WindowsDllNopSpacePatcher fails CFG checks
Categories
(Core :: Security, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox74 | --- | fixed |
People
(Reporter: away, Assigned: away)
References
Details
Attachments
(1 file)
When a nop-space hook jumps back to the original API, at ntdll!Whatever+2, that address is not a registered jump target, so we crash with a CFG failure.
I think this is just a matter of annotating operator() with __attribute__((nocf_check)).
Interestingly it doesn't happen on 64-bit hooks, I guess because mOrigFunc points into a dynamically-allocated trampoline instead of 2 bytes into a real function?
|
||
Comment 1•5 years ago
|
||
The priority flag is not set for this bug.
:wleung, could you have a look please?
For more information, please visit auto_nag documentation.
|
||
Comment 2•5 years ago
|
||
P2 since this is something I think dmajor is working on without a specific target date.
Under the stronger Control Flow Guard scheme coming in clang 10, when a nop-space hook jumps back to the original API, at ntdll!Whatever+2, that address is not a registered jump target, so we crash with a CFG failure. Since this is a deliberate violation of the rules, let's disable CFG for these calls.
Some notes about the commit: Based on my testing, this is the only place we need to use this attribute, so I placed its definition close to the use. (Had we needed more of these, I would have put it in mfbt/.) Second, to avoid -Werror'ing people with older compilers, I put in a version check. Generally the wisdom is to use a feature check with __has_attribute instead of a hardcoded version number, but since nocf is a sub-sub-attribute of __declspec, the testing machinery isn't granular enough.
|
||
Updated•5 years ago
|
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
Description
•