Closed Bug 1630281 Opened 4 years ago Closed 4 years ago

Content process fails to start if IAT is modified after the browser process's entrypoint

Categories: Firefox :: Launcher Process, defect, P3
Hardware: Unspecified
OS: Windows
Type: defect
Status: RESOLVED FIXED
Target Milestone: Firefox 77
Tracking Status: firefox77 --- fixed
People: Reporter: toshi, Assigned: toshi
Attachments: 1 file

The titled issue was mitigated as bug 1629361, but a user still hits the no-content-process situation once if a third-party application modifies the IAT of firefox.exe after the browser process is launched. A possible solution to this problem would be to cache the IAT after process creation to copy to sandbox processes.

When the browser process starts a sandbox process, we copy the executable's IAT
for ntdll.dll into the new process to prevent DLL injection via IAT tampering, as
the launcher process does. However, if the IAT has been modified by a module injected
via SetWindowsHookEx, the browser process cannot copy the IAT because a modified IAT
is invalid in a different process, failing to start any sandbox processes.

The proposed fix is to cache the IAT before COM initialization, which may load
modules via SetWindowsHookEx for the first time in the process.
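The mechanism the comment describes, as an added example that is not Firefox's launcher code: a clean snapshot of the executable's ntdll IAT taken before COM initialization, a validity check that flags entries redirected out of ntdll, and the choice of which copy to hand to a new sandbox process. The ntdll.dll address range, the entry count and every address below are constructed stand-ins; real code would read them from the loaded module and the PE import directory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the mapped range of ntdll.dll and for the number of
 * IAT entries the executable has for it.  Real code would take the base and
 * size from the loaded module and walk the PE import directory for the thunks. */
#define NTDLL_BASE 0x7ff800000000ULL
#define NTDLL_SIZE 0x1f0000ULL
#define IAT_ENTRIES 4

typedef struct {
    uint64_t entries[IAT_ENTRIES];   /* resolved function addresses */
    bool valid;                      /* false until a clean snapshot is taken */
} iat_snapshot_t;

/* A clean IAT entry resolves somewhere inside ntdll.dll itself.  An entry that
 * points anywhere else has been redirected by an injected module, and such an
 * address is meaningless in a freshly created child process. */
bool iat_is_clean(const uint64_t *iat, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (iat[i] < NTDLL_BASE || iat[i] >= NTDLL_BASE + NTDLL_SIZE)
            return false;
    return true;
}

/* Take the snapshot at a point where no third-party module can have run yet
 * (the fix places this before COM initialization).  A dirty IAT is refused so
 * that a hook never gets baked into the cache. */
bool cache_iat(iat_snapshot_t *snap, const uint64_t *iat, size_t n)
{
    if (n != IAT_ENTRIES || !iat_is_clean(iat, n))
        return false;
    memcpy(snap->entries, iat, n * sizeof(iat[0]));
    snap->valid = true;
    return true;
}

/* Decide what to copy into a new sandbox process: the live IAT while it is
 * still clean, the cached copy once it has been hooked, and nothing at all if
 * no usable copy exists (the no-content-process case from the bug). */
const uint64_t *iat_for_child(const iat_snapshot_t *snap, const uint64_t *live, size_t n)
{
    if (iat_is_clean(live, n))
        return live;
    return snap->valid ? snap->entries : NULL;
}
```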

Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c9206ff73b5f
Cache the executable's IAT for ntdll.dll before COM initialization.  r=mhowell
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 77