Closed Bug 1711551 Opened 3 years ago Closed 3 years ago

Invalid Win32k use in content process [xul!mozilla::CanCreateMFTDecoder]

Categories

(Core :: Security: Process Sandboxing, defect, P1)

All
Windows
defect

Tracking

RESOLVED FIXED
94 Branch
Tracking Status
firefox94 --- fixed

People

(Reporter: cmartin, Assigned: bobowen)

References

(Blocks 1 open bug)

Attachments

(1 file)

Call stack:

00 000000b5`ccffd4b8 00007ffc`33a681c7 win32u!NtUserGetThreadState
01 000000b5`ccffd4c0 00007ffc`0fb4a2d3 USER32!InSendMessage+0x37
02 000000b5`ccffd4f0 00007ffc`0fb4ab4c RTWorkQ!CPlatform::FinalShutdown+0xf3
03 000000b5`ccffd550 00007ffc`0fb4aab0 RTWorkQ!CPlatform::Shutdown+0x8c
04 000000b5`ccffd5a0 00007ffc`0fc35c49 RTWorkQ!RtwqShutdown+0x10
05 000000b5`ccffd5d0 00007ffb`c512b567 mfplat!MFShutdown+0x29
06 (Inline Function) --------`-------- xul!mozilla::wmf::MFShutdown::<unnamed-tag>::operator()+0xd [c:\moz\mozilla-central\dom\media\platforms\wmf\WMFUtils.cpp @ 265] 
07 (Inline Function) --------`-------- xul!mozilla::mscom::EnsureMTA::EnsureMTA+0x16 [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\dist\include\mozilla\mscom\EnsureMTA.h @ 71] 
08 000000b5`ccffd630 00007ffb`c5131439 xul!mozilla::wmf::MFShutdown+0x77 [c:\moz\mozilla-central\dom\media\platforms\wmf\WMFUtils.cpp @ 265] 
09 (Inline Function) --------`-------- xul!mozilla::CanCreateMFTDecoder::<unnamed-tag>::operator()+0xa0 [c:\moz\mozilla-central\dom\media\platforms\wmf\WMFDecoderModule.cpp @ 110] 
0a (Inline Function) --------`-------- xul!mozilla::mscom::EnsureMTA::EnsureMTA+0xad [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\dist\include\mozilla\mscom\EnsureMTA.h @ 71] 
0b 000000b5`ccffd6a0 00007ffb`c5131019 xul!mozilla::CanCreateMFTDecoder+0xd9 [c:\moz\mozilla-central\dom\media\platforms\wmf\WMFDecoderModule.cpp @ 104] 
0c 000000b5`ccffd720 00007ffb`c50f4f20 xul!mozilla::WMFDecoderModule::Init+0x1a9 [c:\moz\mozilla-central\dom\media\platforms\wmf\WMFDecoderModule.cpp @ 148] 
0d (Inline Function) --------`-------- xul!mozilla::PDMInitializer::InitContentPDMs+0xe [c:\moz\mozilla-central\dom\media\platforms\PDMFactory.cpp @ 107] 
0e 000000b5`ccffd7c0 00007ffb`c50f51cd xul!mozilla::PDMInitializer::InitPDMs+0x110 [c:\moz\mozilla-central\dom\media\platforms\PDMFactory.cpp @ 165] 
0f 000000b5`ccffd7f0 00007ffb`c52d3a64 xul!mozilla::PDMFactory::PDMFactory+0x3d [c:\moz\mozilla-central\dom\media\platforms\PDMFactory.cpp @ 255] 
10 000000b5`ccffd830 00007ffb`c4edb37b xul!mozilla::MP4Decoder::IsSupportedType+0x1f4 [c:\moz\mozilla-central\dom\media\mp4\MP4Decoder.cpp @ 167] 
11 000000b5`ccffd920 00007ffb`c4ef9b19 xul!mozilla::CanHandleMediaType+0x24b [c:\moz\mozilla-central\dom\media\DecoderTraits.cpp @ 177] 
12 000000b5`ccffda30 00007ffb`c4e6a01a xul!mozilla::ChannelMediaDecoder::Create+0x19 [c:\moz\mozilla-central\dom\media\ChannelMediaDecoder.cpp @ 175] 
13 000000b5`ccffda70 00007ffb`c4e69818 xul!mozilla::dom::HTMLMediaElement::InitializeDecoderForChannel+0x3fa [c:\moz\mozilla-central\dom\html\HTMLMediaElement.cpp @ 4977] 
14 000000b5`ccffe110 00007ffb`c35b00a2 xul!mozilla::dom::HTMLMediaElement::MediaLoadListener::OnStartRequest+0x438 [c:\moz\mozilla-central\dom\html\HTMLMediaElement.cpp @ 1320] 
15 000000b5`ccffe3b0 00007ffb`c35aff2b xul!mozilla::net::HttpChannelChild::DoOnStartRequest+0xb2 [c:\moz\mozilla-central\netwerk\protocol\http\HttpChannelChild.cpp @ 575] 
16 000000b5`ccffe400 00007ffb`c35d6d0e xul!mozilla::net::HttpChannelChild::OnStartRequest+0x7ab [c:\moz\mozilla-central\netwerk\protocol\http\HttpChannelChild.cpp @ 507] 
17 (Inline Function) --------`-------- xul!mozilla::net::HttpChannelChild::ProcessOnStartRequest::<unnamed-tag>::operator()+0x2a [c:\moz\mozilla-central\netwerk\protocol\http\HttpChannelChild.cpp @ 368] 
Assignee: nobody → cmartin
Status: NEW → ASSIGNED

Do you have STR for this? My impression was that all of this had moved to RDD or GPU.

Flags: needinfo?(cmartin)
Severity: -- → S4
Priority: -- → P2

Sorry about the delay, :bobowen.

Steps to Reproduce:

  1. Enable Win32k Lockdown in the Nightly Experiments menu on Firefox Nightly
  2. Run Firefox with Win32k logging using WinDBG and the "win32k-tracing.js" script
  3. Navigate to https://www.youtube.com/watch?v=Hp_Eg8NMfT0
  4. Observe many callstacks similar to above in "tab" processes

It appears that this is happening because of a query about support for a codec, rather than any actual attempt to play video/audio with the codec.

Flags: needinfo?(cmartin)
Assignee: cmartin → bobowencode
Priority: P2 → P1
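
One way to group the many similar call stacks from step 4 of the steps to reproduce, as an added example that is not part of this bug or of Mozilla's tooling: it parses WinDbg stack text, confirms frame 0 is a win32u `NtUser*`/`NtGdi*` stub, and returns the system frames plus the first xul frame that led to it. The function names, and the assumption that logged stacks use the frame layout shown in this report, are the example's own.

```python
import re
from collections import namedtuple

# Frames 00-06 copied verbatim from the call stack in this report.
SAMPLE = r"""
00 000000b5`ccffd4b8 00007ffc`33a681c7 win32u!NtUserGetThreadState
01 000000b5`ccffd4c0 00007ffc`0fb4a2d3 USER32!InSendMessage+0x37
02 000000b5`ccffd4f0 00007ffc`0fb4ab4c RTWorkQ!CPlatform::FinalShutdown+0xf3
03 000000b5`ccffd550 00007ffc`0fb4aab0 RTWorkQ!CPlatform::Shutdown+0x8c
04 000000b5`ccffd5a0 00007ffc`0fc35c49 RTWorkQ!RtwqShutdown+0x10
05 000000b5`ccffd5d0 00007ffb`c512b567 mfplat!MFShutdown+0x29
06 (Inline Function) --------`-------- xul!mozilla::wmf::MFShutdown::<unnamed-tag>::operator()+0xd [c:\moz\mozilla-central\dom\media\platforms\wmf\WMFUtils.cpp @ 265]
"""

Frame = namedtuple("Frame", "index inline module symbol source line")

FRAME_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{2,})\s+"
    r"(?:(?P<inline>\(Inline Function\))\s+\S+|\S+\s+\S+)\s+"  # inline marker, or child-SP + return address
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+?)(?:\+0x[0-9a-f]+)?"
    r"(?:\s+\[(?P<src>.+?) @ (?P<line>\d+)\])?$"
)

def parse_stack(text):
    """Parse WinDbg stack lines into Frame tuples, skipping anything else."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["idx"], 16), bool(m["inline"]), m["module"],
                                m["symbol"], m["src"], int(m["line"]) if m["line"] else None))
    return frames

def triage(text, app_module="xul"):
    """Return a grouping key for one stack, or None if frame 0 is not a win32u stub."""
    frames = parse_stack(text)
    top = frames[0] if frames else None
    if not top or top.module.lower() != "win32u" or not top.symbol.startswith(("NtUser", "NtGdi")):
        return None
    via = []  # system frames between the syscall stub and the application module
    for f in frames[1:]:
        if f.module == app_module:
            return {"syscall": top.symbol, "via": via, "call_site": f}
        via.append(f"{f.module}!{f.symbol}")
    return {"syscall": top.symbol, "via": via, "call_site": None}
```

Keying stacks on `(syscall, via[-1], call_site.symbol)` collapses repeated hits of the same path into one entry per offending call site.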

The availability check is not compatible with win32k lock down.

Depends on D124935

Pushed by bobowencode@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/727ebbaee874
Don't init or check for WMF in content process when decoded remotely. r=bryce
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch