summaryrefslogtreecommitdiffstats
path: root/browser/app/winlauncher
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /browser/app/winlauncher
parentInitial commit. (diff)
downloadfirefox-43a97878ce14b72f0981164f87f2e35e14151312.tar.xz
firefox-43a97878ce14b72f0981164f87f2e35e14151312.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'browser/app/winlauncher')
-rw-r--r--browser/app/winlauncher/DllBlocklistInit.cpp238
-rw-r--r--browser/app/winlauncher/DllBlocklistInit.h31
-rw-r--r--browser/app/winlauncher/ErrorHandler.cpp782
-rw-r--r--browser/app/winlauncher/ErrorHandler.h54
-rw-r--r--browser/app/winlauncher/LaunchUnelevated.cpp288
-rw-r--r--browser/app/winlauncher/LaunchUnelevated.h32
-rw-r--r--browser/app/winlauncher/LauncherProcessWin.cpp538
-rw-r--r--browser/app/winlauncher/LauncherProcessWin.h70
-rw-r--r--browser/app/winlauncher/NtLoaderAPI.cpp33
-rw-r--r--browser/app/winlauncher/ProcThreadAttributes.h159
-rw-r--r--browser/app/winlauncher/SameBinary.h146
-rw-r--r--browser/app/winlauncher/freestanding/CheckForCaller.h36
-rw-r--r--browser/app/winlauncher/freestanding/DllBlocklist.cpp487
-rw-r--r--browser/app/winlauncher/freestanding/DllBlocklist.h38
-rw-r--r--browser/app/winlauncher/freestanding/Freestanding.h67
-rw-r--r--browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp292
-rw-r--r--browser/app/winlauncher/freestanding/LoaderPrivateAPI.h62
-rw-r--r--browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp144
-rw-r--r--browser/app/winlauncher/freestanding/ModuleLoadFrame.h97
-rw-r--r--browser/app/winlauncher/freestanding/SafeThreadLocal.h96
-rw-r--r--browser/app/winlauncher/freestanding/SharedSection.cpp366
-rw-r--r--browser/app/winlauncher/freestanding/SharedSection.h199
-rw-r--r--browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py28
-rw-r--r--browser/app/winlauncher/freestanding/moz.build58
-rw-r--r--browser/app/winlauncher/freestanding/ntdll_freestanding.def25
-rw-r--r--browser/app/winlauncher/moz.build61
-rw-r--r--browser/app/winlauncher/test/TestCrossProcessWin.cpp703
-rw-r--r--browser/app/winlauncher/test/TestSafeThreadLocal.cpp84
-rw-r--r--browser/app/winlauncher/test/TestSameBinary.cpp255
-rw-r--r--browser/app/winlauncher/test/moz.build30
30 files changed, 5499 insertions, 0 deletions
diff --git a/browser/app/winlauncher/DllBlocklistInit.cpp b/browser/app/winlauncher/DllBlocklistInit.cpp
new file mode 100644
index 0000000000..813189a495
--- /dev/null
+++ b/browser/app/winlauncher/DllBlocklistInit.cpp
@@ -0,0 +1,238 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#define MOZ_USE_LAUNCHER_ERROR
+
+#include "nsWindowsDllInterceptor.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Attributes.h"
+#include "mozilla/BinarySearch.h"
+#include "mozilla/ImportDir.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/PolicyChecks.h"
+#include "mozilla/ScopeExit.h"
+#include "mozilla/Types.h"
+#include "mozilla/WindowsDllBlocklist.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+
+#include "DllBlocklistInit.h"
+#include "freestanding/DllBlocklist.h"
+#include "freestanding/SharedSection.h"
+
+namespace mozilla {
+
+#if defined(MOZ_ASAN) || defined(_M_ARM64)
+
+// This DLL blocking code is incompatible with ASAN because
+// it is able to execute before ASAN itself has even initialized.
+// Also, AArch64 has not been tested with this.
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOP(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const IMAGE_THUNK_DATA*, const bool aIsUtilityProcess,
+ const bool aIsSocketProcess) {
+ return mozilla::Ok();
+}
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOPFromLauncher(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const bool aDisableDynamicBlocklist,
+ Maybe<std::wstring> aBlocklistFileName) {
+ return mozilla::Ok();
+}
+
+#else
+
+static LauncherVoidResultWithLineInfo InitializeDllBlocklistOOPInternal(
+ const wchar_t* aFullImagePath, nt::CrossExecTransferManager& aTransferMgr,
+ const IMAGE_THUNK_DATA* aCachedNtdllThunk, const bool aIsUtilityProcess,
+ const bool aIsSocketProcess) {
+ CrossProcessDllInterceptor intcpt(aTransferMgr.RemoteProcess());
+ intcpt.Init(L"ntdll.dll");
+
+ bool ok = freestanding::stub_NtMapViewOfSection.SetDetour(
+ aTransferMgr, intcpt, "NtMapViewOfSection",
+ &freestanding::patched_NtMapViewOfSection);
+ if (!ok) {
+ return LAUNCHER_ERROR_FROM_DETOUR_ERROR(intcpt.GetLastDetourError());
+ }
+
+ ok = freestanding::stub_LdrLoadDll.SetDetour(
+ aTransferMgr, intcpt, "LdrLoadDll", &freestanding::patched_LdrLoadDll);
+ if (!ok) {
+ return LAUNCHER_ERROR_FROM_DETOUR_ERROR(intcpt.GetLastDetourError());
+ }
+
+ // Because aChildProcess has just been created in a suspended state, its
+ // dynamic linker has not yet been initialized, thus its executable has
+ // not yet been linked with ntdll.dll. If the blocklist hook intercepts a
+ // library load prior to the link, the hook will be unable to invoke any
+ // ntdll.dll functions.
+ //
+ // We know that the executable for our *current* process's binary is already
+ // linked into ntdll, so we obtain the IAT from our own executable and graft
+ // it onto the child process's IAT, thus enabling the child process's hook to
+ // safely make its ntdll calls.
+
+ const nt::PEHeaders& ourExeImage = aTransferMgr.LocalPEHeaders();
+
+ // As part of our mitigation of binary tampering, copy our import directory
+ // from the original in our executable file.
+ LauncherVoidResult importDirRestored =
+ RestoreImportDirectory(aFullImagePath, aTransferMgr);
+ if (importDirRestored.isErr()) {
+ return importDirRestored;
+ }
+
+ mozilla::nt::PEHeaders ntdllImage(::GetModuleHandleW(L"ntdll.dll"));
+ if (!ntdllImage) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
+ }
+
+ // If we have a cached IAT i.e. |aCachedNtdllThunk| is non-null, we can
+ // safely copy it to |aChildProcess| even if the local IAT has been modified.
+ // If |aCachedNtdllThunk| is null, we've failed to cache the IAT or we're in
+ // the launcher process where there is no chance to cache the IAT. In those
+ // cases, we retrieve the IAT with the boundary check to avoid a modified IAT
+ // from being copied into |aChildProcess|.
+ Maybe<Span<IMAGE_THUNK_DATA> > ntdllThunks;
+ if (aCachedNtdllThunk) {
+ ntdllThunks = ourExeImage.GetIATThunksForModule("ntdll.dll");
+ } else {
+ Maybe<Range<const uint8_t> > ntdllBoundaries = ntdllImage.GetBounds();
+ if (!ntdllBoundaries) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
+ }
+
+ // We can use GetIATThunksForModule() to check whether IAT is modified
+ // or not because no functions exported from ntdll.dll is forwarded.
+ ntdllThunks =
+ ourExeImage.GetIATThunksForModule("ntdll.dll", ntdllBoundaries.ptr());
+ }
+ if (!ntdllThunks) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_INVALID_DATA);
+ }
+
+ { // Scope for prot
+ PIMAGE_THUNK_DATA firstIatThunkDst = ntdllThunks.value().data();
+ const IMAGE_THUNK_DATA* firstIatThunkSrc =
+ aCachedNtdllThunk ? aCachedNtdllThunk : firstIatThunkDst;
+ SIZE_T iatLength = ntdllThunks.value().LengthBytes();
+
+ AutoVirtualProtect prot =
+ aTransferMgr.Protect(firstIatThunkDst, iatLength, PAGE_READWRITE);
+ if (!prot) {
+ return LAUNCHER_ERROR_FROM_MOZ_WINDOWS_ERROR(prot.GetError());
+ }
+
+ LauncherVoidResult writeResult =
+ aTransferMgr.Transfer(firstIatThunkDst, firstIatThunkSrc, iatLength);
+ if (writeResult.isErr()) {
+ return writeResult.propagateErr();
+ }
+ }
+
+ // Tell the mozglue blocklist that we have bootstrapped
+ uint32_t newFlags = eDllBlocklistInitFlagWasBootstrapped;
+
+ if (gBlocklistInitFlags & eDllBlocklistInitFlagWasBootstrapped) {
+ // If we ourselves were bootstrapped, then we are starting a child process
+ // and need to set the appropriate flag.
+ newFlags |= eDllBlocklistInitFlagIsChildProcess;
+ }
+
+ if (aIsUtilityProcess) {
+ newFlags |= eDllBlocklistInitFlagIsUtilityProcess;
+ }
+ if (aIsSocketProcess) {
+ newFlags |= eDllBlocklistInitFlagIsSocketProcess;
+ }
+
+ LauncherVoidResult writeResult =
+ aTransferMgr.Transfer(&gBlocklistInitFlags, &newFlags, sizeof(newFlags));
+ if (writeResult.isErr()) {
+ return writeResult.propagateErr();
+ }
+
+ return Ok();
+}
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOP(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const IMAGE_THUNK_DATA* aCachedNtdllThunk, const bool aIsUtilityProcess,
+ const bool aIsSocketProcess) {
+ nt::CrossExecTransferManager transferMgr(aChildProcess);
+ if (!transferMgr) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
+ }
+
+ // We come here when the browser process launches a sandbox process.
+ // If the launcher process already failed to bootstrap the browser process,
+ // we should not attempt to bootstrap a child process because it's likely
+ // to fail again. Instead, we only restore the import directory entry.
+ if (!(gBlocklistInitFlags & eDllBlocklistInitFlagWasBootstrapped)) {
+ return RestoreImportDirectory(aFullImagePath, transferMgr);
+ }
+
+ // Transfer a readonly handle to the child processes because all information
+ // are already written to the section by the launcher and main process.
+ LauncherVoidResult transferResult =
+ freestanding::gSharedSection.TransferHandle(transferMgr, GENERIC_READ);
+ if (transferResult.isErr()) {
+ return transferResult.propagateErr();
+ }
+
+ return InitializeDllBlocklistOOPInternal(aFullImagePath, transferMgr,
+ aCachedNtdllThunk, aIsUtilityProcess,
+ aIsSocketProcess);
+}
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOPFromLauncher(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const bool aDisableDynamicBlocklist,
+ Maybe<std::wstring> aBlocklistFileName) {
+ nt::CrossExecTransferManager transferMgr(aChildProcess);
+ if (!transferMgr) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
+ }
+
+ // The launcher process initializes a section object, whose handle is
+ // transferred to the browser process, and that transferred handle in
+ // the browser process is transferred to the sandbox processes.
+ LauncherVoidResultWithLineInfo result = freestanding::gSharedSection.Init();
+ if (result.isErr()) {
+ return result;
+ }
+
+ if (aBlocklistFileName.isSome() &&
+ !PolicyCheckBoolean(L"DisableThirdPartyModuleBlocking")) {
+ DynamicBlockList blockList(aBlocklistFileName->c_str());
+ result = freestanding::gSharedSection.SetBlocklist(
+ blockList, aDisableDynamicBlocklist);
+ if (result.isErr()) {
+ return result;
+ }
+ }
+
+ // Transfer a writable handle to the main process because it needs to append
+ // dependent module paths to the section.
+ LauncherVoidResult transferResult =
+ freestanding::gSharedSection.TransferHandle(transferMgr,
+ GENERIC_READ | GENERIC_WRITE);
+ if (transferResult.isErr()) {
+ return transferResult.propagateErr();
+ }
+
+ auto clearInstance = MakeScopeExit([]() {
+ // After transfer, the launcher process does not need the object anymore.
+ freestanding::gSharedSection.Reset(nullptr);
+ });
+ return InitializeDllBlocklistOOPInternal(aFullImagePath, transferMgr, nullptr,
+ false, false);
+}
+
+#endif // defined(MOZ_ASAN) || defined(_M_ARM64)
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/DllBlocklistInit.h b/browser/app/winlauncher/DllBlocklistInit.h
new file mode 100644
index 0000000000..291283a7f6
--- /dev/null
+++ b/browser/app/winlauncher/DllBlocklistInit.h
@@ -0,0 +1,31 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_DllBlocklistInit_h
+#define mozilla_DllBlocklistInit_h
+
+#include <windows.h>
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+# include "mozilla/LauncherRegistryInfo.h"
+#endif
+#include "mozilla/WinHeaderOnlyUtils.h"
+
+namespace mozilla {
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOP(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const IMAGE_THUNK_DATA* aCachedNtdllThunk, const bool aIsUtilityProcess,
+ const bool aIsSocketProcess);
+
+LauncherVoidResultWithLineInfo InitializeDllBlocklistOOPFromLauncher(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ const bool aDisableDynamicBlocklist,
+ Maybe<std::wstring> aBlocklistFileName);
+
+} // namespace mozilla
+
+#endif // mozilla_DllBlocklistInit_h
diff --git a/browser/app/winlauncher/ErrorHandler.cpp b/browser/app/winlauncher/ErrorHandler.cpp
new file mode 100644
index 0000000000..1286e0f90f
--- /dev/null
+++ b/browser/app/winlauncher/ErrorHandler.cpp
@@ -0,0 +1,782 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "ErrorHandler.h"
+
+#include <utility>
+
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/DebugOnly.h"
+#include "mozilla/JSONWriter.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/Unused.h"
+#include "mozilla/WinTokenUtils.h"
+#include "mozilla/WindowsVersion.h"
+#include "mozilla/XREAppData.h"
+#include "mozilla/glue/WindowsDllServices.h"
+#include "mozilla/mscom/ProcessRuntime.h"
+#include "nsWindowsHelpers.h"
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+# include "mozilla/LauncherRegistryInfo.h"
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+#include <algorithm>
+#include <process.h>
+#include <sstream>
+#include <string>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include <objbase.h>
+#include <rpc.h>
+#if !defined(__MINGW32__)
+# include <comutil.h>
+# include <iwscapi.h>
+# include <wscapi.h>
+#endif // !defined(__MINGW32__)
+#include <tlhelp32.h>
+
+#if !defined(RRF_SUBKEY_WOW6464KEY)
+# define RRF_SUBKEY_WOW6464KEY 0x00010000
+#endif // !defined(RRF_SUBKEY_WOW6464KEY)
+
+#define QUOTE_ME2(x) #x
+#define QUOTE_ME(x) QUOTE_ME2(x)
+
+#define TELEMETRY_BASE_URL L"https://incoming.telemetry.mozilla.org/submit"
+#define TELEMETRY_NAMESPACE L"/firefox-launcher-process"
+#define TELEMETRY_LAUNCHER_PING_DOCTYPE L"/launcher-process-failure"
+#define TELEMETRY_LAUNCHER_PING_VERSION L"/1"
+
+static const wchar_t kUrl[] = TELEMETRY_BASE_URL TELEMETRY_NAMESPACE
+ TELEMETRY_LAUNCHER_PING_DOCTYPE TELEMETRY_LAUNCHER_PING_VERSION L"/";
+static const uint32_t kGuidCharLenWithNul = 39;
+static const uint32_t kGuidCharLenNoBracesNoNul = 36;
+static const mozilla::StaticXREAppData* gAppData;
+
+// Ordinarily, errors are only reported to the Windows Event Log when they are
+// not reported upstream via telemetry (usually due either to telemetry being
+// disabled or to network failure).
+//
+// If `--log-launcher-error` is given at the command line, launcher errors will
+// always be reported to the Windows Event Log, regardless of whether or not
+// they're sent upstream.
+static bool gForceEventLog = false;
+
+namespace {
+
+constexpr wchar_t kEventSourceName[] = L"" MOZ_APP_DISPLAYNAME " Launcher";
+
+struct EventSourceDeleter {
+ using pointer = HANDLE;
+
+ void operator()(pointer aEvtSrc) { ::DeregisterEventSource(aEvtSrc); }
+};
+
+using EventLog = mozilla::UniquePtr<HANDLE, EventSourceDeleter>;
+
+struct SerializedEventData {
+ HRESULT mHr;
+ uint32_t mLine;
+ char mFile[1];
+};
+
+} // anonymous namespace
+
+static void PostErrorToLog(const mozilla::LauncherError& aError) {
+ // This is very bare-bones; just enough to spit out an HRESULT to the
+ // Application event log.
+ EventLog log(::RegisterEventSourceW(nullptr, kEventSourceName));
+
+ if (!log) {
+ return;
+ }
+
+ size_t fileLen = strlen(aError.mFile);
+ size_t dataLen = sizeof(HRESULT) + sizeof(uint32_t) + fileLen;
+ auto evtDataBuf = mozilla::MakeUnique<char[]>(dataLen);
+ SerializedEventData& evtData =
+ *reinterpret_cast<SerializedEventData*>(evtDataBuf.get());
+ evtData.mHr = aError.mError.AsHResult();
+ evtData.mLine = aError.mLine;
+ // Since this is binary data, we're not concerning ourselves with null
+ // terminators.
+ memcpy(evtData.mFile, aError.mFile, fileLen);
+
+ ::ReportEventW(log.get(), EVENTLOG_ERROR_TYPE, 0, aError.mError.AsHResult(),
+ nullptr, 0, dataLen, nullptr, evtDataBuf.get());
+}
+
+#if defined(MOZ_TELEMETRY_REPORTING)
+
+namespace {
+
+// This JSONWriteFunc writes directly to a temp file. By creating this file
+// with the FILE_ATTRIBUTE_TEMPORARY attribute, we hint to the OS that this
+// file is short-lived. The OS will try to avoid flushing it to disk if at
+// all possible.
+class TempFileWriter final : public mozilla::JSONWriteFunc {
+ public:
+ TempFileWriter() : mFailed(false), mSuccessfulHandoff(false) {
+ wchar_t name[MAX_PATH + 1] = {};
+ if (_wtmpnam_s(name)) {
+ mFailed = true;
+ return;
+ }
+
+ mTempFileName = name;
+
+ mTempFile.own(::CreateFileW(name, GENERIC_WRITE, FILE_SHARE_READ, nullptr,
+ CREATE_NEW, FILE_ATTRIBUTE_TEMPORARY, nullptr));
+ if (mTempFile.get() == INVALID_HANDLE_VALUE) {
+ mFailed = true;
+ }
+ }
+
+ ~TempFileWriter() {
+ if (mSuccessfulHandoff) {
+ // It is no longer our responsibility to delete the temp file if we have
+ // successfully handed it off to pingsender.
+ return;
+ }
+
+ mTempFile.reset();
+ ::DeleteFileW(mTempFileName.c_str());
+ }
+
+ explicit operator bool() const { return !mFailed; }
+
+ void Write(const mozilla::Span<const char>& aStr) final {
+ if (mFailed) {
+ return;
+ }
+
+ DWORD bytesWritten = 0;
+ if (!::WriteFile(mTempFile, aStr.data(), aStr.size(), &bytesWritten,
+ nullptr) ||
+ bytesWritten != aStr.size()) {
+ mFailed = true;
+ }
+ }
+
+ const std::wstring& GetFileName() const { return mTempFileName; }
+
+ void SetSuccessfulHandoff() { mSuccessfulHandoff = true; }
+
+ private:
+ bool mFailed;
+ bool mSuccessfulHandoff;
+ std::wstring mTempFileName;
+ nsAutoHandle mTempFile;
+};
+
+using SigMap = mozilla::Vector<std::wstring, 0, InfallibleAllocPolicy>;
+
+} // anonymous namespace
+
+// This is the guideline for maximum string length for telemetry intake
+static const size_t kMaxStrLen = 80;
+
+static mozilla::UniquePtr<char[]> WideToUTF8(const wchar_t* aStr,
+ const size_t aStrLenExclNul) {
+ // Yes, this might not handle surrogate pairs correctly. Let's just let
+ // WideCharToMultiByte fail in that unlikely case.
+ size_t cvtLen = std::min(aStrLenExclNul, kMaxStrLen);
+
+ int numConv = ::WideCharToMultiByte(CP_UTF8, 0, aStr, cvtLen, nullptr, 0,
+ nullptr, nullptr);
+ if (!numConv) {
+ return nullptr;
+ }
+
+ // Include room for the null terminator by adding one
+ auto buf = mozilla::MakeUnique<char[]>(numConv + 1);
+
+ numConv = ::WideCharToMultiByte(CP_UTF8, 0, aStr, cvtLen, buf.get(), numConv,
+ nullptr, nullptr);
+ if (!numConv) {
+ return nullptr;
+ }
+
+ // Add null termination. numConv does not include the terminator, so we don't
+ // subtract 1 when indexing into buf.
+ buf[numConv] = 0;
+
+ return buf;
+}
+
+static mozilla::UniquePtr<char[]> WideToUTF8(const wchar_t* aStr) {
+ return WideToUTF8(aStr, wcslen(aStr));
+}
+
+static mozilla::UniquePtr<char[]> WideToUTF8(const std::wstring& aStr) {
+ return WideToUTF8(aStr.c_str(), aStr.length());
+}
+
+// MinGW does not support the Windows Security Center APIs.
+# if !defined(__MINGW32__)
+
+static mozilla::UniquePtr<char[]> WideToUTF8(const _bstr_t& aStr) {
+ return WideToUTF8(static_cast<const wchar_t*>(aStr), aStr.length());
+}
+
+namespace {
+
+struct ProviderKey {
+ WSC_SECURITY_PROVIDER mProviderType;
+ const char* mKey;
+};
+
+} // anonymous namespace
+
+static bool EnumWSCProductList(RefPtr<IWSCProductList>& aProdList,
+ mozilla::JSONWriter& aJson) {
+ LONG count;
+ HRESULT hr = aProdList->get_Count(&count);
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ // Unlikely, but put a bound on the max length of the output array for the
+ // purposes of telemetry intake.
+ count = std::min(count, 1000L);
+
+ // Record the name(s) of each active registered product in this category
+ for (LONG index = 0; index < count; ++index) {
+ RefPtr<IWscProduct> product;
+ hr = aProdList->get_Item(index, getter_AddRefs(product));
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ WSC_SECURITY_PRODUCT_STATE state;
+ hr = product->get_ProductState(&state);
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ // We only care about products that are active
+ if (state == WSC_SECURITY_PRODUCT_STATE_OFF ||
+ state == WSC_SECURITY_PRODUCT_STATE_SNOOZED ||
+ state == WSC_SECURITY_PRODUCT_STATE_EXPIRED) {
+ continue;
+ }
+
+ _bstr_t bName;
+ hr = product->get_ProductName(bName.GetAddress());
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ auto buf = WideToUTF8(bName);
+ if (!buf) {
+ return false;
+ }
+
+ aJson.StringElement(mozilla::MakeStringSpan(buf.get()));
+ }
+
+ return true;
+}
+
+static const ProviderKey gProvKeys[] = {
+ {WSC_SECURITY_PROVIDER_ANTIVIRUS, "av"},
+ {WSC_SECURITY_PROVIDER_ANTISPYWARE, "antispyware"},
+ {WSC_SECURITY_PROVIDER_FIREWALL, "firewall"}};
+
+static bool AddWscInfo(mozilla::JSONWriter& aJson) {
+ if (!mozilla::IsWin8OrLater()) {
+ // We haven't written anything yet, so we can return true here and continue
+ // capturing data.
+ return true;
+ }
+
+ // We need COM for this. Using ProcessRuntime so that process-global COM
+ // configuration is done correctly
+ mozilla::mscom::ProcessRuntime mscom(
+ mozilla::mscom::ProcessRuntime::ProcessCategory::Launcher);
+ if (!mscom) {
+ // We haven't written anything yet, so we can return true here and continue
+ // capturing data.
+ return true;
+ }
+
+ aJson.StartObjectProperty("security");
+
+ const CLSID clsid = __uuidof(WSCProductList);
+ const IID iid = __uuidof(IWSCProductList);
+
+ for (uint32_t index = 0; index < mozilla::ArrayLength(gProvKeys); ++index) {
+ // NB: A separate instance of IWSCProductList is needed for each distinct
+ // security provider type; MSDN says that we cannot reuse the same object
+ // and call Initialize() to pave over the previous data.
+ RefPtr<IWSCProductList> prodList;
+ HRESULT hr = ::CoCreateInstance(clsid, nullptr, CLSCTX_INPROC_SERVER, iid,
+ getter_AddRefs(prodList));
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ hr = prodList->Initialize(gProvKeys[index].mProviderType);
+ if (FAILED(hr)) {
+ return false;
+ }
+
+ aJson.StartArrayProperty(mozilla::MakeStringSpan(gProvKeys[index].mKey));
+
+ if (!EnumWSCProductList(prodList, aJson)) {
+ return false;
+ }
+
+ aJson.EndArray();
+ }
+
+ aJson.EndObject();
+
+ return true;
+}
+# endif // !defined(__MINGW32__)
+
+// Max array length for telemetry intake.
+static const size_t kMaxArrayLen = 1000;
+
+static bool AddModuleInfo(const nsAutoHandle& aSnapshot,
+ mozilla::JSONWriter& aJson) {
+ if (aSnapshot.get() == INVALID_HANDLE_VALUE) {
+ // We haven't written anything yet, so we can return true here and continue
+ // capturing data.
+ return true;
+ }
+
+ SigMap signatures;
+ size_t moduleCount = 0;
+
+ MODULEENTRY32W module = {sizeof(module)};
+ if (!::Module32FirstW(aSnapshot, &module)) {
+ // We haven't written anything yet, so we can return true here and continue
+ // capturing data.
+ return true;
+ }
+
+ mozilla::glue::BasicDllServices dllServices;
+
+ aJson.StartObjectProperty("modules");
+
+ // For each module, add its version number (or empty string if not present),
+ // followed by an optional index into the signatures array
+ do {
+ ++moduleCount;
+
+ wchar_t leaf[_MAX_FNAME] = {};
+ if (::_wsplitpath_s(module.szExePath, nullptr, 0, nullptr, 0, leaf,
+ mozilla::ArrayLength(leaf), nullptr, 0)) {
+ return false;
+ }
+
+ if (_wcslwr_s(leaf, mozilla::ArrayLength(leaf))) {
+ return false;
+ }
+
+ auto leafUtf8 = WideToUTF8(leaf);
+ if (!leafUtf8) {
+ return false;
+ }
+
+ aJson.StartArrayProperty(mozilla::MakeStringSpan(leafUtf8.get()));
+
+ std::string version;
+ DWORD verInfoSize = ::GetFileVersionInfoSizeW(module.szExePath, nullptr);
+ if (verInfoSize) {
+ auto verInfoBuf = mozilla::MakeUnique<BYTE[]>(verInfoSize);
+
+ if (::GetFileVersionInfoW(module.szExePath, 0, verInfoSize,
+ verInfoBuf.get())) {
+ VS_FIXEDFILEINFO* fixedInfo = nullptr;
+ UINT fixedInfoLen = 0;
+
+ if (::VerQueryValueW(verInfoBuf.get(), L"\\",
+ reinterpret_cast<LPVOID*>(&fixedInfo),
+ &fixedInfoLen)) {
+ std::ostringstream oss;
+ oss << HIWORD(fixedInfo->dwFileVersionMS) << '.'
+ << LOWORD(fixedInfo->dwFileVersionMS) << '.'
+ << HIWORD(fixedInfo->dwFileVersionLS) << '.'
