Closed Bug 1314183 Opened 9 years ago Closed 9 years ago

TestDllInterceptor crash relocating an IP-relative instruction

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86_64
Windows 10
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox51 --- unaffected
firefox52 --- fixed

People

(Reporter: away, Unassigned)

References

Details

(Keywords: crash)

Attachments

(1 file)

Bug 1314183: Ensure that nsWindowsDllInterceptor does not accept RIP-relative displacements on amd64;
58 bytes, text/x-review-board-request
away
: review+
Details
With Win64 ASan, TestDllInterceptor!rotatePayload contains this instruction: 00007ff7`bb52100a 488b05ff7a0000 mov rax,qword ptr [TestDllInterceptor!__asan_shadow_memory_dynamic_address (00007ff7`bb528b10)] The address of __asan_shadow_memory_dynamic_address is given as IP-relative. CreateTrampoline and CountModRmSib accept this instruction and relocate it, without fixup, leading to a crash. Since there's no code in CreateTrampoline that does fixup on anything but jumps, is there any reason why CountModRmSib should accept IP-relative instructions?
Flags: needinfo?(aklotz)
(Just to be clear, I'd be totally fine with CreateTrampoline simply rejecting this sequence; I can deal with the test failure. I don't think we need to properly relocate this instruction unless "real" code needs it.)
Blocks: support-win64
status-firefox51: --- → unaffected
status-firefox52: --- → affected
Keywords: crash
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Good catch. Patch forthcoming, I'm testing it right now.
Flags: needinfo?(aklotz)
Comment on attachment 8806534 [details] Bug 1314183: Ensure that nsWindowsDllInterceptor does not accept RIP-relative displacements on amd64; https://reviewboard.mozilla.org/r/89928/#review89440 ::: xpcom/build/nsWindowsDllInterceptor.h:520 (Diff revision 1) > case kModNoRegDisp: > - if ((*aModRm & kMaskRm) == kRmNoRegDispDisp32 || > - ((*aModRm & kMaskRm) == kRmNeedSib && > + if ((*aModRm & kMaskRm) == kRmNoRegDispDisp32) { > +#if defined(_M_X64) > + // RIP-relative on amd64, currently unsupported > + return -1; > +#else It would be good to mention that the x86 equivalent is ok because it uses an absolute address.
Attachment #8806534 - Flags: review?(dmajor) → review+
Pushed by aklotz@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e7e0a189b16a Ensure that nsWindowsDllInterceptor does not accept RIP-relative displacements on amd64; r=dmajor
https://hg.mozilla.org/mozilla-central/rev/e7e0a189b16a
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox52: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: