From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 02:47:55 +0200
Subject: Adding upstream version 124.0.1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 toolkit/xre/detect_win32k_conflicts/src/detect.rs | 165 ++++++++++++++++++++++
 1 file changed, 165 insertions(+)
 create mode 100644 toolkit/xre/detect_win32k_conflicts/src/detect.rs

(limited to 'toolkit/xre/detect_win32k_conflicts/src/detect.rs')

diff --git a/toolkit/xre/detect_win32k_conflicts/src/detect.rs b/toolkit/xre/detect_win32k_conflicts/src/detect.rs
new file mode 100644
index 0000000000..e21c80e157
--- /dev/null
+++ b/toolkit/xre/detect_win32k_conflicts/src/detect.rs
@@ -0,0 +1,165 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+//! This module contains the actual functions that explore the registry for the status
+//! of the conflicting mitigations.
+
+use super::error::DetectConflictError;
+use super::registry::{RegKey, RegValue};
+
+use std::ffi::OsStr;
+
+/// Subkey that the Windows Exploit Protection status is located in
+const EXPLOIT_PROTECTION_SUBKEY: &str =
+    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options";
+
+/// Name of the value within that subkey that contains the exploit protection status
+const MITIGATION_VALUE_NAME: &str = "MitigationOptions";
+
+/// The bit number within the value with the StackPivot status
+const STACK_PIVOT_BIT: usize = 80;
+
+/// The bit number within the value with the CallerCheck status
+const CALLER_CHECK_BIT: usize = 84;
+
+/// The bit number within the value with the SimExec status
+const SIM_EXEC_BIT: usize = 88;
+
+/// Printable, FFI-safe structure containing the status of the conflicting mitigations
+#[repr(C)]
+#[derive(Clone, Copy, Debug, Default, PartialEq)]
+pub struct ConflictingMitigationStatus {
+    /// The status of the CallerCheck feature. 0 = disabled, 1 = enabled
+    caller_check: bool,
+    /// The status of the SimExec feature. 0 = disabled, 1 = enabled
+    sim_exec: bool,
+    /// The status of the StackPivot feature. 0 = disabled, 1 = enabled
+    stack_pivot: bool,
+}
+
+impl std::fmt::Display for ConflictingMitigationStatus {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> {
+        use std::fmt::Write;
+        write_status(f, "CallerCheck", self.caller_check)?;
+        f.write_char(' ')?;
+        write_status(f, "SimExec", self.sim_exec)?;
+        f.write_char(' ')?;
+        write_status(f, "StackPivot", self.stack_pivot)
+    }
+}
+
+/// Search the registry for win32k-conflicting mitigations for the given process
+///
+/// `process_name` is the name of the process that will be checked for conflicting mitigations
+/// It uses the same case-insensitive algorithm that the Windows Registry uses itself to detect
+/// whether a process needs mitigations or not
+///
+/// (This will usually be `firefox.exe`)
+///
+/// # Caveat
+///
+/// Windows allows an arbitrary number of "filters", which are subkeys of the main key
+/// that also have a `MitigationOptions` value. They are used to allow filtering by path.
+///
+/// For simplicity, we "flatten" the path filters when we figure this out, and so the
+/// returned value will be the logical "OR" of all mitigations enabled with any filter
+///
+/// So if there are two entries for "C:\Firefox\firefox.exe" with mitigations `A` and `B` enabled
+/// and another entry for "C:\Program Files\Mozilla Firefox\firefox.exe" with mitigation `C`
+/// enabled, we will return that `A`, `B`, and `C` are all enabled
+pub fn get_conflicting_mitigations(
+    process_name: impl AsRef<OsStr>,
+) -> Result<ConflictingMitigationStatus, DetectConflictError> {
+    let process_name = process_name.as_ref();
+
+    let key = RegKey::root_local_machine()
+        .try_open_subkey(EXPLOIT_PROTECTION_SUBKEY)?
+        .ok_or(DetectConflictError::ExploitProtectionKeyMissing)?;
+
+    let process_key = match key.try_open_subkey(process_name)? {
+        Some(key) => key,
+        None => {
+            log::info!(
+                "process name {:?} not found in exploit protection",
+                process_name
+            );
+            return Ok(ConflictingMitigationStatus::default());
+        }
+    };
+
+    // First get mitigation status for the root key
+    let mut status = get_conflicting_mitigations_for_key(&process_key)?;
+
+    // Then get mitigation status for each subkey and logical-or them all together
+    for subkey_name in process_key.subkey_names() {
+        let subkey_name = subkey_name?;
+
+        let subkey = process_key
+            .try_open_subkey(subkey_name)?
+            .expect("a subkey somehow doesn't exist after enumerating it");
+
+        let subkey_status = get_conflicting_mitigations_for_key(&subkey)?;
+        status.caller_check |= subkey_status.caller_check;
+        status.sim_exec |= subkey_status.sim_exec;
+        status.stack_pivot |= subkey_status.stack_pivot;
+    }
+
+    log::info!(
+        "process name {:?} has mitigation status {:?}",
+        process_name,
+        status
+    );
+
+    Ok(status)
+}
+
+/// Check a key to see if it has a "MitigationOptions" value with any conflicting mitigations
+/// enabled
+fn get_conflicting_mitigations_for_key(
+    key: &RegKey,
+) -> Result<ConflictingMitigationStatus, DetectConflictError> {
+    let value = match key.try_get_value(MITIGATION_VALUE_NAME)? {
+        Some(value) => value,
+        None => return Ok(ConflictingMitigationStatus::default()),
+    };
+
+    let bits = match value {
+        RegValue::Binary(bits) => bits,
+        _ => return Ok(ConflictingMitigationStatus::default()),
+    };
+
+    Ok(ConflictingMitigationStatus {
+        caller_check: get_bit(&bits, CALLER_CHECK_BIT)?,
+        sim_exec: get_bit(&bits, SIM_EXEC_BIT)?,
+        stack_pivot: get_bit(&bits, STACK_PIVOT_BIT)?,
+    })
+}
+
+/// Retrieve a bit from a vector-of-bitflags, which is what will be returned by the registry
+/// entry for exploit protection. The bits are numbered first by increasing value within a byte,
+/// and then by increasing index within the slice.
+///
+/// Ex: bit 0 = (index 0, mask 0x01), bit 7 = (index 0, mask 0x80), bit 8 = (index 1, mask 0x01)
+fn get_bit(bytes: &[u8], bit_idx: usize) -> Result<bool, DetectConflictError> {
+    let byte = bytes
+        .get(bit_idx / 8)
+        .ok_or(DetectConflictError::RegValueTooShort)?;
+
+    Ok(if byte & (1 << (bit_idx % 8)) != 0 {
+        true
+    } else {
+        false
+    })
+}
+
+/// Write the status of a feature to the given formatter. `bit == 0` means feature is disabled,
+/// `bit == 1` means enabled
+fn write_status(
+    f: &mut std::fmt::Formatter<'_>,
+    name: &str,
+    bit: bool,
+) -> Result<(), std::fmt::Error> {
+    let status_str = if bit { "enabled" } else { "disabled" };
+    write!(f, "{} is {}.", name, status_str)
+}
-- 
cgit v1.2.3