+ << LOWORD(fixedInfo->dwFileVersionLS);
+ version = oss.str();
+ }
+ }
+ }
+
+ aJson.StringElement(version);
+
+ mozilla::Maybe<ptrdiff_t> sigIndex;
+ auto signedBy = dllServices.GetBinaryOrgName(module.szExePath);
+ if (signedBy) {
+ std::wstring strSignedBy(signedBy.get());
+ auto entry = std::find(signatures.begin(), signatures.end(), strSignedBy);
+ if (entry == signatures.end()) {
+ mozilla::Unused << signatures.append(std::move(strSignedBy));
+ entry = &signatures.back();
+ }
+
+ sigIndex = mozilla::Some(entry - signatures.begin());
+ }
+
+ if (sigIndex) {
+ aJson.IntElement(sigIndex.value());
+ }
+
+ aJson.EndArray();
+ } while (moduleCount < kMaxArrayLen && ::Module32NextW(aSnapshot, &module));
+
+ aJson.EndObject();
+
+ aJson.StartArrayProperty("signatures");
+
+ // Serialize each entry in the signatures array
+ for (auto&& itr : signatures) {
+ auto sigUtf8 = WideToUTF8(itr);
+ if (!sigUtf8) {
+ continue;
+ }
+
+ aJson.StringElement(mozilla::MakeStringSpan(sigUtf8.get()));
+ }
+
+ aJson.EndArray();
+
+ return true;
+}
+
+namespace {
+
+struct PingThreadContext {
+ explicit PingThreadContext(const mozilla::LauncherError& aError,
+ const char* aProcessType)
+ : mLauncherError(aError),
+ mModulesSnapshot(::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0)),
+ mProcessType(aProcessType ? aProcessType : "") {}
+ mozilla::LauncherError mLauncherError;
+ nsAutoHandle mModulesSnapshot;
+ std::string mProcessType;
+};
+
+} // anonymous namespace
+
+static bool PrepPing(const PingThreadContext& aContext, const std::wstring& aId,
+ mozilla::JSONWriter& aJson) {
+# if defined(DEBUG)
+ const mozilla::JSONWriter::CollectionStyle style =
+ mozilla::JSONWriter::MultiLineStyle;
+# else
+ const mozilla::JSONWriter::CollectionStyle style =
+ mozilla::JSONWriter::SingleLineStyle;
+# endif // defined(DEBUG)
+
+ aJson.Start(style);
+
+ aJson.StringProperty("type", "launcher-process-failure");
+ aJson.IntProperty("version", 1);
+
+ auto idUtf8 = WideToUTF8(aId);
+ if (idUtf8) {
+ aJson.StringProperty("id", mozilla::MakeStringSpan(idUtf8.get()));
+ }
+
+ time_t now;
+ time(&now);
+ tm gmTm;
+ if (!gmtime_s(&gmTm, &now)) {
+ char isoTimeBuf[32] = {};
+ if (strftime(isoTimeBuf, mozilla::ArrayLength(isoTimeBuf), "%FT%T.000Z",
+ &gmTm)) {
+ aJson.StringProperty("creationDate", isoTimeBuf);
+ }
+ }
+
+ aJson.StringProperty("update_channel", QUOTE_ME(MOZ_UPDATE_CHANNEL));
+
+ if (gAppData) {
+ aJson.StringProperty("build_id",
+ mozilla::MakeStringSpan(gAppData->buildID));
+ aJson.StringProperty("build_version",
+ mozilla::MakeStringSpan(gAppData->version));
+ }
+
+ OSVERSIONINFOEXW osv = {sizeof(osv)};
+ if (::GetVersionExW(reinterpret_cast<OSVERSIONINFOW*>(&osv))) {
+ std::ostringstream oss;
+ oss << osv.dwMajorVersion << "." << osv.dwMinorVersion << "."
+ << osv.dwBuildNumber;
+
+ if (osv.dwMajorVersion == 10 && osv.dwMinorVersion == 0) {
+ // Get the "Update Build Revision" (UBR) value
+ DWORD ubrValue;
+ DWORD ubrValueLen = sizeof(ubrValue);
+ LSTATUS ubrOk =
+ ::RegGetValueW(HKEY_LOCAL_MACHINE,
+ L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
+ L"UBR", RRF_RT_DWORD | RRF_SUBKEY_WOW6464KEY, nullptr,
+ &ubrValue, &ubrValueLen);
+ if (ubrOk == ERROR_SUCCESS) {
+ oss << "." << ubrValue;
+ }
+ }
+
+ if (oss) {
+ aJson.StringProperty("os_version", oss.str());
+ }
+
+ bool isServer = osv.wProductType == VER_NT_DOMAIN_CONTROLLER ||
+ osv.wProductType == VER_NT_SERVER;
+ aJson.BoolProperty("server_os", isServer);
+ }
+
+ WCHAR localeName[LOCALE_NAME_MAX_LENGTH] = {};
+ int localeNameLen =
+ ::GetUserDefaultLocaleName(localeName, mozilla::ArrayLength(localeName));
+ if (localeNameLen) {
+ auto localeNameUtf8 = WideToUTF8(localeName, localeNameLen - 1);
+ if (localeNameUtf8) {
+ aJson.StringProperty("os_locale",
+ mozilla::MakeStringSpan(localeNameUtf8.get()));
+ }
+ }
+
+ SYSTEM_INFO sysInfo;
+ ::GetNativeSystemInfo(&sysInfo);
+ aJson.IntProperty("cpu_arch", sysInfo.wProcessorArchitecture);
+ aJson.IntProperty("num_logical_cpus", sysInfo.dwNumberOfProcessors);
+
+ mozilla::LauncherResult<bool> isAdminWithoutUac =
+ mozilla::IsAdminWithoutUac();
+ if (isAdminWithoutUac.isOk()) {
+ aJson.BoolProperty("is_admin_without_uac", isAdminWithoutUac.unwrap());
+ }
+
+ if (!aContext.mProcessType.empty()) {
+ aJson.StringProperty("process_type", aContext.mProcessType);
+ }
+
+ MEMORYSTATUSEX memStatus = {sizeof(memStatus)};
+ if (::GlobalMemoryStatusEx(&memStatus)) {
+ aJson.StartObjectProperty("memory");
+ aJson.IntProperty("total_phys", memStatus.ullTotalPhys);
+ aJson.IntProperty("avail_phys", memStatus.ullAvailPhys);
+ aJson.IntProperty("avail_page_file", memStatus.ullAvailPageFile);
+ aJson.IntProperty("avail_virt", memStatus.ullAvailVirtual);
+ aJson.EndObject();
+ }
+
+ aJson.StringProperty("xpcom_abi", TARGET_XPCOM_ABI);
+
+ aJson.StartObjectProperty("launcher_error", style);
+
+ std::string srcFileLeaf(aContext.mLauncherError.mFile);
+ // Obtain the leaf name of the file for privacy reasons
+ // (In case this is somebody's local build)
+ auto pos = srcFileLeaf.find_last_of("/\\");
+ if (pos != std::string::npos) {
+ srcFileLeaf = srcFileLeaf.substr(pos + 1);
+ }
+
+ aJson.StringProperty("source_file", srcFileLeaf);
+
+ aJson.IntProperty("source_line", aContext.mLauncherError.mLine);
+ aJson.IntProperty("hresult", aContext.mLauncherError.mError.AsHResult());
+
+# if defined(NIGHTLY_BUILD)
+ if (aContext.mLauncherError.mDetourError.isSome()) {
+ static const char* kHexMap = "0123456789abcdef";
+ char hexStr[sizeof(mozilla::DetourError::mOrigBytes) * 2 + 1];
+ int cnt = 0;
+ for (uint8_t byte : aContext.mLauncherError.mDetourError->mOrigBytes) {
+ hexStr[cnt++] = kHexMap[(byte >> 4) & 0x0f];
+ hexStr[cnt++] = kHexMap[byte & 0x0f];
+ }
+ hexStr[cnt] = 0;
+ aJson.StringProperty("detour_orig_bytes", hexStr);
+ }
+# endif // defined(NIGHTLY_BUILD)
+
+ aJson.EndObject();
+
+# if !defined(__MINGW32__)
+ if (!AddWscInfo(aJson)) {
+ return false;
+ }
+# endif // !defined(__MINGW32__)
+
+ if (!AddModuleInfo(aContext.mModulesSnapshot, aJson)) {
+ return false;
+ }
+
+ aJson.End();
+
+ return true;
+}
+
+static bool DoSendPing(const PingThreadContext& aContext) {
+ TempFileWriter tempFile;
+ mozilla::JSONWriter json(tempFile);
+
+ UUID uuid;
+ if (::UuidCreate(&uuid) != RPC_S_OK) {
+ return false;
+ }
+
+ wchar_t guidBuf[kGuidCharLenWithNul] = {};
+ if (::StringFromGUID2(uuid, guidBuf, kGuidCharLenWithNul) !=
+ kGuidCharLenWithNul) {
+ return false;
+ }
+
+ // Strip the curly braces off of the guid
+ std::wstring guidNoBraces(guidBuf + 1, kGuidCharLenNoBracesNoNul);
+
+ // Populate json with the ping information
+ if (!PrepPing(aContext, guidNoBraces, json)) {
+ return false;
+ }
+
+ // Obtain the name of the temp file that we have written
+ const std::wstring& fileName = tempFile.GetFileName();
+
+ // Using the path to our executable binary, construct the path to
+ // pingsender.exe
+ mozilla::UniquePtr<wchar_t[]> exePath(mozilla::GetFullBinaryPath());
+
+ wchar_t drive[_MAX_DRIVE] = {};
+ wchar_t dir[_MAX_DIR] = {};
+ if (_wsplitpath_s(exePath.get(), drive, mozilla::ArrayLength(drive), dir,
+ mozilla::ArrayLength(dir), nullptr, 0, nullptr, 0)) {
+ return false;
+ }
+
+ wchar_t pingSenderPath[MAX_PATH + 1] = {};
+ if (_wmakepath_s(pingSenderPath, mozilla::ArrayLength(pingSenderPath), drive,
+ dir, L"pingsender", L"exe")) {
+ return false;
+ }
+
+ // Construct the telemetry URL
+ wchar_t urlBuf[mozilla::ArrayLength(kUrl) + kGuidCharLenNoBracesNoNul] = {};
+ if (wcscpy_s(urlBuf, kUrl)) {
+ return false;
+ }
+
+ if (wcscat_s(urlBuf, guidNoBraces.c_str())) {
+ return false;
+ }
+
+ // Now build the command line arguments to pingsender
+ wchar_t* pingSenderArgv[] = {pingSenderPath, urlBuf,
+ const_cast<wchar_t*>(fileName.c_str())};
+
+ mozilla::UniquePtr<wchar_t[]> pingSenderCmdLine(mozilla::MakeCommandLine(
+ mozilla::ArrayLength(pingSenderArgv), pingSenderArgv));
+
+ // Now start pingsender to handle the rest
+ PROCESS_INFORMATION pi;
+
+ STARTUPINFOW si = {sizeof(si)};
+ si.dwFlags = STARTF_USESHOWWINDOW;
+ si.wShowWindow = SW_HIDE;
+
+ if (!::CreateProcessW(pingSenderPath, pingSenderCmdLine.get(), nullptr,
+ nullptr, FALSE, 0, nullptr, nullptr, &si, &pi)) {
+ return false;
+ }
+
+ tempFile.SetSuccessfulHandoff();
+
+ nsAutoHandle proc(pi.hProcess);
+ nsAutoHandle thread(pi.hThread);
+
+ return true;
+}
+
+static unsigned __stdcall SendPingThread(void* aContext) {
+ mozilla::UniquePtr<PingThreadContext> context(
+ reinterpret_cast<PingThreadContext*>(aContext));
+
+ if (!DoSendPing(*context) || gForceEventLog) {
+ PostErrorToLog(context->mLauncherError);
+ }
+
+ return 0;
+}
+
+#endif // defined(MOZ_TELEMETRY_REPORTING)
+
+static bool SendPing(const mozilla::LauncherError& aError,
+ const char* aProcessType) {
+#if defined(MOZ_TELEMETRY_REPORTING)
+# if defined(MOZ_LAUNCHER_PROCESS)
+ mozilla::LauncherRegistryInfo regInfo;
+ mozilla::LauncherResult<bool> telemetryEnabled = regInfo.IsTelemetryEnabled();
+ if (telemetryEnabled.isErr() || !telemetryEnabled.unwrap()) {
+ // Do not send anything if telemetry has been opted out
+ return false;
+ }
+# endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ // We send this ping when the launcher process fails. After we start the
+ // SendPingThread, this thread falls back from running as the launcher process
+ // to running as the browser main thread. Once this happens, it will be unsafe
+ // to set up PoisonIOInterposer (since we have already spun up a background
+ // thread).
+ mozilla::SaveToEnv("MOZ_DISABLE_POISON_IO_INTERPOSER=1");
+
+ // Capture aError and our module list into context for processing on another
+ // thread.
+ auto thdParam = mozilla::MakeUnique<PingThreadContext>(aError, aProcessType);
+
+ // The ping does a lot of file I/O. Since we want this thread to continue
+ // executing browser startup, we should gather that information on a
+ // background thread.
+ uintptr_t thdHandle =
+ _beginthreadex(nullptr, 0, &SendPingThread, thdParam.get(),
+ STACK_SIZE_PARAM_IS_A_RESERVATION, nullptr);
+ if (!thdHandle) {
+ return false;
+ }
+
+ // We have handed off thdParam to the background thread
+ mozilla::Unused << thdParam.release();
+
+ ::CloseHandle(reinterpret_cast<HANDLE>(thdHandle));
+ return true;
+#else
+ return false;
+#endif
+}
+
+namespace mozilla {
+
+void HandleLauncherError(const LauncherError& aError,
+ const char* aProcessType) {
+#if defined(MOZ_LAUNCHER_PROCESS)
+ LauncherRegistryInfo regInfo;
+ Unused << regInfo.DisableDueToFailure();
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ if (!SendPing(aError, aProcessType)) {
+ // couldn't (or shouldn't) send telemetry; fall back to event log
+ PostErrorToLog(aError);
+ }
+}
+
+void SetLauncherErrorAppData(const StaticXREAppData& aAppData) {
+ gAppData = &aAppData;
+}
+
+void SetLauncherErrorForceEventLog() { gForceEventLog = true; }
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/ErrorHandler.h b/browser/app/winlauncher/ErrorHandler.h
new file mode 100644
index 0000000000..71fe72cf07
--- /dev/null
+++ b/browser/app/winlauncher/ErrorHandler.h
@@ -0,0 +1,54 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_ErrorHandler_h
+#define mozilla_ErrorHandler_h
+
+#include "mozilla/Assertions.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+
+namespace mozilla {
+
+/**
+ * All launcher process error handling should live in the implementation of
+ * this function.
+ */
+void HandleLauncherError(const LauncherError& aError,
+ const char* aProcessType = nullptr);
+
+// This function is simply a convenience overload that automatically unwraps
+// the LauncherError from the provided LauncherResult and then forwards it to
+// the main implementation.
+template <typename T>
+inline void HandleLauncherError(const LauncherResult<T>& aResult,
+ const char* aProcessType = nullptr) {
+ MOZ_ASSERT(aResult.isErr());
+ if (aResult.isOk()) {
+ return;
+ }
+
+ HandleLauncherError(aResult.inspectErr(), aProcessType);
+}
+
+// This function is simply a convenience overload that unwraps the provided
+// GenericErrorResult<LauncherError> and forwards it to the main implementation.
+inline void HandleLauncherError(
+ const GenericErrorResult<LauncherError>& aResult,
+ const char* aProcessType = nullptr) {
+ LauncherVoidResult r(aResult);
+ HandleLauncherError(r, aProcessType);
+}
+
+// Forward declaration
+struct StaticXREAppData;
+
+void SetLauncherErrorAppData(const StaticXREAppData& aAppData);
+
+void SetLauncherErrorForceEventLog();
+
+} // namespace mozilla
+
+#endif // mozilla_ErrorHandler_h
diff --git a/browser/app/winlauncher/LaunchUnelevated.cpp b/browser/app/winlauncher/LaunchUnelevated.cpp
new file mode 100644
index 0000000000..fa4dccb22d
--- /dev/null
+++ b/browser/app/winlauncher/LaunchUnelevated.cpp
@@ -0,0 +1,288 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#define MOZ_USE_LAUNCHER_ERROR
+
+#include "LaunchUnelevated.h"
+
+#include "mozilla/Assertions.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/mscom/ProcessRuntime.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/ShellHeaderOnlyUtils.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "../BrowserDefines.h"
+#include "nsWindowsHelpers.h"
+
+#include <windows.h>
+
+static mozilla::LauncherResult<bool> IsHighIntegrity(
+ const nsAutoHandle& aToken) {
+ DWORD reqdLen;
+ if (!::GetTokenInformation(aToken.get(), TokenIntegrityLevel, nullptr, 0,
+ &reqdLen)) {
+ DWORD err = ::GetLastError();
+ if (err != ERROR_INSUFFICIENT_BUFFER) {
+ return LAUNCHER_ERROR_FROM_WIN32(err);
+ }
+ }
+
+ auto buf = mozilla::MakeUnique<char[]>(reqdLen);
+
+ if (!::GetTokenInformation(aToken.get(), TokenIntegrityLevel, buf.get(),
+ reqdLen, &reqdLen)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ auto tokenLabel = reinterpret_cast<PTOKEN_MANDATORY_LABEL>(buf.get());
+
+ DWORD subAuthCount = *::GetSidSubAuthorityCount(tokenLabel->Label.Sid);
+ DWORD integrityLevel =
+ *::GetSidSubAuthority(tokenLabel->Label.Sid, subAuthCount - 1);
+ return integrityLevel > SECURITY_MANDATORY_MEDIUM_RID;
+}
+
+static mozilla::LauncherResult<HANDLE> GetMediumIntegrityToken(
+ const nsAutoHandle& aProcessToken) {
+ HANDLE rawResult;
+ if (!::DuplicateTokenEx(aProcessToken.get(), 0, nullptr,
+ SecurityImpersonation, TokenPrimary, &rawResult)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ nsAutoHandle result(rawResult);
+
+ BYTE mediumIlSid[SECURITY_MAX_SID_SIZE];
+ DWORD mediumIlSidSize = sizeof(mediumIlSid);
+ if (!::CreateWellKnownSid(WinMediumLabelSid, nullptr, mediumIlSid,
+ &mediumIlSidSize)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ TOKEN_MANDATORY_LABEL integrityLevel = {};
+ integrityLevel.Label.Attributes = SE_GROUP_INTEGRITY;
+ integrityLevel.Label.Sid = reinterpret_cast<PSID>(mediumIlSid);
+
+ if (!::SetTokenInformation(rawResult, TokenIntegrityLevel, &integrityLevel,
+ sizeof(integrityLevel))) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ return result.disown();
+}
+
+static mozilla::LauncherResult<bool> IsAdminByAppCompat(
+ HKEY aRootKey, const wchar_t* aExecutablePath) {
+ static const wchar_t kPathToLayers[] =
+ L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
+ L"AppCompatFlags\\Layers";
+
+ DWORD dataLength = 0;
+ LSTATUS status = ::RegGetValueW(aRootKey, kPathToLayers, aExecutablePath,
+ RRF_RT_REG_SZ | RRF_SUBKEY_WOW6464KEY,
+ nullptr, nullptr, &dataLength);
+ if (status == ERROR_FILE_NOT_FOUND) {
+ return false;
+ } else if (status != ERROR_SUCCESS) {
+ return LAUNCHER_ERROR_FROM_WIN32(status);
+ }
+
+ auto valueData = mozilla::MakeUnique<wchar_t[]>(dataLength);
+ if (!valueData) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_OUTOFMEMORY);
+ }
+
+ status = ::RegGetValueW(aRootKey, kPathToLayers, aExecutablePath,
+ RRF_RT_REG_SZ | RRF_SUBKEY_WOW6464KEY, nullptr,
+ valueData.get(), &dataLength);
+ if (status != ERROR_SUCCESS) {
+ return LAUNCHER_ERROR_FROM_WIN32(status);
+ }
+
+ const wchar_t kRunAsAdmin[] = L"RUNASADMIN";
+ const wchar_t kDelimiters[] = L" ";
+ wchar_t* tokenContext = nullptr;
+ const wchar_t* token = wcstok_s(valueData.get(), kDelimiters, &tokenContext);
+ while (token) {
+ if (!_wcsnicmp(token, kRunAsAdmin, mozilla::ArrayLength(kRunAsAdmin))) {
+ return true;
+ }
+ token = wcstok_s(nullptr, kDelimiters, &tokenContext);
+ }
+
+ return false;
+}
+
+namespace mozilla {
+
+// If we're running at an elevated integrity level, re-run ourselves at the
+// user's normal integrity level. We do this by locating the active explorer
+// shell, and then asking it to do a ShellExecute on our behalf. We do it this
+// way to ensure that the child process runs as the original user in the active
+// session; an elevated process could be running with different credentials than
+// those of the session.
+// See https://devblogs.microsoft.com/oldnewthing/20131118-00/?p=2643
+
+LauncherVoidResult LaunchUnelevated(int aArgc, wchar_t* aArgv[]) {
+ // We need COM to talk to Explorer. Using ProcessRuntime so that
+ // process-global COM configuration is done correctly
+ mozilla::mscom::ProcessRuntime mscom(
+ mozilla::mscom::ProcessRuntime::ProcessCategory::Launcher);
+ if (!mscom) {
+ return LAUNCHER_ERROR_FROM_HRESULT(mscom.GetHResult());
+ }
+
+ // Omit the original argv[0] because ShellExecute doesn't need it. Insert
+ // ATTEMPTING_DEELEVATION_FLAG so that we know not to attempt to restart
+ // ourselves if deelevation fails.
+ UniquePtr<wchar_t[]> cmdLine = [&]() {
+ constexpr wchar_t const* kTagArg = L"--" ATTEMPTING_DEELEVATION_FLAG;
+
+ // This should have already been checked, but just in case...
+ EnsureBrowserCommandlineSafe(aArgc, aArgv);
+
+ if (mozilla::CheckArg(aArgc, aArgv, "osint", nullptr, CheckArgFlag::None)) {
+ // If the command line contains -osint, we have to arrange things in a
+ // particular order.
+ //
+ // (We can't just replace -osint with kTagArg, unfortunately: there is
+ // code in the browser which behaves differently in the presence of an
+ // `-osint` tag, but which will not have had a chance to react to this.
+ // See, _e.g._, bug 1243603.)
+ auto const aArgvCopy = MakeUnique<wchar_t const*[]>(aArgc + 1);
+ aArgvCopy[0] = aArgv[1];
+ aArgvCopy[1] = kTagArg;
+ for (int i = 2; i < aArgc; ++i) {
+ aArgvCopy[i] = aArgv[i];
+ }
+ aArgvCopy[aArgc] = nullptr; // because argv[argc] is NULL
+ return MakeCommandLine(aArgc, aArgvCopy.get(), 0, nullptr);
+ } else {
+ // Otherwise, just tack it on at the end.
+ constexpr wchar_t const* const kTagArgArray[] = {kTagArg};
+ return MakeCommandLine(aArgc - 1, aArgv + 1, 1, kTagArgArray);
+ }
+ }();
+ if (!cmdLine) {
+ return LAUNCHER_ERROR_GENERIC();
+ }
+
+ _bstr_t cmd;
+
+ UniquePtr<wchar_t[]> packageFamilyName = mozilla::GetPackageFamilyName();
+ if (packageFamilyName) {
+ int cmdLen =
+ // 22 for the prefix + suffix + null terminator below
+ 22 + wcslen(packageFamilyName.get());
+ wchar_t appCmd[cmdLen];
+ swprintf(appCmd, cmdLen, L"shell:appsFolder\\%s!App",
+ packageFamilyName.get());
+ cmd = appCmd;
+ } else {
+ cmd = aArgv[0];
+ }
+
+ _variant_t args(cmdLine.get());
+ _variant_t operation(L"open");
+ _variant_t directory;
+ _variant_t showCmd(SW_SHOWNORMAL);
+ return ShellExecuteByExplorer(cmd, args, operation, directory, showCmd);
+}
+
+LauncherResult<ElevationState> GetElevationState(
+ const wchar_t* aExecutablePath, mozilla::LauncherFlags aFlags,
+ nsAutoHandle& aOutMediumIlToken) {
+ aOutMediumIlToken.reset();
+
+ const DWORD tokenFlags = TOKEN_QUERY | TOKEN_DUPLICATE |
+ TOKEN_ADJUST_DEFAULT | TOKEN_ASSIGN_PRIMARY;
+ HANDLE rawToken;
+ if (!::OpenProcessToken(::GetCurrentProcess(), tokenFlags, &rawToken)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ nsAutoHandle token(rawToken);
+
+ LauncherResult<TOKEN_ELEVATION_TYPE> elevationType = GetElevationType(token);
+ if (elevationType.isErr()) {
+ return elevationType.propagateErr();
+ }
+
+ Maybe<ElevationState> elevationState;
+ switch (elevationType.unwrap()) {
+ case TokenElevationTypeLimited:
+ return ElevationState::eNormalUser;
+ case TokenElevationTypeFull:
+ elevationState = Some(ElevationState::eElevated);
+ break;
+ case TokenElevationTypeDefault: {
+ // In this case, UAC is disabled. We do not yet know whether or not we
+ // are running at high integrity. If we are at high integrity, we can't
+ // relaunch ourselves in a non-elevated state via Explorer, as we would
+ // just end up in an infinite loop of launcher processes re-launching
+ // themselves.
+ LauncherResult<bool> isHighIntegrity = IsHighIntegrity(token);
+ if (isHighIntegrity.isErr()) {
+ return isHighIntegrity.propagateErr();
+ }
+
+ if (!isHighIntegrity.unwrap()) {
+ return ElevationState::eNormalUser;
+ }
+
+ elevationState = Some(ElevationState::eHighIntegrityNoUAC);
+ break;
+ }
+ default:
+ MOZ_ASSERT_UNREACHABLE("Was a new value added to the enumeration?");
+ return LAUNCHER_ERROR_GENERIC();
+ }
+
+ MOZ_ASSERT(elevationState.isSome() &&
+ elevationState.value() != ElevationState::eNormalUser,
+ "Should have returned earlier for the eNormalUser case.");
+
+ LauncherResult<bool> isAdminByAppCompat =
+ IsAdminByAppCompat(HKEY_CURRENT_USER, aExecutablePath);
+ if (isAdminByAppCompat.isErr()) {
+ return isAdminByAppCompat.propagateErr();
+ }
+
+ if (isAdminByAppCompat.unwrap()) {
+ elevationState = Some(ElevationState::eHighIntegrityByAppCompat);
+ } else {
+ isAdminByAppCompat =
+ IsAdminByAppCompat(HKEY_LOCAL_MACHINE, aExecutablePath);
+ if (isAdminByAppCompat.isErr()) {
+ return isAdminByAppCompat.propagateErr();
+ }
+
+ if (isAdminByAppCompat.unwrap()) {
+ elevationState = Some(ElevationState::eHighIntegrityByAppCompat);
+ }
+ }
+
+ // A medium IL token is not needed in the following cases.
+ // 1) We keep the process elevated (= LauncherFlags::eNoDeelevate)
+ // 2) The process was elevated by UAC (= ElevationState::eElevated)
+ // AND the launcher process doesn't wait for the browser process
+ if ((aFlags & mozilla::LauncherFlags::eNoDeelevate) ||
+ (elevationState.value() == ElevationState::eElevated &&
+ !(aFlags & mozilla::LauncherFlags::eWaitForBrowser))) {
+ return elevationState.value();
+ }
+
+ LauncherResult<HANDLE> tokenResult = GetMediumIntegrityToken(token);
+ if (tokenResult.isOk()) {
+ aOutMediumIlToken.own(tokenResult.unwrap());
+ } else {
+ return tokenResult.propagateErr();
+ }
+
+ return elevationState.value();
+}
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/LaunchUnelevated.h b/browser/app/winlauncher/LaunchUnelevated.h
new file mode 100644
index 0000000000..8c6679edf3
--- /dev/null
+++ b/browser/app/winlauncher/LaunchUnelevated.h
@@ -0,0 +1,32 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_LaunchUnelevated_h
+#define mozilla_LaunchUnelevated_h
+
+#include "LauncherProcessWin.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "mozilla/Maybe.h"
+#include "nsWindowsHelpers.h"
+
+namespace mozilla {
+
+enum class ElevationState {
+ eNormalUser = 0,
+ eElevated = (1 << 0),
+ eHighIntegrityNoUAC = (1 << 1),
+ eHighIntegrityByAppCompat = (1 << 2),
+};
+
+LauncherResult<ElevationState> GetElevationState(
+ const wchar_t* aExecutablePath, LauncherFlags aFlags,
+ nsAutoHandle& aOutMediumIlToken);
+
+LauncherVoidResult LaunchUnelevated(int aArgc, wchar_t* aArgv[]);
+
+} // namespace mozilla
+
+#endif // mozilla_LaunchUnelevated_h
diff --git a/browser/app/winlauncher/LauncherProcessWin.cpp b/browser/app/winlauncher/LauncherProcessWin.cpp
new file mode 100644
index 0000000000..33b8ed52bf
--- /dev/null
+++ b/browser/app/winlauncher/LauncherProcessWin.cpp
@@ -0,0 +1,538 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#define MOZ_USE_LAUNCHER_ERROR
+
+#include "LauncherProcessWin.h"
+
+#include <string.h>
+
+#include "mozilla/Attributes.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/DebugOnly.h"
+#include "mozilla/DynamicallyLinkedFunctionPtr.h"
+#include "mozilla/glue/Debug.h"
+#include "mozilla/GeckoArgs.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/SafeMode.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/WindowsConsole.h"
+#include "mozilla/WindowsVersion.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "nsWindowsHelpers.h"
+
+#include <windows.h>
+#include <processthreadsapi.h>
+
+#include "DllBlocklistInit.h"
+#include "ErrorHandler.h"
+#include "LaunchUnelevated.h"
+#include "ProcThreadAttributes.h"
+#include "../BrowserDefines.h"
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+# include "mozilla/LauncherRegistryInfo.h"
+# include "SameBinary.h"
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+#if defined(MOZ_SANDBOX)
+# include "mozilla/sandboxing/SandboxInitialization.h"
+#endif
+
+namespace mozilla {
+// "const" because nothing in this process modifies it.
+// "volatile" because something in another process may.
+const volatile DeelevationStatus gDeelevationStatus =
+ DeelevationStatus::DefaultStaticValue;
+} // namespace mozilla
+
+/**
+ * At this point the child process has been created in a suspended state. Any
+ * additional startup work (eg, blocklist setup) should go here.
+ *
+ * @return Ok if browser startup should proceed
+ */
+static mozilla::LauncherVoidResult PostCreationSetup(
+ const wchar_t* aFullImagePath, HANDLE aChildProcess,
+ HANDLE aChildMainThread, mozilla::DeelevationStatus aDStatus,
+ const bool aIsSafeMode, const bool aDisableDynamicBlocklist,
+ mozilla::Maybe<std::wstring> aBlocklistFileName) {
+ /* scope for txManager */ {
+ mozilla::nt::CrossExecTransferManager txManager(aChildProcess);
+ if (!txManager) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
+ }
+
+ using mozilla::gDeelevationStatus;
+
+ void* targetAddress = (LPVOID)&gDeelevationStatus;
+
+ auto const guard = txManager.Protect(
+ targetAddress, sizeof(gDeelevationStatus), PAGE_READWRITE);
+
+ mozilla::LauncherVoidResult result =
+ txManager.Transfer(targetAddress, &aDStatus, sizeof(aDStatus));
+ if (result.isErr()) {
+ return result;
+ }
+ }
+
+ return mozilla::InitializeDllBlocklistOOPFromLauncher(
+ aFullImagePath, aChildProcess, aDisableDynamicBlocklist,
+ aBlocklistFileName);
+}
+
+/**
+ * Create a new Job object and assign |aProcess| to it. If something fails
+ * in this function, we return nullptr but continue without recording
+ * a launcher failure because it's not a critical problem to launch
+ * the browser process.
+ */
+static nsReturnRef<HANDLE> CreateJobAndAssignProcess(HANDLE aProcess) {
+ nsAutoHandle empty;
+ nsAutoHandle job(::CreateJobObjectW(nullptr, nullptr));
+
+ // Set JOB_OBJECT_LIMIT_BREAKAWAY_OK to allow the browser process
+ // to put child processes into a job on Win7, which does not support
+ // nested jobs. See CanUseJob() in sandboxBroker.cpp.
+ JOBOBJECT_EXTENDED_LIMIT_INFORMATION jobInfo = {};
+ jobInfo.BasicLimitInformation.LimitFlags =
+ JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE | JOB_OBJECT_LIMIT_BREAKAWAY_OK;
+ if (!::SetInformationJobObject(job.get(), JobObjectExtendedLimitInformation,
+ &jobInfo, sizeof(jobInfo))) {
+ return empty.out();
+ }
+
+ if (!::AssignProcessToJobObject(job.get(), aProcess)) {
+ return empty.out();
+ }
+
+ return job.out();
+}
+
+#if !defined( \
+ PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON)
+# define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON \
+ (0x00000001ULL << 60)
+#endif // !defined(PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON)
+
+#if !defined(PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF)
+# define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF \
+ (0x00000002ULL << 40)
+#endif // !defined(PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF)
+
+#if (_WIN32_WINNT < 0x0602)
+BOOL WINAPI
+SetProcessMitigationPolicy(PROCESS_MITIGATION_POLICY aMitigationPolicy,
+ PVOID aBuffer, SIZE_T aBufferLen);
+#endif // (_WIN32_WINNT >= 0x0602)
+
+/**
+ * Any mitigation policies that should be set on the browser process should go
+ * here.
+ */
+static void SetMitigationPolicies(mozilla::ProcThreadAttributes& aAttrs,
+ const bool aIsSafeMode) {
+ if (mozilla::IsWin10AnniversaryUpdateOrLater()) {
+ aAttrs.AddMitigationPolicy(
+ PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON);
+ }
+
+#if defined(_M_ARM64)
+ // Disable CFG on older versions of ARM64 Windows to avoid a crash in COM.
+ if (!mozilla::IsWin10Sep2018UpdateOrLater()) {
+ aAttrs.AddMitigationPolicy(
+ PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF);
+ }
+#endif // defined(_M_ARM64)
+}
+
+static mozilla::LauncherFlags ProcessCmdLine(int& aArgc, wchar_t* aArgv[]) {
+ mozilla::LauncherFlags result = mozilla::LauncherFlags::eNone;
+
+ if (mozilla::CheckArg(aArgc, aArgv, "wait-for-browser", nullptr,
+ mozilla::CheckArgFlag::RemoveArg) ==
+ mozilla::ARG_FOUND ||
+ mozilla::CheckArg(aArgc, aArgv, "marionette", nullptr,
+ mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND ||
+ mozilla::CheckArg(aArgc, aArgv, "backgroundtask", nullptr,
+ mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND ||
+ mozilla::CheckArg(aArgc, aArgv, "headless", nullptr,
+ mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND ||
+ mozilla::CheckArg(aArgc, aArgv, "remote-debugging-port", nullptr,
+ mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND ||
+ mozilla::EnvHasValue("MOZ_AUTOMATION") ||
+ mozilla::EnvHasValue("MOZ_HEADLESS")) {
+ result |= mozilla::LauncherFlags::eWaitForBrowser;
+ }
+
+ if (mozilla::CheckArg(aArgc, aArgv, "no-deelevate") == mozilla::ARG_FOUND) {
+ result |= mozilla::LauncherFlags::eNoDeelevate;
+ }
+
+ if (mozilla::CheckArg(aArgc, aArgv, ATTEMPTING_DEELEVATION_FLAG) ==
+ mozilla::ARG_FOUND) {
+ result |= mozilla::LauncherFlags::eDeelevating;
+ }
+
+ return result;
+}
+
+static void MaybeBreakForBrowserDebugging() {
+ if (mozilla::EnvHasValue("MOZ_DEBUG_BROWSER_PROCESS")) {
+ ::DebugBreak();
+ return;
+ }
+
+ const wchar_t* pauseLenS = _wgetenv(L"MOZ_DEBUG_BROWSER_PAUSE");
+ if (!pauseLenS || !(*pauseLenS)) {
+ return;
+ }
+
+ DWORD pauseLenMs = wcstoul(pauseLenS, nullptr, 10) * 1000;
+ printf_stderr("\n\nBROWSERBROWSERBROWSERBROWSER\n debug me @ %lu\n\n",
+ ::GetCurrentProcessId());
+ ::Sleep(pauseLenMs);
+}
+
+static bool DoLauncherProcessChecks(int& argc, wchar_t** argv) {
+ // NB: We run all tests in this function instead of returning early in order
+ // to ensure that all side effects take place, such as clearing environment
+ // variables.
+ bool result = false;
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+ // We still prefer to compare file ids. Comparing NT paths i.e. passing
+ // CompareNtPathsOnly to IsSameBinaryAsParentProcess is much faster, but
+ // we're not 100% sure that NT path comparison perfectly prevents the
+ // launching loop of the launcher process.
+ mozilla::LauncherResult<bool> isSame = mozilla::IsSameBinaryAsParentProcess();
+ if (isSame.isOk()) {
+ result = !isSame.unwrap();
+ } else {
+ HandleLauncherError(isSame.unwrapErr());
+ }
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ if (mozilla::EnvHasValue("MOZ_LAUNCHER_PROCESS")) {
+ mozilla::SaveToEnv("MOZ_LAUNCHER_PROCESS=");
+ result = true;
+ }
+
+ result |=
+ mozilla::CheckArg(argc, argv, "launcher", nullptr,
+ mozilla::CheckArgFlag::RemoveArg) == mozilla::ARG_FOUND;
+
+ return result;
+}
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+static mozilla::Maybe<bool> RunAsLauncherProcess(
+ mozilla::LauncherRegistryInfo& aRegInfo, int& argc, wchar_t** argv) {
+#else
+static mozilla::Maybe<bool> RunAsLauncherProcess(int& argc, wchar_t** argv) {
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+ bool runAsLauncher = DoLauncherProcessChecks(argc, argv);
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+ bool forceLauncher =
+ runAsLauncher &&
+ mozilla::CheckArg(argc, argv, "force-launcher", nullptr,
+ mozilla::CheckArgFlag::RemoveArg) == mozilla::ARG_FOUND;
+
+ mozilla::LauncherRegistryInfo::ProcessType desiredType =
+ runAsLauncher ? mozilla::LauncherRegistryInfo::ProcessType::Launcher
+ : mozilla::LauncherRegistryInfo::ProcessType::Browser;
+
+ mozilla::LauncherRegistryInfo::CheckOption checkOption =
+ forceLauncher ? mozilla::LauncherRegistryInfo::CheckOption::Force
+ : mozilla::LauncherRegistryInfo::CheckOption::Default;
+
+ mozilla::LauncherResult<mozilla::LauncherRegistryInfo::ProcessType>
+ runAsType = aRegInfo.Check(desiredType, checkOption);
+
+ if (runAsType.isErr()) {
+ mozilla::HandleLauncherError(runAsType);
+ return mozilla::Nothing();
+ }
+
+ runAsLauncher = runAsType.unwrap() ==
+ mozilla::LauncherRegistryInfo::ProcessType::Launcher;
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ if (!runAsLauncher) {
+ // In this case, we will be proceeding to run as the browser.
+ // We should check MOZ_DEBUG_BROWSER_* env vars.
+ MaybeBreakForBrowserDebugging();
+ }
+
+ return mozilla::Some(runAsLauncher);
+}
+
+namespace mozilla {
+
+Maybe<int> LauncherMain(int& argc, wchar_t* argv[],
+ const StaticXREAppData& aAppData) {
+ EnsureBrowserCommandlineSafe(argc, argv);
+
+ SetLauncherErrorAppData(aAppData);
+
+ if (CheckArg(argc, argv, "log-launcher-error", nullptr,
+ mozilla::CheckArgFlag::RemoveArg) == ARG_FOUND) {
+ SetLauncherErrorForceEventLog();
+ }
+
+ // return fast when we're a child process.
+ // (The remainder of this function has some side effects that are
+ // undesirable for content processes)
+ if (mozilla::CheckArg(argc, argv, "contentproc", nullptr,
+ mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND) {
+ // A child process should not instantiate LauncherRegistryInfo.
+ return Nothing();
+ }
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+ LauncherRegistryInfo regInfo;
+ Maybe<bool> runAsLauncher = RunAsLauncherProcess(regInfo, argc, argv);
+ LauncherResult<std::wstring> blocklistFileNameResult =
+ regInfo.GetBlocklistFileName();
+ Maybe<std::wstring> blocklistFileName =
+ blocklistFileNameResult.isOk() ? Some(blocklistFileNameResult.unwrap())
+ : Nothing();
+#else
+ Maybe<bool> runAsLauncher = RunAsLauncherProcess(argc, argv);
+ Maybe<std::wstring> blocklistFileName = Nothing();
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+ if (!runAsLauncher || !runAsLauncher.value()) {
+#if defined(MOZ_LAUNCHER_PROCESS)
+ // Update the registry as Browser
+ LauncherVoidResult commitResult = regInfo.Commit();
+ if (commitResult.isErr()) {
+ mozilla::HandleLauncherError(commitResult);
+ }
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+ return Nothing();
+ }
+
+ // Make sure that the launcher process itself has image load policies set
+ if (IsWin10AnniversaryUpdateOrLater()) {
+ static const StaticDynamicallyLinkedFunctionPtr<
+ decltype(&SetProcessMitigationPolicy)>
+ pSetProcessMitigationPolicy(L"kernel32.dll",
+ "SetProcessMitigationPolicy");
+ if (pSetProcessMitigationPolicy) {
+ PROCESS_MITIGATION_IMAGE_LOAD_POLICY imgLoadPol = {};
+ imgLoadPol.PreferSystem32Images = 1;
+
+ DebugOnly<BOOL> setOk = pSetProcessMitigationPolicy(
+ ProcessImageLoadPolicy, &imgLoadPol, sizeof(imgLoadPol));
+ MOZ_ASSERT(setOk);
+ }
+ }
+
+#if defined(MOZ_SANDBOX)
+ // Ensure the relevant mitigations are enforced.
+ mozilla::sandboxing::ApplyParentProcessMitigations();
+#endif
+
+ mozilla::UseParentConsole();
+
+ if (!SetArgv0ToFullBinaryPath(argv)) {
+ HandleLauncherError(LAUNCHER_ERROR_GENERIC());
+ return Nothing();
+ }
+
+ LauncherFlags flags = ProcessCmdLine(argc, argv);
+
+ nsAutoHandle mediumIlToken;
+ LauncherResult<ElevationState> elevationState =
+ GetElevationState(argv[0], flags, mediumIlToken);
+ if (elevationState.isErr()) {
+ HandleLauncherError(elevationState);
+ return Nothing();
+ }
+
+ // Distill deelevation status, and/or attempt to perform launcher deelevation
+ // via an indirect relaunch.
+ DeelevationStatus deelevationStatus = DeelevationStatus::Unknown;
+ if (mediumIlToken.get()) {
+ // Rather than indirectly relaunch the launcher, we'll attempt to directly
+ // launch the main process with a reduced-privilege security token.
+ deelevationStatus = DeelevationStatus::PartiallyDeelevated;
+ } else if (elevationState.unwrap() == ElevationState::eElevated) {
+ if (flags & LauncherFlags::eWaitForBrowser) {
+ // An indirect relaunch won't provide a process-handle to block on,
+ // so we have to continue onwards with this process.
+ deelevationStatus = DeelevationStatus::DeelevationProhibited;
+ } else if (flags & LauncherFlags::eNoDeelevate) {
+ // Our invoker (hopefully, the user) has explicitly requested that the
+ // launcher not deelevate itself.
+ deelevationStatus = DeelevationStatus::DeelevationProhibited;
+ } else if (flags & LauncherFlags::eDeelevating) {
+ // We've already tried to deelevate, to no effect. Continue onward.
+ deelevationStatus = DeelevationStatus::UnsuccessfullyDeelevated;
+ } else {
+ // Otherwise, attempt to relaunch the launcher process itself via the
+ // shell, which hopefully will not be elevated. (But see bug 1733821.)
+ LauncherVoidResult launchedUnelevated = LaunchUnelevated(argc, argv);
+ if (launchedUnelevated.isErr()) {
+ // On failure, don't even try for a launcher process. Continue onwards
+ // in this one. (TODO: why? This isn't technically fatal...)
+ HandleLauncherError(launchedUnelevated);
+ return Nothing();
+ }
+ // Otherwise, tell our caller to exit with a success code.
