Closed Bug 1696387 Opened 4 years ago Closed 3 months ago

DWrite caching can break and not be able to reconnect with a strong sandbox.

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Product:
Core
Component:
Security: Process Sandboxing
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox129 --- fixed

People

(Reporter: bobowen, Assigned: bobowen)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 2 obsolete files)

Bug 1696387: Don't add user's SID as deny only for restricted tokens. r=handyman!
48 bytes, text/x-phabricator-request
Details | Review

This is a problem that chromium has a fix for and is probably caused by using USER_RESTRICTED (or better), untrusted integrity and possibly win32k lockdown.

Their fix hook and effectively disables certain service manager calls from dwrite.dll that causes DWrite to use a fallback path that does work within the sandbox.

We want to reimplement the same fix uses our own IAT patching.

Blocks: 1383524
No longer blocks: win32k-lockdown

This includes a reimplementation of PatchServiceManagerCalls from chromium code:
content/child/font_warmup_win.cc

Depends on D107482

Finally got round to pushing this to try to test performance impact.
Unfortunately it does appear to have some serious regressions, as well as big reductions in file IO.
I'm not actually sure we need this for win32k lockdown, I think it might only be needed for USER_LOCKDOWN and/or untrusted integrity.
Either way we need to investigate the regressions.

https://treeherder.mozilla.org/perfherder/compare?originalProject=try&originalRevision=497f608088fcdb60c90066e04005090f7a685598&newProject=try&newRevision=6f3e54bdefeb58b7f64d1dc339815938aeb06833&framework=1

Blocks: win32k-lockdown
No longer blocks: 1383524
No longer blocks: win32k-lockdown
Blocks: 1900175
Attachment #9207486 - Attachment is obsolete: true
Attachment #9207485 - Attachment is obsolete: true

The DirectWrite cache opens our process under impersonation.
While the access check for this passes for the restricted SIDs list, it fails
for the non-resticted SIDs.
Not adding the user's SID as deny only means it passes for both and the overall
access check works.
This shouldn't weaken the sandbox, because the user's SID is not in the
restricted list and both checks have to pass.

Pushed by bobowencode@gmail.com: https://hg.mozilla.org/integration/autoland/rev/9fd577310e02 Don't add user's SID as deny only for restricted tokens. r=handyman

https://hg.mozilla.org/mozilla-central/rev/9fd577310e02

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
status-firefox129: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
Regressions: 1905863
No longer regressions: 1905863
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: