Closed Bug 1701791 Opened 5 years ago Closed 4 years ago

Invalid Win32k use in content process [xul!mozilla::image::IOThreadIniter::Run]

Categories

(Core :: Security: Process Sandboxing, defect, P2)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
90 Branch
Tracking Flags:
Tracking Status
firefox90 --- fixed

People

(Reporter: cmartin, Assigned: bobowen)

References

Details

Attachments

(2 files)

Bug 1701791 p1: Don't enable win32k lockdown for the file content process. r=handyman!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1701791 p2: Don't initialize COM on the image IO thread when win32k is locked down. r=gijs!
48 bytes, text/x-phabricator-request
Details | Review

COM is initialized here

Call stack:

win32u!NtUserGetThreadState
USER32!LoadIcoCur+0x1db
USER32!RegisterIMEClass+0x9f
USER32!VerNtUserCreateWindowEx+0x26f
USER32!CreateWindowInternal+0x1a4
USER32!CreateWindowExW+0x82
combase!InitMainThreadWnd+0x57 [onecore\com\combase\objact\mainthrd.cxx @ 148]
combase!ThreadFirstInitialize+0x213 [onecore\com\combase\class\compobj.cxx @ 3460]
combase!_CoInitializeEx+0x1d0 [onecore\com\combase\class\compobj.cxx @ 3745]
combase!CoInitializeEx+0x58 [onecore\com\combase\class\compobj.cxx @ 3835]
xul!mozilla::image::IOThreadIniter::Run+0xc [c:\moz\mozilla-central\image\DecodePool.cpp @ 82]
xul!nsThread::ProcessNextEvent+0x964 [c:\moz\mozilla-central\xpcom\threads\nsThread.cpp @ 1149]
xul!NS_ProcessNextEvent+0x65 [c:\moz\mozilla-central\xpcom\threads\nsThreadUtils.cpp @ 548]
xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xb6 [c:\moz\mozilla-central\ipc\glue\MessagePump.cpp @ 303]
xul!MessageLoop::RunInternal+0x16 [c:\moz\mozilla-central\ipc\chromium\src\base\message_loop.cc @ 335]
xul!MessageLoop::RunHandler+0x50 [c:\moz\mozilla-central\ipc\chromium\src\base\message_loop.cc @ 329]
xul!MessageLoop::Run+0x58 [c:\moz\mozilla-central\ipc\chromium\src\base\message_loop.cc @ 311]
xul!nsThread::ThreadFunc+0xed [c:\moz\mozilla-central\xpcom\threads\nsThread.cpp @ 393]
nss3!_PR_NativeRunThread+0x147 [c:\moz\mozilla-central\nsprpub\pr\src\threads\combined\pruthr.c @ 421]
nss3!pr_root+0x11 [c:\moz\mozilla-central\nsprpub\pr\src\md\windows\w95thred.c @ 140]
ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x42
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Assignee: nobody → cmartin
Status: NEW → ASSIGNED
Severity: -- → S4
Priority: -- → P2
Assignee: cmartin → bobowencode

Win32k is required for moz-icon in the file content process and we don't want to
block enabling for web content processes on this and other uses that may only be
in the file content process.

COM is required for calls to SHGetFileInfo for moz-icon, but we only currently
require that for the file content process. We may want to use it in the future
for the privileged about content process, in which case we will have to forgo
win32k lockdown there unless moz-icon is remoted.

Depends on D112960

Pushed by bobowencode@gmail.com: https://hg.mozilla.org/integration/autoland/rev/f62e0e4073bd p1: Don't enable win32k lockdown for the file content process. r=handyman https://hg.mozilla.org/integration/autoland/rev/fb5037e7bf9b p2: Don't initialize COM on the image IO thread when win32k is locked down. r=tnikkel

https://hg.mozilla.org/mozilla-central/rev/f62e0e4073bd
https://hg.mozilla.org/mozilla-central/rev/fb5037e7bf9b

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox90: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: