Closed Bug 1659398 Opened 10 months ago Closed 9 months ago

Running TestDllInterceptor.exe on W8 64bit causes Firefox to stop working

Categories

(Core :: mozglue, defect)

Firefox 81
x86_64
Windows 8
defect

Tracking

VERIFIED FIXED
82 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox79 --- unaffected
firefox80 --- wontfix
firefox81 --- wontfix
firefox82 --- verified

People

(Reporter: bogdan_maris, Assigned: toshi)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Affected versions

  • Firefox 80.0b8
  • Firefox 81.0a1

Affected platforms

  • Windows 8 64bit

Unaffected platforms

  • Windows 8.1 64bit
  • Windows 10 64bit

Steps to reproduce

  1. Download target.cppunittest.tests.tar.gz from today's Nightly or from the latest Beta.
  2. Unzip the content.
  3. Copy mozglue.dll from target.zip into the unzipped folder from above.
  4. Open CMD in the folder the content was extracted to in the previous step.
  5. Type 'TestDllInterceptor.exe' and hit Enter.

Expected result

  • All the tests pass without failure.

Actual result

  • Tests are completed but a Windows pop-up appears saying that Nightly has stopped working, see the attached screencast.

Regression range

  • Not sure if this is a regression or not; it will be pretty hard and time consuming to find out, since I'll have to go manually through builds from Treeherder to catch something. Let me know if that helps, I could make some time and do that.

Additional notes

  • I'm using a fresh VM with Windows 8 64bit and Visual C++ 2015-2019 installed.
  • Here is the complete output from CMD:
C:\Users\test\Desktop\DLL\cppunittest>TestDllInterceptor.exe
TEST-PASS | WindowsDllInterceptor | Hook added
TEST-PASS | WindowsDllInterceptor | Hook called
TEST-PASS | WindowsDllInterceptor | Hook works properly
TEST-PASS | WindowsDllInterceptor | Hook was called after unregistration
TEST-PASS | WindowsDllInterceptor | Original function worked properly
TEST-PASS | WindowsDllInterceptor | Executed hooked function NtMapViewOfSection from ntdll.dll
TEST-PASS | WindowsDllInterceptor | MovPushRet
TEST-PASS | WindowsDllInterceptor | MovRaxJump
TEST-PASS | WindowsDllInterceptor | DoubleJump
TEST-PASS | WindowsDllInterceptor | NearJump
TEST-PASS | WindowsDllInterceptor | MovPushRet
TEST-PASS | WindowsDllInterceptor | MovRaxJump
TEST-PASS | WindowsDllInterceptor | DoubleJump
TEST-PASS | WindowsDllInterceptor | Could hook NtCreateFile from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function NtCreateFile from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Could hook NtReadFile from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function NtReadFile from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Could hook NtReadFileScatter from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function NtReadFileScatter from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Could hook NtWriteFile from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function NtWriteFile from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Could hook NtWriteFileGather from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function NtWriteFileGather from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Could hook NtQueryFullAttributesFile from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function NtQueryFullAttributesFile from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Could detour LdrLoadDll from ntdll.dll
TEST-SKIPPED | WindowsDllInterceptor | Will not attempt to execute patched LdrLoadDll.
TEST-PASS | WindowsDllInterceptor | Could hook LdrUnloadDll from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function LdrUnloadDll from ntdll.dll
TEST-PASS | WindowsDllInterceptor | Could hook LdrResolveDelayLoadedAPI from ntdll.dll
TEST-SKIPPED | WindowsDllInterceptor | Will not attempt to execute patched LdrResolveDelayLoadedAPI.
TEST-PASS | WindowsDllInterceptor | Could hook ApiSetQueryApiSetPresence from Api-ms-win-core-apiquery-l1-1-0.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function ApiSetQueryApiSetPresence from Api-ms-win-core-apiquery-l1-1-0.dll
TEST-PASS | WindowsDllInterceptor | Could hook QueryDosDeviceW from kernelbase.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function QueryDosDeviceW from kernelbase.dll
TEST-PASS | WindowsDllInterceptor | Could hook GetFileAttributesW from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function GetFileAttributesW from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Could hook SetUnhandledExceptionFilter from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function SetUnhandledExceptionFilter from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Could hook CreateFileA from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function CreateFileA from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Could hook TlsAlloc from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function TlsAlloc from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Could hook TlsFree from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function TlsFree from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Could hook CloseHandle from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function CloseHandle from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Could hook DuplicateHandle from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function DuplicateHandle from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Could detour BaseThreadInitThunk from kernel32.dll
TEST-SKIPPED | WindowsDllInterceptor | Will not attempt to execute patched BaseThreadInitThunk.
TEST-SKIPPED | WindowsDllInterceptor | Skipped hook test for RtlInstallFunctionTableCallback from kernel32.dll
TEST-PASS | WindowsDllInterceptor | Could hook GetKeyState from user32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function GetKeyState from user32.dll
TEST-PASS | WindowsDllInterceptor | Could hook GetWindowInfo from user32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function GetWindowInfo from user32.dll
TEST-PASS | WindowsDllInterceptor | Could hook TrackPopupMenu from user32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function TrackPopupMenu from user32.dll
TEST-PASS | WindowsDllInterceptor | Could detour CreateWindowExW from user32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function CreateWindowExW from user32.dll
TEST-PASS | WindowsDllInterceptor | Could hook InSendMessageEx from user32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function InSendMessageEx from user32.dll
TEST-PASS | WindowsDllInterceptor | Could hook SendMessageTimeoutW from user32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function SendMessageTimeoutW from user32.dll
TEST-PASS | WindowsDllInterceptor | Could hook SetCursorPos from user32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function SetCursorPos from user32.dll
TEST-PASS | WindowsDllInterceptor | Could hook ImmGetContext from imm32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function ImmGetContext from imm32.dll
TEST-PASS | WindowsDllInterceptor | Could hook ImmGetCompositionStringW from imm32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function ImmGetCompositionStringW from imm32.dll
TEST-PASS | WindowsDllInterceptor | Could hook ImmSetCandidateWindow from imm32.dll
TEST-SKIPPED | WindowsDllInterceptor | Will not attempt to execute patched ImmSetCandidateWindow.
TEST-PASS | WindowsDllInterceptor | Could hook ImmNotifyIME from imm32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function ImmNotifyIME from imm32.dll
TEST-PASS | WindowsDllInterceptor | Could hook GetSaveFileNameW from comdlg32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function GetSaveFileNameW from comdlg32.dll
TEST-PASS | WindowsDllInterceptor | Could hook GetOpenFileNameW from comdlg32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function GetOpenFileNameW from comdlg32.dll
TEST-PASS | WindowsDllInterceptor | Could hook PrintDlgW from comdlg32.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function PrintDlgW from comdlg32.dll
TEST-PASS | WindowsDllInterceptor | Could hook ProcessCaretEvents from tiptsf.dll
TEST-PASS | WindowsDllInterceptor | Executed hooked function ProcessCaretEvents from tiptsf.dll
TEST-PASS | WindowsDllInterceptor | Could hook InternetOpenA from wininet.dll

C:\Users\test\Desktop\DLL\cppunittest>

Suggested severity

  • Not sure what severity this bug should have; Engineering would know best.
Has Regression Range: --- → no
Has STR: --- → yes

Thank you for filing a new bug. I'll look into this next week.

Assignee: nobody → tkikuchi
Regressed by: 1642626

Win8's KERNELBASE!DuplicateHandle has jump instructions whose destination is
within the region where we move instructions to a trampoline.

In the example below, the address 000007fe0618271c is a destination of the
JMP instructions, but when we detour KERNELBASE!DuplicateHandle, we move
the original instructions to a trampoline, and that address will point to
an invalid instruction.

A proposed fix is to detour KERNEL32!DuplicateHandle without resolving redirection,
which was the behavior before bug 1642626.

KERNELBASE!DuplicateHandle:
000007fe`06182710 4883ec48        sub     rsp,48h
000007fe`06182714 4c8bd1          mov     r10,rcx
000007fe`06182717 83faf4          cmp     edx,0FFFFFFF4h
000007fe`0618271a 733b            jae     KERNELBASE!DuplicateHandle+0x43 (000007fe`06182757)
000007fe`0618271c 8b842480000000  mov     eax,dword ptr [rsp+80h]
...
000007fe`0623f0de 65488b042560000000 mov   rax,qword ptr gs:[60h]
000007fe`0623f0e7 488b5020        mov     rdx,qword ptr [rax+20h]
000007fe`0623f0eb 488b5220        mov     rdx,qword ptr [rdx+20h]
000007fe`0623f0ef e92836f4ff      jmp     KERNELBASE!DuplicateHandle+0xc (000007fe`0618271c)
000007fe`0623f0f4 65488b042560000000 mov   rax,qword ptr gs:[60h]
000007fe`0623f0fd 488b5020        mov     rdx,qword ptr [rax+20h]
000007fe`0623f101 488b5228        mov     rdx,qword ptr [rdx+28h]
000007fe`0623f105 e91236f4ff      jmp     KERNELBASE!DuplicateHandle+0xc (000007fe`0618271c)
000007fe`0623f10a 65488b042560000000 mov   rax,qword ptr gs:[60h]
000007fe`0623f113 488b5020        mov     rdx,qword ptr [rax+20h]
000007fe`0623f117 488b5230        mov     rdx,qword ptr [rdx+30h]
000007fe`0623f11b e9fc35f4ff      jmp     KERNELBASE!DuplicateHandle+0xc (000007fe`0618271c)
...
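To make the failure described in the comment above concrete, here is an added example (not Mozilla's interceptor code) that models the check a detour would need before patching: it takes the instruction lengths from the DuplicateHandle disassembly quoted above and the inbound jump target at +0xc, and reports whether the bytes relocated to the trampoline swallow that target. The 5-byte and 13-byte patch sizes are assumptions; the page does not state which form the interceptor writes, and only the 13-byte form reaches offset 0xc.

```c
#include <stddef.h>
#include <stdio.h>

/* Instruction lengths of the KERNELBASE!DuplicateHandle prologue quoted in the
 * bug: sub rsp,48h (4) / mov r10,rcx (3) / cmp edx,0FFFFFFF4h (3) /
 * jae (2) / mov eax,[rsp+80h] (7). Offsets: 0x0, 0x4, 0x7, 0xa, 0xc. */
const size_t kPrologueLens[] = {4, 3, 3, 2, 7};
const size_t kPrologueCount = sizeof(kPrologueLens) / sizeof(kPrologueLens[0]);

/* Function-relative offsets that other code jumps into. 0xc is the target of
 * the three "jmp KERNELBASE!DuplicateHandle+0xc" instructions in the bug. */
const size_t kInboundTargets[] = {0xc};

/* Bytes the detour has to copy to the trampoline: whole instructions until at
 * least patch_len bytes are covered. Returns 0 if the prologue is too short. */
size_t bytes_moved(const size_t *lens, size_t n, size_t patch_len) {
    size_t moved = 0;
    for (size_t i = 0; i < n && moved < patch_len; i++) moved += lens[i];
    return moved >= patch_len ? moved : 0;
}

/* Returns 1 if any inbound branch target lands strictly inside the moved
 * region. After patching, such a target points into the middle of the patch
 * bytes instead of at an instruction boundary, which is the crash in the bug.
 * Offset 0 is harmless: it simply enters the patch and follows the hook. */
int detour_breaks_inbound_jump(const size_t *lens, size_t n, size_t patch_len,
                               const size_t *targets, size_t ntargets) {
    size_t moved = bytes_moved(lens, n, patch_len);
    for (size_t i = 0; i < ntargets; i++)
        if (targets[i] > 0 && targets[i] < moved) return 1;
    return 0;
}

int main(void) {
    /* Assumed patch sizes: a 5-byte "jmp rel32" versus a 13-byte absolute
     * "mov r11,imm64; jmp r11" sequence (assumption, not stated on the page). */
    const size_t patch_lens[] = {5, 13};
    for (size_t i = 0; i < 2; i++) {
        size_t moved = bytes_moved(kPrologueLens, kPrologueCount, patch_lens[i]);
        int bad = detour_breaks_inbound_jump(kPrologueLens, kPrologueCount,
                                             patch_lens[i], kInboundTargets, 1);
        printf("patch %2zu bytes -> %2zu bytes moved to trampoline: %s\n",
               patch_lens[i], moved,
               bad ? "inbound jump lands inside patch (unsafe)" : "safe");
    }
    return 0;
}
```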
Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/84d533ce303c
Don't resolve redirection of JMP for DuplicateHandle. r=handyman
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch

I can successfully run the tests on W8 64bit using latest Nightly 82.0a1 without any issues now, thanks Toshihito!

Status: RESOLVED → VERIFIED

Thanks for catching this bug. I was too lazy to test Win8!

Is this likely to have a real-world impact on users that would make us want to consider Beta uplift? Please nominate if so.

Flags: needinfo?(tkikuchi)

This happens only when the system is Win8 and MOZ_ENABLE_HANDLE_VERIFIER is set. Wontfix'ing for Beta.

Flags: needinfo?(tkikuchi)