summaryrefslogtreecommitdiffstats
path: root/browser/app/winlauncher/freestanding
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--browser/app/winlauncher/freestanding/CheckForCaller.h36
-rw-r--r--browser/app/winlauncher/freestanding/DllBlocklist.cpp641
-rw-r--r--browser/app/winlauncher/freestanding/DllBlocklist.h39
-rw-r--r--browser/app/winlauncher/freestanding/Freestanding.h67
-rw-r--r--browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp293
-rw-r--r--browser/app/winlauncher/freestanding/LoaderPrivateAPI.h62
-rw-r--r--browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp144
-rw-r--r--browser/app/winlauncher/freestanding/ModuleLoadFrame.h97
-rw-r--r--browser/app/winlauncher/freestanding/SafeThreadLocal.h96
-rw-r--r--browser/app/winlauncher/freestanding/SharedSection.cpp368
-rw-r--r--browser/app/winlauncher/freestanding/SharedSection.h212
-rw-r--r--browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py28
-rw-r--r--browser/app/winlauncher/freestanding/moz.build56
-rw-r--r--browser/app/winlauncher/freestanding/ntdll_freestanding.def25
14 files changed, 2164 insertions, 0 deletions
diff --git a/browser/app/winlauncher/freestanding/CheckForCaller.h b/browser/app/winlauncher/freestanding/CheckForCaller.h
new file mode 100644
index 0000000000..799d16cd1f
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/CheckForCaller.h
@@ -0,0 +1,36 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_CheckForCaller_h
+#define mozilla_freestanding_CheckForCaller_h
+
+namespace mozilla {
+
+#if defined(_MSC_VER)
+# include <intrin.h>
+# pragma intrinsic(_ReturnAddress)
+# define RETURN_ADDRESS() _ReturnAddress()
+#elif defined(__GNUC__) || defined(__clang__)
+# define RETURN_ADDRESS() \
+ __builtin_extract_return_addr(__builtin_return_address(0))
+#endif
+
+template <int N>
+bool CheckForAddress(void* aReturnAddress, const wchar_t (&aName)[N]) {
+ HMODULE callingModule;
+ if (!::GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
+ GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
+ reinterpret_cast<LPCWSTR>(aReturnAddress),
+ &callingModule)) {
+ return false;
+ }
+
+ return callingModule && callingModule == ::GetModuleHandleW(aName);
+}
+
+} // namespace mozilla
+
+#endif // mozilla_freestanding_CheckForCaller_h
diff --git a/browser/app/winlauncher/freestanding/DllBlocklist.cpp b/browser/app/winlauncher/freestanding/DllBlocklist.cpp
new file mode 100644
index 0000000000..105ab6d918
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/DllBlocklist.cpp
@@ -0,0 +1,641 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Attributes.h"
+#include "mozilla/BinarySearch.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/Types.h"
+#include "mozilla/WindowsDllBlocklist.h"
+
+#include "CrashAnnotations.h"
+#include "DllBlocklist.h"
+#include "LoaderPrivateAPI.h"
+#include "ModuleLoadFrame.h"
+#include "SharedSection.h"
+
+using mozilla::DllBlockInfoFlags;
+
+#define DLL_BLOCKLIST_ENTRY(name, ...) \
+ {MOZ_LITERAL_UNICODE_STRING(L##name), __VA_ARGS__},
+#define DLL_BLOCKLIST_STRING_TYPE UNICODE_STRING
+
+#if defined(MOZ_LAUNCHER_PROCESS) || defined(NIGHTLY_BUILD)
+# include "mozilla/WindowsDllBlocklistLauncherDefs.h"
+#else
+# include "mozilla/WindowsDllBlocklistCommon.h"
+DLL_BLOCKLIST_DEFINITIONS_BEGIN
+DLL_BLOCKLIST_DEFINITIONS_END
+#endif
+
+using WritableBuffer = mozilla::glue::detail::WritableBuffer<1024>;
+
+class MOZ_STATIC_CLASS MOZ_TRIVIAL_CTOR_DTOR NativeNtBlockSet final {
+ struct NativeNtBlockSetEntry {
+ NativeNtBlockSetEntry() = default;
+ ~NativeNtBlockSetEntry() = default;
+ NativeNtBlockSetEntry(const UNICODE_STRING& aName, uint64_t aVersion,
+ NativeNtBlockSetEntry* aNext)
+ : mName(aName), mVersion(aVersion), mNext(aNext) {}
+ UNICODE_STRING mName;
+ uint64_t mVersion;
+ NativeNtBlockSetEntry* mNext;
+ };
+
+ public:
+ // Constructor and destructor MUST be trivial
+ constexpr NativeNtBlockSet() : mFirstEntry(nullptr) {}
+ ~NativeNtBlockSet() = default;
+
+ void Add(const UNICODE_STRING& aName, uint64_t aVersion);
+ void Write(WritableBuffer& buffer);
+
+ private:
+ static NativeNtBlockSetEntry* NewEntry(const UNICODE_STRING& aName,
+ uint64_t aVersion,
+ NativeNtBlockSetEntry* aNextEntry);
+
+ private:
+ NativeNtBlockSetEntry* mFirstEntry;
+ mozilla::nt::SRWLock mLock;
+};
+
+NativeNtBlockSet::NativeNtBlockSetEntry* NativeNtBlockSet::NewEntry(
+ const UNICODE_STRING& aName, uint64_t aVersion,
+ NativeNtBlockSet::NativeNtBlockSetEntry* aNextEntry) {
+ return mozilla::freestanding::RtlNew<NativeNtBlockSetEntry>(aName, aVersion,
+ aNextEntry);
+}
+
+void NativeNtBlockSet::Add(const UNICODE_STRING& aName, uint64_t aVersion) {
+ mozilla::nt::AutoExclusiveLock lock(mLock);
+
+ for (NativeNtBlockSetEntry* entry = mFirstEntry; entry;
+ entry = entry->mNext) {
+ if (::RtlEqualUnicodeString(&entry->mName, &aName, TRUE) &&
+ aVersion == entry->mVersion) {
+ return;
+ }
+ }
+
+ // Not present, add it
+ NativeNtBlockSetEntry* newEntry = NewEntry(aName, aVersion, mFirstEntry);
+ if (newEntry) {
+ mFirstEntry = newEntry;
+ }
+}
+
+void NativeNtBlockSet::Write(WritableBuffer& aBuffer) {
+ // NB: If this function is called, it is long after kernel32 is initialized,
+ // so it is safe to use Win32 calls here.
+ char buf[MAX_PATH];
+
+ // It would be nicer to use RAII here. However, its destructor
+ // might not run if an exception occurs, in which case we would never release
+ // the lock (MSVC warns about this possibility). So we acquire and release
+ // manually.
+ ::AcquireSRWLockExclusive(&mLock);
+
+ MOZ_SEH_TRY {
+ for (auto entry = mFirstEntry; entry; entry = entry->mNext) {
+ int convOk = ::WideCharToMultiByte(CP_UTF8, 0, entry->mName.Buffer,
+ entry->mName.Length / sizeof(wchar_t),
+ buf, sizeof(buf), nullptr, nullptr);
+ if (!convOk) {
+ continue;
+ }
+
+ // write name[,v.v.v.v];
+ aBuffer.Write(buf, convOk);
+
+ if (entry->mVersion != DllBlockInfo::ALL_VERSIONS) {
+ aBuffer.Write(",", 1);
+ uint16_t parts[4];
+ parts[0] = entry->mVersion >> 48;
+ parts[1] = (entry->mVersion >> 32) & 0xFFFF;
+ parts[2] = (entry->mVersion >> 16) & 0xFFFF;
+ parts[3] = entry->mVersion & 0xFFFF;
+ for (size_t p = 0; p < mozilla::ArrayLength(parts); ++p) {
+ _ltoa_s(parts[p], buf, sizeof(buf), 10);
+ aBuffer.Write(buf, strlen(buf));
+ if (p != mozilla::ArrayLength(parts) - 1) {
+ aBuffer.Write(".", 1);
+ }
+ }
+ }
+ aBuffer.Write(";", 1);
+ }
+ }
+ MOZ_SEH_EXCEPT(EXCEPTION_EXECUTE_HANDLER) {}
+
+ ::ReleaseSRWLockExclusive(&mLock);
+}
+
+static NativeNtBlockSet gBlockSet;
+
+extern "C" void MOZ_EXPORT
+NativeNtBlockSet_Write(CrashReporter::AnnotationWriter& aWriter) {
+ WritableBuffer buffer;
+ gBlockSet.Write(buffer);
+ aWriter.Write(CrashReporter::Annotation::BlockedDllList, buffer.Data(),
+ buffer.Length());
+}
+
+enum class BlockAction {
+ // Allow the DLL to be loaded.
+ Allow,
+ // Substitute in a different DLL to be loaded instead of this one?
+ // This is intended to be used for Layered Service Providers, which
+ // cannot be blocked in the normal way. Note that this doesn't seem
+ // to be actually implemented right now, and no entries in the blocklist
+ // use it.
+ SubstituteLSP,
+ // There was an error in determining whether we should block this DLL.
+ // It will be blocked.
+ Error,
+ // Block the DLL from loading.
+ Deny,
+ // Effectively block the DLL from loading by redirecting its DllMain
+ // to a stub version. This is needed for DLLs that add themselves to
+ // the executable's Import Table, since failing to load would mean the
+ // executable would fail to launch.
+ NoOpEntryPoint,
+};
+
+static BlockAction CheckBlockInfo(const DllBlockInfo* aInfo,
+ const mozilla::nt::PEHeaders& aHeaders,
+ uint64_t& aVersion) {
+ aVersion = DllBlockInfo::ALL_VERSIONS;
+
+ if (aInfo->mFlags & (DllBlockInfoFlags::BLOCK_WIN8_AND_OLDER |
+ DllBlockInfoFlags::BLOCK_WIN7_AND_OLDER)) {
+ RTL_OSVERSIONINFOW osv = {sizeof(osv)};
+ NTSTATUS ntStatus = ::RtlGetVersion(&osv);
+ if (!NT_SUCCESS(ntStatus)) {
+ return BlockAction::Error;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfoFlags::BLOCK_WIN8_AND_OLDER) &&
+ (osv.dwMajorVersion > 6 ||
+ (osv.dwMajorVersion == 6 && osv.dwMinorVersion > 2))) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfoFlags::BLOCK_WIN7_AND_OLDER) &&
+ (osv.dwMajorVersion > 6 ||
+ (osv.dwMajorVersion == 6 && osv.dwMinorVersion > 1))) {
+ return BlockAction::Allow;
+ }
+ }
+
+ if ((aInfo->mFlags & DllBlockInfoFlags::CHILD_PROCESSES_ONLY) &&
+ !(gBlocklistInitFlags & eDllBlocklistInitFlagIsChildProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfoFlags::UTILITY_PROCESSES_ONLY) &&
+ !(gBlocklistInitFlags & eDllBlocklistInitFlagIsUtilityProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfoFlags::SOCKET_PROCESSES_ONLY) &&
+ !(gBlocklistInitFlags & eDllBlocklistInitFlagIsSocketProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfoFlags::GPU_PROCESSES_ONLY) &&
+ !(gBlocklistInitFlags & eDllBlocklistInitFlagIsGPUProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfoFlags::BROWSER_PROCESS_ONLY) &&
+ (gBlocklistInitFlags & eDllBlocklistInitFlagIsChildProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfoFlags::GMPLUGIN_PROCESSES_ONLY) &&
+ !(gBlocklistInitFlags & eDllBlocklistInitFlagIsGMPluginProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if (aInfo->mMaxVersion == DllBlockInfo::ALL_VERSIONS) {
+ return BlockAction::Deny;
+ }
+
+ if (!aHeaders) {
+ return BlockAction::Error;
+ }
+
+ if (aInfo->mFlags & DllBlockInfoFlags::USE_TIMESTAMP) {
+ DWORD timestamp;
+ if (!aHeaders.GetTimeStamp(timestamp)) {
+ return BlockAction::Error;
+ }
+
+ if (timestamp > aInfo->mMaxVersion) {
+ return BlockAction::Allow;
+ }
+
+ return BlockAction::Deny;
+ }
+
+ // Else we try to get the file version information. Note that we don't have
+ // access to GetFileVersionInfo* APIs.
+ if (!aHeaders.GetVersionInfo(aVersion)) {
+ return BlockAction::Error;
+ }
+
+ if (aInfo->IsVersionBlocked(aVersion)) {
+ return BlockAction::Deny;
+ }
+
+ return BlockAction::Allow;
+}
+
+static BOOL WINAPI NoOp_DllMain(HINSTANCE, DWORD, LPVOID) { return TRUE; }
+
+// This helper function checks whether a given module is included
+// in the executable's Import Table. Because an injected module's
+// DllMain may revert the Import Table to the original state, we parse
+// the Import Table every time a module is loaded without creating a cache.
+static bool IsInjectedDependentModule(
+ const UNICODE_STRING& aModuleLeafName,
+ mozilla::freestanding::Kernel32ExportsSolver& aK32Exports) {
+ mozilla::nt::PEHeaders exeHeaders(aK32Exports.mGetModuleHandleW(nullptr));
+ if (!exeHeaders || !exeHeaders.IsImportDirectoryTampered()) {
+ // If no tampering is detected, no need to enumerate the Import Table.
+ return false;
+ }
+
+ bool isDependent = false;
+ exeHeaders.EnumImportChunks(
+ [&isDependent, &aModuleLeafName, &exeHeaders](const char* aDepModule) {
+ // If |aDepModule| is within the PE image, it's not an injected module
+ // but a legitimate dependent module.
+ if (isDependent || exeHeaders.IsWithinImage(aDepModule)) {
+ return;
+ }
+
+ UNICODE_STRING depModuleLeafName;
+ mozilla::nt::AllocatedUnicodeString depModuleName(aDepModule);
+ mozilla::nt::GetLeafName(&depModuleLeafName, depModuleName);
+ isDependent = (::RtlCompareUnicodeString(
+ &aModuleLeafName, &depModuleLeafName, TRUE) == 0);
+ });
+ return isDependent;
+}
+
+// Allowing a module to be loaded but detour the entrypoint to NoOp_DllMain
+// so that the module has no chance to interact with our code. We need this
+// technique to safely block a module injected by IAT tampering because
+// blocking such a module makes a process fail to launch.
+static bool RedirectToNoOpEntryPoint(
+ const mozilla::nt::PEHeaders& aModule,
+ mozilla::freestanding::Kernel32ExportsSolver& aK32Exports) {
+ mozilla::interceptor::WindowsDllEntryPointInterceptor interceptor(
+ aK32Exports);
+ if (!interceptor.Set(aModule, NoOp_DllMain)) {
+ return false;
+ }
+
+ return true;
+}
+
+static BlockAction DetermineBlockAction(
+ const UNICODE_STRING& aLeafName, void* aBaseAddress,
+ mozilla::freestanding::Kernel32ExportsSolver* aK32Exports) {
+ if (mozilla::nt::Contains12DigitHexString(aLeafName) ||
+ mozilla::nt::IsFileNameAtLeast16HexDigits(aLeafName)) {
+ return BlockAction::Deny;
+ }
+
+ mozilla::nt::PEHeaders headers(aBaseAddress);
+ DWORD checksum = 0;
+ DWORD timestamp = 0;
+ DWORD imageSize = 0;
+ uint64_t version = 0;
+
+ // Block some malicious DLLs known for crashing our process (bug 1841751),
+ // based on matching the combination of version number + timestamp + image
+ // size. We further reduce the chances of collision with legit DLLs by
+ // checking for a checksum of 0 and the absence of debug information, both of
+ // which are unusual for production-ready DLLs.
+ if (headers.GetCheckSum(checksum) && checksum == 0 && !headers.GetPdbInfo() &&
+ headers.GetTimeStamp(timestamp)) {
+ struct KnownMaliciousCombination {
+ uint64_t mVersion;
+ uint32_t mTimestamp;
+ uint32_t mImageSize;
+ };
+ const KnownMaliciousCombination instances[]{
+ // 1.0.0.26638
+ {0x000100000000680e, 0x570B8A90, 0x62000},
+ // 1.0.0.26793
+ {0x00010000000068a9, 0x572B4CE4, 0x62000},
+ // 1.0.0.27567
+ {0x0001000000006baf, 0x57A725AC, 0x61000},
+ // 1.0.0.29915
+ {0x00010000000074db, 0x5A115D81, 0x5D000},
+ // 1.0.0.31122
+ {0x0001000000007992, 0x5CFF88B8, 0x5D000}};
+
+ // We iterate over timestamps, because they are unique and it is a quick
+ // field to fetch
+ for (const auto& instance : instances) {
+ if (instance.mTimestamp == timestamp) {
+ // Only fetch other fields in case we have a match. Then, we can exit
+ // the loop.
+ if (headers.GetImageSize(imageSize) &&
+ instance.mImageSize == imageSize &&
+ headers.GetVersionInfo(version) && instance.mVersion == version) {
+ return BlockAction::Deny;
+ }
+ break;
+ }
+ }
+ }
+
+ DECLARE_POINTER_TO_FIRST_DLL_BLOCKLIST_ENTRY(info);
+ DECLARE_DLL_BLOCKLIST_NUM_ENTRIES(infoNumEntries);
+
+ mozilla::freestanding::DllBlockInfoComparator comp(aLeafName);
+
+ size_t match = LowerBound(info, 0, infoNumEntries, comp);
+ bool builtinListHasLowerBound = match != infoNumEntries;
+ const DllBlockInfo* entry = nullptr;
+ BlockAction checkResult = BlockAction::Allow;
+ if (builtinListHasLowerBound) {
+ // There may be multiple entries on the list. Since LowerBound() returns
+ // the first entry that matches (if there are any matches),
+ // search forward from there.
+ while (match < infoNumEntries && (comp(info[match]) == 0)) {
+ entry = &info[match];
+ checkResult = CheckBlockInfo(entry, headers, version);
+ if (checkResult != BlockAction::Allow) {
+ break;
+ }
+ ++match;
+ }
+ }
+ mozilla::DebugOnly<bool> blockedByDynamicBlocklist = false;
+ // Make sure we handle a case that older versions are blocked by the static
+ // list, but the dynamic list blocks all versions.
+ if (checkResult == BlockAction::Allow) {
+ if (!mozilla::freestanding::gSharedSection.IsDisabled()) {
+ entry = mozilla::freestanding::gSharedSection.SearchBlocklist(aLeafName);
+ if (entry) {
+ checkResult = CheckBlockInfo(entry, headers, version);
+ blockedByDynamicBlocklist = checkResult != BlockAction::Allow;
+ }
+ }
+ }
+ if (checkResult == BlockAction::Allow) {
+ return BlockAction::Allow;
+ }
+
+ gBlockSet.Add(entry->mName, version);
+
+ if ((entry->mFlags & DllBlockInfoFlags::REDIRECT_TO_NOOP_ENTRYPOINT) &&
+ aK32Exports && RedirectToNoOpEntryPoint(headers, *aK32Exports)) {
+ MOZ_ASSERT(!blockedByDynamicBlocklist, "dynamic blocklist has redirect?");
+ return BlockAction::NoOpEntryPoint;
+ }
+
+ return checkResult;
+}
+
+namespace mozilla {
+namespace freestanding {
+
+CrossProcessDllInterceptor::FuncHookType<LdrLoadDllPtr> stub_LdrLoadDll;
+
+NTSTATUS NTAPI patched_LdrLoadDll(PWCHAR aDllPath, PULONG aFlags,
+ PUNICODE_STRING aDllName,
+ PHANDLE aOutHandle) {
+ ModuleLoadFrame frame(aDllName);
+
+ NTSTATUS ntStatus = stub_LdrLoadDll(aDllPath, aFlags, aDllName, aOutHandle);
+
+ return frame.SetLoadStatus(ntStatus, aOutHandle);
+}
+
+CrossProcessDllInterceptor::FuncHookType<NtMapViewOfSectionPtr>
+ stub_NtMapViewOfSection;
+
+// All the code for patched_NtMapViewOfSection that relies on checked stack
+// buffers (e.g. mbi, sectionFileName) should be put in this helper function
+// (see bug 1733532).
+MOZ_NEVER_INLINE NTSTATUS AfterMapViewOfExecutableSection(
+ HANDLE aProcess, PVOID* aBaseAddress, NTSTATUS aStubStatus) {
+ // We don't care about mappings that aren't MEM_IMAGE.
+ MEMORY_BASIC_INFORMATION mbi;
+ NTSTATUS ntStatus =
+ ::NtQueryVirtualMemory(aProcess, *aBaseAddress, MemoryBasicInformation,
+ &mbi, sizeof(mbi), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ return STATUS_ACCESS_DENIED;
+ }
+ if (!(mbi.Type & MEM_IMAGE)) {
+ return aStubStatus;
+ }
+
+ // Get the section name
+ nt::MemorySectionNameBuf sectionFileName(
+ gLoaderPrivateAPI.GetSectionNameBuffer(*aBaseAddress));
+ if (sectionFileName.IsEmpty()) {
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ return STATUS_ACCESS_DENIED;
+ }
+
+ // Find the leaf name
+ UNICODE_STRING leafOnStack;
+ nt::GetLeafName(&leafOnStack, sectionFileName);
+
+ bool isInjectedDependent = false;
+ const UNICODE_STRING k32Name = MOZ_LITERAL_UNICODE_STRING(L"kernel32.dll");
+ Kernel32ExportsSolver* k32Exports = nullptr;
+ BlockAction blockAction;
+ // Trying to get the Kernel32Exports while loading kernel32.dll causes Firefox
+ // to crash. (but only during a profile-guided optimization run, oddly) We
+ // know we're never going to block kernel32.dll, so skip all this
+ if (::RtlCompareUnicodeString(&k32Name, &leafOnStack, TRUE) == 0) {
+ blockAction = BlockAction::Allow;
+ } else {
+ auto noSharedSectionReset{SharedSection::AutoNoReset()};
+ k32Exports = gSharedSection.GetKernel32Exports();
+ // Small optimization: Since loading a dependent module does not involve
+ // LdrLoadDll, we know isInjectedDependent is false if we hold a top frame.
+ if (k32Exports && !ModuleLoadFrame::ExistsTopFrame()) {
+ // Note that if a module is dependent but not injected, this means that
+ // the executable built against it, and it should be signed by Mozilla
+ // or Microsoft, so we don't need to worry about adding it to the list
+ // for CIG. (and users won't be able to block it) So the only special
+ // case here is a dependent module that has been injected.
+ isInjectedDependent = IsInjectedDependentModule(leafOnStack, *k32Exports);
+ }
+
+ if (isInjectedDependent) {
+ // Add an NT dv\path to the shared section so that a sandbox process can
+ // use it to bypass CIG. In a sandbox process, this addition fails
+ // because we cannot map the section to a writable region, but it's
+ // ignorable because the paths have been added by the browser process.
+ Unused << SharedSection::AddDependentModule(sectionFileName);
+
+ bool attemptToBlockViaRedirect;
+#if defined(NIGHTLY_BUILD)
+ // We enable automatic DLL blocking only in Nightly for now
+ // because it caused a compat issue (bug 1682304 and 1704373).
+ attemptToBlockViaRedirect = true;
+ // We will set blockAction below in the if (attemptToBlockViaRedirect)
+ // block, but I guess the compiler isn't smart enough to figure
+ // that out and complains about an uninitialized variable :-(
+ blockAction = BlockAction::NoOpEntryPoint;
+#else
+ // Check blocklist
+ blockAction =
+ DetermineBlockAction(leafOnStack, *aBaseAddress, k32Exports);
+ // If we were going to block this dependent module, try redirection
+ // instead of blocking it, since blocking it would cause the .exe not to
+ // launch.
+ // Note tht Deny and Error both end up blocking the module in a
+ // straightforward way, so those are the cases in which we need
+ // to redirect instead.
+ attemptToBlockViaRedirect =
+ blockAction == BlockAction::Deny || blockAction == BlockAction::Error;
+#endif
+ if (attemptToBlockViaRedirect) {
+ // For a dependent module, try redirection instead of blocking it.
+ // If we fail, we reluctantly allow the module for free.
+ mozilla::nt::PEHeaders headers(*aBaseAddress);
+ blockAction = RedirectToNoOpEntryPoint(headers, *k32Exports)
+ ? BlockAction::NoOpEntryPoint
+ : BlockAction::Allow;
+ }
+ } else {
+ // Check blocklist
+ blockAction =
+ DetermineBlockAction(leafOnStack, *aBaseAddress, k32Exports);
+ }
+ }
+
+ ModuleLoadInfo::Status loadStatus = ModuleLoadInfo::Status::Blocked;
+
+ switch (blockAction) {
+ case BlockAction::Allow:
+ loadStatus = ModuleLoadInfo::Status::Loaded;
+ break;
+
+ case BlockAction::NoOpEntryPoint:
+ loadStatus = ModuleLoadInfo::Status::Redirected;
+ break;
+
+ case BlockAction::SubstituteLSP:
+ // The process heap needs to be available here because
+ // NotifyLSPSubstitutionRequired below copies a given string into
+ // the heap. We use a soft assert here, assuming LSP load always
+ // occurs after the heap is initialized.
+ MOZ_ASSERT(nt::RtlGetProcessHeap());
+
+ // Notify patched_LdrLoadDll that it will be necessary to perform
+ // a substitution before returning.
+ ModuleLoadFrame::NotifyLSPSubstitutionRequired(&leafOnStack);
+ break;
+
+ default:
+ break;
+ }
+
+ if (nt::RtlGetProcessHeap()) {
+ ModuleLoadFrame::NotifySectionMap(
+ nt::AllocatedUnicodeString(sectionFileName), *aBaseAddress, aStubStatus,
+ loadStatus, isInjectedDependent);
+ }
+
+ if (loadStatus == ModuleLoadInfo::Status::Loaded ||
+ loadStatus == ModuleLoadInfo::Status::Redirected) {
+ return aStubStatus;
+ }
+
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ return STATUS_ACCESS_DENIED;
+}
+
+// To preserve compatibility with third-parties, calling into this function
+// must not use checked stack buffers when reached through Thread32Next (see
+// bug 1733532). Hence this function is declared as MOZ_NO_STACK_PROTECTOR.
+// Ideally, all code relying on stack buffers should be put in the dedicated
+// helper function AfterMapViewOfExecutableImageSection, which does not have
+// the MOZ_NO_STACK_PROTECTOR attribute. The obi variable below is an
+// exception to this rule, as it is required to collect the information that
+// lets us decide whether we really need to go through the helper function.
+NTSTATUS NTAPI patched_NtMapViewOfSection(
+ HANDLE aSection, HANDLE aProcess, PVOID* aBaseAddress, ULONG_PTR aZeroBits,
+ SIZE_T aCommitSize, PLARGE_INTEGER aSectionOffset, PSIZE_T aViewSize,
+ SECTION_INHERIT aInheritDisposition, ULONG aAllocationType,
+ ULONG aProtectionFlags) {
+ // Save off the values currently in the out-pointers for later restoration if
+ // we decide not to permit this mapping.
+ auto const rollback =
+ [
+ // Avoid taking a reference to the stack frame, mostly out of
+ // paranoia. (The values of `aBaseAddress` et al. may have been
+ // crafted to point to our return address anyway...)
+ =,
+ // `NtMapViewOfSection` itself is mildly robust to invalid pointers;
+ // we can't easily do that, but we can at least check for `nullptr`.
+ baseAddress = aBaseAddress ? *aBaseAddress : nullptr,
+ sectionOffset = aSectionOffset ? *aSectionOffset : LARGE_INTEGER{},
+ viewSize = aViewSize ? *aViewSize : 0]() {
+ if (aBaseAddress) *aBaseAddress = baseAddress;
+ if (aSectionOffset) *aSectionOffset = sectionOffset;
+ if (aViewSize) *aViewSize = viewSize;
+ };
+
+ // We always map first, then we check for additional info after.
+ NTSTATUS stubStatus = stub_NtMapViewOfSection(
+ aSection, aProcess, aBaseAddress, aZeroBits, aCommitSize, aSectionOffset,
+ aViewSize, aInheritDisposition, aAllocationType, aProtectionFlags);
+ if (!NT_SUCCESS(stubStatus)) {
+ return stubStatus;
+ }
+
+ if (aProcess != nt::kCurrentProcess) {
+ // We're only interested in mapping for the current process.
+ return stubStatus;
+ }
+
+ PUBLIC_OBJECT_BASIC_INFORMATION obi;
+ NTSTATUS ntStatus = ::NtQueryObject(aSection, ObjectBasicInformation, &obi,
+ sizeof(obi), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ rollback();
+ return STATUS_ACCESS_DENIED;
+ }
+
+ // We don't care about sections for which the permission to map executable
+ // views was not asked at creation time. This early exit path is notably
+ // taken for:
+ // - calls to LoadLibraryExW using LOAD_LIBRARY_AS_DATAFILE or
+ // LOAD_LIBRARY_AS_IMAGE_RESOURCE (bug 1842088), thus allowing us to load
+ // blocked DLLs for analysis without executing them;
+ // - calls to Thread32Next (bug 1733532), thus avoiding the helper function
+ // with stack cookie checks.
+ if (!(obi.GrantedAccess & SECTION_MAP_EXECUTE)) {
+ return stubStatus;
+ }
+
+ NTSTATUS rv =
+ AfterMapViewOfExecutableSection(aProcess, aBaseAddress, stubStatus);
+ if (FAILED(rv)) {
+ rollback();
+ }
+ return rv;
+}
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/DllBlocklist.h b/browser/app/winlauncher/freestanding/DllBlocklist.h
new file mode 100644
index 0000000000..c0ae1d255f
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/DllBlocklist.h
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_DllBlocklist_h
+#define mozilla_freestanding_DllBlocklist_h
+
+#include "mozilla/Attributes.h"
+#include "mozilla/NativeNt.h"
+#include "nsWindowsDllInterceptor.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+
+namespace mozilla {
+namespace freestanding {
+
+NTSTATUS NTAPI patched_LdrLoadDll(PWCHAR aDllPath, PULONG aFlags,
+ PUNICODE_STRING aDllName, PHANDLE aOutHandle);
+
+MOZ_NO_STACK_PROTECTOR NTSTATUS NTAPI patched_NtMapViewOfSection(
+ HANDLE aSection, HANDLE aProcess, PVOID* aBaseAddress, ULONG_PTR aZeroBits,
+ SIZE_T aCommitSize, PLARGE_INTEGER aSectionOffset, PSIZE_T aViewSize,
+ SECTION_INHERIT aInheritDisposition, ULONG aAllocationType,
+ ULONG aProtectionFlags);
+
+using LdrLoadDllPtr = decltype(&::LdrLoadDll);
+
+extern CrossProcessDllInterceptor::FuncHookType<LdrLoadDllPtr> stub_LdrLoadDll;
+
+using NtMapViewOfSectionPtr = decltype(&::NtMapViewOfSection);
+
+extern CrossProcessDllInterceptor::FuncHookType<NtMapViewOfSectionPtr>
+ stub_NtMapViewOfSection;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_DllBlocklist_h
diff --git a/browser/app/winlauncher/freestanding/Freestanding.h b/browser/app/winlauncher/freestanding/Freestanding.h
new file mode 100644
index 0000000000..03999f231e
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/Freestanding.h
@@ -0,0 +1,67 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_Freestanding_h
+#define mozilla_freestanding_Freestanding_h
+
+/**
+ * This header is automatically included in all source code residing in the
+ * /browser/app/winlauncher/freestanding directory.
+ */
+
+#if defined(__STDC_HOSTED__) && __STDC_HOSTED__ == 1
+# error "This header should only be included by freestanding code"
+#endif // defined(__STDC_HOSTED__) && __STDC_HOSTED__ == 1
+
+#define MOZ_USE_LAUNCHER_ERROR
+#include "mozilla/NativeNt.h"
+
+namespace mozilla {
+namespace freestanding {
+
+/**
+ * Since this library is the only part of firefox.exe that needs special
+ * treatment with respect to the heap, we implement |RtlNew| and |RtlDelete|
+ * to be used instead of |new| and |delete| for any heap allocations inside
+ * the freestanding library.
+ */
+template <typename T, typename... Args>
+inline static T* RtlNew(Args&&... aArgs) {
+ HANDLE processHeap = nt::RtlGetProcessHeap();
+ if (!processHeap) {
+ // Handle the case where the process heap is not initialized because
+ // passing nullptr to RtlAllocateHeap crashes the process.
+ return nullptr;
+ }
+
+ void* ptr = ::RtlAllocateHeap(processHeap, 0, sizeof(T));
+ if (!ptr) {
+ return nullptr;
+ }
+
+ return new (ptr) T(std::forward<Args>(aArgs)...);
+}
+
+template <typename T>
+inline static void RtlDelete(T* aPtr) {
+ if (!aPtr) {
+ return;
+ }
+
+ aPtr->~T();
+ ::RtlFreeHeap(nt::RtlGetProcessHeap(), 0, aPtr);
+}
+
+} // namespace freestanding
+} // namespace mozilla
+
+// Initialization code for all statically-allocated data in freestanding is
+// placed into a separate section. This allows us to initialize any
+// freestanding statics without needing to initialize everything else in this
+// binary.
+#pragma init_seg(".freestd$g")
+
+#endif // mozilla_freestanding_Freestanding_h
diff --git a/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp
new file mode 100644
index 0000000000..266f2ec6a4
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp
@@ -0,0 +1,293 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "LoaderPrivateAPI.h"
+
+#include "mozilla/Assertions.h"
+#include "mozilla/Types.h"
+#include "mozilla/Unused.h"
+#include "../DllBlocklistInit.h"
+#include "../ErrorHandler.h"
+#include "SharedSection.h"
+
+using GlobalInitializerFn = void(__cdecl*)(void);
+
+// Allocation of static initialization section for the freestanding library
+#pragma section(".freestd$a", read)
+__declspec(allocate(".freestd$a")) static const GlobalInitializerFn
+ FreeStdStart = reinterpret_cast<GlobalInitializerFn>(0);
+
+#pragma section(".freestd$z", read)
+__declspec(allocate(".freestd$z")) static const GlobalInitializerFn FreeStdEnd =
+ reinterpret_cast<GlobalInitializerFn>(0);
+
+namespace mozilla {
+namespace freestanding {
+
+static RTL_RUN_ONCE gRunOnce = RTL_RUN_ONCE_INIT;
+
+// The contract for this callback is identical to the InitOnceCallback from
+// Win32 land; we're just using ntdll-layer types instead.
+static ULONG NTAPI DoOneTimeInit(PRTL_RUN_ONCE aRunOnce, PVOID aParameter,
+ PVOID* aContext) {
+ // Invoke every static initializer in the .freestd section
+ const GlobalInitializerFn* cur = &FreeStdStart + 1;
+ while (cur < &FreeStdEnd) {
+ if (*cur) {
+ (*cur)();
+ }
+
+ ++cur;
+ }
+
+ return TRUE;
+}
+
+/**
+ * This observer is only used until the mozglue observer connects itself.
+ * All we do here is accumulate the module loads into a vector.
+ * As soon as mozglue connects, we call |Forward| on mozglue's LoaderObserver
+ * to pass our vector on for further processing. This object then becomes
+ * defunct.
+ */
+class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS DefaultLoaderObserver final
+ : public nt::LoaderObserver {
+ public:
+ constexpr DefaultLoaderObserver() : mModuleLoads(nullptr) {}
+
+ void OnBeginDllLoad(void** aContext,
+ PCUNICODE_STRING aRequestedDllName) final {}
+ bool SubstituteForLSP(PCUNICODE_STRING aLSPLeafName,
+ PHANDLE aOutHandle) final {
+ return false;
+ }
+ void OnEndDllLoad(void* aContext, NTSTATUS aNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) final;
+ void Forward(nt::LoaderObserver* aNext) final;
+ void OnForward(ModuleLoadInfoVec&& aInfo) final {
+ MOZ_ASSERT_UNREACHABLE("Not valid in freestanding::DefaultLoaderObserver");
+ }
+
+ private:
+ mozilla::nt::SRWLock mLock;
+ ModuleLoadInfoVec* mModuleLoads;
+};
+
+class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS LoaderPrivateAPIImp final
+ : public LoaderPrivateAPI {
+ public:
+ // LoaderAPI
+ ModuleLoadInfo ConstructAndNotifyBeginDllLoad(
+ void** aContext, PCUNICODE_STRING aRequestedDllName) final;
+ bool SubstituteForLSP(PCUNICODE_STRING aLSPLeafName,
+ PHANDLE aOutHandle) final;
+ void NotifyEndDllLoad(void* aContext, NTSTATUS aLoadNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) final;
+ nt::AllocatedUnicodeString GetSectionName(void* aSectionAddr) final;
+ nt::LoaderAPI::InitDllBlocklistOOPFnPtr GetDllBlocklistInitFn() final;
+ nt::LoaderAPI::HandleLauncherErrorFnPtr GetHandleLauncherErrorFn() final;
+ nt::SharedSection* GetSharedSection() final;
+
+ // LoaderPrivateAPI
+ void NotifyBeginDllLoad(void** aContext,
+ PCUNICODE_STRING aRequestedDllName) final;
+ void NotifyBeginDllLoad(ModuleLoadInfo& aModuleLoadInfo, void** aContext,
+ PCUNICODE_STRING aRequestedDllName) final;
+ void SetObserver(nt::LoaderObserver* aNewObserver) final;
+ bool IsDefaultObserver() const final;
+ nt::MemorySectionNameBuf GetSectionNameBuffer(void* aSectionAddr) final;
+};
+
+static void Init() {
+ DebugOnly<NTSTATUS> ntStatus =
+ ::RtlRunOnceExecuteOnce(&gRunOnce, &DoOneTimeInit, nullptr, nullptr);
+ MOZ_ASSERT(NT_SUCCESS(ntStatus));
+}
+
+} // namespace freestanding
+} // namespace mozilla
+
+static mozilla::freestanding::DefaultLoaderObserver gDefaultObserver;
+static mozilla::freestanding::LoaderPrivateAPIImp gPrivateAPI;
+
+static mozilla::nt::SRWLock gLoaderObserverLock;
+static mozilla::nt::LoaderObserver* gLoaderObserver = &gDefaultObserver;
+
+namespace mozilla {
+namespace freestanding {
+
+LoaderPrivateAPI& gLoaderPrivateAPI = gPrivateAPI;
+
+void DefaultLoaderObserver::OnEndDllLoad(void* aContext, NTSTATUS aNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) {
+ // If the DLL load failed, or if the DLL was loaded by a previous request
+ // and thus was not mapped by this request, we do not save the ModuleLoadInfo.
+ if (!NT_SUCCESS(aNtStatus) || !aModuleLoadInfo.WasMapped()) {
+ return;
+ }
+
+ nt::AutoExclusiveLock lock(mLock);
+ if (!mModuleLoads) {
+ mModuleLoads = RtlNew<ModuleLoadInfoVec>();
+ if (!mModuleLoads) {
+ return;
+ }
+ }
+
+ Unused << mModuleLoads->emplaceBack(
+ std::forward<ModuleLoadInfo>(aModuleLoadInfo));
+}
+
+/**
+ * Pass mModuleLoads's data off to |aNext| for further processing.
+ */
+void DefaultLoaderObserver::Forward(nt::LoaderObserver* aNext) {
+ MOZ_ASSERT(aNext);
+ if (!aNext) {
+ return;
+ }
+
+ ModuleLoadInfoVec* moduleLoads = nullptr;
+
+ { // Scope for lock
+ nt::AutoExclusiveLock lock(mLock);
+ moduleLoads = mModuleLoads;
+ mModuleLoads = nullptr;
+ }
+
+ if (!moduleLoads) {
+ return;
+ }
+
+ aNext->OnForward(std::move(*moduleLoads));
+ RtlDelete(moduleLoads);
+}
+
+ModuleLoadInfo LoaderPrivateAPIImp::ConstructAndNotifyBeginDllLoad(
+ void** aContext, PCUNICODE_STRING aRequestedDllName) {
+ ModuleLoadInfo loadInfo(aRequestedDllName);
+
+ NotifyBeginDllLoad(loadInfo, aContext, aRequestedDllName);
+
+ return loadInfo;
+}
+
+bool LoaderPrivateAPIImp::SubstituteForLSP(PCUNICODE_STRING aLSPLeafName,
+ PHANDLE aOutHandle) {
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+ return gLoaderObserver->SubstituteForLSP(aLSPLeafName, aOutHandle);
+}
+
+void LoaderPrivateAPIImp::NotifyEndDllLoad(void* aContext,
+ NTSTATUS aLoadNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) {
+ aModuleLoadInfo.SetEndLoadTimeStamp();
+
+ if (NT_SUCCESS(aLoadNtStatus)) {
+ aModuleLoadInfo.CaptureBacktrace();
+ }
+
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+
+ // We need to notify the observer that the DLL load has ended even when
+ // |aLoadNtStatus| indicates a failure. This is to ensure that any resources
+ // acquired by the observer during OnBeginDllLoad are cleaned up.
+ gLoaderObserver->OnEndDllLoad(aContext, aLoadNtStatus,
+ std::move(aModuleLoadInfo));
+}
+
+nt::AllocatedUnicodeString LoaderPrivateAPIImp::GetSectionName(
+ void* aSectionAddr) {
+ const HANDLE kCurrentProcess = reinterpret_cast<HANDLE>(-1);
+
+ nt::MemorySectionNameBuf buf;
+ NTSTATUS ntStatus =
+ ::NtQueryVirtualMemory(kCurrentProcess, aSectionAddr, MemorySectionName,
+ &buf, sizeof(buf), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ return nt::AllocatedUnicodeString();
+ }
+
+ return nt::AllocatedUnicodeString(&buf.mSectionFileName);
+}
+
+nt::LoaderAPI::InitDllBlocklistOOPFnPtr
+LoaderPrivateAPIImp::GetDllBlocklistInitFn() {
+ return &InitializeDllBlocklistOOP;
+}
+
+nt::LoaderAPI::HandleLauncherErrorFnPtr
+LoaderPrivateAPIImp::GetHandleLauncherErrorFn() {
+ return &HandleLauncherError;
+}
+
+nt::SharedSection* LoaderPrivateAPIImp::GetSharedSection() {
+ return &gSharedSection;
+}
+
+nt::MemorySectionNameBuf LoaderPrivateAPIImp::GetSectionNameBuffer(
+ void* aSectionAddr) {
+ const HANDLE kCurrentProcess = reinterpret_cast<HANDLE>(-1);
+
+ nt::MemorySectionNameBuf buf;
+ NTSTATUS ntStatus =
+ ::NtQueryVirtualMemory(kCurrentProcess, aSectionAddr, MemorySectionName,
+ &buf, sizeof(buf), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ return nt::MemorySectionNameBuf();
+ }
+
+ return buf;
+}
+
+void LoaderPrivateAPIImp::NotifyBeginDllLoad(
+ void** aContext, PCUNICODE_STRING aRequestedDllName) {
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+ gLoaderObserver->OnBeginDllLoad(aContext, aRequestedDllName);
+}
+
+void LoaderPrivateAPIImp::NotifyBeginDllLoad(
+ ModuleLoadInfo& aModuleLoadInfo, void** aContext,
+ PCUNICODE_STRING aRequestedDllName) {
+ NotifyBeginDllLoad(aContext, aRequestedDllName);
+ aModuleLoadInfo.SetBeginLoadTimeStamp();
+}
+
+void LoaderPrivateAPIImp::SetObserver(nt::LoaderObserver* aNewObserver) {
+ nt::LoaderObserver* prevLoaderObserver = nullptr;
+
+ nt::AutoExclusiveLock lock(gLoaderObserverLock);
+
+ MOZ_ASSERT(aNewObserver);
+ if (!aNewObserver) {
+ // This is unlikely, but we always want a valid observer, so use the
+ // gDefaultObserver if necessary.
+ gLoaderObserver = &gDefaultObserver;
+ return;
+ }
+
+ prevLoaderObserver = gLoaderObserver;
+ gLoaderObserver = aNewObserver;
+
+ MOZ_ASSERT(prevLoaderObserver);
+ if (!prevLoaderObserver) {
+ return;
+ }
+
+ // Now that we have a new observer, the previous observer must forward its
+ // data on to the new observer for processing.
+ prevLoaderObserver->Forward(aNewObserver);
+}
+
+bool LoaderPrivateAPIImp::IsDefaultObserver() const {
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+ return gLoaderObserver == &gDefaultObserver;
+}
+
+void EnsureInitialized() { Init(); }
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h
new file mode 100644
index 0000000000..f21472d689
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_LoaderPrivateAPI_h
+#define mozilla_freestanding_LoaderPrivateAPI_h
+
+#include "mozilla/LoaderAPIInterfaces.h"
+
+namespace mozilla {
+namespace freestanding {
+
+/**
+ * This part of the API is available only to the launcher process.
+ */
+class NS_NO_VTABLE LoaderPrivateAPI : public nt::LoaderAPI {
+ public:
+ /**
+ * Notify the nt::LoaderObserver that a module load is beginning
+ */
+ virtual void NotifyBeginDllLoad(void** aContext,
+ PCUNICODE_STRING aRequestedDllName) = 0;
+ /**
+ * Notify the nt::LoaderObserver that a module load is beginning and set the
+ * begin load timestamp on |aModuleLoadInfo|.
+ */
+ virtual void NotifyBeginDllLoad(ModuleLoadInfo& aModuleLoadInfo,
+ void** aContext,
+ PCUNICODE_STRING aRequestedDllName) = 0;
+
+ /**
+ * Set a new nt::LoaderObserver to be used by the launcher process. NB: This
+ * should only happen while the current process is still single-threaded!
+ */
+ virtual void SetObserver(nt::LoaderObserver* aNewObserver) = 0;
+
+ /**
+ * Returns true if the current nt::LoaderObserver is the launcher process's
+ * built-in observer.
+ */
+ virtual bool IsDefaultObserver() const = 0;
+
+ /**
+ * Returns the name of a given mapped section address as a local instance of
+ * nt::MemorySectionNameBuf. This does not involve heap allocation.
+ */
+ virtual nt::MemorySectionNameBuf GetSectionNameBuffer(void* aSectionAddr) = 0;
+};
+
+/**
+ * Ensures that any statics in the freestanding library are initialized.
+ */
+void EnsureInitialized();
+
+extern LoaderPrivateAPI& gLoaderPrivateAPI;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_LoaderPrivateAPI_h
diff --git a/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp b/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp
new file mode 100644
index 0000000000..3aa043b8c7
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp
@@ -0,0 +1,144 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "ModuleLoadFrame.h"
+
+#include "LoaderPrivateAPI.h"
+
+namespace mozilla {
+namespace freestanding {
+
+ModuleLoadFrame::ModuleLoadFrame(PCUNICODE_STRING aRequestedDllName)
+ : mPrev(sTopFrame.get()),
+ mContext(nullptr),
+ mLSPSubstitutionRequired(false),
+ mLoadNtStatus(STATUS_UNSUCCESSFUL),
+ mLoadInfo(aRequestedDllName) {
+ EnsureInitialized();
+ sTopFrame.set(this);
+
+ gLoaderPrivateAPI.NotifyBeginDllLoad(mLoadInfo, &mContext, aRequestedDllName);
+}
+
+ModuleLoadFrame::ModuleLoadFrame(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aNtStatus,
+ ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent)
+ : mPrev(sTopFrame.get()),
+ mContext(nullptr),
+ mLSPSubstitutionRequired(false),
+ mLoadNtStatus(aNtStatus),
+ mLoadInfo(std::move(aSectionName), aMapBaseAddr, aLoadStatus,
+ aIsDependent) {
+ sTopFrame.set(this);
+
+ gLoaderPrivateAPI.NotifyBeginDllLoad(&mContext, mLoadInfo.mSectionName);
+}
+
+ModuleLoadFrame::~ModuleLoadFrame() {
+ gLoaderPrivateAPI.NotifyEndDllLoad(mContext, mLoadNtStatus,
+ std::move(mLoadInfo));
+ sTopFrame.set(mPrev);
+}
+
+/* static */
+void ModuleLoadFrame::NotifyLSPSubstitutionRequired(
+ PCUNICODE_STRING aLeafName) {
+ ModuleLoadFrame* topFrame = sTopFrame.get();
+ if (!topFrame) {
+ return;
+ }
+
+ topFrame->SetLSPSubstitutionRequired(aLeafName);
+}
+
+void ModuleLoadFrame::SetLSPSubstitutionRequired(PCUNICODE_STRING aLeafName) {
+ MOZ_ASSERT(!mLoadInfo.mBaseAddr);
+ if (mLoadInfo.mBaseAddr) {
+ // If mBaseAddr is not null then |this| has already seen a module load. This
+ // should not be the case for a LSP substitution, so we bail.
+ return;
+ }
+
+ // Save aLeafName, as it will be used by SetLoadStatus when invoking
+ // SubstituteForLSP
+ mLoadInfo.mRequestedDllName = aLeafName;
+ mLSPSubstitutionRequired = true;
+}
+
+/* static */
+void ModuleLoadFrame::NotifySectionMap(
+ nt::AllocatedUnicodeString&& aSectionName, const void* aMapBaseAddr,
+ NTSTATUS aMapNtStatus, ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent) {
+ ModuleLoadFrame* topFrame = sTopFrame.get();
+ if (!topFrame) {
+ // The only time that this data is useful is during initial mapping of
+ // the executable's dependent DLLs. If mozglue is present then
+ // IsDefaultObserver will return false, indicating that we are beyond
+ // initial process startup.
+ if (gLoaderPrivateAPI.IsDefaultObserver()) {
+ OnBareSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus,
+ aLoadStatus, aIsDependent);
+ }
+ return;
+ }
+
+ topFrame->OnSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus,
+ aLoadStatus, aIsDependent);
+}
+
+/* static */
+bool ModuleLoadFrame::ExistsTopFrame() { return !!sTopFrame.get(); }
+
+void ModuleLoadFrame::OnSectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr,
+ NTSTATUS aMapNtStatus,
+ ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent) {
+ if (mLoadInfo.mBaseAddr) {
+ // If mBaseAddr is not null then |this| has already seen a module load. This
+ // means that we are witnessing a bare section map.
+ OnBareSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus,
+ aLoadStatus, aIsDependent);
+ return;
+ }
+
+ mLoadInfo.mSectionName = std::move(aSectionName);
+ mLoadInfo.mBaseAddr = aMapBaseAddr;
+ mLoadInfo.mStatus = aLoadStatus;
+}
+
+/* static */
+void ModuleLoadFrame::OnBareSectionMap(
+ nt::AllocatedUnicodeString&& aSectionName, const void* aMapBaseAddr,
+ NTSTATUS aMapNtStatus, ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent) {
+ // We call the special constructor variant that is used for bare mappings.
+ ModuleLoadFrame frame(std::move(aSectionName), aMapBaseAddr, aMapNtStatus,
+ aLoadStatus, aIsDependent);
+}
+
+NTSTATUS ModuleLoadFrame::SetLoadStatus(NTSTATUS aNtStatus,
+ PHANDLE aOutHandle) {
+ mLoadNtStatus = aNtStatus;
+
+ if (!mLSPSubstitutionRequired) {
+ return aNtStatus;
+ }
+
+ if (!gLoaderPrivateAPI.SubstituteForLSP(mLoadInfo.mRequestedDllName,
+ aOutHandle)) {
+ return aNtStatus;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+SafeThreadLocal<ModuleLoadFrame*> ModuleLoadFrame::sTopFrame;
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/ModuleLoadFrame.h b/browser/app/winlauncher/freestanding/ModuleLoadFrame.h
new file mode 100644
index 0000000000..51a179db99
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/ModuleLoadFrame.h
@@ -0,0 +1,97 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_ModuleLoadFrame_h
+#define mozilla_freestanding_ModuleLoadFrame_h
+
+#include "mozilla/LoaderAPIInterfaces.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/ThreadLocal.h"
+
+#include "SafeThreadLocal.h"
+
+namespace mozilla {
+namespace freestanding {
+
+/**
+ * This class holds information about a DLL load at a particular frame in the
+ * current thread's stack. Each instance adds itself to a thread-local linked
+ * list of ModuleLoadFrames, enabling us to query information about the
+ * previous module load on the stack.
+ */
+class MOZ_RAII ModuleLoadFrame final {
+ public:
+ /**
+ * This constructor is for use by the LdrLoadDll hook.
+ */
+ explicit ModuleLoadFrame(PCUNICODE_STRING aRequestedDllName);
+ ~ModuleLoadFrame();
+
+ static void NotifyLSPSubstitutionRequired(PCUNICODE_STRING aLeafName);
+
+ /**
+ * This static method is called by the NtMapViewOfSection hook.
+ */
+ static void NotifySectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aMapNtStatus,
+ ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent);
+ static bool ExistsTopFrame();
+
+ /**
+ * Called by the LdrLoadDll hook to indicate the status of the load and for
+ * us to provide a substitute output handle if necessary.
+ */
+ NTSTATUS SetLoadStatus(NTSTATUS aNtStatus, PHANDLE aOutHandle);
+
+ ModuleLoadFrame(const ModuleLoadFrame&) = delete;
+ ModuleLoadFrame(ModuleLoadFrame&&) = delete;
+ ModuleLoadFrame& operator=(const ModuleLoadFrame&) = delete;
+ ModuleLoadFrame& operator=(ModuleLoadFrame&&) = delete;
+
+ private:
+ /**
+ * Called by OnBareSectionMap to construct a frame for a bare load.
+ */
+ ModuleLoadFrame(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aNtStatus,
+ ModuleLoadInfo::Status aLoadStatus, bool aIsDependent);
+
+ void SetLSPSubstitutionRequired(PCUNICODE_STRING aLeafName);
+ void OnSectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aMapNtStatus,
+ ModuleLoadInfo::Status aLoadStatus, bool aIsDependent);
+
+ /**
+ * A "bare" section mapping is one that was mapped without the code passing
+ * through a call to ntdll!LdrLoadDll. This method is invoked when we detect
+ * that condition.
+ */
+ static void OnBareSectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aMapNtStatus,
+ ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent);
+
+ private:
+ // Link to the previous frame
+ ModuleLoadFrame* mPrev;
+ // Pointer to context managed by the nt::LoaderObserver implementation
+ void* mContext;
+ // Set to |true| when we need to block a WinSock LSP
+ bool mLSPSubstitutionRequired;
+ // NTSTATUS code from the |LdrLoadDll| call
+ NTSTATUS mLoadNtStatus;
+ // Telemetry information that will be forwarded to the nt::LoaderObserver
+ ModuleLoadInfo mLoadInfo;
+
+ // Head of the linked list
+ static SafeThreadLocal<ModuleLoadFrame*> sTopFrame;
+};
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_ModuleLoadFrame_h
diff --git a/browser/app/winlauncher/freestanding/SafeThreadLocal.h b/browser/app/winlauncher/freestanding/SafeThreadLocal.h
new file mode 100644
index 0000000000..e4b869f649
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/SafeThreadLocal.h
@@ -0,0 +1,96 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_SafeThreadLocal_h
+#define mozilla_freestanding_SafeThreadLocal_h
+
+#include <type_traits>
+
+#include "mozilla/NativeNt.h"
+#include "mozilla/ThreadLocal.h"
+
+namespace mozilla {
+namespace freestanding {
+
+// We cannot fall back to the Tls* APIs because kernel32 might not have been
+// loaded yet.
+#if defined(__MINGW32__) && !defined(HAVE_THREAD_TLS_KEYWORD)
+# error "This code requires the compiler to have native TLS support"
+#endif // defined(__MINGW32__) && !defined(HAVE_THREAD_TLS_KEYWORD)
+
+/**
+ * This class holds data as a thread-local variable, or as a global variable
+ * if the thread local storage is not initialized yet. It should be safe
+ * because in that early stage we assume there is no more than a single thread.
+ */
+template <typename T>
+class SafeThreadLocal final {
+ static MOZ_THREAD_LOCAL(T) sThreadLocal;
+ static T sGlobal;
+ static bool sIsTlsUsed;
+
+ // In normal cases, TLS is always available and the class uses sThreadLocal
+ // without changing sMainThreadId. So sMainThreadId is likely to be 0.
+ //
+ // If TLS is not available, we use sGlobal instead and update sMainThreadId
+ // so that that thread keeps using sGlobal even after TLS is initialized
+ // later.
+ static DWORD sMainThreadId;
+
+ // Need non-inline accessors to prevent the compiler from generating code
+ // accessing sThreadLocal before checking a condition.
+ MOZ_NEVER_INLINE static void SetGlobalValue(T aValue) { sGlobal = aValue; }
+ MOZ_NEVER_INLINE static T GetGlobalValue() { return sGlobal; }
+
+ public:
+ static void set(T aValue) {
+ static_assert(std::is_pointer_v<T>,
+ "SafeThreadLocal must be used with a pointer");
+
+ if (sMainThreadId == mozilla::nt::RtlGetCurrentThreadId()) {
+ SetGlobalValue(aValue);
+ } else if (sIsTlsUsed) {
+ MOZ_ASSERT(mozilla::nt::RtlGetThreadLocalStoragePointer(),
+ "Once TLS is used, TLS should be available till the end.");
+ sThreadLocal.set(aValue);
+ } else if (mozilla::nt::RtlGetThreadLocalStoragePointer()) {
+ sIsTlsUsed = true;
+ sThreadLocal.set(aValue);
+ } else {
+ MOZ_ASSERT(sMainThreadId == 0,
+ "A second thread cannot be created before TLS is available.");
+ sMainThreadId = mozilla::nt::RtlGetCurrentThreadId();
+ SetGlobalValue(aValue);
+ }
+ }
+
+ static T get() {
+ if (sMainThreadId == mozilla::nt::RtlGetCurrentThreadId()) {
+ return GetGlobalValue();
+ } else if (sIsTlsUsed) {
+ return sThreadLocal.get();
+ }
+ return GetGlobalValue();
+ }
+};
+
+template <typename T>
+MOZ_THREAD_LOCAL(T)
+SafeThreadLocal<T>::sThreadLocal;
+
+template <typename T>
+T SafeThreadLocal<T>::sGlobal = nullptr;
+
+template <typename T>
+bool SafeThreadLocal<T>::sIsTlsUsed = false;
+
+template <typename T>
+DWORD SafeThreadLocal<T>::sMainThreadId = 0;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_SafeThreadLocal_h
diff --git a/browser/app/winlauncher/freestanding/SharedSection.cpp b/browser/app/winlauncher/freestanding/SharedSection.cpp
new file mode 100644
index 0000000000..eab0074f60
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/SharedSection.cpp
@@ -0,0 +1,368 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "SharedSection.h"
+
+#include <algorithm>
+#include "CheckForCaller.h"
+#include "mozilla/BinarySearch.h"
+
+namespace {
+
+bool AddString(mozilla::Span<wchar_t> aBuffer, const UNICODE_STRING& aStr) {
+ size_t offsetElements = 0;
+ while (offsetElements < aBuffer.Length()) {
+ UNICODE_STRING uniStr;
+ ::RtlInitUnicodeString(&uniStr, aBuffer.data() + offsetElements);
+
+ if (uniStr.Length == 0) {
+ // Reached to the array's last item.
+ break;
+ }
+
+ if (::RtlCompareUnicodeString(&uniStr, &aStr, TRUE) == 0) {
+ // Already included in the array.
+ return true;
+ }
+
+ // Go to the next string.
+ offsetElements += uniStr.MaximumLength / sizeof(wchar_t);
+ }
+
+ // Ensure enough space including the last empty string at the end.
+ if (offsetElements * sizeof(wchar_t) + aStr.Length + sizeof(wchar_t) +
+ sizeof(wchar_t) >
+ aBuffer.LengthBytes()) {
+ return false;
+ }
+
+ auto newStr = aBuffer.Subspan(offsetElements);
+ memcpy(newStr.data(), aStr.Buffer, aStr.Length);
+ memset(newStr.data() + aStr.Length / sizeof(wchar_t), 0, sizeof(wchar_t));
+ return true;
+}
+
+} // anonymous namespace
+
+namespace mozilla {
+namespace freestanding {
+
+SharedSection gSharedSection;
+
+// Why don't we use ::GetProcAddress?
+// If the export table of kernel32.dll is tampered in the current process,
+// we cannot transfer an RVA because the function pointed by the RVA may not
+// exist in a target process.
+// We can use ::GetProcAddress with additional check to detect tampering, but
+// FindExportAddressTableEntry fits perfectly here because it returns nullptr
+// if the target entry is outside the image, which means it's tampered or
+// forwarded to another DLL.
+#define INIT_FUNCTION(exports, name) \
+ do { \
+ auto rvaToFunction = exports.FindExportAddressTableEntry(#name); \
+ if (!rvaToFunction) { \
+ return; \
+ } \
+ m##name = reinterpret_cast<decltype(m##name)>(*rvaToFunction); \
+ } while (0)
+
+#define RESOLVE_FUNCTION(base, name) \
+ m##name = reinterpret_cast<decltype(m##name)>( \
+ base + reinterpret_cast<uintptr_t>(m##name))
+
+void Kernel32ExportsSolver::Init() {
+ interceptor::MMPolicyInProcess policy;
+ auto k32Exports = nt::PEExportSection<interceptor::MMPolicyInProcess>::Get(
+ ::GetModuleHandleW(L"kernel32.dll"), policy);
+ if (!k32Exports) {
+ return;
+ }
+
+ // Please make sure these functions are not forwarded to another DLL.
+ INIT_FUNCTION(k32Exports, FlushInstructionCache);
+ INIT_FUNCTION(k32Exports, GetModuleHandleW);
+ INIT_FUNCTION(k32Exports, GetSystemInfo);
+ INIT_FUNCTION(k32Exports, VirtualProtect);
+}
+
+bool Kernel32ExportsSolver::Resolve() {
+ const UNICODE_STRING k32Name = MOZ_LITERAL_UNICODE_STRING(L"kernel32.dll");
+
+ // We cannot use GetModuleHandleW because this code can be called
+ // before IAT is resolved.
+ auto k32Module = nt::GetModuleHandleFromLeafName(k32Name);
+ if (k32Module.isErr()) {
+ // Probably this is called before kernel32.dll is loaded.
+ return false;
+ }
+
+ uintptr_t k32Base =
+ nt::PEHeaders::HModuleToBaseAddr<uintptr_t>(k32Module.unwrap());
+
+ RESOLVE_FUNCTION(k32Base, FlushInstructionCache);
+ RESOLVE_FUNCTION(k32Base, GetModuleHandleW);
+ RESOLVE_FUNCTION(k32Base, GetSystemInfo);
+ RESOLVE_FUNCTION(k32Base, VirtualProtect);
+
+ return true;
+}
+
+HANDLE SharedSection::sSectionHandle = nullptr;
+SharedSection::Layout* SharedSection::sWriteCopyView = nullptr;
+RTL_RUN_ONCE SharedSection::sEnsureOnce = RTL_RUN_ONCE_INIT;
+nt::SRWLock SharedSection::sLock;
+
+void SharedSection::Reset(HANDLE aNewSectionObject) {
+ nt::AutoExclusiveLock{sLock};
+ if (sWriteCopyView) {
+ nt::AutoMappedView view(sWriteCopyView);
+ sWriteCopyView = nullptr;
+ ::RtlRunOnceInitialize(&sEnsureOnce);
+ }
+
+ if (sSectionHandle != aNewSectionObject) {
+ if (sSectionHandle) {
+ ::CloseHandle(sSectionHandle);
+ }
+ sSectionHandle = aNewSectionObject;
+ }
+}
+
+void SharedSection::ConvertToReadOnly() {
+ if (!sSectionHandle) {
+ return;
+ }
+
+ HANDLE readonlyHandle;
+ if (!::DuplicateHandle(nt::kCurrentProcess, sSectionHandle,
+ nt::kCurrentProcess, &readonlyHandle, GENERIC_READ,
+ FALSE, 0)) {
+ return;
+ }
+
+ Reset(readonlyHandle);
+}
+
+LauncherVoidResult SharedSection::Init() {
+ static_assert(
+ kSharedViewSize >= sizeof(Layout),
+ "kSharedViewSize is too small to represent SharedSection::Layout.");
+
+ HANDLE section =
+ ::CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_READWRITE, 0,
+ kSharedViewSize, nullptr);
+ if (!section) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+ Reset(section);
+
+ // The initial contents of the pages in a file mapping object backed by
+ // the operating system paging file are 0 (zero). No need to zero it out
+ // ourselves.
+ // https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-createfilemappingw
+ nt::AutoMappedView writableView(sSectionHandle, PAGE_READWRITE);
+ if (!writableView) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ Layout* view = writableView.as<Layout>();
+ view->mK32Exports.Init();
+ view->mState = Layout::State::kInitialized;
+ // Leave view->mDependentModulePathArrayStart to be zero to indicate
+ // we can add blocklist entries
+ return Ok();
+}
+
+LauncherVoidResult SharedSection::AddDependentModule(PCUNICODE_STRING aNtPath) {
+ nt::AutoMappedView writableView(sSectionHandle, PAGE_READWRITE);
+ if (!writableView) {
+ return LAUNCHER_ERROR_FROM_WIN32(::RtlGetLastWin32Error());
+ }
+
+ Layout* view = writableView.as<Layout>();
+ if (!view->mDependentModulePathArrayStart) {
+ // This is the first time AddDependentModule is called. We set the initial
+ // value to mDependentModulePathArrayStart, which *closes* the blocklist.
+ // After this, AddBlocklist is no longer allowed.
+ view->mDependentModulePathArrayStart =
+ FIELD_OFFSET(Layout, mFirstBlockEntry) + sizeof(DllBlockInfo);
+ }
+
+ if (!AddString(view->GetDependentModules(), *aNtPath)) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER);
+ }
+
+ return Ok();
+}
+
+LauncherVoidResult SharedSection::SetBlocklist(
+ const DynamicBlockList& aBlocklist, bool isDisabled) {
+ if (!aBlocklist.GetPayloadSize()) {
+ return Ok();
+ }
+
+ nt::AutoMappedView writableView(sSectionHandle, PAGE_READWRITE);
+ if (!writableView) {
+ return LAUNCHER_ERROR_FROM_WIN32(::RtlGetLastWin32Error());
+ }
+
+ Layout* view = writableView.as<Layout>();
+ if (view->mDependentModulePathArrayStart > 0) {
+ // If the dependent module array is already available, we must not update
+ // the blocklist.
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_INVALID_STATE);
+ }
+
+ view->mBlocklistIsDisabled = isDisabled ? 1 : 0;
+ uintptr_t bufferEnd = reinterpret_cast<uintptr_t>(view) + kSharedViewSize;
+ size_t bytesCopied = aBlocklist.CopyTo(
+ view->mFirstBlockEntry,
+ bufferEnd - reinterpret_cast<uintptr_t>(view->mFirstBlockEntry));
+ if (!bytesCopied) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER);
+ }
+
+ // Setting mDependentModulePathArrayStart to a non-zero value means
+ // we no longer accept blocklist entries
+ // Just to be safe, make sure we don't overwrite mFirstBlockEntry even
+ // if there are no entries.
+ view->mDependentModulePathArrayStart =
+ FIELD_OFFSET(Layout, mFirstBlockEntry) +
+ std::max(bytesCopied, sizeof(DllBlockInfo));
+ return Ok();
+}
+
+/* static */
+ULONG NTAPI SharedSection::EnsureWriteCopyViewOnce(PRTL_RUN_ONCE, PVOID,
+ PVOID*) {
+ if (!sWriteCopyView) {
+ nt::AutoMappedView view(sSectionHandle, PAGE_WRITECOPY);
+ if (!view) {
+ return TRUE;
+ }
+ sWriteCopyView = view.as<Layout>();
+ view.release();
+ }
+ return sWriteCopyView->Resolve() ? TRUE : FALSE;
+}
+
+SharedSection::Layout* SharedSection::EnsureWriteCopyView(
+ bool requireKernel32Exports /*= false */) {
+ ::RtlRunOnceExecuteOnce(&sEnsureOnce, &EnsureWriteCopyViewOnce, nullptr,
+ nullptr);
+ if (!sWriteCopyView) {
+ return nullptr;
+ }
+ auto requiredState = requireKernel32Exports
+ ? Layout::State::kResolved
+ : Layout::State::kLoadedDynamicBlocklistEntries;
+ return sWriteCopyView->mState >= requiredState ? sWriteCopyView : nullptr;
+}
+
+bool SharedSection::Layout::Resolve() {
+ if (mState == State::kResolved) {
+ return true;
+ }
+ if (mState == State::kUninitialized) {
+ return false;
+ }
+ if (mState == State::kInitialized) {
+ if (!mNumBlockEntries) {
+ uintptr_t arrayBase = reinterpret_cast<uintptr_t>(mFirstBlockEntry);
+ uint32_t numEntries = 0;
+ for (DllBlockInfo* entry = mFirstBlockEntry;
+ entry->mName.Length && numEntries < GetMaxNumBlockEntries();
+ ++entry) {
+ entry->mName.Buffer = reinterpret_cast<wchar_t*>(
+ arrayBase + reinterpret_cast<uintptr_t>(entry->mName.Buffer));
+ ++numEntries;
+ }
+ mNumBlockEntries = numEntries;
+ // Sort by name so that we can binary-search
+ std::sort(mFirstBlockEntry, mFirstBlockEntry + mNumBlockEntries,
+ [](const DllBlockInfo& a, const DllBlockInfo& b) {
+ return ::RtlCompareUnicodeString(&a.mName, &b.mName, TRUE) <
+ 0;
+ });
+ }
+ mState = State::kLoadedDynamicBlocklistEntries;
+ }
+
+ if (!mK32Exports.Resolve()) {
+ return false;
+ }
+
+ mState = State::kResolved;
+ return true;
+}
+
+Span<wchar_t> SharedSection::Layout::GetDependentModules() {
+ if (!mDependentModulePathArrayStart) {
+ return nullptr;
+ }
+ return Span<wchar_t>(
+ reinterpret_cast<wchar_t*>(reinterpret_cast<uintptr_t>(this) +
+ mDependentModulePathArrayStart),
+ (kSharedViewSize - mDependentModulePathArrayStart) / sizeof(wchar_t));
+}
+
+bool SharedSection::Layout::IsDisabled() const {
+ return !!mBlocklistIsDisabled;
+}
+
+const DllBlockInfo* SharedSection::Layout::SearchBlocklist(
+ const UNICODE_STRING& aLeafName) const {
+ MOZ_ASSERT(mState >= State::kLoadedDynamicBlocklistEntries);
+ DllBlockInfoComparator comp(aLeafName);
+ size_t match;
+ if (!BinarySearchIf(mFirstBlockEntry, 0, mNumBlockEntries, comp, &match)) {
+ return nullptr;
+ }
+ return &mFirstBlockEntry[match];
+}
+
+Kernel32ExportsSolver* SharedSection::GetKernel32Exports() {
+ Layout* writeCopyView = EnsureWriteCopyView(true);
+ return writeCopyView ? &writeCopyView->mK32Exports : nullptr;
+}
+
+Span<const wchar_t> SharedSection::GetDependentModules() {
+ Layout* writeCopyView = EnsureWriteCopyView();
+ return writeCopyView ? writeCopyView->GetDependentModules() : nullptr;
+}
+
+Span<const DllBlockInfo> SharedSection::GetDynamicBlocklist() {
+ Layout* writeCopyView = EnsureWriteCopyView();
+ return writeCopyView ? writeCopyView->GetModulePathArray() : nullptr;
+}
+
+const DllBlockInfo* SharedSection::SearchBlocklist(
+ const UNICODE_STRING& aLeafName) {
+ Layout* writeCopyView = EnsureWriteCopyView();
+ return writeCopyView ? writeCopyView->SearchBlocklist(aLeafName) : nullptr;
+}
+
+bool SharedSection::IsDisabled() {
+ Layout* writeCopyView = EnsureWriteCopyView();
+ return writeCopyView ? writeCopyView->IsDisabled() : false;
+}
+
+LauncherVoidResult SharedSection::TransferHandle(
+ nt::CrossExecTransferManager& aTransferMgr, DWORD aDesiredAccess,
+ HANDLE* aDestinationAddress) {
+ HANDLE remoteHandle;
+ if (!::DuplicateHandle(nt::kCurrentProcess, sSectionHandle,
+ aTransferMgr.RemoteProcess(), &remoteHandle,
+ aDesiredAccess, FALSE, 0)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ return aTransferMgr.Transfer(aDestinationAddress, &remoteHandle,
+ sizeof(remoteHandle));
+}
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/SharedSection.h b/browser/app/winlauncher/freestanding/SharedSection.h
new file mode 100644
index 0000000000..4c3d1b8ef8
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/SharedSection.h
@@ -0,0 +1,212 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_SharedSection_h
+#define mozilla_freestanding_SharedSection_h
+
+#include "mozilla/DynamicBlocklist.h"
+#include "mozilla/glue/SharedSection.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/interceptor/MMPolicies.h"
+
+// clang-format off
+#define MOZ_LITERAL_UNICODE_STRING(s) \
+ { \
+ /* Length of the string in bytes, less the null terminator */ \
+ sizeof(s) - sizeof(wchar_t), \
+ /* Length of the string in bytes, including the null terminator */ \
+ sizeof(s), \
+ /* Pointer to the buffer */ \
+ const_cast<wchar_t*>(s) \
+ }
+// clang-format on
+
+namespace mozilla {
+namespace freestanding {
+class SharedSectionTestHelper;
+
+struct DllBlockInfoComparator {
+ explicit DllBlockInfoComparator(const UNICODE_STRING& aTarget)
+ : mTarget(&aTarget) {}
+
+ int operator()(const DllBlockInfo& aVal) const {
+ return static_cast<int>(
+ ::RtlCompareUnicodeString(mTarget, &aVal.mName, TRUE));
+ }
+
+ PCUNICODE_STRING mTarget;
+};
+
+// This class calculates RVAs of kernel32's functions and transfers them
+// to a target process, where the transferred RVAs are resolved into
+// function addresses so that the target process can use them after
+// kernel32.dll is loaded and before IAT is resolved.
+struct MOZ_TRIVIAL_CTOR_DTOR Kernel32ExportsSolver final
+ : interceptor::MMPolicyInProcessEarlyStage::Kernel32Exports {
+ void Init();
+ bool Resolve();
+};
+
+// This class manages a section which is created in the launcher process and
+// mapped in the browser process and the sandboxed processes. The section's
+// layout is represented as SharedSection::Layout.
+//
+// (1) Kernel32's functions required for MMPolicyInProcessEarlyStage
+// Formatted as Kernel32ExportsSolver.
+//
+// (2) Various flags and offsets
+//
+// (3) Entries in the dynamic blocklist, in DllBlockInfo format. There
+// are mNumBlockEntries of these, followed by one that has mName.Length
+// of 0. Note that the strings that contain
+// the names of the entries in the blocklist are stored concatenated
+// after the last entry. The mName pointers in each DllBlockInfo point
+// to these strings correctly in Resolve(), so clients don't need
+// to do anything special to read these strings.
+//
+// (4) Array of NT paths of the executable's dependent modules
+// Formatted as a null-delimited wide-character string set ending with
+// an empty string. These entries start at offset
+// mDependentModulePathArrayStart (in bytes) from the beginning
+// of the structure
+//
+// +--------------------------------------------------------------+
+// | (1) | FlushInstructionCache |
+// | | GetModuleHandleW |
+// | | GetSystemInfo |
+// | | VirtualProtect |
+// | | State [kUninitialized|kInitialized|kResolved] |
+// +--------------------------------------------------------------+
+// | (2) | (flags and offsets) |
+// +--------------------------------------------------------------+
+// | (3) | <DllBlockInfo for first entry in dynamic blocklist> |
+// | | <DllBlockInfo for second entry in dynamic blocklist> |
+// | | ... |
+// | | <DllBlockInfo for last entry in dynamic blocklist> |
+// | | <DllBlockInfo with mName.Length of 0> |
+// | | L"string1.dllstring2.dll...stringlast.dll" |
+// +--------------------------------------------------------------+
+// | (4) | L"NT path 1" |
+// | | L"NT path 2" |
+// | | ... |
+// | | L"" |
+// +--------------------------------------------------------------+
+class MOZ_TRIVIAL_CTOR_DTOR SharedSection final : public nt::SharedSection {
+ struct Layout final {
+ enum class State {
+ kUninitialized,
+ kInitialized,
+ kLoadedDynamicBlocklistEntries,
+ kResolved,
+ } mState;
+
+ Kernel32ExportsSolver mK32Exports;
+ // 1 if the blocklist is disabled, 0 otherwise.
+ // If the blocklist is disabled, the entries are still loaded to make it
+ // easy for the user to remove any they don't want, but none of the DLLs
+ // here are actually blocked.
+ // Stored as a uint32_t for alignment reasons.
+ uint32_t mBlocklistIsDisabled;
+ // The offset, in bytes, from the beginning of the Layout structure to the
+ // first dependent module entry.
+ // When the Layout object is created, this value is 0, indicating that no
+ // dependent modules have been added and it is safe to add DllBlockInfo
+ // entries.
+ // After this value is set to something non-0, no more DllBlockInfo entries
+ // can be added.
+ uint32_t mDependentModulePathArrayStart;
+ // The number of blocklist entries.
+ uint32_t mNumBlockEntries;
+ DllBlockInfo mFirstBlockEntry[1];
+
+ Span<DllBlockInfo> GetModulePathArray() {
+ return Span<DllBlockInfo>(
+ mFirstBlockEntry,
+ (kSharedViewSize - (reinterpret_cast<uintptr_t>(mFirstBlockEntry) -
+ reinterpret_cast<uintptr_t>(this))) /
+ sizeof(DllBlockInfo));
+ }
+ // Can be used to make sure we don't step past the end of the shared memory
+ // section.
+ static constexpr uint32_t GetMaxNumBlockEntries() {
+ return (kSharedViewSize - (offsetof(Layout, mFirstBlockEntry))) /
+ sizeof(DllBlockInfo);
+ }
+ Layout() = delete; // disallow instantiation
+ bool Resolve();
+ bool IsDisabled() const;
+ const DllBlockInfo* SearchBlocklist(const UNICODE_STRING& aLeafName) const;
+ Span<wchar_t> GetDependentModules();
+ };
+
+ // As we define a global variable of this class and use it in our blocklist
+ // which is excuted in a process's early stage. If we have a complex dtor,
+ // the static initializer tries to register that dtor with onexit() of
+ // ucrtbase.dll which is not loaded yet, resulting in crash. Thus, we have
+ // a raw handle and a pointer as a static variable and manually release them
+ // by calling Reset() where possible.
+ static HANDLE sSectionHandle;
+ static Layout* sWriteCopyView;
+ static RTL_RUN_ONCE sEnsureOnce;
+
+ // The sLock lock guarantees that while it is held, sSectionHandle will not
+ // change nor get closed, sEnsureOnce will not get reinitialized, and
+ // sWriteCopyView will not change nor get unmapped once initialized. We take
+ // sLock on paths that could run concurrently with ConvertToReadOnly(). This
+ // method is only called on the main process, and very early, so the only
+ // real risk here should be threads started by third-party products reaching
+ // our patched_NtMapViewOfSection (see bug 1850969).
+ static nt::SRWLock sLock;
+
+ static ULONG NTAPI EnsureWriteCopyViewOnce(PRTL_RUN_ONCE, PVOID, PVOID*);
+ static Layout* EnsureWriteCopyView(bool requireKernel32Exports = false);
+
+ static constexpr size_t kSharedViewSize = 0x1000;
+
+ // For test use only
+ friend class SharedSectionTestHelper;
+
+ public:
+ // Replace |sSectionHandle| with a given handle.
+ static void Reset(HANDLE aNewSectionObject = sSectionHandle);
+
+ static inline nt::AutoSharedLock AutoNoReset() {
+ return nt::AutoSharedLock{sLock};
+ }
+
+ // Replace |sSectionHandle| with a new readonly handle.
+ static void ConvertToReadOnly();
+
+ // Create a new writable section and initialize the Kernel32ExportsSolver
+ // part.
+ static LauncherVoidResult Init();
+
+ // Append a new string to the |sSectionHandle|
+ static LauncherVoidResult AddDependentModule(PCUNICODE_STRING aNtPath);
+ static LauncherVoidResult SetBlocklist(const DynamicBlockList& aBlocklist,
+ bool isDisabled);
+
+ // Map |sSectionHandle| to a copy-on-write page and return a writable pointer
+ // to each structure, or null if Layout failed to resolve exports.
+ Kernel32ExportsSolver* GetKernel32Exports();
+ Span<const wchar_t> GetDependentModules() final override;
+ Span<const DllBlockInfo> GetDynamicBlocklist() final override;
+
+ static bool IsDisabled();
+ static const DllBlockInfo* SearchBlocklist(const UNICODE_STRING& aLeafName);
+
+ // Transfer |sSectionHandle| to a process associated with |aTransferMgr|.
+ static LauncherVoidResult TransferHandle(
+ nt::CrossExecTransferManager& aTransferMgr, DWORD aDesiredAccess,
+ HANDLE* aDestinationAddress = &sSectionHandle);
+};
+
+extern SharedSection gSharedSection;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_SharedSection_h
diff --git a/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py b/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py
new file mode 100644
index 0000000000..d9fe86d78e
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py
@@ -0,0 +1,28 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import os
+import subprocess
+import tempfile
+
+
+def main(output_fd, def_file, llvm_dlltool, *llvm_dlltool_args):
+ # llvm-dlltool can't output to stdout, so we create a temp file, use that
+ # to write out the lib, and then copy it over to output_fd
+ (tmp_fd, tmp_output) = tempfile.mkstemp()
+ os.close(tmp_fd)
+
+ try:
+ cmd = [llvm_dlltool]
+ cmd.extend(llvm_dlltool_args)
+ cmd += ["-d", def_file, "-l", tmp_output]
+
+ subprocess.check_call(cmd)
+
+ with open(tmp_output, "rb") as tmplib:
+ output_fd.write(tmplib.read())
+ finally:
+ os.remove(tmp_output)
diff --git a/browser/app/winlauncher/freestanding/moz.build b/browser/app/winlauncher/freestanding/moz.build
new file mode 100644
index 0000000000..7a43d9a104
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/moz.build
@@ -0,0 +1,56 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Library("winlauncher-freestanding")
+
+FORCE_STATIC_LIB = True
+
+# Our patched NtMapViewOfSection can be called before the process's import
+# table is populated. Don't let the compiler insert any instrumentation
+# that might call an import.
+NO_PGO = True
+
+UNIFIED_SOURCES += [
+ "DllBlocklist.cpp",
+ "LoaderPrivateAPI.cpp",
+ "ModuleLoadFrame.cpp",
+ "SharedSection.cpp",
+]
+
+# This library must be compiled in a freestanding environment, as its code must
+# not assume that it has access to any runtime libraries.
+if CONFIG["CC_TYPE"] == "clang-cl":
+ CXXFLAGS += ["-Xclang"]
+
+CXXFLAGS += [
+ "-ffreestanding",
+]
+
+# Forcibly include Freestanding.h into all source files in this library.
+if CONFIG["CC_TYPE"] == "clang-cl":
+ CXXFLAGS += ["-FI"]
+else:
+ CXXFLAGS += ["-include"]
+
+CXXFLAGS += [SRCDIR + "/Freestanding.h"]
+
+OS_LIBS += [
+ "ntdll",
+ "ntdll_freestanding",
+]
+
+if CONFIG["COMPILE_ENVIRONMENT"] and CONFIG["LLVM_DLLTOOL"]:
+ GeneratedFile(
+ "%sntdll_freestanding.%s" % (CONFIG["LIB_PREFIX"], CONFIG["LIB_SUFFIX"]),
+ script="gen_ntdll_freestanding_lib.py",
+ inputs=["ntdll_freestanding.def"],
+ flags=[CONFIG["LLVM_DLLTOOL"]] + CONFIG["LLVM_DLLTOOL_FLAGS"],
+ )
+
+DisableStlWrapping()
+
+with Files("**"):
+ BUG_COMPONENT = ("Firefox", "Launcher Process")
diff --git a/browser/app/winlauncher/freestanding/ntdll_freestanding.def b/browser/app/winlauncher/freestanding/ntdll_freestanding.def
new file mode 100644
index 0000000000..6e5e2685fe
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/ntdll_freestanding.def
@@ -0,0 +1,25 @@
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+LIBRARY ntdll
+
+; When we compile with -freestanding, the compiler still requires implementation
+; of the four functions listed below.
+;
+; We could implement our own naive versions of these functions, but that
+; solution is less than ideal since the implementations must be extern and are
+; thus picked up by the entire firefox.exe binary. This denies the rest of
+; firefox.exe the benefit of optimized implementations. On Windows the
+; sandbox is linked into firefox.exe, so we cannot just shrug and
+; assume that a naive implementation will not have any effect on anything.
+;
+; There are, however, optimized implementations of these functions that are
+; exported by ntdll.dll. OTOH, they are not included in the ntdll.lib
+; import library. This .def file is used to build an import library that "fills
+; in the blanks" and allows us to link into the ntdll implementations.
+EXPORTS
+ memcmp
+ memcpy
+ memmove
+ memset