Closed Bug 1546545 Opened 8 months ago Closed 8 months ago

DLL Interceptor fails to clear trampoline when running under MITIGATION_DYNAMIC_CODE_POLICY

Categories

(Core :: mozglue, defect, P1)

Unspecified
Windows
defect

Tracking

()

RESOLVED FIXED
mozilla68
Tracking Status
firefox68 --- fixed

People

(Reporter: handyman, Assigned: handyman)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Bug 1533808 attempted to fix an issue with the new IOInterposer code where the Chromium sandbox was interfering with our trampoline writing. That fix exposed a failure in media mochitests that turned out to be due to the RDD process sandbox using the MITIGATION_DYNAMIC_CODE_POLICY, which blocks the process from writing to executable memory. That is obviously a problem for the DLL interceptor.

We only wish to be able to write to executable memory because we need to clean up the trampoline on shutdown. Actual trampoline writing should be (and is) done before sandbox lockdown. Since cleaning up at shutdown isn't a critical activity, we can skip it in this case as cleanup is impossible.

These patches also include a small fix for bug 1533808, which was not storing the pointer to the trampoline function with the trampoline's data.

Bug 1533808 introduced code to intercept DLL methods that the Chromium sandbox had already intercepted. That patch did not store the pointer to the intercepted function in the trampoline data, as is done when intercepting other methods.

TrampolineCollection iterates over an array of Trampolines that it has set 'write' permissions for. If this happens in a process whose sandbox forbids dynamic code then these permissions cannot be set. This patch detects that condition and returns an empty TrampolineCollection in that case. We ASSERT if we fail to set permissions for any other reason.

Depends on D28612

Blocks: 1535704
Pushed by daparks@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8c9f054168c3
Part 1 - Properly store pointer to sandboxed DLL intercepted method r=aklotz
Pushed by daparks@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/17c0c0c8627c
Part 2 - Create empty TrampolineCollection if the process sandbox forbids dynamic code r=aklotz
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
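
The failure handling described in the Part 2 summary (skip cleanup when the sandbox forbids dynamic code, treat any other failure as a bug), as an added example that is not Mozilla's code. The names `CleanupAccess`, `ClassifyProtectResult`, `DynamicCodeProhibited` and `MakeTrampolinesWritable` are hypothetical; the Windows calls are the documented Win32 APIs, and the decision logic is kept separate so it also builds off Windows.

```cpp
#include <cstddef>
#include <cstdint>
#ifdef _WIN32
#include <windows.h>  // GetProcessMitigationPolicy needs Windows 8 or later
#endif

// Outcome of trying to make trampoline pages writable for shutdown cleanup.
enum class CleanupAccess { Writable, SkipCleanup, Fatal };

// Value of ERROR_DYNAMIC_CODE_BLOCKED in winerror.h.
constexpr uint32_t kErrDynamicCodeBlocked = 1655;

// protectOk: result of VirtualProtect. lastError: GetLastError() on failure.
// policyProhibits: ProhibitDynamicCode bit of the process mitigation policy.
CleanupAccess ClassifyProtectResult(bool protectOk, uint32_t lastError,
                                    bool policyProhibits) {
  if (protectOk) return CleanupAccess::Writable;
  // Expected failure: the sandbox blocks writes to executable memory, so the
  // caller hands back an empty collection and leaves the trampolines alone.
  if (policyProhibits || lastError == kErrDynamicCodeBlocked)
    return CleanupAccess::SkipCleanup;
  // Anything else (bad address, bad size, ...) is a real bug: assert on it.
  return CleanupAccess::Fatal;
}

#ifdef _WIN32
static bool DynamicCodeProhibited() {
  PROCESS_MITIGATION_DYNAMIC_CODE_POLICY pol = {};
  return ::GetProcessMitigationPolicy(::GetCurrentProcess(),
                                      ProcessDynamicCodePolicy, &pol,
                                      sizeof(pol)) &&
         pol.ProhibitDynamicCode;
}

// base/len describe the trampoline region (hypothetical parameters).
CleanupAccess MakeTrampolinesWritable(void* base, size_t len, DWORD* oldProt) {
  bool ok = !!::VirtualProtect(base, len, PAGE_EXECUTE_READWRITE, oldProt);
  DWORD err = ok ? 0 : ::GetLastError();  // read before any other API call
  return ClassifyProtectResult(ok, err, !ok && DynamicCodeProhibited());
}
#endif

int main() {
  // Constructed case: VirtualProtect failed with 1655 in a locked-down process.
  return ClassifyProtectResult(false, kErrDynamicCodeBlocked, true) ==
                 CleanupAccess::SkipCleanup ? 0 : 1;
}
```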