# HG changeset patch # User Greg Stoll # Date 1679671320 0 # Node ID 003b682fc8cd9836a32dbdd9a9e5061937b07b9f # Parent 6d97efe0c291bc2cd2a192a732ec5e3389626653 Bug 1818762 - update our implementation of IsValidImageSection r=yjuglaret Differential Revision: https://phabricator.services.mozilla.com/D173328 diff --git a/sandbox/win/src/sandbox_nt_util.cc b/sandbox/win/src/sandbox_nt_util.cc --- a/sandbox/win/src/sandbox_nt_util.cc +++ b/sandbox/win/src/sandbox_nt_util.cc @@ -399,16 +399,31 @@ bool IsValidImageSection(HANDLE section, VERIFY_SUCCESS(g_nt.Close(query_section)); if (!NT_SUCCESS(ret) || sizeof(basic_info) != bytes_returned) return false; if (!(basic_info.Attributes & SEC_IMAGE)) return false; + // Windows 10 2009+ may open PEs as SEC_IMAGE_NO_EXECUTE in non-dll-loading + // paths which looks identical to dll-loading unless we check if the section + // handle has execute rights. + // Avoid memset inserted by -ftrivial-auto-var-init=pattern. + STACK_UNINITIALIZED OBJECT_BASIC_INFORMATION obj_info; + ULONG obj_size_returned; + ret = g_nt.QueryObject(section, ObjectBasicInformation, &obj_info, + sizeof(obj_info), &obj_size_returned); + + if (!NT_SUCCESS(ret) || sizeof(obj_info) != obj_size_returned) + return false; + + if (!(obj_info.GrantedAccess & SECTION_MAP_EXECUTE)) + return false; + return true; } UNICODE_STRING* AnsiToUnicode(const char* string) { ANSI_STRING ansi_string; ansi_string.Length = static_cast(g_nt.strlen(string)); ansi_string.MaximumLength = ansi_string.Length + 1; ansi_string.Buffer = const_cast(string);