Closed Bug 1701788 Opened 4 years ago Closed 4 years ago

Win32k Lockdown - Don't call DPI-related APIs in content process

Categories: Core :: Security: Process Sandboxing, defect, P2
Hardware: All; OS: Windows; Type: defect

Tracking
Status: RESOLVED FIXED
Tracking Status: firefox91 --- fixed

People

(Reporter: cmartin, Assigned: cmartin)

Details

WinUtils::Initialize has quite a few DPI-related Win32k calls in it. It's loaded from XUL's DllMain().

Assignee: nobody → cmartin
Status: NEW → ASSIGNED

Call stack:

win32u!NtUserGetThreadState
USER32!GetThreadDpiAwarenessContext+0x20918
xul!mozilla::widget::WinUtils::Initialize+0x127 [c:\moz\mozilla-central\widget\windows\WinUtils.cpp @ 444]
xul!DllMain+0x12 [c:\moz\mozilla-central\toolkit\library\nsDllMain.cpp @ 19]
xul!dllmain_dispatch+0x8f [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp @ 200]
ntdll!LdrpCallInitRoutine+0x61
ntdll!LdrpInitializeNode+0x1d3
ntdll!LdrpInitializeGraphRecurse+0x42
ntdll!LdrpPrepareModuleForExecution+0xbf
ntdll!LdrpLoadDllInternal+0x19a
ntdll!LdrpLoadDll+0xa8
ntdll!LdrLoadDll+0xe4
firefox!mozilla::interceptor::FuncHookCrossProcess<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyUnique<mozilla::interceptor::MMPolicyOutOfProcess> >,long (*)(wchar_t *, unsigned long *, _UNICODE_STRING *, void **)>::operator()+0x19 [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\dist\include\nsWindowsDllInterceptor.h @ 254]
firefox!mozilla::freestanding::patched_LdrLoadDll+0x50 [c:\moz\mozilla-central\browser\app\winlauncher\freestanding\DllBlocklist.cpp @ 356]
KERNELBASE!LoadLibraryExW+0x162
firefox!GetLibHandle+0x11 [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 49]
firefox!ReadDependentCB+0x1b [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 148]
firefox!ReadDependentCB+0x48 [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 160]
firefox!XPCOMGlueLoad+0x32a [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 326]
firefox!mozilla::GetBootstrap+0x3ad [c:\moz\mozilla-central\xpcom\glue\standalone\nsXPCOMGlue.cpp @ 409]
firefox!InitXPCOMGlue+0xd6 [c:\moz\mozilla-central\browser\app\nsBrowserApp.cpp @ 236]
firefox!NS_internal_main+0x27b [c:\moz\mozilla-central\browser\app\nsBrowserApp.cpp @ 305]
firefox!wmain+0x1fe [c:\moz\mozilla-central\toolkit\xre\nsWindowsWMain.cpp @ 131]
firefox!invoke_main+0x22 [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90]
firefox!__scrt_common_main_seh+0x10c [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Severity: -- → S4
Priority: -- → P2

Looks like this was fixed as part of bug 1701770.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Depends on: 1701770
Resolution: --- → FIXED