Closed Bug 1839463 Opened 11 months ago Closed 11 months ago

Update TargetNtSetInformationThread to match chromium and hook NtImpersonateAnonymousToken to block before LowerToken

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

All
Windows
enhancement

Tracking

RESOLVED FIXED
117 Branch
Tracking Status
firefox117 --- fixed

People

(Reporter: bobowen, Assigned: bobowen)

References

Details

Attachments

(2 files)

We have an older version of the chromium process sandbox code for the NtSetInformationThread hook TargetNtSetInformationThread.

There is some suspicion that this older version might be causing us to have an incorrect impersonation token in some circumstances, which might be causing bug 1825290.

We have this older version because we use non-restricted tokens when we are running from a network drive, because they automatically block access and our DLLs fail to load.

This means that during CoInitializeSecurity a call to NtImpersonateAnonymousToken is not blocked like it is for restricted tokens, and without the older TargetNtSetInformationThread code we block the call that sets our impersonation token back on the main thread.
This is all a bit fortunate, because the RevertToSelf call that is supposed to revert the anonymous logon token in CoInitializeSecurity fails, and it is only because there is a later call to resume the impersonation further up the stack that saves us.

A better solution would be to block NtImpersonateAnonymousToken before LowerToken is called, in the same way that it is with a restricted token.
We can then have the latest version of TargetNtSetInformationThread, which blocks all impersonation token sets.

This also reverts the change to TargetNtSetInformationThread.
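The following is an added model of the interaction described in the bug, not code from the Firefox or Chromium sandbox. It stands in for the two interceptors with plain functions over a small state struct: `hook_set_impersonation_token` models the ThreadImpersonationToken branch of TargetNtSetInformationThread (the older variant swallows only reverts, the current one swallows every set before LowerToken), and `hook_impersonate_anonymous` models the new TargetNtImpersonateAnonymousToken hook that denies the call before LowerToken. `RevertedToSelf`-style state, the token values and the function names are constructed for the example. `run_startup_sequence` replays the CoInitializeSecurity sequence from the description (impersonate anonymous, RevertToSelf, resume impersonation further up the stack) and returns the token left on the main thread, which shows why the newer TargetNtSetInformationThread alone leaves the anonymous token in place and why hooking NtImpersonateAnonymousToken fixes that.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed token values standing in for Windows token handles. */
typedef enum {
    TOKEN_NONE = 0,      /* no impersonation: thread runs on the process primary token */
    TOKEN_INITIAL = 1,   /* the unrestricted initial token impersonated during startup */
    TOKEN_ANONYMOUS = 2  /* the anonymous logon token set by NtImpersonateAnonymousToken */
} token_t;

/* Stand-ins for the NTSTATUS codes the hooks return. */
#define STATUS_SUCCESS       0
#define STATUS_ACCESS_DENIED 1

typedef struct {
    token_t thread_token;  /* current impersonation token on the main thread */
    bool reverted_to_self; /* true once LowerToken has run (models RevertedToSelf()) */
    bool block_all_sets;   /* false: older hook (blocks only reverts); true: current hook */
    bool hook_anonymous;   /* whether NtImpersonateAnonymousToken is hooked at all */
} sandbox_state_t;

/* The underlying syscalls, modelled as direct state changes. */
static int orig_set_impersonation_token(sandbox_state_t *s, token_t token) {
    s->thread_token = token;
    return STATUS_SUCCESS;
}

static int orig_impersonate_anonymous(sandbox_state_t *s) {
    s->thread_token = TOKEN_ANONYMOUS;
    return STATUS_SUCCESS;
}

/* Model of TargetNtSetInformationThread for ThreadImpersonationToken.
   Before LowerToken the older hook swallowed only reverts (a null token);
   the current hook swallows every impersonation token set. Both report
   success so the caller does not see an error. After LowerToken the
   call passes straight through. */
static int hook_set_impersonation_token(sandbox_state_t *s, token_t token) {
    if (!s->reverted_to_self && (token == TOKEN_NONE || s->block_all_sets))
        return STATUS_SUCCESS;
    return orig_set_impersonation_token(s, token);
}

/* Model of TargetNtImpersonateAnonymousToken: deny before LowerToken so the
   anonymous token never lands on the thread while it should hold the
   initial token; pass through afterwards. */
static int hook_impersonate_anonymous(sandbox_state_t *s) {
    if (s->hook_anonymous && !s->reverted_to_self)
        return STATUS_ACCESS_DENIED;
    return orig_impersonate_anonymous(s);
}

/* Replays the CoInitializeSecurity sequence from the bug, run before
   LowerToken: impersonate the anonymous token, RevertToSelf, then resume
   impersonation of the initial token from further up the stack.
   Returns the token left on the main thread. */
token_t run_startup_sequence(bool block_all_sets, bool hook_anonymous) {
    sandbox_state_t s = { TOKEN_INITIAL, false, block_all_sets, hook_anonymous };
    hook_impersonate_anonymous(&s);                  /* inside CoInitializeSecurity */
    hook_set_impersonation_token(&s, TOKEN_NONE);    /* RevertToSelf */
    hook_set_impersonation_token(&s, TOKEN_INITIAL); /* resume impersonation */
    return s.thread_token;
}

static const char *token_name(token_t t) {
    return t == TOKEN_NONE ? "none" : t == TOKEN_INITIAL ? "initial" : "anonymous";
}

int main(void) {
    printf("older hook, no anon hook:   %s\n", token_name(run_startup_sequence(false, false)));
    printf("current hook, no anon hook: %s\n", token_name(run_startup_sequence(true, false)));
    printf("current hook + anon hook:   %s\n", token_name(run_startup_sequence(true, true)));
    return 0;
}
```

The first case is the situation the bug describes as fortunate: the revert is swallowed, but the later non-null set is allowed and restores the initial token. The second case is the suspected failure mode: with every set blocked, the thread is stuck on the anonymous token. The third case is the fix landed here: the anonymous impersonation is denied up front, so the thread keeps the initial token regardless of what the later sets do.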

Pushed by bobowencode@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/429ad02d111c
p1: Hook NtImpersonateAnonymousToken to block before LowerToken. r=handyman
https://hg.mozilla.org/integration/autoland/rev/3afcc1296ba1
p2: Add TargetNtImpersonateAnonymousToken and remove TargetNtSetInformationThread patch. r=handyman
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 117 Branch