Consider enabling Windows' HeapEnableTerminationOnCorruption for browser and plugin-container

RESOLVED FIXED in Firefox 55

Status: RESOLVED FIXED (defect); reported 7 years ago, modified 2 years ago
People: Reporter: cpeterson; Assignee: Alex_Gaynor

Tracking: Blocks 1 bug; Version: Trunk; Target Milestone: mozilla55; Hardware: All; OS: Windows Vista; Points: ---

Firefox Tracking Flags: firefox55 fixed

Attachments: 1 attachment

Description (Reporter, 7 years ago)

Even though Firefox uses the jemalloc allocator, enabling HeapEnableTerminationOnCorruption for the default process heap could detect problems from system libraries or third-party plugins that use Microsoft's malloc() or HeapAlloc(). Win64 enables HeapEnableTerminationOnCorruption by default for 64-bit applications, but not for 32-bit applications.

The "Reversing on Windows" security blog demonstrates that Chrome and IE enable this mitigation feature on Windows, but Firefox does not:

http://reversingonwindows.blogspot.com/2012/05/test-for-termination-on-heap-corruption.html

WebKit enables HeapEnableTerminationOnCorruption here:

https://code.google.com/searchframe#OAMlx_jo-ck/src/third_party/WebKit/Source/WebKit2/WebProcess/WebKitMain.cpp&l=116

Firefox could enable HeapEnableTerminationOnCorruption for the browser and plugin-container processes here:

https://mxr.mozilla.org/mozilla-central/source/toolkit/xre/nsAppRunner.cpp#4038
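The description above amounts to a short recipe: one HeapSetInformation call opts the whole process into terminate-on-corruption, after which any heap error the Windows allocator can detect kills the process instead of being returned as an error. The program below is an added example (not Firefox code and not the patch attached to this bug) that shows both halves on a 32-bit build: run it plainly and a double free on the default process heap is merely reported as a failed HeapFree; run it with `--mitigate` and the same double free terminates the process with STATUS_HEAP_CORRUPTION. The `--mitigate` flag, the 64 KiB block sizes and the choice of a double free as the detectable error are this example's own assumptions; the Windows-specific parts compile only under `_WIN32`.

```c
/*
 * Added example, not Firefox code: enable Windows' terminate-on-heap-corruption
 * mitigation and trigger a detectable heap error to observe the difference.
 * Build as a 32-bit Windows binary (MSVC or MinGW); on 64-bit Windows the
 * mitigation is already on by default, so both runs terminate.
 */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#endif

/* NTSTATUS the process exits with when the heap manager terminates it. */
#define STATUS_HEAP_CORRUPTION_CODE 0xC0000374UL

/* Enable terminate-on-corruption for every heap in the process. The heap
 * handle is NULL because the setting is process-wide, not per-heap, and once
 * enabled it cannot be turned off again. Returns 1 on success, 0 if the call
 * failed or this is not a Windows build. */
int enable_terminate_on_heap_corruption(void)
{
#ifdef _WIN32
    return HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0) ? 1 : 0;
#else
    return 0; /* assumption: nothing to enable outside Windows */
#endif
}

/* True when an exit code read with GetExitCodeProcess (or $LASTEXITCODE,
 * sign-converted) is the status reported for a terminated-on-corruption process. */
int exit_code_is_heap_corruption(unsigned long exit_code)
{
    return exit_code == STATUS_HEAP_CORRUPTION_CODE;
}

#ifdef _WIN32
/* Free a block from the default process heap twice. The second HeapFree is an
 * error the allocator detects when it validates the block header: without the
 * mitigation the call fails and returns FALSE; with it, the process is
 * terminated before the call returns. The return value is the second call's
 * result; merely reaching the return shows the mitigation is off. */
BOOL double_free_on_process_heap(void)
{
    HANDLE heap = GetProcessHeap();
    /* 64 KiB is above the low-fragmentation heap's 16 KiB limit, so the block
     * lives on the back-end heap and the double free hits its header checks.
     * The guard block keeps the victim away from the end of the segment so
     * the freed memory is not simply decommitted. */
    void *victim = HeapAlloc(heap, 0, 64 * 1024);
    void *guard  = HeapAlloc(heap, 0, 64 * 1024);
    if (!victim || !guard)
        return FALSE;
    memset(victim, 0x41, 64 * 1024);   /* constructed filler, nothing secret */

    HeapFree(heap, 0, victim);                 /* legitimate free */
    BOOL second = HeapFree(heap, 0, victim);   /* double free: the detectable error */
    HeapFree(heap, 0, guard);
    return second;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    int mitigate = argc > 1 && strcmp(argv[1], "--mitigate") == 0;
    if (mitigate) {
        printf("HeapEnableTerminationOnCorruption: %s\n",
               enable_terminate_on_heap_corruption() ? "enabled" : "FAILED");
    }
    BOOL second = double_free_on_process_heap();
    /* Only printed when the process survived, i.e. the mitigation is off. */
    printf("survived the double free; second HeapFree returned %ld (GetLastError=%lu)\n",
           (long)second, GetLastError());
    return 0;
#else
    (void)argc; (void)argv;
    puts("not a Windows build: nothing to demonstrate");
    return 0;
#endif
}
```

Run it outside a debugger (attaching one switches ntdll to its debug heap behaviour and changes what you see). Without `--mitigate`, a 32-bit build prints the "survived" line; with `--mitigate`, nothing is printed and the exit code is 0xC0000374 (shown as -1073740940 in `$LASTEXITCODE`), which is exactly the outcome the bug asks Firefox's chrome process to get for heap errors made by system libraries or plugins using HeapAlloc.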
Comment 1 (Assignee, 2 years ago)

With the sandbox, this mitigation is actually enabled for content processes (all kinds), so this is really just applicable to the chrome process.
Updated (Assignee, 2 years ago)

Assignee: nobody → agaynor
Updated (Assignee, 2 years ago)

Attachment #8853397 - Flags: review?(tom)
Attachment #8853397 - Flags: review?(dkeeler)
Comment 3 (Assignee, 2 years ago)

Submitted a review attempting to implement this. I'm not familiar with this area of the code, so I attempted to place it at the location suggested originally.

Comment 4

This looks good to me, but I'm not familiar with Windows APIs in general. Redirecting to Matt for that. Also, I imagine you should get review from a toolkit/browser peer.
Attachment #8853397 - Flags: review?(dkeeler) → review?(mhowell)
Comment 5 (Assignee, 2 years ago)

Thanks for the redirect! (For context, I'd r?'d you since you were the triage owner, which in my head seemed relevant :-))

Comment 6 (2 years ago, mozreview-review)

Comment on attachment 8853397 [details]
Bug 805173 - Enable HeapEnableTerminationOnCorruption for chrome processes on Windows.

https://reviewboard.mozilla.org/r/125508/#review128180
Attachment #8853397 - Flags: review?(tom) → review+

Comment 7 (2 years ago)

I'm not sure my review counts for much but LGTM.

Comment 8 (2 years ago, mozreview-review)

Comment on attachment 8853397 [details]
Bug 805173 - Enable HeapEnableTerminationOnCorruption for chrome processes on Windows.

https://reviewboard.mozilla.org/r/125508/#review128202

r+ with comments.

::: toolkit/xre/nsAppRunner.cpp:3718
(Diff revision 1)
>    }
>  #endif /* DEBUG */
>  
> +#if defined(XP_WIN)
> +  // Enable the HeapEnableTerminationOnCorruption exploit mitigation. We ignore
> +  // the return code because this function always succeeds on recent Windows,
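Review bot: the added comment claims HeapSetInformation "always succeeds on recent Windows", which the documentation does not guarantee; if the return value is being dropped, state the real reason instead, e.g. `// The return value is ignored: if the call fails there is nothing useful to do about it.` It would also help a later reader to say that the setting is process-wide (it covers every heap in the process, not only the default heap), which is why a NULL heap handle is the right argument.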

I don't see a guarantee that this function always succeeds, but there's no useful handling we can do if it fails, so oh well.

::: toolkit/xre/nsAppRunner.cpp:3719
(Diff revision 1)
>  #endif /* DEBUG */
>  
> +#if defined(XP_WIN)
> +  // Enable the HeapEnableTerminationOnCorruption exploit mitigation. We ignore
> +  // the return code because this function always succeeds on recent Windows,
> +  // and always fails on Windows older than XP SP3.
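Review bot: the clause "and always fails on Windows older than XP SP3" is wrong in the direction that matters: on those versions the call is documented to return success and simply have no effect, so a failing return cannot be read as an "old Windows" signal. Replace it with "and has no effect on Windows older than XP SP3". Since 64-bit processes already get this behaviour by default (as the bug description notes), the comment could also say that the call is what matters for 32-bit builds.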

MSDN documents that the function returns success (but has no effect) even on < XP SP3. We're not really interested in the behavior of < XP SP3, but I don't want the comment to be misleading.
Attachment #8853397 - Flags: review?(mhowell) → review+
Updated (Assignee, 2 years ago)

Keywords: checkin-needed

Comment 11 (2 years ago)

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/50413067c552
Enable HeapEnableTerminationOnCorruption for chrome processes on Windows. r=mhowell,tjr
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/50413067c552
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55