XPCOM component loading is rejected because of either advapi32 or shlwapi in Windows XP dont have ASLR set

RESOLVED FIXED in Firefox 13

Status

()

Core
Security
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: moz, Assigned: khuey)

Tracking

13 Branch
mozilla15
x86
Windows XP
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox12 unaffected, firefox13+ verified, firefox14+ fixed, firefox15 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [qa-])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0
Build ID: 20120425123149

Steps to reproduce:

Loading an XPCOM component importing advapi32.dll and shlwapi.dll under Windows XP
On Nightly 13.0 2012-05-02-mozilla-beta
Does not happen with 12.0 release


Actual results:

Firefox refuses to load the XPCOM component even with ASLR enabled (/dynamicbase)
Only on Windows XP SP3, same works fine on Win 7 (said dlls dont have ASLR enabled in WinXP)

LdrLoadDll: Blocking load of 'advapi32.dll'.  XPCOM components must support ASLR.
or
LdrLoadDll: Blocking load of 'shlwapi.dll'.  XPCOM components must support ASLR.

DllMain() of the XPCOM component is never called


Expected results:

The component should be loaded. Can't do anything about the windows DLLs
(Reporter)

Updated

5 years ago
OS: Windows 7 → Windows XP
Hardware: x86_64 → x86
Component: Untriaged → Security
Product: Firefox → Core
QA Contact: untriaged → toolkit
OMG!!!

perhaps we should disable this check on XP?  Can someone from QA please verify which versions of XP (SP2 and above, x86 and x64) has ASLR enabled on the system DLLs?
Keywords: qawanted
To the uninitiated, how does one check if ASLR is enabled on system DLLs?
Adding dependency bug 728429.
Blocks: 728429

Comment 4

5 years ago
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #2)
> To the uninitiated, how does one check if ASLR is enabled on system DLLs?

If you have dumpbin (comes with Visual Studio and possible Debugging Tools for Windows) or a similar tool, you can check the PE headers of a DLL (with dumpbin it's dumpbin /HEADERS <dll>) the DYNAMICBASE flag is the one that opts in a DLL to ASLR
Process Explorer is the easiest way for someone without a debugging environment.

http://blog.didierstevens.com/2011/01/18/quickpost-checking-aslr/

Comment 6

5 years ago
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #5)
> Process Explorer is the easiest way for someone without a debugging
> environment.
> 
> http://blog.didierstevens.com/2011/01/18/quickpost-checking-aslr/

oh awesome - thanks Kyle. I was just looking at Process Explorer and found I could see if ASLR was enabled for a process but not for DLLs - i wouldn't have thought of adding the ASLR column !
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #5)
> Process Explorer is the easiest way for someone without a debugging
> environment.
> 
> http://blog.didierstevens.com/2011/01/18/quickpost-checking-aslr/

I can't seem to enable the ASLR column, it's greyed out.

http://i49.tinypic.com/lv9c1.png

Comment 8

5 years ago
You could also use CFF Explorer from http://www.ntcore.com/exsuite.php 
Under "Optional Header" click on "Click here" of the "DllCharacteristics" entry and see whether "DLL can move" is checked.
status-firefox13: --- → affected
tracking-firefox13: --- → ?
Created attachment 621690 [details] [diff] [review]
Patch

ZeroMemory is a macro, and GetVersionEx is in kernel32, so this is safe to do in LdrLoadDll.
Assignee: nobody → khuey
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #621690 - Flags: review?(benjamin)
Comment on attachment 621690 [details] [diff] [review]
Patch

Ehsan should approve this also.
Attachment #621690 - Flags: review?(ehsan)
Attachment #621690 - Flags: review?(benjamin)
Attachment #621690 - Flags: review+
Attachment #621690 - Flags: review?(ehsan) → review+
Comment on attachment 621690 [details] [diff] [review]
Patch

Let's sneak this into b3 so that addon devs can test properly.
Attachment #621690 - Flags: approval-mozilla-beta?
Attachment #621690 - Flags: approval-mozilla-aurora?
http://hg.mozilla.org/mozilla-central/rev/c24b721ca5c9
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-firefox12: --- → unaffected
status-firefox14: --- → affected
status-firefox15: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
tracking-firefox13: ? → +
tracking-firefox14: --- → +
Kyle had to land a couple follow-ups to fix xpcshell orange.
https://hg.mozilla.org/mozilla-central/rev/3e3e37d05c59
https://hg.mozilla.org/mozilla-central/rev/4ea766f922ab
Flags: in-testsuite+
Comment on attachment 621690 [details] [diff] [review]
Patch

Approval for landing, let's get this in today for beta 3 go to build
Attachment #621690 - Flags: approval-mozilla-beta?
Attachment #621690 - Flags: approval-mozilla-beta+
Attachment #621690 - Flags: approval-mozilla-aurora?
Attachment #621690 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/3005a05986d9
https://hg.mozilla.org/releases/mozilla-beta/rev/aa323b98df36
status-firefox-esr10: --- → unaffected
status-firefox13: affected → fixed
status-firefox14: affected → fixed
(In reply to [Baboo] from comment #8)
> You could also use CFF Explorer from http://www.ntcore.com/exsuite.php 
> Under "Optional Header" click on "Click here" of the "DllCharacteristics"
> entry and see whether "DLL can move" is checked.

firefox.exe for Firefox 13.0b2 is "DLL can move" CHECKED
shlwapi.dll is "DLL can move" UNCHECKED

Is this correct? Should I be looking for something else?
Whiteboard: [qa+]

Updated

5 years ago
Assignee: khuey → nobody

Updated

5 years ago
Assignee: nobody → khuey
Removing qawanted as this now falls into our regular verification work. Can someone please respond to comment 16 and clarify the testcase for our contractors verifying this fix?

Thanks
Keywords: qawanted
In order to verify, we would need a XPCOM component which would load the 2 system files (as in comment 0).
(In reply to Virgil Dicu [:virgil] [QA] from comment #18)
> In order to verify, we would need a XPCOM component which would load the 2
> system files (as in comment 0).

Do we know of any add-ons which do this?
I don't know of any cases, and I think the Add-ons MXR wouldn't help for this.

Comment 21

5 years ago
in a Windows build, there's objdir-dbg\_tests\xpcshell\xpcom\tests\unit\testcomponent.dll - testcomponent.manifest is in the same dir - but this doesn't use those libraries - it could be modified to load them perhaps ?
Can the reporter of this bug please help out with the verification? Assuming you can reproduce this bug since you filed it. I think this is beyond what QA can verify in time for release.

Thanks a lot.
Whiteboard: [qa+] → [qa-]
(Reporter)

Comment 23

5 years ago
Works with Firefox 13b6 (XP SP3, Win7 SP1). Thanks guys.
status-firefox13: fixed → verified
You need to log in before you can comment on or make changes to this bug.