Closed Bug 1716024 Opened 3 years ago Closed 3 years ago

Change CET support to compatible modules only

Tracking

()

Status:

RESOLVED FIXED

Milestone:

92 Branch

Tracking Flags:

Tracking

Status

firefox92

---

fixed

People

(Reporter: bobowen, Assigned: bobowen)

References

Details

Attachments

(2 files)

Bug 1716024 p1: Change CET support to compatible modules only. r=handyman! 3 years ago Bob Owen (:bobowen) 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1716024 p2: Flag all binaries apart from firefox, xpcshell and plugin-container as CET compatible. r=glandium! 3 years ago Bob Owen (:bobowen) 48 bytes, text/x-phabricator-request		Details \| Review

Bob Owen (:bobowen)

Assignee

Description

•

3 years ago

Bug 1689398 added support for CET User Shadow Stack strict mode, but we have decided that a safer initial approach is to use compatible modules only mode.
This guards against any non-Mozilla DLLs (either loaded by us or injected into the process) causing CET crashes.

Bob Owen (:bobowen)

Assignee

Comment 1

•

3 years ago

Attached file Bug 1716024 p1: Change CET support to compatible modules only. r=handyman! — Details

Bob Owen (:bobowen)

Assignee

Comment 2

•

3 years ago

Attached file Bug 1716024 p2: Flag all binaries apart from firefox, xpcshell and plugin-container as CET compatible. r=glandium! — Details

We will only run the processes in CET compatible modules only mode when not
using the JIT code. So marking xul.dll as compatible should be OK.

Depends on D117550

Phabricator Automation

Updated

•

3 years ago

Attachment #9226572 - Attachment description: Bug 1716024 p2: Flag xul.dll and mozglue.dll as CET compatible. r=glandium! → Bug 1716024 p2: Flag all binaries apart from firefox and plugin-container as CET compatible. r=glandium!

Phabricator Automation

Updated

•

3 years ago

Attachment #9226572 - Attachment description: Bug 1716024 p2: Flag all binaries apart from firefox and plugin-container as CET compatible. r=glandium! → Bug 1716024 p2: Flag all binaries apart from firefox, xpcshell and plugin-container as CET compatible. r=glandium!

Pulsebot

Comment 3

•

3 years ago

Pushed by bobowencode@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/4c5225386044
p1: Change CET support to compatible modules only. r=handyman
https://hg.mozilla.org/integration/autoland/rev/181a2776e265
p2: Flag all binaries apart from firefox, xpcshell and plugin-container as CET compatible. r=glandium

Atila Butkovits

Comment 4

•

3 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/4c5225386044
https://hg.mozilla.org/mozilla-central/rev/181a2776e265

Status: ASSIGNED → RESOLVED

Closed: 3 years ago

status-firefox92: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 92 Branch

Richard Marti (:Paenglab)

Updated

•

3 years ago

Blocks: 1721226

Bob Owen (:bobowen)

Assignee

Updated

•

3 years ago

Blocks: 1722326

Bob Owen (:bobowen)

Assignee

Updated

•

3 years ago

Blocks: 1724195

Matthew Gaudet (he/him) [:mgaudet]

Updated

•

2 years ago

Regressions: 1753775

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Change CET support to compatible modules only

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Tracking

()

People

(Reporter: bobowen, Assigned: bobowen)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Updated

Updated

Comment 3

Comment 4

Updated

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type