Closed Bug 1527823 Opened 6 years ago Closed 3 years ago

Remove any further instantiations of single-threaded apartments in content processes

Categories

(Core :: IPC: MSCOM, enhancement)

Product:
Core
Component:
IPC: MSCOM
Platform:
Unspecified
Windows
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox67 --- affected

People

(Reporter: bugzilla, Unassigned)

References

Details

(I am filing this under MSCOM even though this bug isn't really about the mscom library itself)

We need to audit any occurrences of the following functions being called in sandboxed content processes and remove them, while providing adequate alternatives as necessary to ensure that we don't break anything:

  • OleInitialize
  • CoInitialize
  • CoInitializeEx when invoked with the COINIT_APARTMENTTHREADED parameter.

To further improve our detection of this scenario, we might want to consider calling CoRegisterInitializeSpy to register a callback that could assert when an STA is being created in content: this would help us identify any single-threaded apartments being created by code that we don't control. (Though I really hope that nothing is actually doing that!)

I haven't seen any instances of OleInitialize or CoInitialize yet, but this stack (and a few similar ones) for CoInitializeEx came up today.

I can't for certain say if it was invoked with COINIT_APARTMENTTHREADED, however.

22 - win32u!NtUserRegisterClassExWOW
    win32u!NtUserRegisterClassExWOW
    user32!RegisterClassExWOWW+0x2f5
    user32!RegisterClassW+0x6f
    combase!RegisterOleWndClass+0x63
    combase!ThreadFirstInitialize+0x1f7
    combase!_CoInitializeEx+0x1a1
    combase!CoInitializeEx+0x36
    xul!mozilla::mscom::ApartmentRegion::Init+0x87
    xul!mozilla::mscom::ProcessRuntime::ProcessRuntime+0x177
    xul!mozilla::mscom::ProcessRuntime::ProcessRuntime+0x24

Okay, so that stack will go away once Win32k lockdown is turned on. (Until it is, we still do it the old way, which is via COINIT_APARTMENTTHREADED.)

This should be fixed by the parent bug. Waiting on new logs to confirm.

See Also: → 1711545
Depends on: 1711545
See Also: 1711545

We believe this is fixed, will reopen if we turn out to be wrong.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.