Closed Bug 1509748 Opened 2 years ago Closed 2 months ago
[Windows 10 1809] EAF Crash
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:
1. Install Windows 10 1809
2. Under "Exploit Protection" enable "Export Address Filtering (EAF)" for firefox.exe

Actual results:
Firefox will randomly crash anywhere between 1 minute and an hour (depending on usage). In the event logs, the following gets logged under "Applications and Services Logs" -> "Microsoft" -> "Windows" -> "Security-Mitigations" -> "User Mode":

Process 'C:\Program Files\Mozilla Firefox\firefox.exe' (PID 7884) was blocked from accessing the Export Address Table for module 'C:\WINDOWS\SYSTEM32\ntdll.dll'.

Expected results:
The process should not have crashed. This has been working fine on Windows 10 1803 until the OS was updated to version 1809. Microsoft seems to have improved their EAF filtering, which has broken Firefox.
From the Application logs:

Faulting application name: firefox.exe, version: 220.127.116.1192, time stamp: 0x5beca9c3
Faulting module name: PayloadRestrictions.dll, version: 10.0.17763.1, time stamp: 0x7885c70a
Exception code: 0xc0000409
Fault offset: 0x000000000003b614
Faulting process id: 0x1ecc
Faulting application start time: 0x01d484fd6a12ba4e
Faulting application path: C:\Program Files\Mozilla Firefox\firefox.exe
Faulting module path: C:\WINDOWS\SYSTEM32\PayloadRestrictions.dll
Report Id: a76936ba-2041-43a5-a02a-4e27a7d35a73
Faulting package full name:
Faulting package-relative application ID:
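The reporter's reproduction and the two log lookups, expressed with the Windows Defender Exploit Guard cmdlets (Windows 10 1709 and later). This is an added example, not code from the bug or from Mozilla; the event channel name 'Microsoft-Windows-Security-Mitigations/UserMode' and the use of Application log event ID 1000 from provider 'Application Error' for the crash record are assumptions. Run it from an elevated PowerShell.

```powershell
# Added example (not from the bug or from Mozilla): enable EAF for firefox.exe,
# then pull the block record and the crash record out of the event logs.
# Assumed names: the Security-Mitigations user-mode channel and the
# 'Application Error' / event 1000 crash record.

$exe = 'firefox.exe'

# 1. Show the per-program mitigation state for firefox.exe. The Payload section
#    carries the EAF settings; each reports ON, OFF or NOTSET.
(Get-ProcessMitigation -Name $exe).Payload |
    Select-Object EnableExportAddressFilter, EnableExportAddressFilterPlus, EAFModules

# 2. Turn on plain EAF for firefox.exe, matching step 2 of the reporter's
#    reproduction. (EnableExportAddressFilterPlus is the EAF+ flag; it takes the
#    module list via -EAFModules.)
Set-ProcessMitigation -Name $exe -Enable EnableExportAddressFilter

# 3. After a crash, find the blocked-access records. Filter on the message text
#    the reporter quoted rather than on an event ID.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Security-Mitigations/UserMode' } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Export Address Table' -and
                   $_.Message -match [regex]::Escape($exe) } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. Correlate with the Application log crash record. A faulting module of
#    PayloadRestrictions.dll with exception code 0xc0000409
#    (STATUS_STACK_BUFFER_OVERRUN, the code raised by __fastfail) is the
#    mitigation DLL terminating the process, not a Firefox memory-safety bug.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PayloadRestrictions\.dll' -and
                   $_.Message -match [regex]::Escape($exe) } |
    Select-Object TimeCreated, Message |
    Format-List

# 5. Undo the per-program setting once the evidence is collected.
Set-ProcessMitigation -Name $exe -Disable EnableExportAddressFilter
```

Step 4 is the check worth keeping: a crash whose faulting module is PayloadRestrictions.dll is the mitigation killing the process on a guarded read of the export table, so the fix belongs in whatever code reads ntdll's headers, not in a crash reporter triage of a heap bug.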
I'm not entirely sure which component this issue belongs to, but as a tentative initial triage, let's triage it in Security.
Component: Untriaged → Security
Product: Firefox → Core
See Also: → 1483752
Priority: -- → P5
Crash Signature: [@ LdrpSnapModule]
Attachment #9151933 - Attachment description: Bug 1509748 - Do not touch ntdll's PE header directly if EAF+ is enabled. r=mhowell → Bug 1509748 - Do not touch ntdll's PE header directly if EAF+ is enabled. r=mhowell,mstange
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/autoland/rev/34c3a4a251e8 Do not touch ntdll's PE header directly if EAF+ is enabled. r=mhowell,mstange