
Attachment #8709147 - Flags: approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.