Closed Bug 1755734 Opened 3 years ago Closed 3 years ago

Limit win32k lockdown for content to win10 1709 (build 16299) or later

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
All
Windows
Type:
enhancement

Tracking

()

Status:
VERIFIED FIXED
Milestone:
99 Branch
Tracking Flags:
Tracking Status
firefox98 --- verified
firefox99 --- verified

People

(Reporter: bobowen, Assigned: bobowen)

References

Details

Attachments

(1 file)

Bug 1755734: Limit win32k lockdown for content process to Win10 build 16299 or later. r=gcp!
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review

This is due to CoInitializeSecurity failing if user32 has loaded before it. From win10 1709 (build 16299) or later we have a work around already in place.

Pushed by bobowencode@gmail.com: https://hg.mozilla.org/integration/autoland/rev/33ac98b6c876 Limit win32k lockdown for content process to Win10 build 16299 or later. r=gcp

https://hg.mozilla.org/mozilla-central/rev/33ac98b6c876

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox99: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch

Comment on attachment 9264192 [details]
Bug 1755734: Limit win32k lockdown for content process to Win10 build 16299 or later. r=gcp!

Beta/Release Uplift Approval Request

  • User impact if declined: Required for win32k lockdown experiments.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very simple change to single test from win8+ to win10 build 16299+ for enabling win32k lockdown.
  • String changes made/needed: None
Attachment #9264192 - Flags: approval-mozilla-beta?

Comment on attachment 9264192 [details]
Bug 1755734: Limit win32k lockdown for content process to Win10 build 16299 or later. r=gcp!

Approved for 98 beta 6, thanks.

Attachment #9264192 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Verified that win32k lockdown for content processes is disabled in Fx 98.0b7 and Fx 99.0a1 when manually setting pref security.sandbox.content.win32k-disable = true on Windows 8.1 build 9600.
Unable to test on other pre 16299 builds, our test machines have Windows 8.1 9600 and Window 10 19043.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: