Closed Bug 1546545 Opened 6 years ago Closed 6 years ago

DLL Interceptor fails to clear trampoline when running under MITIGATION_DYNAMIC_CODE_POLICY

Categories

(Core :: mozglue, defect, P1)

Product:
Core
Component:
mozglue
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox68 --- fixed

People

(Reporter: handyman, Assigned: handyman)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Bug 1546545: Part 1 - Properly store pointer to sandboxed DLL intercepted method r=aklotz
47 bytes, text/x-phabricator-request
Details | Review
Bug 1546545: Part 2 - Create empty TrampolineCollection if the process sandbox forbids dynamic code r=aklotz
47 bytes, text/x-phabricator-request
Details | Review

Bug 1533808 attempted to fix an issue with the new IOInterposer code where the Chromium sandbox was interfering with our trampoline writing. That fix exposed a failure in media mochitests that turned out to be due to the RDD process sandbox using the MITIGATION_DYNAMIC_CODE_POLICY, which blocks the process from writing to executable memory. That is obviously a problem for the DLL interceptor.

We only wish to be able to write to executable memory because we need to clean up the trampoline on shutdown. Actual trampoline writing should be (and is) done before sandbox lockdown. Since cleaning up at shutdown isn't a critical activity, we can skip it in this case as cleanup is impossible.

These patches also include a small fix for bug 1533808, which was not storing the pointer to the trampoline function with the trampoline's data.

Bug 1533808 introduced code to intercept DLL methods that the Chromium sandbox had already intercepted. That patch did not store the the pointer to the intercepted function in the trampoline data, as is done when intercepting other methods.

TrampolineCollection iterates over an array of Trampolines that it has set 'write' permissions for. If this happens in a process whose sandbox forbids dynamic code then these permissions cannot be set. This patch detects that condition and returns an empty TrampolineCollection in that case. We ASSERT if we fail to set permissions for any other reason.

Depends on D28612

Pushed by daparks@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8c9f054168c3 Part 1 - Properly store pointer to sandboxed DLL intercepted method r=aklotz
Pushed by daparks@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/17c0c0c8627c Part 2 - Create empty TrampolineCollection if the process sandbox forbids dynamic code r=aklotz

https://hg.mozilla.org/mozilla-central/rev/8c9f054168c3
https://hg.mozilla.org/mozilla-central/rev/17c0c0c8627c

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: