diff options
Diffstat (limited to '')
14 files changed, 2164 insertions, 0 deletions
diff --git a/browser/app/winlauncher/freestanding/CheckForCaller.h b/browser/app/winlauncher/freestanding/CheckForCaller.h new file mode 100644 index 0000000000..799d16cd1f --- /dev/null +++ b/browser/app/winlauncher/freestanding/CheckForCaller.h @@ -0,0 +1,36 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_freestanding_CheckForCaller_h +#define mozilla_freestanding_CheckForCaller_h + +namespace mozilla { + +#if defined(_MSC_VER) +# include <intrin.h> +# pragma intrinsic(_ReturnAddress) +# define RETURN_ADDRESS() _ReturnAddress() +#elif defined(__GNUC__) || defined(__clang__) +# define RETURN_ADDRESS() \ + __builtin_extract_return_addr(__builtin_return_address(0)) +#endif + +template <int N> +bool CheckForAddress(void* aReturnAddress, const wchar_t (&aName)[N]) { + HMODULE callingModule; + if (!::GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | + GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, + reinterpret_cast<LPCWSTR>(aReturnAddress), + &callingModule)) { + return false; + } + + return callingModule && callingModule == ::GetModuleHandleW(aName); +} + +} // namespace mozilla + +#endif // mozilla_freestanding_CheckForCaller_h diff --git a/browser/app/winlauncher/freestanding/DllBlocklist.cpp b/browser/app/winlauncher/freestanding/DllBlocklist.cpp new file mode 100644 index 0000000000..105ab6d918 --- /dev/null +++ b/browser/app/winlauncher/freestanding/DllBlocklist.cpp @@ -0,0 +1,641 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#include "mozilla/ArrayUtils.h" +#include "mozilla/Attributes.h" +#include "mozilla/BinarySearch.h" +#include "mozilla/NativeNt.h" +#include "mozilla/Types.h" +#include "mozilla/WindowsDllBlocklist.h" + +#include "CrashAnnotations.h" +#include "DllBlocklist.h" +#include "LoaderPrivateAPI.h" +#include "ModuleLoadFrame.h" +#include "SharedSection.h" + +using mozilla::DllBlockInfoFlags; + +#define DLL_BLOCKLIST_ENTRY(name, ...) \ + {MOZ_LITERAL_UNICODE_STRING(L##name), __VA_ARGS__}, +#define DLL_BLOCKLIST_STRING_TYPE UNICODE_STRING + +#if defined(MOZ_LAUNCHER_PROCESS) || defined(NIGHTLY_BUILD) +# include "mozilla/WindowsDllBlocklistLauncherDefs.h" +#else +# include "mozilla/WindowsDllBlocklistCommon.h" +DLL_BLOCKLIST_DEFINITIONS_BEGIN +DLL_BLOCKLIST_DEFINITIONS_END +#endif + +using WritableBuffer = mozilla::glue::detail::WritableBuffer<1024>; + +class MOZ_STATIC_CLASS MOZ_TRIVIAL_CTOR_DTOR NativeNtBlockSet final { + struct NativeNtBlockSetEntry { + NativeNtBlockSetEntry() = default; + ~NativeNtBlockSetEntry() = default; + NativeNtBlockSetEntry(const UNICODE_STRING& aName, uint64_t aVersion, + NativeNtBlockSetEntry* aNext) + : mName(aName), mVersion(aVersion), mNext(aNext) {} + UNICODE_STRING mName; + uint64_t mVersion; + NativeNtBlockSetEntry* mNext; + }; + + public: + // Constructor and destructor MUST be trivial + constexpr NativeNtBlockSet() : mFirstEntry(nullptr) {} + ~NativeNtBlockSet() = default; + + void Add(const UNICODE_STRING& aName, uint64_t aVersion); + void Write(WritableBuffer& buffer); + + private: + static NativeNtBlockSetEntry* NewEntry(const UNICODE_STRING& aName, + uint64_t aVersion, + NativeNtBlockSetEntry* aNextEntry); + + private: + NativeNtBlockSetEntry* mFirstEntry; + mozilla::nt::SRWLock mLock; +}; + +NativeNtBlockSet::NativeNtBlockSetEntry* NativeNtBlockSet::NewEntry( + const UNICODE_STRING& aName, uint64_t aVersion, + NativeNtBlockSet::NativeNtBlockSetEntry* aNextEntry) { + return mozilla::freestanding::RtlNew<NativeNtBlockSetEntry>(aName, aVersion, + aNextEntry); +} + +void NativeNtBlockSet::Add(const UNICODE_STRING& aName, uint64_t aVersion) { + mozilla::nt::AutoExclusiveLock lock(mLock); + + for (NativeNtBlockSetEntry* entry = mFirstEntry; entry; + entry = entry->mNext) { + if (::RtlEqualUnicodeString(&entry->mName, &aName, TRUE) && + aVersion == entry->mVersion) { + return; + } + } + + // Not present, add it + NativeNtBlockSetEntry* newEntry = NewEntry(aName, aVersion, mFirstEntry); + if (newEntry) { + mFirstEntry = newEntry; + } +} + +void NativeNtBlockSet::Write(WritableBuffer& aBuffer) { + // NB: If this function is called, it is long after kernel32 is initialized, + // so it is safe to use Win32 calls here. + char buf[MAX_PATH]; + + // It would be nicer to use RAII here. However, its destructor + // might not run if an exception occurs, in which case we would never release + // the lock (MSVC warns about this possibility). So we acquire and release + // manually. + ::AcquireSRWLockExclusive(&mLock); + + MOZ_SEH_TRY { + for (auto entry = mFirstEntry; entry; entry = entry->mNext) { + int convOk = ::WideCharToMultiByte(CP_UTF8, 0, entry->mName.Buffer, + entry->mName.Length / sizeof(wchar_t), + buf, sizeof(buf), nullptr, nullptr); + if (!convOk) { + continue; + } + + // write name[,v.v.v.v]; + aBuffer.Write(buf, convOk); + + if (entry->mVersion != DllBlockInfo::ALL_VERSIONS) { + aBuffer.Write(",", 1); + uint16_t parts[4]; + parts[0] = entry->mVersion >> 48; + parts[1] = (entry->mVersion >> 32) & 0xFFFF; + parts[2] = (entry->mVersion >> 16) & 0xFFFF; + parts[3] = entry->mVersion & 0xFFFF; + for (size_t p = 0; p < mozilla::ArrayLength(parts); ++p) { + _ltoa_s(parts[p], buf, sizeof(buf), 10); + aBuffer.Write(buf, strlen(buf)); + if (p != mozilla::ArrayLength(parts) - 1) { + aBuffer.Write(".", 1); + } + } + } + aBuffer.Write(";", 1); + } + } + MOZ_SEH_EXCEPT(EXCEPTION_EXECUTE_HANDLER) {} + + ::ReleaseSRWLockExclusive(&mLock); +} + +static NativeNtBlockSet gBlockSet; + +extern "C" void MOZ_EXPORT +NativeNtBlockSet_Write(CrashReporter::AnnotationWriter& aWriter) { + WritableBuffer buffer; + gBlockSet.Write(buffer); + aWriter.Write(CrashReporter::Annotation::BlockedDllList, buffer.Data(), + buffer.Length()); +} + +enum class BlockAction { + // Allow the DLL to be loaded. + Allow, + // Substitute in a different DLL to be loaded instead of this one? + // This is intended to be used for Layered Service Providers, which + // cannot be blocked in the normal way. Note that this doesn't seem + // to be actually implemented right now, and no entries in the blocklist + // use it. + SubstituteLSP, + // There was an error in determining whether we should block this DLL. + // It will be blocked. + Error, + // Block the DLL from loading. + Deny, + // Effectively block the DLL from loading by redirecting its DllMain + // to a stub version. This is needed for DLLs that add themselves to + // the executable's Import Table, since failing to load would mean the + // executable would fail to launch. + NoOpEntryPoint, +}; + +static BlockAction CheckBlockInfo(const DllBlockInfo* aInfo, + const mozilla::nt::PEHeaders& aHeaders, + uint64_t& aVersion) { + aVersion = DllBlockInfo::ALL_VERSIONS; + + if (aInfo->mFlags & (DllBlockInfoFlags::BLOCK_WIN8_AND_OLDER | + DllBlockInfoFlags::BLOCK_WIN7_AND_OLDER)) { + RTL_OSVERSIONINFOW osv = {sizeof(osv)}; + NTSTATUS ntStatus = ::RtlGetVersion(&osv); + if (!NT_SUCCESS(ntStatus)) { + return BlockAction::Error; + } + + if ((aInfo->mFlags & DllBlockInfoFlags::BLOCK_WIN8_AND_OLDER) && + (osv.dwMajorVersion > 6 || + (osv.dwMajorVersion == 6 && osv.dwMinorVersion > 2))) { + return BlockAction::Allow; + } + + if ((aInfo->mFlags & DllBlockInfoFlags::BLOCK_WIN7_AND_OLDER) && + (osv.dwMajorVersion > 6 || + (osv.dwMajorVersion == 6 && osv.dwMinorVersion > 1))) { + return BlockAction::Allow; + } + } + + if ((aInfo->mFlags & DllBlockInfoFlags::CHILD_PROCESSES_ONLY) && + !(gBlocklistInitFlags & eDllBlocklistInitFlagIsChildProcess)) { + return BlockAction::Allow; + } + + if ((aInfo->mFlags & DllBlockInfoFlags::UTILITY_PROCESSES_ONLY) && + !(gBlocklistInitFlags & eDllBlocklistInitFlagIsUtilityProcess)) { + return BlockAction::Allow; + } + + if ((aInfo->mFlags & DllBlockInfoFlags::SOCKET_PROCESSES_ONLY) && + !(gBlocklistInitFlags & eDllBlocklistInitFlagIsSocketProcess)) { + return BlockAction::Allow; + } + + if ((aInfo->mFlags & DllBlockInfoFlags::GPU_PROCESSES_ONLY) && + !(gBlocklistInitFlags & eDllBlocklistInitFlagIsGPUProcess)) { + return BlockAction::Allow; + } + + if ((aInfo->mFlags & DllBlockInfoFlags::BROWSER_PROCESS_ONLY) && + (gBlocklistInitFlags & eDllBlocklistInitFlagIsChildProcess)) { + return BlockAction::Allow; + } + + if ((aInfo->mFlags & DllBlockInfoFlags::GMPLUGIN_PROCESSES_ONLY) && + !(gBlocklistInitFlags & eDllBlocklistInitFlagIsGMPluginProcess)) { + return BlockAction::Allow; + } + + if (aInfo->mMaxVersion == DllBlockInfo::ALL_VERSIONS) { + return BlockAction::Deny; + } + + if (!aHeaders) { + return BlockAction::Error; + } + + if (aInfo->mFlags & DllBlockInfoFlags::USE_TIMESTAMP) { + DWORD timestamp; + if (!aHeaders.GetTimeStamp(timestamp)) { + return BlockAction::Error; + } + + if (timestamp > aInfo->mMaxVersion) { + return BlockAction::Allow; + } + + return BlockAction::Deny; + } + + // Else we try to get the file version information. Note that we don't have + // access to GetFileVersionInfo* APIs. + if (!aHeaders.GetVersionInfo(aVersion)) { + return BlockAction::Error; + } + + if (aInfo->IsVersionBlocked(aVersion)) { + return BlockAction::Deny; + } + + return BlockAction::Allow; +} + +static BOOL WINAPI NoOp_DllMain(HINSTANCE, DWORD, LPVOID) { return TRUE; } + +// This helper function checks whether a given module is included +// in the executable's Import Table. Because an injected module's +// DllMain may revert the Import Table to the original state, we parse +// the Import Table every time a module is loaded without creating a cache. +static bool IsInjectedDependentModule( + const UNICODE_STRING& aModuleLeafName, + mozilla::freestanding::Kernel32ExportsSolver& aK32Exports) { + mozilla::nt::PEHeaders exeHeaders(aK32Exports.mGetModuleHandleW(nullptr)); + if (!exeHeaders || !exeHeaders.IsImportDirectoryTampered()) { + // If no tampering is detected, no need to enumerate the Import Table. + return false; + } + + bool isDependent = false; + exeHeaders.EnumImportChunks( + [&isDependent, &aModuleLeafName, &exeHeaders](const char* aDepModule) { + // If |aDepModule| is within the PE image, it's not an injected module + // but a legitimate dependent module. + if (isDependent || exeHeaders.IsWithinImage(aDepModule)) { + return; + } + + UNICODE_STRING depModuleLeafName; + mozilla::nt::AllocatedUnicodeString depModuleName(aDepModule); + mozilla::nt::GetLeafName(&depModuleLeafName, depModuleName); + isDependent = (::RtlCompareUnicodeString( + &aModuleLeafName, &depModuleLeafName, TRUE) == 0); + }); + return isDependent; +} + +// Allowing a module to be loaded but detour the entrypoint to NoOp_DllMain +// so that the module has no chance to interact with our code. We need this +// technique to safely block a module injected by IAT tampering because +// blocking such a module makes a process fail to launch. +static bool RedirectToNoOpEntryPoint( + const mozilla::nt::PEHeaders& aModule, + mozilla::freestanding::Kernel32ExportsSolver& aK32Exports) { + mozilla::interceptor::WindowsDllEntryPointInterceptor interceptor( + aK32Exports); + if (!interceptor.Set(aModule, NoOp_DllMain)) { + return false; + } + + return true; +} + +static BlockAction DetermineBlockAction( + const UNICODE_STRING& aLeafName, void* aBaseAddress, + mozilla::freestanding::Kernel32ExportsSolver* aK32Exports) { + if (mozilla::nt::Contains12DigitHexString(aLeafName) || + mozilla::nt::IsFileNameAtLeast16HexDigits(aLeafName)) { + return BlockAction::Deny; + } + + mozilla::nt::PEHeaders headers(aBaseAddress); + DWORD checksum = 0; + DWORD timestamp = 0; + DWORD imageSize = 0; + uint64_t version = 0; + + // Block some malicious DLLs known for crashing our process (bug 1841751), + // based on matching the combination of version number + timestamp + image + // size. We further reduce the chances of collision with legit DLLs by + // checking for a checksum of 0 and the absence of debug information, both of + // which are unusual for production-ready DLLs. + if (headers.GetCheckSum(checksum) && checksum == 0 && !headers.GetPdbInfo() && + headers.GetTimeStamp(timestamp)) { + struct KnownMaliciousCombination { + uint64_t mVersion; + uint32_t mTimestamp; + uint32_t mImageSize; + }; + const KnownMaliciousCombination instances[]{ + // 1.0.0.26638 + {0x000100000000680e, 0x570B8A90, 0x62000}, + // 1.0.0.26793 + {0x00010000000068a9, 0x572B4CE4, 0x62000}, + // 1.0.0.27567 + {0x0001000000006baf, 0x57A725AC, 0x61000}, + // 1.0.0.29915 + {0x00010000000074db, 0x5A115D81, 0x5D000}, + // 1.0.0.31122 + {0x0001000000007992, 0x5CFF88B8, 0x5D000}}; + + // We iterate over timestamps, because they are unique and it is a quick + // field to fetch + for (const auto& instance : instances) { + if (instance.mTimestamp == timestamp) { + // Only fetch other fields in case we have a match. Then, we can exit + // the loop. + if (headers.GetImageSize(imageSize) && + instance.mImageSize == imageSize && + headers.GetVersionInfo(version) && instance.mVersion == version) { + return BlockAction::Deny; + } + break; + } + } + } + + DECLARE_POINTER_TO_FIRST_DLL_BLOCKLIST_ENTRY(info); + DECLARE_DLL_BLOCKLIST_NUM_ENTRIES(infoNumEntries); + + mozilla::freestanding::DllBlockInfoComparator comp(aLeafName); + + size_t match = LowerBound(info, 0, infoNumEntries, comp); + bool builtinListHasLowerBound = match != infoNumEntries; + const DllBlockInfo* entry = nullptr; + BlockAction checkResult = BlockAction::Allow; + if (builtinListHasLowerBound) { + // There may be multiple entries on the list. Since LowerBound() returns + // the first entry that matches (if there are any matches), + // search forward from there. + while (match < infoNumEntries && (comp(info[match]) == 0)) { + entry = &info[match]; + checkResult = CheckBlockInfo(entry, headers, version); + if (checkResult != BlockAction::Allow) { + break; + } + ++match; + } + } + mozilla::DebugOnly<bool> blockedByDynamicBlocklist = false; + // Make sure we handle a case that older versions are blocked by the static + // list, but the dynamic list blocks all versions. + if (checkResult == BlockAction::Allow) { + if (!mozilla::freestanding::gSharedSection.IsDisabled()) { + entry = mozilla::freestanding::gSharedSection.SearchBlocklist(aLeafName); + if (entry) { + checkResult = CheckBlockInfo(entry, headers, version); + blockedByDynamicBlocklist = checkResult != BlockAction::Allow; + } + } + } + if (checkResult == BlockAction::Allow) { + return BlockAction::Allow; + } + + gBlockSet.Add(entry->mName, version); + + if ((entry->mFlags & DllBlockInfoFlags::REDIRECT_TO_NOOP_ENTRYPOINT) && + aK32Exports && RedirectToNoOpEntryPoint(headers, *aK32Exports)) { + MOZ_ASSERT(!blockedByDynamicBlocklist, "dynamic blocklist has redirect?"); + return BlockAction::NoOpEntryPoint; + } + + return checkResult; +} + +namespace mozilla { +namespace freestanding { + +CrossProcessDllInterceptor::FuncHookType<LdrLoadDllPtr> stub_LdrLoadDll; + +NTSTATUS NTAPI patched_LdrLoadDll(PWCHAR aDllPath, PULONG aFlags, + PUNICODE_STRING aDllName, + PHANDLE aOutHandle) { + ModuleLoadFrame frame(aDllName); + + NTSTATUS ntStatus = stub_LdrLoadDll(aDllPath, aFlags, aDllName, aOutHandle); + + return frame.SetLoadStatus(ntStatus, aOutHandle); +} + +CrossProcessDllInterceptor::FuncHookType<NtMapViewOfSectionPtr> + stub_NtMapViewOfSection; + +// All the code for patched_NtMapViewOfSection that relies on checked stack +// buffers (e.g. mbi, sectionFileName) should be put in this helper function +// (see bug 1733532). +MOZ_NEVER_INLINE NTSTATUS AfterMapViewOfExecutableSection( + HANDLE aProcess, PVOID* aBaseAddress, NTSTATUS aStubStatus) { + // We don't care about mappings that aren't MEM_IMAGE. + MEMORY_BASIC_INFORMATION mbi; + NTSTATUS ntStatus = + ::NtQueryVirtualMemory(aProcess, *aBaseAddress, MemoryBasicInformation, + &mbi, sizeof(mbi), nullptr); + if (!NT_SUCCESS(ntStatus)) { + ::NtUnmapViewOfSection(aProcess, *aBaseAddress); + return STATUS_ACCESS_DENIED; + } + if (!(mbi.Type & MEM_IMAGE)) { + return aStubStatus; + } + + // Get the section name + nt::MemorySectionNameBuf sectionFileName( + gLoaderPrivateAPI.GetSectionNameBuffer(*aBaseAddress)); + if (sectionFileName.IsEmpty()) { + ::NtUnmapViewOfSection(aProcess, *aBaseAddress); + return STATUS_ACCESS_DENIED; + } + + // Find the leaf name + UNICODE_STRING leafOnStack; + nt::GetLeafName(&leafOnStack, sectionFileName); + + bool isInjectedDependent = false; + const UNICODE_STRING k32Name = MOZ_LITERAL_UNICODE_STRING(L"kernel32.dll"); + Kernel32ExportsSolver* k32Exports = nullptr; + BlockAction blockAction; + // Trying to get the Kernel32Exports while loading kernel32.dll causes Firefox + // to crash. (but only during a profile-guided optimization run, oddly) We + // know we're never going to block kernel32.dll, so skip all this + if (::RtlCompareUnicodeString(&k32Name, &leafOnStack, TRUE) == 0) { + blockAction = BlockAction::Allow; + } else { + auto noSharedSectionReset{SharedSection::AutoNoReset()}; + k32Exports = gSharedSection.GetKernel32Exports(); + // Small optimization: Since loading a dependent module does not involve + // LdrLoadDll, we know isInjectedDependent is false if we hold a top frame. + if (k32Exports && !ModuleLoadFrame::ExistsTopFrame()) { + // Note that if a module is dependent but not injected, this means that + // the executable built against it, and it should be signed by Mozilla + // or Microsoft, so we don't need to worry about adding it to the list + // for CIG. (and users won't be able to block it) So the only special + // case here is a dependent module that has been injected. + isInjectedDependent = IsInjectedDependentModule(leafOnStack, *k32Exports); + } + + if (isInjectedDependent) { + // Add an NT dv\path to the shared section so that a sandbox process can + // use it to bypass CIG. In a sandbox process, this addition fails + // because we cannot map the section to a writable region, but it's + // ignorable because the paths have been added by the browser process. + Unused << SharedSection::AddDependentModule(sectionFileName); + + bool attemptToBlockViaRedirect; +#if defined(NIGHTLY_BUILD) + // We enable automatic DLL blocking only in Nightly for now + // because it caused a compat issue (bug 1682304 and 1704373). + attemptToBlockViaRedirect = true; + // We will set blockAction below in the if (attemptToBlockViaRedirect) + // block, but I guess the compiler isn't smart enough to figure + // that out and complains about an uninitialized variable :-( + blockAction = BlockAction::NoOpEntryPoint; +#else + // Check blocklist + blockAction = + DetermineBlockAction(leafOnStack, *aBaseAddress, k32Exports); + // If we were going to block this dependent module, try redirection + // instead of blocking it, since blocking it would cause the .exe not to + // launch. + // Note tht Deny and Error both end up blocking the module in a + // straightforward way, so those are the cases in which we need + // to redirect instead. + attemptToBlockViaRedirect = + blockAction == BlockAction::Deny || blockAction == BlockAction::Error; +#endif + if (attemptToBlockViaRedirect) { + // For a dependent module, try redirection instead of blocking it. + // If we fail, we reluctantly allow the module for free. + mozilla::nt::PEHeaders headers(*aBaseAddress); + blockAction = RedirectToNoOpEntryPoint(headers, *k32Exports) + ? BlockAction::NoOpEntryPoint + : BlockAction::Allow; + } + } else { + // Check blocklist + blockAction = + DetermineBlockAction(leafOnStack, *aBaseAddress, k32Exports); + } + } + + ModuleLoadInfo::Status loadStatus = ModuleLoadInfo::Status::Blocked; + + switch (blockAction) { + case BlockAction::Allow: + loadStatus = ModuleLoadInfo::Status::Loaded; + break; + + case BlockAction::NoOpEntryPoint: + loadStatus = ModuleLoadInfo::Status::Redirected; + break; + + case BlockAction::SubstituteLSP: + // The process heap needs to be available here because + // NotifyLSPSubstitutionRequired below copies a given string into + // the heap. We use a soft assert here, assuming LSP load always + // occurs after the heap is initialized. + MOZ_ASSERT(nt::RtlGetProcessHeap()); + + // Notify patched_LdrLoadDll that it will be necessary to perform + // a substitution before returning. + ModuleLoadFrame::NotifyLSPSubstitutionRequired(&leafOnStack); + break; + + default: + break; + } + + if (nt::RtlGetProcessHeap()) { + ModuleLoadFrame::NotifySectionMap( + nt::AllocatedUnicodeString(sectionFileName), *aBaseAddress, aStubStatus, + loadStatus, isInjectedDependent); + } + + if (loadStatus == ModuleLoadInfo::Status::Loaded || + loadStatus == ModuleLoadInfo::Status::Redirected) { + return aStubStatus; + } + + ::NtUnmapViewOfSection(aProcess, *aBaseAddress); + return STATUS_ACCESS_DENIED; +} + +// To preserve compatibility with third-parties, calling into this function +// must not use checked stack buffers when reached through Thread32Next (see +// bug 1733532). Hence this function is declared as MOZ_NO_STACK_PROTECTOR. +// Ideally, all code relying on stack buffers should be put in the dedicated +// helper function AfterMapViewOfExecutableImageSection, which does not have +// the MOZ_NO_STACK_PROTECTOR attribute. The obi variable below is an +// exception to this rule, as it is required to collect the information that +// lets us decide whether we really need to go through the helper function. +NTSTATUS NTAPI patched_NtMapViewOfSection( + HANDLE aSection, HANDLE aProcess, PVOID* aBaseAddress, ULONG_PTR aZeroBits, + SIZE_T aCommitSize, PLARGE_INTEGER aSectionOffset, PSIZE_T aViewSize, + SECTION_INHERIT aInheritDisposition, ULONG aAllocationType, + ULONG aProtectionFlags) { + // Save off the values currently in the out-pointers for later restoration if + // we decide not to permit this mapping. + auto const rollback = + [ + // Avoid taking a reference to the stack frame, mostly out of + // paranoia. (The values of `aBaseAddress` et al. may have been + // crafted to point to our return address anyway...) + =, + // `NtMapViewOfSection` itself is mildly robust to invalid pointers; + // we can't easily do that, but we can at least check for `nullptr`. + baseAddress = aBaseAddress ? *aBaseAddress : nullptr, + sectionOffset = aSectionOffset ? *aSectionOffset : LARGE_INTEGER{}, + viewSize = aViewSize ? *aViewSize : 0]() { + if (aBaseAddress) *aBaseAddress = baseAddress; + if (aSectionOffset) *aSectionOffset = sectionOffset; + if (aViewSize) *aViewSize = viewSize; + }; + + // We always map first, then we check for additional info after. + NTSTATUS stubStatus = stub_NtMapViewOfSection( + aSection, aProcess, aBaseAddress, aZeroBits, aCommitSize, aSectionOffset, + aViewSize, aInheritDisposition, aAllocationType, aProtectionFlags); + if (!NT_SUCCESS(stubStatus)) { + return stubStatus; + } + + if (aProcess != nt::kCurrentProcess) { + // We're only interested in mapping for the current process. + return stubStatus; + } + + PUBLIC_OBJECT_BASIC_INFORMATION obi; + NTSTATUS ntStatus = ::NtQueryObject(aSection, ObjectBasicInformation, &obi, + sizeof(obi), nullptr); + if (!NT_SUCCESS(ntStatus)) { + ::NtUnmapViewOfSection(aProcess, *aBaseAddress); + rollback(); + return STATUS_ACCESS_DENIED; + } + + // We don't care about sections for which the permission to map executable + // views was not asked at creation time. This early exit path is notably + // taken for: + // - calls to LoadLibraryExW using LOAD_LIBRARY_AS_DATAFILE or + // LOAD_LIBRARY_AS_IMAGE_RESOURCE (bug 1842088), thus allowing us to load + // blocked DLLs for analysis without executing them; + // - calls to Thread32Next (bug 1733532), thus avoiding the helper function + // with stack cookie checks. + if (!(obi.GrantedAccess & SECTION_MAP_EXECUTE)) { + return stubStatus; + } + + NTSTATUS rv = + AfterMapViewOfExecutableSection(aProcess, aBaseAddress, stubStatus); + if (FAILED(rv)) { + rollback(); + } + return rv; +} + +} // namespace freestanding +} // namespace mozilla diff --git a/browser/app/winlauncher/freestanding/DllBlocklist.h b/browser/app/winlauncher/freestanding/DllBlocklist.h new file mode 100644 index 0000000000..c0ae1d255f --- /dev/null +++ b/browser/app/winlauncher/freestanding/DllBlocklist.h @@ -0,0 +1,39 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_freestanding_DllBlocklist_h +#define mozilla_freestanding_DllBlocklist_h + +#include "mozilla/Attributes.h" +#include "mozilla/NativeNt.h" +#include "nsWindowsDllInterceptor.h" +#include "mozilla/WinHeaderOnlyUtils.h" + +namespace mozilla { +namespace freestanding { + +NTSTATUS NTAPI patched_LdrLoadDll(PWCHAR aDllPath, PULONG aFlags, + PUNICODE_STRING aDllName, PHANDLE aOutHandle); + +MOZ_NO_STACK_PROTECTOR NTSTATUS NTAPI patched_NtMapViewOfSection( + HANDLE aSection, HANDLE aProcess, PVOID* aBaseAddress, ULONG_PTR aZeroBits, + SIZE_T aCommitSize, PLARGE_INTEGER aSectionOffset, PSIZE_T aViewSize, + SECTION_INHERIT aInheritDisposition, ULONG aAllocationType, + ULONG aProtectionFlags); + +using LdrLoadDllPtr = decltype(&::LdrLoadDll); + +extern CrossProcessDllInterceptor::FuncHookType<LdrLoadDllPtr> stub_LdrLoadDll; + +using NtMapViewOfSectionPtr = decltype(&::NtMapViewOfSection); + +extern CrossProcessDllInterceptor::FuncHookType<NtMapViewOfSectionPtr> + stub_NtMapViewOfSection; + +} // namespace freestanding +} // namespace mozilla + +#endif // mozilla_freestanding_DllBlocklist_h diff --git a/browser/app/winlauncher/freestanding/Freestanding.h b/browser/app/winlauncher/freestanding/Freestanding.h new file mode 100644 index 0000000000..03999f231e --- /dev/null +++ b/browser/app/winlauncher/freestanding/Freestanding.h @@ -0,0 +1,67 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_freestanding_Freestanding_h +#define mozilla_freestanding_Freestanding_h + +/** + * This header is automatically included in all source code residing in the + * /browser/app/winlauncher/freestanding directory. + */ + +#if defined(__STDC_HOSTED__) && __STDC_HOSTED__ == 1 +# error "This header should only be included by freestanding code" +#endif // defined(__STDC_HOSTED__) && __STDC_HOSTED__ == 1 + +#define MOZ_USE_LAUNCHER_ERROR +#include "mozilla/NativeNt.h" + +namespace mozilla { +namespace freestanding { + +/** + * Since this library is the only part of firefox.exe that needs special + * treatment with respect to the heap, we implement |RtlNew| and |RtlDelete| + * to be used instead of |new| and |delete| for any heap allocations inside + * the freestanding library. + */ +template <typename T, typename... Args> +inline static T* RtlNew(Args&&... aArgs) { + HANDLE processHeap = nt::RtlGetProcessHeap(); + if (!processHeap) { + // Handle the case where the process heap is not initialized because + // passing nullptr to RtlAllocateHeap crashes the process. + return nullptr; + } + + void* ptr = ::RtlAllocateHeap(processHeap, 0, sizeof(T)); + if (!ptr) { + return nullptr; + } + + return new (ptr) T(std::forward<Args>(aArgs)...); +} + +template <typename T> +inline static void RtlDelete(T* aPtr) { + if (!aPtr) { + return; + } + + aPtr->~T(); + ::RtlFreeHeap(nt::RtlGetProcessHeap(), 0, aPtr); +} + +} // namespace freestanding +} // namespace mozilla + +// Initialization code for all statically-allocated data in freestanding is +// placed into a separate section. This allows us to initialize any +// freestanding statics without needing to initialize everything else in this +// binary. +#pragma init_seg(".freestd$g") + +#endif // mozilla_freestanding_Freestanding_h diff --git a/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp new file mode 100644 index 0000000000..266f2ec6a4 --- /dev/null +++ b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp @@ -0,0 +1,293 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#include "LoaderPrivateAPI.h" + +#include "mozilla/Assertions.h" +#include "mozilla/Types.h" +#include "mozilla/Unused.h" +#include "../DllBlocklistInit.h" +#include "../ErrorHandler.h" +#include "SharedSection.h" + +using GlobalInitializerFn = void(__cdecl*)(void); + +// Allocation of static initialization section for the freestanding library +#pragma section(".freestd$a", read) +__declspec(allocate(".freestd$a")) static const GlobalInitializerFn + FreeStdStart = reinterpret_cast<GlobalInitializerFn>(0); + +#pragma section(".freestd$z", read) +__declspec(allocate(".freestd$z")) static const GlobalInitializerFn FreeStdEnd = + reinterpret_cast<GlobalInitializerFn>(0); + +namespace mozilla { +namespace freestanding { + +static RTL_RUN_ONCE gRunOnce = RTL_RUN_ONCE_INIT; + +// The contract for this callback is identical to the InitOnceCallback from +// Win32 land; we're just using ntdll-layer types instead. +static ULONG NTAPI DoOneTimeInit(PRTL_RUN_ONCE aRunOnce, PVOID aParameter, + PVOID* aContext) { + // Invoke every static initializer in the .freestd section + const GlobalInitializerFn* cur = &FreeStdStart + 1; + while (cur < &FreeStdEnd) { + if (*cur) { + (*cur)(); + } + + ++cur; + } + + return TRUE; +} + +/** + * This observer is only used until the mozglue observer connects itself. + * All we do here is accumulate the module loads into a vector. + * As soon as mozglue connects, we call |Forward| on mozglue's LoaderObserver + * to pass our vector on for further processing. This object then becomes + * defunct. + */ +class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS DefaultLoaderObserver final + : public nt::LoaderObserver { + public: + constexpr DefaultLoaderObserver() : mModuleLoads(nullptr) {} + + void OnBeginDllLoad(void** aContext, + PCUNICODE_STRING aRequestedDllName) final {} + bool SubstituteForLSP(PCUNICODE_STRING aLSPLeafName, + PHANDLE aOutHandle) final { + return false; + } + void OnEndDllLoad(void* aContext, NTSTATUS aNtStatus, + ModuleLoadInfo&& aModuleLoadInfo) final; + void Forward(nt::LoaderObserver* aNext) final; + void OnForward(ModuleLoadInfoVec&& aInfo) final { + MOZ_ASSERT_UNREACHABLE("Not valid in freestanding::DefaultLoaderObserver"); + } + + private: + mozilla::nt::SRWLock mLock; + ModuleLoadInfoVec* mModuleLoads; +}; + +class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS LoaderPrivateAPIImp final + : public LoaderPrivateAPI { + public: + // LoaderAPI + ModuleLoadInfo ConstructAndNotifyBeginDllLoad( + void** aContext, PCUNICODE_STRING aRequestedDllName) final; + bool SubstituteForLSP(PCUNICODE_STRING aLSPLeafName, + PHANDLE aOutHandle) final; + void NotifyEndDllLoad(void* aContext, NTSTATUS aLoadNtStatus, + ModuleLoadInfo&& aModuleLoadInfo) final; + nt::AllocatedUnicodeString GetSectionName(void* aSectionAddr) final; + nt::LoaderAPI::InitDllBlocklistOOPFnPtr GetDllBlocklistInitFn() final; + nt::LoaderAPI::HandleLauncherErrorFnPtr GetHandleLauncherErrorFn() final; + nt::SharedSection* GetSharedSection() final; + + // LoaderPrivateAPI + void NotifyBeginDllLoad(void** aContext, + PCUNICODE_STRING aRequestedDllName) final; + void NotifyBeginDllLoad(ModuleLoadInfo& aModuleLoadInfo, void** aContext, + PCUNICODE_STRING aRequestedDllName) final; + void SetObserver(nt::LoaderObserver* aNewObserver) final; + bool IsDefaultObserver() const final; + nt::MemorySectionNameBuf GetSectionNameBuffer(void* aSectionAddr) final; +}; + +static void Init() { + DebugOnly<NTSTATUS> ntStatus = + ::RtlRunOnceExecuteOnce(&gRunOnce, &DoOneTimeInit, nullptr, nullptr); + MOZ_ASSERT(NT_SUCCESS(ntStatus)); +} + +} // namespace freestanding +} // namespace mozilla + +static mozilla::freestanding::DefaultLoaderObserver gDefaultObserver; +static mozilla::freestanding::LoaderPrivateAPIImp gPrivateAPI; + +static mozilla::nt::SRWLock gLoaderObserverLock; +static mozilla::nt::LoaderObserver* gLoaderObserver = &gDefaultObserver; + +namespace mozilla { +namespace freestanding { + +LoaderPrivateAPI& gLoaderPrivateAPI = gPrivateAPI; + +void DefaultLoaderObserver::OnEndDllLoad(void* aContext, NTSTATUS aNtStatus, + ModuleLoadInfo&& aModuleLoadInfo) { + // If the DLL load failed, or if the DLL was loaded by a previous request + // and thus was not mapped by this request, we do not save the ModuleLoadInfo. + if (!NT_SUCCESS(aNtStatus) || !aModuleLoadInfo.WasMapped()) { + return; + } + + nt::AutoExclusiveLock lock(mLock); + if (!mModuleLoads) { + mModuleLoads = RtlNew<ModuleLoadInfoVec>(); + if (!mModuleLoads) { + return; + } + } + + Unused << mModuleLoads->emplaceBack( + std::forward<ModuleLoadInfo>(aModuleLoadInfo)); +} + +/** + * Pass mModuleLoads's data off to |aNext| for further processing. + */ +void DefaultLoaderObserver::Forward(nt::LoaderObserver* aNext) { + MOZ_ASSERT(aNext); + if (!aNext) { + return; + } + + ModuleLoadInfoVec* moduleLoads = nullptr; + + { // Scope for lock + nt::AutoExclusiveLock lock(mLock); + moduleLoads = mModuleLoads; + mModuleLoads = nullptr; + } + + if (!moduleLoads) { + return; + } + + aNext->OnForward(std::move(*moduleLoads)); + RtlDelete(moduleLoads); +} + +ModuleLoadInfo LoaderPrivateAPIImp::ConstructAndNotifyBeginDllLoad( + void** aContext, PCUNICODE_STRING aRequestedDllName) { + ModuleLoadInfo loadInfo(aRequestedDllName); + + NotifyBeginDllLoad(loadInfo, aContext, aRequestedDllName); + + return loadInfo; +} + +bool LoaderPrivateAPIImp::SubstituteForLSP(PCUNICODE_STRING aLSPLeafName, + PHANDLE aOutHandle) { + nt::AutoSharedLock lock(gLoaderObserverLock); + return gLoaderObserver->SubstituteForLSP(aLSPLeafName, aOutHandle); +} + +void LoaderPrivateAPIImp::NotifyEndDllLoad(void* aContext, + NTSTATUS aLoadNtStatus, + ModuleLoadInfo&& aModuleLoadInfo) { + aModuleLoadInfo.SetEndLoadTimeStamp(); + + if (NT_SUCCESS(aLoadNtStatus)) { + aModuleLoadInfo.CaptureBacktrace(); + } + + nt::AutoSharedLock lock(gLoaderObserverLock); + + // We need to notify the observer that the DLL load has ended even when + // |aLoadNtStatus| indicates a failure. This is to ensure that any resources + // acquired by the observer during OnBeginDllLoad are cleaned up. + gLoaderObserver->OnEndDllLoad(aContext, aLoadNtStatus, + std::move(aModuleLoadInfo)); +} + +nt::AllocatedUnicodeString LoaderPrivateAPIImp::GetSectionName( + void* aSectionAddr) { + const HANDLE kCurrentProcess = reinterpret_cast<HANDLE>(-1); + + nt::MemorySectionNameBuf buf; + NTSTATUS ntStatus = + ::NtQueryVirtualMemory(kCurrentProcess, aSectionAddr, MemorySectionName, + &buf, sizeof(buf), nullptr); + if (!NT_SUCCESS(ntStatus)) { + return nt::AllocatedUnicodeString(); + } + + return nt::AllocatedUnicodeString(&buf.mSectionFileName); +} + +nt::LoaderAPI::InitDllBlocklistOOPFnPtr +LoaderPrivateAPIImp::GetDllBlocklistInitFn() { + return &InitializeDllBlocklistOOP; +} + +nt::LoaderAPI::HandleLauncherErrorFnPtr +LoaderPrivateAPIImp::GetHandleLauncherErrorFn() { + return &HandleLauncherError; +} + +nt::SharedSection* LoaderPrivateAPIImp::GetSharedSection() { + return &gSharedSection; +} + +nt::MemorySectionNameBuf LoaderPrivateAPIImp::GetSectionNameBuffer( + void* aSectionAddr) { + const HANDLE kCurrentProcess = reinterpret_cast<HANDLE>(-1); + + nt::MemorySectionNameBuf buf; + NTSTATUS ntStatus = + ::NtQueryVirtualMemory(kCurrentProcess, aSectionAddr, MemorySectionName, + &buf, sizeof(buf), nullptr); + if (!NT_SUCCESS(ntStatus)) { + return nt::MemorySectionNameBuf(); + } + + return buf; +} + +void LoaderPrivateAPIImp::NotifyBeginDllLoad( + void** aContext, PCUNICODE_STRING aRequestedDllName) { + nt::AutoSharedLock lock(gLoaderObserverLock); + gLoaderObserver->OnBeginDllLoad(aContext, aRequestedDllName); +} + +void LoaderPrivateAPIImp::NotifyBeginDllLoad( + ModuleLoadInfo& aModuleLoadInfo, void** aContext, + PCUNICODE_STRING aRequestedDllName) { + NotifyBeginDllLoad(aContext, aRequestedDllName); + aModuleLoadInfo.SetBeginLoadTimeStamp(); +} + +void LoaderPrivateAPIImp::SetObserver(nt::LoaderObserver* aNewObserver) { + nt::LoaderObserver* prevLoaderObserver = nullptr; + + nt::AutoExclusiveLock lock(gLoaderObserverLock); + + MOZ_ASSERT(aNewObserver); + if (!aNewObserver) { + // This is unlikely, but we always want a valid observer, so use the + // gDefaultObserver if necessary. + gLoaderObserver = &gDefaultObserver; + return; + } + + prevLoaderObserver = gLoaderObserver; + gLoaderObserver = aNewObserver; + + MOZ_ASSERT(prevLoaderObserver); + if (!prevLoaderObserver) { + return; + } + + // Now that we have a new observer, the previous observer must forward its + // data on to the new observer for processing. + prevLoaderObserver->Forward(aNewObserver); +} + +bool LoaderPrivateAPIImp::IsDefaultObserver() const { + nt::AutoSharedLock lock(gLoaderObserverLock); + return gLoaderObserver == &gDefaultObserver; +} + +void EnsureInitialized() { Init(); } + +} // namespace freestanding +} // namespace mozilla diff --git a/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h new file mode 100644 index 0000000000..f21472d689 --- /dev/null +++ b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h @@ -0,0 +1,62 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_freestanding_LoaderPrivateAPI_h +#define mozilla_freestanding_LoaderPrivateAPI_h + +#include "mozilla/LoaderAPIInterfaces.h" + +namespace mozilla { +namespace freestanding { + +/** + * This part of the API is available only to the launcher process. + */ +class NS_NO_VTABLE LoaderPrivateAPI : public nt::LoaderAPI { + public: + /** + * Notify the nt::LoaderObserver that a module load is beginning + */ + virtual void NotifyBeginDllLoad(void** aContext, + PCUNICODE_STRING aRequestedDllName) = 0; + /** + * Notify the nt::LoaderObserver that a module load is beginning and set the + * begin load timestamp on |aModuleLoadInfo|. + */ + virtual void NotifyBeginDllLoad(ModuleLoadInfo& aModuleLoadInfo, + void** aContext, + PCUNICODE_STRING aRequestedDllName) = 0; + + /** + * Set a new nt::LoaderObserver to be used by the launcher process. NB: This + * should only happen while the current process is still single-threaded! + */ + virtual void SetObserver(nt::LoaderObserver* aNewObserver) = 0; + + /** + * Returns true if the current nt::LoaderObserver is the launcher process's + * built-in observer. + */ + virtual bool IsDefaultObserver() const = 0; + + /** + * Returns the name of a given mapped section address as a local instance of + * nt::MemorySectionNameBuf. This does not involve heap allocation. + */ + virtual nt::MemorySectionNameBuf GetSectionNameBuffer(void* aSectionAddr) = 0; +}; + +/** + * Ensures that any statics in the freestanding library are initialized. + */ +void EnsureInitialized(); + +extern LoaderPrivateAPI& gLoaderPrivateAPI; + +} // namespace freestanding +} // namespace mozilla + +#endif // mozilla_freestanding_LoaderPrivateAPI_h diff --git a/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp b/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp new file mode 100644 index 0000000000..3aa043b8c7 --- /dev/null +++ b/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp @@ -0,0 +1,144 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#include "ModuleLoadFrame.h" + +#include "LoaderPrivateAPI.h" + +namespace mozilla { +namespace freestanding { + +ModuleLoadFrame::ModuleLoadFrame(PCUNICODE_STRING aRequestedDllName) + : mPrev(sTopFrame.get()), + mContext(nullptr), + mLSPSubstitutionRequired(false), + mLoadNtStatus(STATUS_UNSUCCESSFUL), + mLoadInfo(aRequestedDllName) { + EnsureInitialized(); + sTopFrame.set(this); + + gLoaderPrivateAPI.NotifyBeginDllLoad(mLoadInfo, &mContext, aRequestedDllName); +} + +ModuleLoadFrame::ModuleLoadFrame(nt::AllocatedUnicodeString&& aSectionName, + const void* aMapBaseAddr, NTSTATUS aNtStatus, + ModuleLoadInfo::Status aLoadStatus, + bool aIsDependent) + : mPrev(sTopFrame.get()), + mContext(nullptr), + mLSPSubstitutionRequired(false), + mLoadNtStatus(aNtStatus), + mLoadInfo(std::move(aSectionName), aMapBaseAddr, aLoadStatus, + aIsDependent) { + sTopFrame.set(this); + + gLoaderPrivateAPI.NotifyBeginDllLoad(&mContext, mLoadInfo.mSectionName); +} + +ModuleLoadFrame::~ModuleLoadFrame() { + gLoaderPrivateAPI.NotifyEndDllLoad(mContext, mLoadNtStatus, + std::move(mLoadInfo)); + sTopFrame.set(mPrev); +} + +/* static */ +void ModuleLoadFrame::NotifyLSPSubstitutionRequired( + PCUNICODE_STRING aLeafName) { + ModuleLoadFrame* topFrame = sTopFrame.get(); + if (!topFrame) { + return; + } + + topFrame->SetLSPSubstitutionRequired(aLeafName); +} + +void ModuleLoadFrame::SetLSPSubstitutionRequired(PCUNICODE_STRING aLeafName) { + MOZ_ASSERT(!mLoadInfo.mBaseAddr); + if (mLoadInfo.mBaseAddr) { + // If mBaseAddr is not null then |this| has already seen a module load. This + // should not be the case for a LSP substitution, so we bail. + return; + } + + // Save aLeafName, as it will be used by SetLoadStatus when invoking + // SubstituteForLSP + mLoadInfo.mRequestedDllName = aLeafName; + mLSPSubstitutionRequired = true; +} + +/* static */ +void ModuleLoadFrame::NotifySectionMap( + nt::AllocatedUnicodeString&& aSectionName, const void* aMapBaseAddr, + NTSTATUS aMapNtStatus, ModuleLoadInfo::Status aLoadStatus, + bool aIsDependent) { + ModuleLoadFrame* topFrame = sTopFrame.get(); + if (!topFrame) { + // The only time that this data is useful is during initial mapping of + // the executable's dependent DLLs. If mozglue is present then + // IsDefaultObserver will return false, indicating that we are beyond + // initial process startup. + if (gLoaderPrivateAPI.IsDefaultObserver()) { + OnBareSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus, + aLoadStatus, aIsDependent); + } + return; + } + + topFrame->OnSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus, + aLoadStatus, aIsDependent); +} + +/* static */ +bool ModuleLoadFrame::ExistsTopFrame() { return !!sTopFrame.get(); } + +void ModuleLoadFrame::OnSectionMap(nt::AllocatedUnicodeString&& aSectionName, + const void* aMapBaseAddr, + NTSTATUS aMapNtStatus, + ModuleLoadInfo::Status aLoadStatus, + bool aIsDependent) { + if (mLoadInfo.mBaseAddr) { + // If mBaseAddr is not null then |this| has already seen a module load. This + // means that we are witnessing a bare section map. + OnBareSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus, + aLoadStatus, aIsDependent); + return; + } + + mLoadInfo.mSectionName = std::move(aSectionName); + mLoadInfo.mBaseAddr = aMapBaseAddr; + mLoadInfo.mStatus = aLoadStatus; +} + +/* static */ +void ModuleLoadFrame::OnBareSectionMap( + nt::AllocatedUnicodeString&& aSectionName, const void* aMapBaseAddr, + NTSTATUS aMapNtStatus, ModuleLoadInfo::Status aLoadStatus, + bool aIsDependent) { + // We call the special constructor variant that is used for bare mappings. + ModuleLoadFrame frame(std::move(aSectionName), aMapBaseAddr, aMapNtStatus, + aLoadStatus, aIsDependent); +} + +NTSTATUS ModuleLoadFrame::SetLoadStatus(NTSTATUS aNtStatus, + PHANDLE aOutHandle) { + mLoadNtStatus = aNtStatus; + + if (!mLSPSubstitutionRequired) { + return aNtStatus; + } + + if (!gLoaderPrivateAPI.SubstituteForLSP(mLoadInfo.mRequestedDllName, + aOutHandle)) { + return aNtStatus; + } + + return STATUS_SUCCESS; +} + +SafeThreadLocal<ModuleLoadFrame*> ModuleLoadFrame::sTopFrame; + +} // namespace freestanding +} // namespace mozilla diff --git a/browser/app/winlauncher/freestanding/ModuleLoadFrame.h b/browser/app/winlauncher/freestanding/ModuleLoadFrame.h new file mode 100644 index 0000000000..51a179db99 --- /dev/null +++ b/browser/app/winlauncher/freestanding/ModuleLoadFrame.h @@ -0,0 +1,97 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_freestanding_ModuleLoadFrame_h +#define mozilla_freestanding_ModuleLoadFrame_h + +#include "mozilla/LoaderAPIInterfaces.h" +#include "mozilla/NativeNt.h" +#include "mozilla/ThreadLocal.h" + +#include "SafeThreadLocal.h" + +namespace mozilla { +namespace freestanding { + +/** + * This class holds information about a DLL load at a particular frame in the + * current thread's stack. Each instance adds itself to a thread-local linked + * list of ModuleLoadFrames, enabling us to query information about the + * previous module load on the stack. + */ +class MOZ_RAII ModuleLoadFrame final { + public: + /** + * This constructor is for use by the LdrLoadDll hook. + */ + explicit ModuleLoadFrame(PCUNICODE_STRING aRequestedDllName); + ~ModuleLoadFrame(); + + static void NotifyLSPSubstitutionRequired(PCUNICODE_STRING aLeafName); + + /** + * This static method is called by the NtMapViewOfSection hook. + */ + static void NotifySectionMap(nt::AllocatedUnicodeString&& aSectionName, + const void* aMapBaseAddr, NTSTATUS aMapNtStatus, + ModuleLoadInfo::Status aLoadStatus, + bool aIsDependent); + static bool ExistsTopFrame(); + + /** + * Called by the LdrLoadDll hook to indicate the status of the load and for + * us to provide a substitute output handle if necessary. + */ + NTSTATUS SetLoadStatus(NTSTATUS aNtStatus, PHANDLE aOutHandle); + + ModuleLoadFrame(const ModuleLoadFrame&) = delete; + ModuleLoadFrame(ModuleLoadFrame&&) = delete; + ModuleLoadFrame& operator=(const ModuleLoadFrame&) = delete; + ModuleLoadFrame& operator=(ModuleLoadFrame&&) = delete; + + private: + /** + * Called by OnBareSectionMap to construct a frame for a bare load. + */ + ModuleLoadFrame(nt::AllocatedUnicodeString&& aSectionName, + const void* aMapBaseAddr, NTSTATUS aNtStatus, + ModuleLoadInfo::Status aLoadStatus, bool aIsDependent); + + void SetLSPSubstitutionRequired(PCUNICODE_STRING aLeafName); + void OnSectionMap(nt::AllocatedUnicodeString&& aSectionName, + const void* aMapBaseAddr, NTSTATUS aMapNtStatus, + ModuleLoadInfo::Status aLoadStatus, bool aIsDependent); + + /** + * A "bare" section mapping is one that was mapped without the code passing + * through a call to ntdll!LdrLoadDll. This method is invoked when we detect + * that condition. + */ + static void OnBareSectionMap(nt::AllocatedUnicodeString&& aSectionName, + const void* aMapBaseAddr, NTSTATUS aMapNtStatus, + ModuleLoadInfo::Status aLoadStatus, + bool aIsDependent); + + private: + // Link to the previous frame + ModuleLoadFrame* mPrev; + // Pointer to context managed by the nt::LoaderObserver implementation + void* mContext; + // Set to |true| when we need to block a WinSock LSP + bool mLSPSubstitutionRequired; + // NTSTATUS code from the |LdrLoadDll| call + NTSTATUS mLoadNtStatus; + // Telemetry information that will be forwarded to the nt::LoaderObserver + ModuleLoadInfo mLoadInfo; + + // Head of the linked list + static SafeThreadLocal<ModuleLoadFrame*> sTopFrame; +}; + +} // namespace freestanding +} // namespace mozilla + +#endif // mozilla_freestanding_ModuleLoadFrame_h diff --git a/browser/app/winlauncher/freestanding/SafeThreadLocal.h b/browser/app/winlauncher/freestanding/SafeThreadLocal.h new file mode 100644 index 0000000000..e4b869f649 --- /dev/null +++ b/browser/app/winlauncher/freestanding/SafeThreadLocal.h @@ -0,0 +1,96 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_freestanding_SafeThreadLocal_h +#define mozilla_freestanding_SafeThreadLocal_h + +#include <type_traits> + +#include "mozilla/NativeNt.h" +#include "mozilla/ThreadLocal.h" + +namespace mozilla { +namespace freestanding { + +// We cannot fall back to the Tls* APIs because kernel32 might not have been +// loaded yet. +#if defined(__MINGW32__) && !defined(HAVE_THREAD_TLS_KEYWORD) +# error "This code requires the compiler to have native TLS support" +#endif // defined(__MINGW32__) && !defined(HAVE_THREAD_TLS_KEYWORD) + +/** + * This class holds data as a thread-local variable, or as a global variable + * if the thread local storage is not initialized yet. It should be safe + * because in that early stage we assume there is no more than a single thread. + */ +template <typename T> +class SafeThreadLocal final { + static MOZ_THREAD_LOCAL(T) sThreadLocal; + static T sGlobal; + static bool sIsTlsUsed; + + // In normal cases, TLS is always available and the class uses sThreadLocal + // without changing sMainThreadId. So sMainThreadId is likely to be 0. + // + // If TLS is not available, we use sGlobal instead and update sMainThreadId + // so that that thread keeps using sGlobal even after TLS is initialized + // later. + static DWORD sMainThreadId; + + // Need non-inline accessors to prevent the compiler from generating code + // accessing sThreadLocal before checking a condition. + MOZ_NEVER_INLINE static void SetGlobalValue(T aValue) { sGlobal = aValue; } + MOZ_NEVER_INLINE static T GetGlobalValue() { return sGlobal; } + + public: + static void set(T aValue) { + static_assert(std::is_pointer_v<T>, + "SafeThreadLocal must be used with a pointer"); + + if (sMainThreadId == mozilla::nt::RtlGetCurrentThreadId()) { + SetGlobalValue(aValue); + } else if (sIsTlsUsed) { + MOZ_ASSERT(mozilla::nt::RtlGetThreadLocalStoragePointer(), + "Once TLS is used, TLS should be available till the end."); + sThreadLocal.set(aValue); + } else if (mozilla::nt::RtlGetThreadLocalStoragePointer()) { + sIsTlsUsed = true; + sThreadLocal.set(aValue); + } else { + MOZ_ASSERT(sMainThreadId == 0, + "A second thread cannot be created before TLS is available."); + sMainThreadId = mozilla::nt::RtlGetCurrentThreadId(); + SetGlobalValue(aValue); + } + } + + static T get() { + if (sMainThreadId == mozilla::nt::RtlGetCurrentThreadId()) { + return GetGlobalValue(); + } else if (sIsTlsUsed) { + return sThreadLocal.get(); + } + return GetGlobalValue(); + } +}; + +template <typename T> +MOZ_THREAD_LOCAL(T) +SafeThreadLocal<T>::sThreadLocal; + +template <typename T> +T SafeThreadLocal<T>::sGlobal = nullptr; + +template <typename T> +bool SafeThreadLocal<T>::sIsTlsUsed = false; + +template <typename T> +DWORD SafeThreadLocal<T>::sMainThreadId = 0; + +} // namespace freestanding +} // namespace mozilla + +#endif // mozilla_freestanding_SafeThreadLocal_h diff --git a/browser/app/winlauncher/freestanding/SharedSection.cpp b/browser/app/winlauncher/freestanding/SharedSection.cpp new file mode 100644 index 0000000000..eab0074f60 --- /dev/null +++ b/browser/app/winlauncher/freestanding/SharedSection.cpp @@ -0,0 +1,368 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#include "SharedSection.h" + +#include <algorithm> +#include "CheckForCaller.h" +#include "mozilla/BinarySearch.h" + +namespace { + +bool AddString(mozilla::Span<wchar_t> aBuffer, const UNICODE_STRING& aStr) { + size_t offsetElements = 0; + while (offsetElements < aBuffer.Length()) { + UNICODE_STRING uniStr; + ::RtlInitUnicodeString(&uniStr, aBuffer.data() + offsetElements); + + if (uniStr.Length == 0) { + // Reached to the array's last item. + break; + } + + if (::RtlCompareUnicodeString(&uniStr, &aStr, TRUE) == 0) { + // Already included in the array. + return true; + } + + // Go to the next string. + offsetElements += uniStr.MaximumLength / sizeof(wchar_t); + } + + // Ensure enough space including the last empty string at the end. + if (offsetElements * sizeof(wchar_t) + aStr.Length + sizeof(wchar_t) + + sizeof(wchar_t) > + aBuffer.LengthBytes()) { + return false; + } + + auto newStr = aBuffer.Subspan(offsetElements); + memcpy(newStr.data(), aStr.Buffer, aStr.Length); + memset(newStr.data() + aStr.Length / sizeof(wchar_t), 0, sizeof(wchar_t)); + return true; +} + +} // anonymous namespace + +namespace mozilla { +namespace freestanding { + +SharedSection gSharedSection; + +// Why don't we use ::GetProcAddress? +// If the export table of kernel32.dll is tampered in the current process, +// we cannot transfer an RVA because the function pointed by the RVA may not +// exist in a target process. +// We can use ::GetProcAddress with additional check to detect tampering, but +// FindExportAddressTableEntry fits perfectly here because it returns nullptr +// if the target entry is outside the image, which means it's tampered or +// forwarded to another DLL. +#define INIT_FUNCTION(exports, name) \ + do { \ + auto rvaToFunction = exports.FindExportAddressTableEntry(#name); \ + if (!rvaToFunction) { \ + return; \ + } \ + m##name = reinterpret_cast<decltype(m##name)>(*rvaToFunction); \ + } while (0) + +#define RESOLVE_FUNCTION(base, name) \ + m##name = reinterpret_cast<decltype(m##name)>( \ + base + reinterpret_cast<uintptr_t>(m##name)) + +void Kernel32ExportsSolver::Init() { + interceptor::MMPolicyInProcess policy; + auto k32Exports = nt::PEExportSection<interceptor::MMPolicyInProcess>::Get( + ::GetModuleHandleW(L"kernel32.dll"), policy); + if (!k32Exports) { + return; + } + + // Please make sure these functions are not forwarded to another DLL. + INIT_FUNCTION(k32Exports, FlushInstructionCache); + INIT_FUNCTION(k32Exports, GetModuleHandleW); + INIT_FUNCTION(k32Exports, GetSystemInfo); + INIT_FUNCTION(k32Exports, VirtualProtect); +} + +bool Kernel32ExportsSolver::Resolve() { + const UNICODE_STRING k32Name = MOZ_LITERAL_UNICODE_STRING(L"kernel32.dll"); + + // We cannot use GetModuleHandleW because this code can be called + // before IAT is resolved. + auto k32Module = nt::GetModuleHandleFromLeafName(k32Name); + if (k32Module.isErr()) { + // Probably this is called before kernel32.dll is loaded. + return false; + } + + uintptr_t k32Base = + nt::PEHeaders::HModuleToBaseAddr<uintptr_t>(k32Module.unwrap()); + + RESOLVE_FUNCTION(k32Base, FlushInstructionCache); + RESOLVE_FUNCTION(k32Base, GetModuleHandleW); + RESOLVE_FUNCTION(k32Base, GetSystemInfo); + RESOLVE_FUNCTION(k32Base, VirtualProtect); + + return true; +} + +HANDLE SharedSection::sSectionHandle = nullptr; +SharedSection::Layout* SharedSection::sWriteCopyView = nullptr; +RTL_RUN_ONCE SharedSection::sEnsureOnce = RTL_RUN_ONCE_INIT; +nt::SRWLock SharedSection::sLock; + +void SharedSection::Reset(HANDLE aNewSectionObject) { + nt::AutoExclusiveLock{sLock}; + if (sWriteCopyView) { + nt::AutoMappedView view(sWriteCopyView); + sWriteCopyView = nullptr; + ::RtlRunOnceInitialize(&sEnsureOnce); + } + + if (sSectionHandle != aNewSectionObject) { + if (sSectionHandle) { + ::CloseHandle(sSectionHandle); + } + sSectionHandle = aNewSectionObject; + } +} + +void SharedSection::ConvertToReadOnly() { + if (!sSectionHandle) { + return; + } + + HANDLE readonlyHandle; + if (!::DuplicateHandle(nt::kCurrentProcess, sSectionHandle, + nt::kCurrentProcess, &readonlyHandle, GENERIC_READ, + FALSE, 0)) { + return; + } + + Reset(readonlyHandle); +} + +LauncherVoidResult SharedSection::Init() { + static_assert( + kSharedViewSize >= sizeof(Layout), + "kSharedViewSize is too small to represent SharedSection::Layout."); + + HANDLE section = + ::CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_READWRITE, 0, + kSharedViewSize, nullptr); + if (!section) { + return LAUNCHER_ERROR_FROM_LAST(); + } + Reset(section); + + // The initial contents of the pages in a file mapping object backed by + // the operating system paging file are 0 (zero). No need to zero it out + // ourselves. + // https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-createfilemappingw + nt::AutoMappedView writableView(sSectionHandle, PAGE_READWRITE); + if (!writableView) { + return LAUNCHER_ERROR_FROM_LAST(); + } + + Layout* view = writableView.as<Layout>(); + view->mK32Exports.Init(); + view->mState = Layout::State::kInitialized; + // Leave view->mDependentModulePathArrayStart to be zero to indicate + // we can add blocklist entries + return Ok(); +} + +LauncherVoidResult SharedSection::AddDependentModule(PCUNICODE_STRING aNtPath) { + nt::AutoMappedView writableView(sSectionHandle, PAGE_READWRITE); + if (!writableView) { + return LAUNCHER_ERROR_FROM_WIN32(::RtlGetLastWin32Error()); + } + + Layout* view = writableView.as<Layout>(); + if (!view->mDependentModulePathArrayStart) { + // This is the first time AddDependentModule is called. We set the initial + // value to mDependentModulePathArrayStart, which *closes* the blocklist. + // After this, AddBlocklist is no longer allowed. + view->mDependentModulePathArrayStart = + FIELD_OFFSET(Layout, mFirstBlockEntry) + sizeof(DllBlockInfo); + } + + if (!AddString(view->GetDependentModules(), *aNtPath)) { + return LAUNCHER_ERROR_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER); + } + + return Ok(); +} + +LauncherVoidResult SharedSection::SetBlocklist( + const DynamicBlockList& aBlocklist, bool isDisabled) { + if (!aBlocklist.GetPayloadSize()) { + return Ok(); + } + + nt::AutoMappedView writableView(sSectionHandle, PAGE_READWRITE); + if (!writableView) { + return LAUNCHER_ERROR_FROM_WIN32(::RtlGetLastWin32Error()); + } + + Layout* view = writableView.as<Layout>(); + if (view->mDependentModulePathArrayStart > 0) { + // If the dependent module array is already available, we must not update + // the blocklist. + return LAUNCHER_ERROR_FROM_WIN32(ERROR_INVALID_STATE); + } + + view->mBlocklistIsDisabled = isDisabled ? 1 : 0; + uintptr_t bufferEnd = reinterpret_cast<uintptr_t>(view) + kSharedViewSize; + size_t bytesCopied = aBlocklist.CopyTo( + view->mFirstBlockEntry, + bufferEnd - reinterpret_cast<uintptr_t>(view->mFirstBlockEntry)); + if (!bytesCopied) { + return LAUNCHER_ERROR_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER); + } + + // Setting mDependentModulePathArrayStart to a non-zero value means + // we no longer accept blocklist entries + // Just to be safe, make sure we don't overwrite mFirstBlockEntry even + // if there are no entries. + view->mDependentModulePathArrayStart = + FIELD_OFFSET(Layout, mFirstBlockEntry) + + std::max(bytesCopied, sizeof(DllBlockInfo)); + return Ok(); +} + +/* static */ +ULONG NTAPI SharedSection::EnsureWriteCopyViewOnce(PRTL_RUN_ONCE, PVOID, + PVOID*) { + if (!sWriteCopyView) { + nt::AutoMappedView view(sSectionHandle, PAGE_WRITECOPY); + if (!view) { + return TRUE; + } + sWriteCopyView = view.as<Layout>(); + view.release(); + } + return sWriteCopyView->Resolve() ? TRUE : FALSE; +} + +SharedSection::Layout* SharedSection::EnsureWriteCopyView( + bool requireKernel32Exports /*= false */) { + ::RtlRunOnceExecuteOnce(&sEnsureOnce, &EnsureWriteCopyViewOnce, nullptr, + nullptr); + if (!sWriteCopyView) { + return nullptr; + } + auto requiredState = requireKernel32Exports + ? Layout::State::kResolved + : Layout::State::kLoadedDynamicBlocklistEntries; + return sWriteCopyView->mState >= requiredState ? sWriteCopyView : nullptr; +} + +bool SharedSection::Layout::Resolve() { + if (mState == State::kResolved) { + return true; + } + if (mState == State::kUninitialized) { + return false; + } + if (mState == State::kInitialized) { + if (!mNumBlockEntries) { + uintptr_t arrayBase = reinterpret_cast<uintptr_t>(mFirstBlockEntry); + uint32_t numEntries = 0; + for (DllBlockInfo* entry = mFirstBlockEntry; + entry->mName.Length && numEntries < GetMaxNumBlockEntries(); + ++entry) { + entry->mName.Buffer = reinterpret_cast<wchar_t*>( + arrayBase + reinterpret_cast<uintptr_t>(entry->mName.Buffer)); + ++numEntries; + } + mNumBlockEntries = numEntries; + // Sort by name so that we can binary-search + std::sort(mFirstBlockEntry, mFirstBlockEntry + mNumBlockEntries, + [](const DllBlockInfo& a, const DllBlockInfo& b) { + return ::RtlCompareUnicodeString(&a.mName, &b.mName, TRUE) < + 0; + }); + } + mState = State::kLoadedDynamicBlocklistEntries; + } + + if (!mK32Exports.Resolve()) { + return false; + } + + mState = State::kResolved; + return true; +} + +Span<wchar_t> SharedSection::Layout::GetDependentModules() { + if (!mDependentModulePathArrayStart) { + return nullptr; + } + return Span<wchar_t>( + reinterpret_cast<wchar_t*>(reinterpret_cast<uintptr_t>(this) + + mDependentModulePathArrayStart), + (kSharedViewSize - mDependentModulePathArrayStart) / sizeof(wchar_t)); +} + +bool SharedSection::Layout::IsDisabled() const { + return !!mBlocklistIsDisabled; +} + +const DllBlockInfo* SharedSection::Layout::SearchBlocklist( + const UNICODE_STRING& aLeafName) const { + MOZ_ASSERT(mState >= State::kLoadedDynamicBlocklistEntries); + DllBlockInfoComparator comp(aLeafName); + size_t match; + if (!BinarySearchIf(mFirstBlockEntry, 0, mNumBlockEntries, comp, &match)) { + return nullptr; + } + return &mFirstBlockEntry[match]; +} + +Kernel32ExportsSolver* SharedSection::GetKernel32Exports() { + Layout* writeCopyView = EnsureWriteCopyView(true); + return writeCopyView ? &writeCopyView->mK32Exports : nullptr; +} + +Span<const wchar_t> SharedSection::GetDependentModules() { + Layout* writeCopyView = EnsureWriteCopyView(); + return writeCopyView ? writeCopyView->GetDependentModules() : nullptr; +} + +Span<const DllBlockInfo> SharedSection::GetDynamicBlocklist() { + Layout* writeCopyView = EnsureWriteCopyView(); + return writeCopyView ? writeCopyView->GetModulePathArray() : nullptr; +} + +const DllBlockInfo* SharedSection::SearchBlocklist( + const UNICODE_STRING& aLeafName) { + Layout* writeCopyView = EnsureWriteCopyView(); + return writeCopyView ? writeCopyView->SearchBlocklist(aLeafName) : nullptr; +} + +bool SharedSection::IsDisabled() { + Layout* writeCopyView = EnsureWriteCopyView(); + return writeCopyView ? writeCopyView->IsDisabled() : false; +} + +LauncherVoidResult SharedSection::TransferHandle( + nt::CrossExecTransferManager& aTransferMgr, DWORD aDesiredAccess, + HANDLE* aDestinationAddress) { + HANDLE remoteHandle; + if (!::DuplicateHandle(nt::kCurrentProcess, sSectionHandle, + aTransferMgr.RemoteProcess(), &remoteHandle, + aDesiredAccess, FALSE, 0)) { + return LAUNCHER_ERROR_FROM_LAST(); + } + + return aTransferMgr.Transfer(aDestinationAddress, &remoteHandle, + sizeof(remoteHandle)); +} + +} // namespace freestanding +} // namespace mozilla diff --git a/browser/app/winlauncher/freestanding/SharedSection.h b/browser/app/winlauncher/freestanding/SharedSection.h new file mode 100644 index 0000000000..4c3d1b8ef8 --- /dev/null +++ b/browser/app/winlauncher/freestanding/SharedSection.h @@ -0,0 +1,212 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_freestanding_SharedSection_h +#define mozilla_freestanding_SharedSection_h + +#include "mozilla/DynamicBlocklist.h" +#include "mozilla/glue/SharedSection.h" +#include "mozilla/NativeNt.h" +#include "mozilla/interceptor/MMPolicies.h" + +// clang-format off +#define MOZ_LITERAL_UNICODE_STRING(s) \ + { \ + /* Length of the string in bytes, less the null terminator */ \ + sizeof(s) - sizeof(wchar_t), \ + /* Length of the string in bytes, including the null terminator */ \ + sizeof(s), \ + /* Pointer to the buffer */ \ + const_cast<wchar_t*>(s) \ + } +// clang-format on + +namespace mozilla { +namespace freestanding { +class SharedSectionTestHelper; + +struct DllBlockInfoComparator { + explicit DllBlockInfoComparator(const UNICODE_STRING& aTarget) + : mTarget(&aTarget) {} + + int operator()(const DllBlockInfo& aVal) const { + return static_cast<int>( + ::RtlCompareUnicodeString(mTarget, &aVal.mName, TRUE)); + } + + PCUNICODE_STRING mTarget; +}; + +// This class calculates RVAs of kernel32's functions and transfers them +// to a target process, where the transferred RVAs are resolved into +// function addresses so that the target process can use them after +// kernel32.dll is loaded and before IAT is resolved. +struct MOZ_TRIVIAL_CTOR_DTOR Kernel32ExportsSolver final + : interceptor::MMPolicyInProcessEarlyStage::Kernel32Exports { + void Init(); + bool Resolve(); +}; + +// This class manages a section which is created in the launcher process and +// mapped in the browser process and the sandboxed processes. The section's +// layout is represented as SharedSection::Layout. +// +// (1) Kernel32's functions required for MMPolicyInProcessEarlyStage +// Formatted as Kernel32ExportsSolver. +// +// (2) Various flags and offsets +// +// (3) Entries in the dynamic blocklist, in DllBlockInfo format. There +// are mNumBlockEntries of these, followed by one that has mName.Length +// of 0. Note that the strings that contain +// the names of the entries in the blocklist are stored concatenated +// after the last entry. The mName pointers in each DllBlockInfo point +// to these strings correctly in Resolve(), so clients don't need +// to do anything special to read these strings. +// +// (4) Array of NT paths of the executable's dependent modules +// Formatted as a null-delimited wide-character string set ending with +// an empty string. These entries start at offset +// mDependentModulePathArrayStart (in bytes) from the beginning +// of the structure +// +// +--------------------------------------------------------------+ +// | (1) | FlushInstructionCache | +// | | GetModuleHandleW | +// | | GetSystemInfo | +// | | VirtualProtect | +// | | State [kUninitialized|kInitialized|kResolved] | +// +--------------------------------------------------------------+ +// | (2) | (flags and offsets) | +// +--------------------------------------------------------------+ +// | (3) | <DllBlockInfo for first entry in dynamic blocklist> | +// | | <DllBlockInfo for second entry in dynamic blocklist> | +// | | ... | +// | | <DllBlockInfo for last entry in dynamic blocklist> | +// | | <DllBlockInfo with mName.Length of 0> | +// | | L"string1.dllstring2.dll...stringlast.dll" | +// +--------------------------------------------------------------+ +// | (4) | L"NT path 1" | +// | | L"NT path 2" | +// | | ... | +// | | L"" | +// +--------------------------------------------------------------+ +class MOZ_TRIVIAL_CTOR_DTOR SharedSection final : public nt::SharedSection { + struct Layout final { + enum class State { + kUninitialized, + kInitialized, + kLoadedDynamicBlocklistEntries, + kResolved, + } mState; + + Kernel32ExportsSolver mK32Exports; + // 1 if the blocklist is disabled, 0 otherwise. + // If the blocklist is disabled, the entries are still loaded to make it + // easy for the user to remove any they don't want, but none of the DLLs + // here are actually blocked. + // Stored as a uint32_t for alignment reasons. + uint32_t mBlocklistIsDisabled; + // The offset, in bytes, from the beginning of the Layout structure to the + // first dependent module entry. + // When the Layout object is created, this value is 0, indicating that no + // dependent modules have been added and it is safe to add DllBlockInfo + // entries. + // After this value is set to something non-0, no more DllBlockInfo entries + // can be added. + uint32_t mDependentModulePathArrayStart; + // The number of blocklist entries. + uint32_t mNumBlockEntries; + DllBlockInfo mFirstBlockEntry[1]; + + Span<DllBlockInfo> GetModulePathArray() { + return Span<DllBlockInfo>( + mFirstBlockEntry, + (kSharedViewSize - (reinterpret_cast<uintptr_t>(mFirstBlockEntry) - + reinterpret_cast<uintptr_t>(this))) / + sizeof(DllBlockInfo)); + } + // Can be used to make sure we don't step past the end of the shared memory + // section. + static constexpr uint32_t GetMaxNumBlockEntries() { + return (kSharedViewSize - (offsetof(Layout, mFirstBlockEntry))) / + sizeof(DllBlockInfo); + } + Layout() = delete; // disallow instantiation + bool Resolve(); + bool IsDisabled() const; + const DllBlockInfo* SearchBlocklist(const UNICODE_STRING& aLeafName) const; + Span<wchar_t> GetDependentModules(); + }; + + // As we define a global variable of this class and use it in our blocklist + // which is excuted in a process's early stage. If we have a complex dtor, + // the static initializer tries to register that dtor with onexit() of + // ucrtbase.dll which is not loaded yet, resulting in crash. Thus, we have + // a raw handle and a pointer as a static variable and manually release them + // by calling Reset() where possible. + static HANDLE sSectionHandle; + static Layout* sWriteCopyView; + static RTL_RUN_ONCE sEnsureOnce; + + // The sLock lock guarantees that while it is held, sSectionHandle will not + // change nor get closed, sEnsureOnce will not get reinitialized, and + // sWriteCopyView will not change nor get unmapped once initialized. We take + // sLock on paths that could run concurrently with ConvertToReadOnly(). This + // method is only called on the main process, and very early, so the only + // real risk here should be threads started by third-party products reaching + // our patched_NtMapViewOfSection (see bug 1850969). + static nt::SRWLock sLock; + + static ULONG NTAPI EnsureWriteCopyViewOnce(PRTL_RUN_ONCE, PVOID, PVOID*); + static Layout* EnsureWriteCopyView(bool requireKernel32Exports = false); + + static constexpr size_t kSharedViewSize = 0x1000; + + // For test use only + friend class SharedSectionTestHelper; + + public: + // Replace |sSectionHandle| with a given handle. + static void Reset(HANDLE aNewSectionObject = sSectionHandle); + + static inline nt::AutoSharedLock AutoNoReset() { + return nt::AutoSharedLock{sLock}; + } + + // Replace |sSectionHandle| with a new readonly handle. + static void ConvertToReadOnly(); + + // Create a new writable section and initialize the Kernel32ExportsSolver + // part. + static LauncherVoidResult Init(); + + // Append a new string to the |sSectionHandle| + static LauncherVoidResult AddDependentModule(PCUNICODE_STRING aNtPath); + static LauncherVoidResult SetBlocklist(const DynamicBlockList& aBlocklist, + bool isDisabled); + + // Map |sSectionHandle| to a copy-on-write page and return a writable pointer + // to each structure, or null if Layout failed to resolve exports. + Kernel32ExportsSolver* GetKernel32Exports(); + Span<const wchar_t> GetDependentModules() final override; + Span<const DllBlockInfo> GetDynamicBlocklist() final override; + + static bool IsDisabled(); + static const DllBlockInfo* SearchBlocklist(const UNICODE_STRING& aLeafName); + + // Transfer |sSectionHandle| to a process associated with |aTransferMgr|. + static LauncherVoidResult TransferHandle( + nt::CrossExecTransferManager& aTransferMgr, DWORD aDesiredAccess, + HANDLE* aDestinationAddress = &sSectionHandle); +}; + +extern SharedSection gSharedSection; + +} // namespace freestanding +} // namespace mozilla + +#endif // mozilla_freestanding_SharedSection_h diff --git a/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py b/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py new file mode 100644 index 0000000000..d9fe86d78e --- /dev/null +++ b/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py @@ -0,0 +1,28 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import os +import subprocess +import tempfile + + +def main(output_fd, def_file, llvm_dlltool, *llvm_dlltool_args): + # llvm-dlltool can't output to stdout, so we create a temp file, use that + # to write out the lib, and then copy it over to output_fd + (tmp_fd, tmp_output) = tempfile.mkstemp() + os.close(tmp_fd) + + try: + cmd = [llvm_dlltool] + cmd.extend(llvm_dlltool_args) + cmd += ["-d", def_file, "-l", tmp_output] + + subprocess.check_call(cmd) + + with open(tmp_output, "rb") as tmplib: + output_fd.write(tmplib.read()) + finally: + os.remove(tmp_output) diff --git a/browser/app/winlauncher/freestanding/moz.build b/browser/app/winlauncher/freestanding/moz.build new file mode 100644 index 0000000000..7a43d9a104 --- /dev/null +++ b/browser/app/winlauncher/freestanding/moz.build @@ -0,0 +1,56 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +Library("winlauncher-freestanding") + +FORCE_STATIC_LIB = True + +# Our patched NtMapViewOfSection can be called before the process's import +# table is populated. Don't let the compiler insert any instrumentation +# that might call an import. +NO_PGO = True + +UNIFIED_SOURCES += [ + "DllBlocklist.cpp", + "LoaderPrivateAPI.cpp", + "ModuleLoadFrame.cpp", + "SharedSection.cpp", +] + +# This library must be compiled in a freestanding environment, as its code must +# not assume that it has access to any runtime libraries. +if CONFIG["CC_TYPE"] == "clang-cl": + CXXFLAGS += ["-Xclang"] + +CXXFLAGS += [ + "-ffreestanding", +] + +# Forcibly include Freestanding.h into all source files in this library. +if CONFIG["CC_TYPE"] == "clang-cl": + CXXFLAGS += ["-FI"] +else: + CXXFLAGS += ["-include"] + +CXXFLAGS += [SRCDIR + "/Freestanding.h"] + +OS_LIBS += [ + "ntdll", + "ntdll_freestanding", +] + +if CONFIG["COMPILE_ENVIRONMENT"] and CONFIG["LLVM_DLLTOOL"]: + GeneratedFile( + "%sntdll_freestanding.%s" % (CONFIG["LIB_PREFIX"], CONFIG["LIB_SUFFIX"]), + script="gen_ntdll_freestanding_lib.py", + inputs=["ntdll_freestanding.def"], + flags=[CONFIG["LLVM_DLLTOOL"]] + CONFIG["LLVM_DLLTOOL_FLAGS"], + ) + +DisableStlWrapping() + +with Files("**"): + BUG_COMPONENT = ("Firefox", "Launcher Process") diff --git a/browser/app/winlauncher/freestanding/ntdll_freestanding.def b/browser/app/winlauncher/freestanding/ntdll_freestanding.def new file mode 100644 index 0000000000..6e5e2685fe --- /dev/null +++ b/browser/app/winlauncher/freestanding/ntdll_freestanding.def @@ -0,0 +1,25 @@ +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. + +LIBRARY ntdll + +; When we compile with -freestanding, the compiler still requires implementation +; of the four functions listed below. +; +; We could implement our own naive versions of these functions, but that +; solution is less than ideal since the implementations must be extern and are +; thus picked up by the entire firefox.exe binary. This denies the rest of +; firefox.exe the benefit of optimized implementations. On Windows the +; sandbox is linked into firefox.exe, so we cannot just shrug and +; assume that a naive implementation will not have any effect on anything. +; +; There are, however, optimized implementations of these functions that are +; exported by ntdll.dll. OTOH, they are not included in the ntdll.lib +; import library. This .def file is used to build an import library that "fills +; in the blanks" and allows us to link into the ntdll implementations. +EXPORTS + memcmp + memcpy + memmove + memset |