Closed Bug 1820535 Opened 3 years ago Closed 3 years ago

CIG DCHECK failure on MSIX utility sandbox policy setup

Categories

(Core :: Security: Process Sandboxing, defect, P1)

All
Windows
defect

Tracking

()

RESOLVED FIXED
112 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- unaffected
firefox111 --- wontfix
firefox112 --- fixed

People

(Reporter: bobowen, Assigned: bobowen)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(1 file)

No description provided.

Set release status flags based on info from the regressing bug 1704500

This moves the configuration into a separate function to simplify the main
policy settings functions and ensure that mitigations and policy rules are set
in the correct order.

Pushed by bobowencode@gmail.com: https://hg.mozilla.org/integration/autoland/rev/b4d727abf8e6 Refactor CIG sandbox policy set up. r=handyman

Backed out for causing Gtest assertions and crashes.

[task 2023-03-07T11:38:51.941Z] 11:38:51     INFO -  TEST-START | TestCookie.TestCookieMain
[task 2023-03-07T11:38:52.050Z] 11:38:52     INFO -  [Parent 7264, Main Thread] WARNING: Couldn't get the user appdata directory, crash dumps will go in an unusual location: file /builds/worker/checkouts/gecko/toolkit/crashreporter/nsExceptionHandler.cpp:2966
[task 2023-03-07T11:38:52.171Z] 11:38:52     INFO -  Assertion failure: get() (dereferencing a UniquePtr containing nullptr with ->), at /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:280
[task 2023-03-07T11:38:52.417Z] 11:38:52     INFO -  Initializing stack-fixing for the first stack frame, this may take a while...
[task 2023-03-07T11:39:27.333Z] 11:39:27     INFO -  #01: mozilla::AllowProxyLoadFromBinDir(sandbox::TargetPolicy*) [security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp:479]
[task 2023-03-07T11:39:27.346Z] 11:39:27     INFO -  #02: mozilla::AddCigToPolicy(sandbox::TargetPolicy*, bool) [security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp:518]
[task 2023-03-07T11:39:27.346Z] 11:39:27     INFO -  #03: mozilla::SandboxBroker::SetSecurityLevelForSocketProcess() [security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp:1198]
[task 2023-03-07T11:39:27.346Z] 11:39:27     INFO -  #04: mozilla::ipc::WindowsProcessLauncher::DoSetup() [ipc/glue/GeckoChildProcessHost.cpp:1494]
[task 2023-03-07T11:39:27.347Z] 11:39:27     INFO -  #05: mozilla::ipc::BaseProcessLauncher::PerformAsyncLaunch() [ipc/glue/GeckoChildProcessHost.cpp:1052]
[task 2023-03-07T11:39:27.347Z] 11:39:27     INFO -  #06: mozilla::detail::ProxyRunnable<mozilla::MozPromise<mozilla::ipc::LaunchResults,mozilla::ipc::LaunchError,1>,RefPtr<mozilla::MozPromise<mozilla::ipc::LaunchResults,mozilla::ipc::LaunchError,1> > (mozilla::ipc::BaseProcessLauncher::*)(),mozilla::ipc::BaseProcessLauncher>::Run() [xpcom/threads/MozPromise.h:1568]
[task 2023-03-07T11:39:27.347Z] 11:39:27     INFO -  #07: mozilla::TaskQueue::Runner::Run() [xpcom/threads/TaskQueue.cpp:266]
[task 2023-03-07T11:39:27.348Z] 11:39:27     INFO -  #08: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:1234]
[task 2023-03-07T11:39:27.348Z] 11:39:27     INFO -  #09: NS_ProcessNextEvent(nsIThread*, bool) [xpcom/threads/nsThreadUtils.cpp:477]
[task 2023-03-07T11:39:27.348Z] 11:39:27     INFO -  #10: mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:330]
[task 2023-03-07T11:39:27.348Z] 11:39:27     INFO -  #11: MessageLoop::RunHandler() [ipc/chromium/src/base/message_loop.cc:375]
[task 2023-03-07T11:39:27.348Z] 11:39:27     INFO -  #12: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:357]
[task 2023-03-07T11:39:27.348Z] 11:39:27     INFO -  #13: nsThread::ThreadFunc(void*) [xpcom/threads/nsThread.cpp:393]
[task 2023-03-07T11:39:27.594Z] 11:39:27     INFO -  #14: _PR_NativeRunThread(void*) [nsprpub/pr/src/threads/combined/pruthr.c:408]
[task 2023-03-07T11:39:27.609Z] 11:39:27     INFO -  #15: pr_root(void*) [nsprpub/pr/src/md/windows/w95thred.c:140]
[task 2023-03-07T11:39:27.621Z] 11:39:27     INFO -  fix-stacks: error: failed to read debug info file `ucrtbase.pdb` for `C:\Windows\System32\ucrtbase.dll`
[task 2023-03-07T11:39:27.623Z] 11:39:27     INFO -  fix-stacks: note: this is expected and harmless for all PDB files on opt automation runs
[task 2023-03-07T11:39:27.623Z] 11:39:27     INFO -  fix-stacks: The system cannot find the file specified. (os error 2)
[task 2023-03-07T11:39:27.624Z] 11:39:27     INFO -  #16: configthreadlocale [C:\Windows\System32\ucrtbase.dll + 0x21bb2]
[task 2023-03-07T11:39:27.626Z] 11:39:27     INFO -  fix-stacks: error: failed to read debug info file `wkernel32.pdb` for `C:\Windows\System32\KERNEL32.DLL`
[task 2023-03-07T11:39:27.626Z] 11:39:27     INFO -  fix-stacks: note: this is expected and harmless for all PDB files on opt automation runs
[task 2023-03-07T11:39:27.626Z] 11:39:27     INFO -  fix-stacks: The system cannot find the file specified. (os error 2)
[task 2023-03-07T11:39:27.627Z] 11:39:27     INFO -  #17: BaseThreadInitThunk [C:\Windows\System32\KERNEL32.DLL + 0x17034]
[task 2023-03-07T11:39:27.771Z] 11:39:27     INFO -  #18: patched_BaseThreadInitThunk(int, void*, void*) [toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:592]
[task 2023-03-07T11:39:27.784Z] 11:39:27     INFO -  fix-stacks: error: failed to read debug info file `wntdll.pdb` for `C:\Windows\SYSTEM32\ntdll.dll`
[task 2023-03-07T11:39:27.790Z] 11:39:27     INFO -  fix-stacks: note: this is expected and harmless for all PDB files on opt automation runs
[task 2023-03-07T11:39:27.790Z] 11:39:27     INFO -  fix-stacks: The system cannot find the file specified. (os error 2)
[task 2023-03-07T11:39:27.790Z] 11:39:27     INFO -  #19: RtlUserThreadStart [C:\Windows\SYSTEM32\ntdll.dll + 0x52651]
[task 2023-03-07T11:39:27.790Z] 11:39:27     INFO -  gtest INFO | gtest | process wait complete, returncode=1
Flags: needinfo?(bobowencode)

Seems like there are still tests where GeckoDependentInitialize hasn't been called when it should have been.
I think we should fix that, but I don't want to delay this fix, so I've reverted that part of the change as it not required to fix this:
https://treeherder.mozilla.org/jobs?repo=try&revision=8e2b219bbce4b59e73fd6f5f4db926145473b8eb

Flags: needinfo?(bobowencode)
Component: Widget: Win32 → Security: Process Sandboxing
Pushed by bobowencode@gmail.com: https://hg.mozilla.org/integration/autoland/rev/eb60b87c6876 Refactor CIG sandbox policy set up. r=handyman
Blocks: 1821081
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: