DWrite caching can break and not be able to reconnect with a strong sandbox.
Categories
(Core :: Security: Process Sandboxing, enhancement, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox129 | --- | fixed |
People
(Reporter: bobowen, Assigned: bobowen)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 2 obsolete files)
This is a problem that chromium has a fix for and is probably caused by using USER_RESTRICTED (or better), untrusted integrity and possibly win32k lockdown.
Their fix hook and effectively disables certain service manager calls from dwrite.dll that causes DWrite to use a fallback path that does work within the sandbox.
We want to reimplement the same fix uses our own IAT patching.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 1•4 years ago
|
||
Assignee | ||
Comment 2•4 years ago
|
||
This includes a reimplementation of PatchServiceManagerCalls from chromium code:
content/child/font_warmup_win.cc
Depends on D107482
Assignee | ||
Comment 3•4 years ago
|
||
Assignee | ||
Comment 4•4 years ago
|
||
Finally got round to pushing this to try to test performance impact.
Unfortunately it does appear to have some serious regressions, as well as big reductions in file IO.
I'm not actually sure we need this for win32k lockdown, I think it might only be needed for USER_LOCKDOWN and/or untrusted integrity.
Either way we need to investigate the regressions.
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Updated•3 years ago
|
Updated•4 months ago
|
Updated•4 months ago
|
Assignee | ||
Comment 5•3 months ago
|
||
The DirectWrite cache opens our process under impersonation.
While the access check for this passes for the restricted SIDs list, it fails
for the non-resticted SIDs.
Not adding the user's SID as deny only means it passes for both and the overall
access check works.
This shouldn't weaken the sandbox, because the user's SID is not in the
restricted list and both checks have to pass.
Comment 7•3 months ago
|
||
bugherder |
Description
•