+ return Some(0);
+ }
+ } else if (elevationState.unwrap() == ElevationState::eNormalUser) {
+ if (flags & LauncherFlags::eDeelevating) {
+ // Deelevation appears to have been successful!
+ deelevationStatus = DeelevationStatus::SuccessfullyDeelevated;
+ } else {
+ // We haven't done anything and we don't need to.
+ deelevationStatus = DeelevationStatus::StartedUnprivileged;
+ }
+ } else {
+ // Some other elevation state with no medium-integrity token.
+ // (This should probably not happen.)
+ deelevationStatus = DeelevationStatus::Unknown;
+ }
+
+#if defined(MOZ_LAUNCHER_PROCESS)
+ // Update the registry as Launcher
+ LauncherVoidResult commitResult = regInfo.Commit();
+ if (commitResult.isErr()) {
+ mozilla::HandleLauncherError(commitResult);
+ return Nothing();
+ }
+#endif // defined(MOZ_LAUNCHER_PROCESS)
+
+ // Now proceed with setting up the parameters for process creation
+ UniquePtr<wchar_t[]> cmdLine(MakeCommandLine(argc, argv));
+ if (!cmdLine) {
+ HandleLauncherError(LAUNCHER_ERROR_GENERIC());
+ return Nothing();
+ }
+
+ const Maybe<bool> isSafeMode =
+ IsSafeModeRequested(argc, argv, SafeModeFlag::NoKeyPressCheck);
+ if (!isSafeMode) {
+ HandleLauncherError(LAUNCHER_ERROR_FROM_WIN32(ERROR_INVALID_PARAMETER));
+ return Nothing();
+ }
+
+ ProcThreadAttributes attrs;
+ SetMitigationPolicies(attrs, isSafeMode.value());
+
+ HANDLE stdHandles[] = {::GetStdHandle(STD_INPUT_HANDLE),
+ ::GetStdHandle(STD_OUTPUT_HANDLE),
+ ::GetStdHandle(STD_ERROR_HANDLE)};
+
+ attrs.AddInheritableHandles(stdHandles);
+
+ DWORD creationFlags = CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT;
+
+ STARTUPINFOEXW siex;
+ LauncherResult<bool> attrsOk = attrs.AssignTo(siex);
+ if (attrsOk.isErr()) {
+ HandleLauncherError(attrsOk);
+ return Nothing();
+ }
+
+ BOOL inheritHandles = FALSE;
+
+ if (attrsOk.unwrap()) {
+ creationFlags |= EXTENDED_STARTUPINFO_PRESENT;
+
+ if (attrs.HasInheritableHandles()) {
+ siex.StartupInfo.dwFlags |= STARTF_USESTDHANDLES;
+ siex.StartupInfo.hStdInput = stdHandles[0];
+ siex.StartupInfo.hStdOutput = stdHandles[1];
+ siex.StartupInfo.hStdError = stdHandles[2];
+
+ // Since attrsOk == true, we have successfully set the handle inheritance
+ // whitelist policy, so only the handles added to attrs will be inherited.
+ inheritHandles = TRUE;
+ }
+ }
+
+ // Pass on the path of the shortcut used to launch this process, if any.
+ STARTUPINFOW currentStartupInfo = {.cb = sizeof(STARTUPINFOW)};
+ GetStartupInfoW(&currentStartupInfo);
+ if ((currentStartupInfo.dwFlags & STARTF_TITLEISLINKNAME) &&
+ currentStartupInfo.lpTitle) {
+ siex.StartupInfo.dwFlags |= STARTF_TITLEISLINKNAME;
+ siex.StartupInfo.lpTitle = currentStartupInfo.lpTitle;
+ }
+
+ PROCESS_INFORMATION pi = {};
+ BOOL createOk;
+
+ if (mediumIlToken.get()) {
+ createOk =
+ ::CreateProcessAsUserW(mediumIlToken.get(), argv[0], cmdLine.get(),
+ nullptr, nullptr, inheritHandles, creationFlags,
+ nullptr, nullptr, &siex.StartupInfo, &pi);
+ } else {
+ createOk = ::CreateProcessW(argv[0], cmdLine.get(), nullptr, nullptr,
+ inheritHandles, creationFlags, nullptr, nullptr,
+ &siex.StartupInfo, &pi);
+ }
+
+ if (!createOk) {
+ HandleLauncherError(LAUNCHER_ERROR_FROM_LAST());
+ return Nothing();
+ }
+
+ nsAutoHandle process(pi.hProcess);
+ nsAutoHandle mainThread(pi.hThread);
+
+ nsAutoHandle job;
+ if (flags & LauncherFlags::eWaitForBrowser) {
+ job = CreateJobAndAssignProcess(process.get());
+ }
+
+ bool disableDynamicBlocklist = IsDynamicBlocklistDisabled(
+ isSafeMode.value(),
+ mozilla::CheckArg(
+ argc, argv, mozilla::geckoargs::sDisableDynamicDllBlocklist.sMatch,
+ nullptr, mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND);
+ LauncherVoidResult setupResult = PostCreationSetup(
+ argv[0], process.get(), mainThread.get(), deelevationStatus,
+ isSafeMode.value(), disableDynamicBlocklist, blocklistFileName);
+ if (setupResult.isErr()) {
+ HandleLauncherError(setupResult);
+ ::TerminateProcess(process.get(), 1);
+ return Nothing();
+ }
+
+ if (::ResumeThread(mainThread.get()) == static_cast<DWORD>(-1)) {
+ HandleLauncherError(LAUNCHER_ERROR_FROM_LAST());
+ ::TerminateProcess(process.get(), 1);
+ return Nothing();
+ }
+
+ if (flags & LauncherFlags::eWaitForBrowser) {
+ DWORD exitCode;
+ if (::WaitForSingleObject(process.get(), INFINITE) == WAIT_OBJECT_0 &&
+ ::GetExitCodeProcess(process.get(), &exitCode)) {
+ // Propagate the browser process's exit code as our exit code.
+ return Some(static_cast<int>(exitCode));
+ }
+ } else {
+ const DWORD timeout =
+ ::IsDebuggerPresent() ? INFINITE : kWaitForInputIdleTimeoutMS;
+
+ // Keep the current process around until the callback process has created
+ // its message queue, to avoid the launched process's windows being forced
+ // into the background.
+ mozilla::WaitForInputIdle(process.get(), timeout);
+ }
+
+ return Some(0);
+}
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/LauncherProcessWin.h b/browser/app/winlauncher/LauncherProcessWin.h
new file mode 100644
index 0000000000..8fd53d7d3f
--- /dev/null
+++ b/browser/app/winlauncher/LauncherProcessWin.h
@@ -0,0 +1,70 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_LauncherProcessWin_h
+#define mozilla_LauncherProcessWin_h
+
+#include "mozilla/Maybe.h"
+#include "mozilla/TypedEnumBits.h"
+
+#include <stdint.h>
+
+namespace mozilla {
+
+// Forward declaration
+struct StaticXREAppData;
+
+/**
+ * Determine whether or not the current process should be run as the launcher
+ * process, and run if so. If we are not supposed to run as the launcher
+ * process, or in the event of a launcher process failure, return Nothing, thus
+ * indicating that we should continue on the original startup code path.
+ */
+Maybe<int> LauncherMain(int& argc, wchar_t* argv[],
+ const StaticXREAppData& aAppData);
+
+enum class LauncherFlags : uint32_t {
+ eNone = 0,
+ eWaitForBrowser = (1 << 0), // Launcher should block until browser finishes
+ eNoDeelevate = (1 << 1), // If elevated, do not attempt to de-elevate
+ eDeelevating = (1 << 2), // A de-elevation attempt has been made
+};
+
+MOZ_MAKE_ENUM_CLASS_BITWISE_OPERATORS(LauncherFlags);
+
+enum class DeelevationStatus : uint32_t {
+ // The deelevation status could not be determined. Should never actually be
+ // the value of `gDeelevationStatus`.
+ Unknown = 0,
+
+ // Deelevation did not need to be performed because the process was started
+ // without administrative privileges.
+ StartedUnprivileged = 1,
+ // Deelevation would have been performed, but was prohibited due to a flag.
+ DeelevationProhibited = 2,
+ // The launcher process was successfully deelevated.
+ SuccessfullyDeelevated = 3,
+ // The launcher process was not successfully deelevated, but a
+ // medium-integrity token was used to launch the main process.
+ PartiallyDeelevated = 4,
+ // Deelevation was attempted, but failed completely. The main process is
+ // running with administrative privileges.
+ UnsuccessfullyDeelevated = 5,
+
+ // This is the static initial value of `gDeelevationStatus`; it acts as a
+ // sentinel to determine whether the launcher has set it at all. (It's
+ // therefore the normal value of `gDeelevationStatus` when the launcher is
+ // disabled.)
+ DefaultStaticValue = 0x55AA55AA,
+};
+
+// The result of the deelevation attempt. Set by the launcher process in the
+// main process when the two are distinct.
+extern const volatile DeelevationStatus gDeelevationStatus;
+
+} // namespace mozilla
+
+#endif // mozilla_LauncherProcessWin_h
diff --git a/browser/app/winlauncher/NtLoaderAPI.cpp b/browser/app/winlauncher/NtLoaderAPI.cpp
new file mode 100644
index 0000000000..97f8a20186
--- /dev/null
+++ b/browser/app/winlauncher/NtLoaderAPI.cpp
@@ -0,0 +1,33 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/LoaderAPIInterfaces.h"
+
+#include "freestanding/CheckForCaller.h"
+#include "freestanding/LoaderPrivateAPI.h"
+
+namespace mozilla {
+
+extern "C" MOZ_EXPORT nt::LoaderAPI* GetNtLoaderAPI(
+ nt::LoaderObserver* aNewObserver) {
+ // Make sure the caller is inside mozglue.dll - we don't want to allow
+ // external access to this function, as it contains details about
+ // the SharedSection which is used to sandbox future child processes.
+ const bool isCallerMozglue =
+ CheckForAddress(RETURN_ADDRESS(), L"mozglue.dll");
+ MOZ_ASSERT(isCallerMozglue);
+ if (!isCallerMozglue) {
+ return nullptr;
+ }
+
+ freestanding::EnsureInitialized();
+ freestanding::LoaderPrivateAPI& api = freestanding::gLoaderPrivateAPI;
+ api.SetObserver(aNewObserver);
+
+ return &api;
+}
+
+} // namespace mozilla
diff --git a/browser/app/winlauncher/ProcThreadAttributes.h b/browser/app/winlauncher/ProcThreadAttributes.h
new file mode 100644
index 0000000000..74d5fee06c
--- /dev/null
+++ b/browser/app/winlauncher/ProcThreadAttributes.h
@@ -0,0 +1,159 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_ProcThreadAttributes_h
+#define mozilla_ProcThreadAttributes_h
+
+#include <windows.h>
+
+#include <utility>
+
+#include "mozilla/Attributes.h"
+#include "mozilla/Maybe.h"
+#include "mozilla/UniquePtr.h"
+#include "mozilla/Vector.h"
+
+namespace mozilla {
+
+class MOZ_RAII ProcThreadAttributes final {
+ struct ProcThreadAttributeListDeleter {
+ void operator()(LPPROC_THREAD_ATTRIBUTE_LIST aList) {
+ ::DeleteProcThreadAttributeList(aList);
+ delete[] reinterpret_cast<char*>(aList);
+ }
+ };
+
+ using ProcThreadAttributeListPtr =
+ UniquePtr<_PROC_THREAD_ATTRIBUTE_LIST, ProcThreadAttributeListDeleter>;
+
+ public:
+ ProcThreadAttributes() : mMitigationPolicies(0) {}
+
+ ~ProcThreadAttributes() = default;
+
+ ProcThreadAttributes(const ProcThreadAttributes&) = delete;
+ ProcThreadAttributes(ProcThreadAttributes&&) = delete;
+ ProcThreadAttributes& operator=(const ProcThreadAttributes&) = delete;
+ ProcThreadAttributes& operator=(ProcThreadAttributes&&) = delete;
+
+ void AddMitigationPolicy(DWORD64 aPolicy) { mMitigationPolicies |= aPolicy; }
+
+ bool AddInheritableHandle(HANDLE aHandle) {
+ DWORD type = ::GetFileType(aHandle);
+ if (type != FILE_TYPE_DISK && type != FILE_TYPE_PIPE) {
+ return false;
+ }
+
+ if (!::SetHandleInformation(aHandle, HANDLE_FLAG_INHERIT,
+ HANDLE_FLAG_INHERIT)) {
+ return false;
+ }
+
+ return mInheritableHandles.append(aHandle);
+ }
+
+ template <size_t N>
+ bool AddInheritableHandles(HANDLE (&aHandles)[N]) {
+ bool ok = true;
+ for (auto handle : aHandles) {
+ ok &= AddInheritableHandle(handle);
+ }
+
+ return ok;
+ }
+
+ bool HasMitigationPolicies() const { return !!mMitigationPolicies; }
+
+ bool HasInheritableHandles() const { return !mInheritableHandles.empty(); }
+
+ /**
+ * @return false if the STARTUPINFOEXW::lpAttributeList was set to null
+ * as expected based on the state of |this|;
+ * true if the STARTUPINFOEXW::lpAttributeList was set to
+ * non-null;
+ */
+ LauncherResult<bool> AssignTo(STARTUPINFOEXW& aSiex) {
+ ZeroMemory(&aSiex, sizeof(STARTUPINFOEXW));
+
+ // We'll set the size to sizeof(STARTUPINFOW) until we determine whether the
+ // extended fields will be used.
+ aSiex.StartupInfo.cb = sizeof(STARTUPINFOW);
+
+ DWORD numAttributes = 0;
+ if (HasMitigationPolicies()) {
+ ++numAttributes;
+ }
+
+ if (HasInheritableHandles()) {
+ ++numAttributes;
+ }
+
+ if (!numAttributes) {
+ return false;
+ }
+
+ SIZE_T listSize = 0;
+ if (!::InitializeProcThreadAttributeList(nullptr, numAttributes, 0,
+ &listSize)) {
+ DWORD err = ::GetLastError();
+ if (err != ERROR_INSUFFICIENT_BUFFER) {
+ return LAUNCHER_ERROR_FROM_WIN32(err);
+ }
+ }
+
+ auto buf = MakeUnique<char[]>(listSize);
+
+ LPPROC_THREAD_ATTRIBUTE_LIST tmpList =
+ reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(buf.get());
+
+ if (!::InitializeProcThreadAttributeList(tmpList, numAttributes, 0,
+ &listSize)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ // Transfer buf to a ProcThreadAttributeListPtr - now that the list is
+ // initialized, we are no longer dealing with a plain old char array. We
+ // must now deinitialize the attribute list before deallocating the
+ // underlying buffer.
+ ProcThreadAttributeListPtr attrList(
+ reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(buf.release()));
+
+ if (mMitigationPolicies) {
+ if (!::UpdateProcThreadAttribute(
+ attrList.get(), 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
+ &mMitigationPolicies, sizeof(mMitigationPolicies), nullptr,
+ nullptr)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+ }
+
+ if (!mInheritableHandles.empty()) {
+ if (!::UpdateProcThreadAttribute(
+ attrList.get(), 0, PROC_THREAD_ATTRIBUTE_HANDLE_LIST,
+ mInheritableHandles.begin(),
+ mInheritableHandles.length() * sizeof(HANDLE), nullptr,
+ nullptr)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+ }
+
+ mAttrList = std::move(attrList);
+ aSiex.lpAttributeList = mAttrList.get();
+ aSiex.StartupInfo.cb = sizeof(STARTUPINFOEXW);
+ return true;
+ }
+
+ private:
+ static const uint32_t kNumInline = 3; // Inline storage for the std handles
+
+ DWORD64 mMitigationPolicies;
+ Vector<HANDLE, kNumInline> mInheritableHandles;
+ ProcThreadAttributeListPtr mAttrList;
+};
+
+} // namespace mozilla
+
+#endif // mozilla_ProcThreadAttributes_h
diff --git a/browser/app/winlauncher/SameBinary.h b/browser/app/winlauncher/SameBinary.h
new file mode 100644
index 0000000000..e8fa78600f
--- /dev/null
+++ b/browser/app/winlauncher/SameBinary.h
@@ -0,0 +1,146 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_SameBinary_h
+#define mozilla_SameBinary_h
+
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "mozilla/NativeNt.h"
+#include "nsWindowsHelpers.h"
+
+namespace mozilla {
+
+class ProcessImagePath final {
+ PathType mType;
+ LauncherVoidResult mLastError;
+
+ // Using a larger buffer because an NT path may exceed MAX_PATH.
+ WCHAR mPathBuffer[(MAX_PATH * 2) + 1];
+
+ public:
+ // Initialize with an NT path string of a given process handle
+ explicit ProcessImagePath(const nsAutoHandle& aProcess)
+ : mType(PathType::eNtPath), mLastError(Ok()) {
+ DWORD len = mozilla::ArrayLength(mPathBuffer);
+ if (!::QueryFullProcessImageNameW(aProcess.get(), PROCESS_NAME_NATIVE,
+ mPathBuffer, &len)) {
+ mLastError = LAUNCHER_ERROR_FROM_LAST();
+ return;
+ }
+ }
+
+ // Initizlize with a DOS path string of a given imagebase address
+ explicit ProcessImagePath(HMODULE aImageBase)
+ : mType(PathType::eDosPath), mLastError(Ok()) {
+ DWORD len = ::GetModuleFileNameW(aImageBase, mPathBuffer,
+ mozilla::ArrayLength(mPathBuffer));
+ if (!len || len == mozilla::ArrayLength(mPathBuffer)) {
+ mLastError = LAUNCHER_ERROR_FROM_LAST();
+ return;
+ }
+ }
+
+ bool IsError() const { return mLastError.isErr(); }
+
+ const WindowsErrorType& GetError() const { return mLastError.inspectErr(); }
+
+ FileUniqueId GetId() const { return FileUniqueId(mPathBuffer, mType); }
+
+ bool CompareNtPaths(const ProcessImagePath& aOther) const {
+ if (mLastError.isErr() || aOther.mLastError.isErr() ||
+ mType != PathType::eNtPath || aOther.mType != PathType::eNtPath) {
+ return false;
+ }
+
+ UNICODE_STRING path1, path2;
+ ::RtlInitUnicodeString(&path1, mPathBuffer);
+ ::RtlInitUnicodeString(&path2, aOther.mPathBuffer);
+ return !!::RtlEqualUnicodeString(&path1, &path2, TRUE);
+ }
+};
+
+enum class ImageFileCompareOption {
+ Default,
+ CompareNtPathsOnly,
+};
+
+static inline mozilla::LauncherResult<bool> IsSameBinaryAsParentProcess(
+ ImageFileCompareOption aOption = ImageFileCompareOption::Default) {
+ mozilla::LauncherResult<DWORD> parentPid = mozilla::nt::GetParentProcessId();
+ if (parentPid.isErr()) {
+ return parentPid.propagateErr();
+ }
+
+ nsAutoHandle parentProcess(::OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION,
+ FALSE, parentPid.unwrap()));
+ if (!parentProcess.get()) {
+ DWORD err = ::GetLastError();
+ if (err == ERROR_INVALID_PARAMETER || err == ERROR_ACCESS_DENIED) {
+ // In the ERROR_INVALID_PARAMETER case, the process identified by
+ // parentPid has already exited. This is a common case when the parent
+ // process is not Firefox, thus we should return false instead of erroring
+ // out.
+ // The ERROR_ACCESS_DENIED case can happen when the parent process is
+ // something that we don't have permission to query. For example, we may
+ // encounter this when Firefox is launched by the Windows Task Scheduler.
+ return false;
+ }
+
+ return LAUNCHER_ERROR_FROM_WIN32(err);
+ }
+
+ ProcessImagePath parentExe(parentProcess);
+ if (parentExe.IsError()) {
+ return ::mozilla::Err(parentExe.GetError());
+ }
+
+ if (aOption == ImageFileCompareOption::Default) {
+ bool skipFileIdComparison = false;
+
+ FileUniqueId id1 = parentExe.GetId();
+ if (id1.IsError()) {
+ // We saw a number of Win7 users failed to call NtOpenFile with
+ // STATUS_OBJECT_PATH_NOT_FOUND for an unknown reason. In this
+ // particular case, we fall back to the logic to compare NT path
+ // strings instead of a file id which will not fail because we don't
+ // need to open a file handle.
+#if !defined(STATUS_OBJECT_PATH_NOT_FOUND)
+ constexpr NTSTATUS STATUS_OBJECT_PATH_NOT_FOUND = 0xc000003a;
+#endif
+ const LauncherError& err = id1.GetError();
+ if (err.mError !=
+ WindowsError::FromNtStatus(STATUS_OBJECT_PATH_NOT_FOUND)) {
+ return ::mozilla::Err(err);
+ }
+
+ skipFileIdComparison = true;
+ }
+
+ if (!skipFileIdComparison) {
+ ProcessImagePath ourExe(nullptr);
+ if (ourExe.IsError()) {
+ return ::mozilla::Err(ourExe.GetError());
+ }
+
+ FileUniqueId id2 = ourExe.GetId();
+ if (id2.IsError()) {
+ return ::mozilla::Err(id2.GetError());
+ }
+ return id1 == id2;
+ }
+ }
+
+ nsAutoHandle ourProcess(::GetCurrentProcess());
+ ProcessImagePath ourExeNt(ourProcess);
+ if (ourExeNt.IsError()) {
+ return ::mozilla::Err(ourExeNt.GetError());
+ }
+ return parentExe.CompareNtPaths(ourExeNt);
+}
+
+} // namespace mozilla
+
+#endif // mozilla_SameBinary_h
diff --git a/browser/app/winlauncher/freestanding/CheckForCaller.h b/browser/app/winlauncher/freestanding/CheckForCaller.h
new file mode 100644
index 0000000000..799d16cd1f
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/CheckForCaller.h
@@ -0,0 +1,36 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_CheckForCaller_h
+#define mozilla_freestanding_CheckForCaller_h
+
+namespace mozilla {
+
+#if defined(_MSC_VER)
+# include <intrin.h>
+# pragma intrinsic(_ReturnAddress)
+# define RETURN_ADDRESS() _ReturnAddress()
+#elif defined(__GNUC__) || defined(__clang__)
+# define RETURN_ADDRESS() \
+ __builtin_extract_return_addr(__builtin_return_address(0))
+#endif
+
+template <int N>
+bool CheckForAddress(void* aReturnAddress, const wchar_t (&aName)[N]) {
+ HMODULE callingModule;
+ if (!::GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
+ GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
+ reinterpret_cast<LPCWSTR>(aReturnAddress),
+ &callingModule)) {
+ return false;
+ }
+
+ return callingModule && callingModule == ::GetModuleHandleW(aName);
+}
+
+} // namespace mozilla
+
+#endif // mozilla_freestanding_CheckForCaller_h
diff --git a/browser/app/winlauncher/freestanding/DllBlocklist.cpp b/browser/app/winlauncher/freestanding/DllBlocklist.cpp
new file mode 100644
index 0000000000..ce5937aeef
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/DllBlocklist.cpp
@@ -0,0 +1,487 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Attributes.h"
+#include "mozilla/BinarySearch.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/Types.h"
+#include "mozilla/WindowsDllBlocklist.h"
+
+#include "CrashAnnotations.h"
+#include "DllBlocklist.h"
+#include "LoaderPrivateAPI.h"
+#include "ModuleLoadFrame.h"
+#include "SharedSection.h"
+
+#define DLL_BLOCKLIST_ENTRY(name, ...) \
+ {MOZ_LITERAL_UNICODE_STRING(L##name), __VA_ARGS__},
+#define DLL_BLOCKLIST_STRING_TYPE UNICODE_STRING
+
+#if defined(MOZ_LAUNCHER_PROCESS) || defined(NIGHTLY_BUILD)
+# include "mozilla/WindowsDllBlocklistLauncherDefs.h"
+#else
+# include "mozilla/WindowsDllBlocklistCommon.h"
+DLL_BLOCKLIST_DEFINITIONS_BEGIN
+DLL_BLOCKLIST_DEFINITIONS_END
+#endif
+
+using WritableBuffer = mozilla::glue::detail::WritableBuffer<1024>;
+
+class MOZ_STATIC_CLASS MOZ_TRIVIAL_CTOR_DTOR NativeNtBlockSet final {
+ struct NativeNtBlockSetEntry {
+ NativeNtBlockSetEntry() = default;
+ ~NativeNtBlockSetEntry() = default;
+ NativeNtBlockSetEntry(const UNICODE_STRING& aName, uint64_t aVersion,
+ NativeNtBlockSetEntry* aNext)
+ : mName(aName), mVersion(aVersion), mNext(aNext) {}
+ UNICODE_STRING mName;
+ uint64_t mVersion;
+ NativeNtBlockSetEntry* mNext;
+ };
+
+ public:
+ // Constructor and destructor MUST be trivial
+ constexpr NativeNtBlockSet() : mFirstEntry(nullptr) {}
+ ~NativeNtBlockSet() = default;
+
+ void Add(const UNICODE_STRING& aName, uint64_t aVersion);
+ void Write(WritableBuffer& buffer);
+
+ private:
+ static NativeNtBlockSetEntry* NewEntry(const UNICODE_STRING& aName,
+ uint64_t aVersion,
+ NativeNtBlockSetEntry* aNextEntry);
+
+ private:
+ NativeNtBlockSetEntry* mFirstEntry;
+ mozilla::nt::SRWLock mLock;
+};
+
+NativeNtBlockSet::NativeNtBlockSetEntry* NativeNtBlockSet::NewEntry(
+ const UNICODE_STRING& aName, uint64_t aVersion,
+ NativeNtBlockSet::NativeNtBlockSetEntry* aNextEntry) {
+ return mozilla::freestanding::RtlNew<NativeNtBlockSetEntry>(aName, aVersion,
+ aNextEntry);
+}
+
+void NativeNtBlockSet::Add(const UNICODE_STRING& aName, uint64_t aVersion) {
+ mozilla::nt::AutoExclusiveLock lock(mLock);
+
+ for (NativeNtBlockSetEntry* entry = mFirstEntry; entry;
+ entry = entry->mNext) {
+ if (::RtlEqualUnicodeString(&entry->mName, &aName, TRUE) &&
+ aVersion == entry->mVersion) {
+ return;
+ }
+ }
+
+ // Not present, add it
+ NativeNtBlockSetEntry* newEntry = NewEntry(aName, aVersion, mFirstEntry);
+ if (newEntry) {
+ mFirstEntry = newEntry;
+ }
+}
+
+void NativeNtBlockSet::Write(WritableBuffer& aBuffer) {
+ // NB: If this function is called, it is long after kernel32 is initialized,
+ // so it is safe to use Win32 calls here.
+ char buf[MAX_PATH];
+
+ // It would be nicer to use RAII here. However, its destructor
+ // might not run if an exception occurs, in which case we would never release
+ // the lock (MSVC warns about this possibility). So we acquire and release
+ // manually.
