Closed Bug 1701757 Opened 5 years ago Closed 5 years ago

Invalid Win32k use in content process [xul!nsClipboard::`dynamic initializer for 'CF_HTML|CF_CUSTOMTYPES']

Categories

(Core :: Security: Process Sandboxing, defect)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
89 Branch
Tracking Flags:
Tracking Status
firefox89 --- fixed

People

(Reporter: cmartin, Assigned: cmartin)

References

Details

Attachments

(1 file)

Bug 1701757 - Change clipboard format static initializers to lazy statics
48 bytes, text/x-phabricator-request
Details | Review

win32u!NtUserRegisterWindowMessage
USER32!RegisterWindowMessageW+0x33
xul!nsClipboard::`dynamic initializer for 'CF_HTML'+0x10 [c:\moz\mozilla-central\widget\windows\nsClipboard.cpp @ 40]
xul!_GLOBAL__sub_I_Unified_cpp_widget_windows1.cpp+0x15 [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\widget\windows\Unified_cpp_widget_windows1.cpp @ 0]
ucrtbase!initterm+0x43
xul!dllmain_crt_process_attach+0xae [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp @ 66]
xul!dllmain_dispatch+0x74 [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp @ 195]
ntdll!LdrpCallInitRoutine+0x61
ntdll!LdrpInitializeNode+0x1d3
ntdll!LdrpInitializeGraphRecurse+0x42
ntdll!LdrpPrepareModuleForExecution+0xbf
ntdll!LdrpLoadDllInternal+0x19a
ntdll!LdrpLoadDll+0xa8
ntdll!LdrLoadDll+0xe4
firefox!mozilla::interceptor::FuncHookCrossProcess<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyUnique<mozilla::interceptor::MMPolicyOutOfProcess> >,long (*)(wchar_t *, unsigned long *, _UNICODE_STRING *, void **)>::operator()+0x19 [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\dist\include\nsWindowsDllInterceptor.h @ 254]
firefox!mozilla::freestanding::patched_LdrLoadDll+0x50 [c:\moz\mozilla-central\browser\app\winlauncher\freestanding\DllBlocklist.cpp @ 356]
KERNELBASE!LoadLibraryExW+0x162
firefox!GetLibHandle+0x11 [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 49]
firefox!ReadDependentCB+0x1b [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 148]
firefox!ReadDependentCB+0x48 [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 160]
firefox!XPCOMGlueLoad+0x32a [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 326]
firefox!mozilla::GetBootstrap+0x3ad [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 409]
firefox!InitXPCOMGlue+0xd6 [c:\moz\mozilla-central\browser\app\nsBrowserApp.cpp @ 236]
firefox!NS_internal_main+0x27b [c:\moz\mozilla-central\browser\app\nsBrowserApp.cpp @ 305]
firefox!wmain+0x1fe [c:\moz\mozilla-central\toolkit\xre\nsWindowsWMain.cpp @ 131]
firefox!invoke_main+0x22 [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90]
firefox!__scrt_common_main_seh+0x10c [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Assignee: nobody → cmartin
Status: NEW → ASSIGNED
Component: General → Security: Process Sandboxing
Product: Toolkit → Core

Second stack of a related nsClipboard static initializer:

win32u!NtUserRegisterWindowMessage
USER32!RegisterWindowMessageW+0x33
xul!nsClipboard::`dynamic initializer for 'CF_CUSTOMTYPES'+0x9 [c:\moz\mozilla-central\widget\windows\nsClipboard.cpp @ 42]
xul!_GLOBAL__sub_I_Unified_cpp_widget_windows1.cpp+0x24 [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\widget\windows\Unified_cpp_widget_windows1.cpp @ 0]
ucrtbase!initterm+0x43
xul!dllmain_crt_process_attach+0xae [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp @ 66]
xul!dllmain_dispatch+0x74 [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp @ 195]
ntdll!LdrpCallInitRoutine+0x61
ntdll!LdrpInitializeNode+0x1d3
ntdll!LdrpInitializeGraphRecurse+0x42
ntdll!LdrpPrepareModuleForExecution+0xbf
ntdll!LdrpLoadDllInternal+0x19a
ntdll!LdrpLoadDll+0xa8
ntdll!LdrLoadDll+0xe4
firefox!mozilla::interceptor::FuncHookCrossProcess<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyUnique<mozilla::interceptor::MMPolicyOutOfProcess> >,long (*)(wchar_t *, unsigned long *, _UNICODE_STRING *, void **)>::operator()+0x19 [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\dist\include\nsWindowsDllInterceptor.h @ 254]
firefox!mozilla::freestanding::patched_LdrLoadDll+0x50 [c:\moz\mozilla-central\browser\app\winlauncher\freestanding\DllBlocklist.cpp @ 356]
KERNELBASE!LoadLibraryExW+0x162
firefox!GetLibHandle+0x11 [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 49]
firefox!ReadDependentCB+0x1b [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 148]
firefox!ReadDependentCB+0x48 [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 160]
firefox!XPCOMGlueLoad+0x32a [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 326]
firefox!mozilla::GetBootstrap+0x3ad [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 409]
firefox!InitXPCOMGlue+0xd6 [c:\moz\mozilla-central\browser\app\nsBrowserApp.cpp @ 236]
firefox!NS_internal_main+0x27b [c:\moz\mozilla-central\browser\app\nsBrowserApp.cpp @ 305]
firefox!wmain+0x1fe [c:\moz\mozilla-central\toolkit\xre\nsWindowsWMain.cpp @ 131]
firefox!invoke_main+0x22 [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90]
firefox!__scrt_common_main_seh+0x10c [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

I know :bobowen already has a fix for this. I just think it might be good to have bugs to track the individual issues.

Pushed by cmartin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/95d81d2cbfbc Change clipboard format static initializers to lazy statics r=tkikuchi,bobowen

https://hg.mozilla.org/mozilla-central/rev/95d81d2cbfbc

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox89: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: