Closed Bug 1314183 Opened 8 years ago Closed 8 years ago

TestDllInterceptor crash relocating an IP-relative instruction

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86_64
Windows 10
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox51 --- unaffected
firefox52 --- fixed

People

(Reporter: away, Unassigned)

References

Details

(Keywords: crash)

Attachments

(1 file)

Bug 1314183: Ensure that nsWindowsDllInterceptor does not accept RIP-relative displacements on amd64;
58 bytes, text/x-review-board-request
away
: review+
Details 
With Win64 ASan, TestDllInterceptor!rotatePayload contains this instruction:

00007ff7`bb52100a 488b05ff7a0000  mov     rax,qword ptr [TestDllInterceptor!__asan_shadow_memory_dynamic_address (00007ff7`bb528b10)]

The address of __asan_shadow_memory_dynamic_address is given as IP-relative. CreateTrampoline and CountModRmSib accept this instruction and relocate it, without fixup, leading to a crash.

Since there's no code in CreateTrampoline that does fixup on anything but jumps, is there any reason why CountModRmSib should accept IP-relative instructions?
Flags: needinfo?(aklotz)
(Just to be clear, I'd be totally fine with CreateTrampoline simply rejecting this sequence; I can deal with the test failure. I don't think we need to properly relocate this instruction unless "real" code needs it.)
Blocks: support-win64
status-firefox51: --- → unaffected
status-firefox52: --- → affected
Keywords: crash
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Good catch. Patch forthcoming, I'm testing it right now.
Flags: needinfo?(aklotz)
Comment on attachment 8806534 [details]
Bug 1314183: Ensure that nsWindowsDllInterceptor does not accept RIP-relative displacements on amd64;

https://reviewboard.mozilla.org/r/89928/#review89440

::: xpcom/build/nsWindowsDllInterceptor.h:520
(Diff revision 1)
>        case kModNoRegDisp:
> -        if ((*aModRm & kMaskRm) == kRmNoRegDispDisp32 ||
> -            ((*aModRm & kMaskRm) == kRmNeedSib &&
> +        if ((*aModRm & kMaskRm) == kRmNoRegDispDisp32) {
> +#if defined(_M_X64)
> +          // RIP-relative on amd64, currently unsupported
> +          return -1;
> +#else

It would be good to mention that the x86 equivalent is ok because it uses an absolute address.
Attachment #8806534 - Flags: review?(dmajor) → review+
Pushed by aklotz@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e7e0a189b16a
Ensure that nsWindowsDllInterceptor does not accept RIP-relative displacements on amd64; r=dmajor
https://hg.mozilla.org/mozilla-central/rev/e7e0a189b16a
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: