Content process fails to start if IAT is modified after the browser process's entrypoint
Categories
(Firefox :: Launcher Process, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox77 | --- | fixed |
People
(Reporter: toshi, Assigned: toshi)
References
Details
Attachments
(1 file)
The titled issue was mitigated as bug 1629361, but a user still hits the no-content-process situation once if a third-party application modifies IAT of firefox.exe after the browser process is launched. A possible solution to this problem would be to cache IAT after process creation to copy to sandbox processes.
Assignee | ||
Comment 1•4 years ago
|
||
When the browser process starts a sandbox process, we copy the executable's IAT
for ntdll.dll into the new process to prevent DLL injection via IAT tampering as
the launcher process does. However, if IAT has been modified by a module injected
via SetWindowHookEx
, the browser process cannot copy IAT because a modified IAT
is invalid in a different process, failing to start any sandbox processes.
The proposed fix is to cache IAT before COM initialization which may load
modules via SetWindowHookEx
for the first time in the process.
Pushed by ncsoregi@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c9206ff73b5f Cache the executable's IAT for ntdll.dll before COM initialization. r=mhowell
Comment 3•4 years ago
|
||
bugherder |
Description
•