+ ::AcquireSRWLockExclusive(&mLock);
+
+ MOZ_SEH_TRY {
+ for (auto entry = mFirstEntry; entry; entry = entry->mNext) {
+ int convOk = ::WideCharToMultiByte(CP_UTF8, 0, entry->mName.Buffer,
+ entry->mName.Length / sizeof(wchar_t),
+ buf, sizeof(buf), nullptr, nullptr);
+ if (!convOk) {
+ continue;
+ }
+
+ // write name[,v.v.v.v];
+ aBuffer.Write(buf, convOk);
+
+ if (entry->mVersion != DllBlockInfo::ALL_VERSIONS) {
+ aBuffer.Write(",", 1);
+ uint16_t parts[4];
+ parts[0] = entry->mVersion >> 48;
+ parts[1] = (entry->mVersion >> 32) & 0xFFFF;
+ parts[2] = (entry->mVersion >> 16) & 0xFFFF;
+ parts[3] = entry->mVersion & 0xFFFF;
+ for (size_t p = 0; p < mozilla::ArrayLength(parts); ++p) {
+ _ltoa_s(parts[p], buf, sizeof(buf), 10);
+ aBuffer.Write(buf, strlen(buf));
+ if (p != mozilla::ArrayLength(parts) - 1) {
+ aBuffer.Write(".", 1);
+ }
+ }
+ }
+ aBuffer.Write(";", 1);
+ }
+ }
+ MOZ_SEH_EXCEPT(EXCEPTION_EXECUTE_HANDLER) {}
+
+ ::ReleaseSRWLockExclusive(&mLock);
+}
+
+static NativeNtBlockSet gBlockSet;
+
+extern "C" void MOZ_EXPORT
+NativeNtBlockSet_Write(CrashReporter::AnnotationWriter& aWriter) {
+ WritableBuffer buffer;
+ gBlockSet.Write(buffer);
+ aWriter.Write(CrashReporter::Annotation::BlockedDllList, buffer.Data(),
+ buffer.Length());
+}
+
+enum class BlockAction {
+ Allow,
+ SubstituteLSP,
+ Error,
+ Deny,
+ NoOpEntryPoint,
+};
+
+static BlockAction CheckBlockInfo(const DllBlockInfo* aInfo,
+ const mozilla::nt::PEHeaders& aHeaders,
+ uint64_t& aVersion) {
+ aVersion = DllBlockInfo::ALL_VERSIONS;
+
+ if (aInfo->mFlags & (DllBlockInfo::BLOCK_WIN8_AND_OLDER |
+ DllBlockInfo::BLOCK_WIN7_AND_OLDER)) {
+ RTL_OSVERSIONINFOW osv = {sizeof(osv)};
+ NTSTATUS ntStatus = ::RtlGetVersion(&osv);
+ if (!NT_SUCCESS(ntStatus)) {
+ return BlockAction::Error;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfo::BLOCK_WIN8_AND_OLDER) &&
+ (osv.dwMajorVersion > 6 ||
+ (osv.dwMajorVersion == 6 && osv.dwMinorVersion > 2))) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfo::BLOCK_WIN7_AND_OLDER) &&
+ (osv.dwMajorVersion > 6 ||
+ (osv.dwMajorVersion == 6 && osv.dwMinorVersion > 1))) {
+ return BlockAction::Allow;
+ }
+ }
+
+ if ((aInfo->mFlags & DllBlockInfo::CHILD_PROCESSES_ONLY) &&
+ !(gBlocklistInitFlags & eDllBlocklistInitFlagIsChildProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfo::UTILITY_PROCESSES_ONLY) &&
+ !(gBlocklistInitFlags & eDllBlocklistInitFlagIsUtilityProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfo::SOCKET_PROCESSES_ONLY) &&
+ !(gBlocklistInitFlags & eDllBlocklistInitFlagIsSocketProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if ((aInfo->mFlags & DllBlockInfo::BROWSER_PROCESS_ONLY) &&
+ (gBlocklistInitFlags & eDllBlocklistInitFlagIsChildProcess)) {
+ return BlockAction::Allow;
+ }
+
+ if (aInfo->mMaxVersion == DllBlockInfo::ALL_VERSIONS) {
+ return BlockAction::Deny;
+ }
+
+ if (!aHeaders) {
+ return BlockAction::Error;
+ }
+
+ if (aInfo->mFlags & DllBlockInfo::USE_TIMESTAMP) {
+ DWORD timestamp;
+ if (!aHeaders.GetTimeStamp(timestamp)) {
+ return BlockAction::Error;
+ }
+
+ if (timestamp > aInfo->mMaxVersion) {
+ return BlockAction::Allow;
+ }
+
+ return BlockAction::Deny;
+ }
+
+ // Else we try to get the file version information. Note that we don't have
+ // access to GetFileVersionInfo* APIs.
+ if (!aHeaders.GetVersionInfo(aVersion)) {
+ return BlockAction::Error;
+ }
+
+ if (aInfo->IsVersionBlocked(aVersion)) {
+ return BlockAction::Deny;
+ }
+
+ return BlockAction::Allow;
+}
+
+static BOOL WINAPI NoOp_DllMain(HINSTANCE, DWORD, LPVOID) { return TRUE; }
+
+// This helper function checks whether a given module is included
+// in the executable's Import Table. Because an injected module's
+// DllMain may revert the Import Table to the original state, we parse
+// the Import Table every time a module is loaded without creating a cache.
+static bool IsDependentModule(
+ const UNICODE_STRING& aModuleLeafName,
+ mozilla::freestanding::Kernel32ExportsSolver& aK32Exports) {
+ // We enable automatic DLL blocking only in early Beta or earlier for now
+ // because it caused a compat issue (bug 1682304 and 1704373).
+#if defined(EARLY_BETA_OR_EARLIER)
+ mozilla::nt::PEHeaders exeHeaders(aK32Exports.mGetModuleHandleW(nullptr));
+ if (!exeHeaders || !exeHeaders.IsImportDirectoryTampered()) {
+ // If no tampering is detected, no need to enumerate the Import Table.
+ return false;
+ }
+
+ bool isDependent = false;
+ exeHeaders.EnumImportChunks(
+ [&isDependent, &aModuleLeafName, &exeHeaders](const char* aDepModule) {
+ // If |aDepModule| is within the PE image, it's not an injected module
+ // but a legitimate dependent module.
+ if (isDependent || exeHeaders.IsWithinImage(aDepModule)) {
+ return;
+ }
+
+ UNICODE_STRING depModuleLeafName;
+ mozilla::nt::AllocatedUnicodeString depModuleName(aDepModule);
+ mozilla::nt::GetLeafName(&depModuleLeafName, depModuleName);
+ isDependent = (::RtlCompareUnicodeString(
+ &aModuleLeafName, &depModuleLeafName, TRUE) == 0);
+ });
+ return isDependent;
+#else
+ return false;
+#endif
+}
+
+// Allowing a module to be loaded but detour the entrypoint to NoOp_DllMain
+// so that the module has no chance to interact with our code. We need this
+// technique to safely block a module injected by IAT tampering because
+// blocking such a module makes a process fail to launch.
+static bool RedirectToNoOpEntryPoint(
+ const mozilla::nt::PEHeaders& aModule,
+ mozilla::freestanding::Kernel32ExportsSolver& aK32Exports) {
+ mozilla::interceptor::WindowsDllEntryPointInterceptor interceptor(
+ aK32Exports);
+ if (!interceptor.Set(aModule, NoOp_DllMain)) {
+ return false;
+ }
+
+ return true;
+}
+
+static BlockAction DetermineBlockAction(
+ const UNICODE_STRING& aLeafName, void* aBaseAddress,
+ mozilla::freestanding::Kernel32ExportsSolver* aK32Exports) {
+ if (mozilla::nt::Contains12DigitHexString(aLeafName) ||
+ mozilla::nt::IsFileNameAtLeast16HexDigits(aLeafName)) {
+ return BlockAction::Deny;
+ }
+
+ DECLARE_POINTER_TO_FIRST_DLL_BLOCKLIST_ENTRY(info);
+ DECLARE_DLL_BLOCKLIST_NUM_ENTRIES(infoNumEntries);
+
+ mozilla::freestanding::DllBlockInfoComparator comp(aLeafName);
+
+ size_t match;
+ bool onBuiltinList = BinarySearchIf(info, 0, infoNumEntries, comp, &match);
+ const DllBlockInfo* entry = nullptr;
+ mozilla::nt::PEHeaders headers(aBaseAddress);
+ uint64_t version;
+ BlockAction checkResult = BlockAction::Allow;
+ if (onBuiltinList) {
+ entry = &info[match];
+ checkResult = CheckBlockInfo(entry, headers, version);
+ }
+ mozilla::DebugOnly<bool> blockedByDynamicBlocklist = false;
+ // Make sure we handle a case that older versions are blocked by the static
+ // list, but the dynamic list blocks all versions.
+ if (checkResult == BlockAction::Allow) {
+ if (!mozilla::freestanding::gSharedSection.IsDisabled()) {
+ entry = mozilla::freestanding::gSharedSection.SearchBlocklist(aLeafName);
+ if (entry) {
+ checkResult = CheckBlockInfo(entry, headers, version);
+ blockedByDynamicBlocklist = checkResult != BlockAction::Allow;
+ }
+ }
+ }
+ if (checkResult == BlockAction::Allow) {
+ return BlockAction::Allow;
+ }
+
+ gBlockSet.Add(entry->mName, version);
+
+ if ((entry->mFlags & DllBlockInfo::REDIRECT_TO_NOOP_ENTRYPOINT) &&
+ aK32Exports && RedirectToNoOpEntryPoint(headers, *aK32Exports)) {
+ MOZ_ASSERT(!blockedByDynamicBlocklist, "dynamic blocklist has redirect?");
+ return BlockAction::NoOpEntryPoint;
+ }
+
+ return checkResult;
+}
+
+namespace mozilla {
+namespace freestanding {
+
+CrossProcessDllInterceptor::FuncHookType<LdrLoadDllPtr> stub_LdrLoadDll;
+
+NTSTATUS NTAPI patched_LdrLoadDll(PWCHAR aDllPath, PULONG aFlags,
+ PUNICODE_STRING aDllName,
+ PHANDLE aOutHandle) {
+ ModuleLoadFrame frame(aDllName);
+
+ NTSTATUS ntStatus = stub_LdrLoadDll(aDllPath, aFlags, aDllName, aOutHandle);
+
+ return frame.SetLoadStatus(ntStatus, aOutHandle);
+}
+
+CrossProcessDllInterceptor::FuncHookType<NtMapViewOfSectionPtr>
+ stub_NtMapViewOfSection;
+
+NTSTATUS NTAPI patched_NtMapViewOfSection(
+ HANDLE aSection, HANDLE aProcess, PVOID* aBaseAddress, ULONG_PTR aZeroBits,
+ SIZE_T aCommitSize, PLARGE_INTEGER aSectionOffset, PSIZE_T aViewSize,
+ SECTION_INHERIT aInheritDisposition, ULONG aAllocationType,
+ ULONG aProtectionFlags) {
+ // We always map first, then we check for additional info after.
+ NTSTATUS stubStatus = stub_NtMapViewOfSection(
+ aSection, aProcess, aBaseAddress, aZeroBits, aCommitSize, aSectionOffset,
+ aViewSize, aInheritDisposition, aAllocationType, aProtectionFlags);
+ if (!NT_SUCCESS(stubStatus)) {
+ return stubStatus;
+ }
+
+ if (aProcess != nt::kCurrentProcess) {
+ // We're only interested in mapping for the current process.
+ return stubStatus;
+ }
+
+ // Do a query to see if the memory is MEM_IMAGE. If not, continue
+ MEMORY_BASIC_INFORMATION mbi;
+ NTSTATUS ntStatus =
+ ::NtQueryVirtualMemory(aProcess, *aBaseAddress, MemoryBasicInformation,
+ &mbi, sizeof(mbi), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ return STATUS_ACCESS_DENIED;
+ }
+
+ // We don't care about mappings that aren't MEM_IMAGE or executable.
+ // We check for the AllocationProtect, not the Protect field because
+ // the first section of a mapped image is always PAGE_READONLY even
+ // when it's mapped as an executable.
+ constexpr DWORD kPageExecutable = PAGE_EXECUTE | PAGE_EXECUTE_READ |
+ PAGE_EXECUTE_READWRITE |
+ PAGE_EXECUTE_WRITECOPY;
+ if (!(mbi.Type & MEM_IMAGE) || !(mbi.AllocationProtect & kPageExecutable)) {
+ return stubStatus;
+ }
+
+ // Get the section name
+ nt::MemorySectionNameBuf sectionFileName(
+ gLoaderPrivateAPI.GetSectionNameBuffer(*aBaseAddress));
+ if (sectionFileName.IsEmpty()) {
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ return STATUS_ACCESS_DENIED;
+ }
+
+ // Find the leaf name
+ UNICODE_STRING leafOnStack;
+ nt::GetLeafName(&leafOnStack, sectionFileName);
+
+ bool isDependent = false;
+ const UNICODE_STRING k32Name = MOZ_LITERAL_UNICODE_STRING(L"kernel32.dll");
+ Kernel32ExportsSolver* k32Exports = nullptr;
+ BlockAction blockAction;
+ // Trying to get the Kernel32Exports while loading kernel32.dll causes Firefox
+ // to crash. (but only during a profile-guided optimization run, oddly) We
+ // know we're never going to block kernel32.dll, so skip all this
+ if (::RtlCompareUnicodeString(&k32Name, &leafOnStack, TRUE) == 0) {
+ blockAction = BlockAction::Allow;
+ } else {
+ k32Exports = gSharedSection.GetKernel32Exports();
+ // Small optimization: Since loading a dependent module does not involve
+ // LdrLoadDll, we know isDependent is false if we hold a top frame.
+ if (k32Exports && !ModuleLoadFrame::ExistsTopFrame()) {
+ isDependent = IsDependentModule(leafOnStack, *k32Exports);
+ }
+
+ if (isDependent) {
+ // Add an NT dv\path to the shared section so that a sandbox process can
+ // use it to bypass CIG. In a sandbox process, this addition fails
+ // because we cannot map the section to a writable region, but it's
+ // ignorable because the paths have been added by the browser process.
+ Unused << gSharedSection.AddDependentModule(sectionFileName);
+
+ // For a dependent module, try redirection instead of blocking it.
+ // If we fail, we reluctantly allow the module for free.
+ mozilla::nt::PEHeaders headers(*aBaseAddress);
+ blockAction = RedirectToNoOpEntryPoint(headers, *k32Exports)
+ ? BlockAction::NoOpEntryPoint
+ : BlockAction::Allow;
+ } else {
+ // Check blocklist
+ blockAction =
+ DetermineBlockAction(leafOnStack, *aBaseAddress, k32Exports);
+ }
+ }
+
+ ModuleLoadInfo::Status loadStatus = ModuleLoadInfo::Status::Blocked;
+
+ switch (blockAction) {
+ case BlockAction::Allow:
+ loadStatus = ModuleLoadInfo::Status::Loaded;
+ break;
+
+ case BlockAction::NoOpEntryPoint:
+ loadStatus = ModuleLoadInfo::Status::Redirected;
+ break;
+
+ case BlockAction::SubstituteLSP:
+ // The process heap needs to be available here because
+ // NotifyLSPSubstitutionRequired below copies a given string into
+ // the heap. We use a soft assert here, assuming LSP load always
+ // occurs after the heap is initialized.
+ MOZ_ASSERT(nt::RtlGetProcessHeap());
+
+ // Notify patched_LdrLoadDll that it will be necessary to perform
+ // a substitution before returning.
+ ModuleLoadFrame::NotifyLSPSubstitutionRequired(&leafOnStack);
+ break;
+
+ default:
+ break;
+ }
+
+ if (nt::RtlGetProcessHeap()) {
+ ModuleLoadFrame::NotifySectionMap(
+ nt::AllocatedUnicodeString(sectionFileName), *aBaseAddress, stubStatus,
+ loadStatus, isDependent);
+ }
+
+ if (loadStatus == ModuleLoadInfo::Status::Loaded ||
+ loadStatus == ModuleLoadInfo::Status::Redirected) {
+ return stubStatus;
+ }
+
+ ::NtUnmapViewOfSection(aProcess, *aBaseAddress);
+ return STATUS_ACCESS_DENIED;
+}
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/DllBlocklist.h b/browser/app/winlauncher/freestanding/DllBlocklist.h
new file mode 100644
index 0000000000..153a1dfb28
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/DllBlocklist.h
@@ -0,0 +1,38 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_DllBlocklist_h
+#define mozilla_freestanding_DllBlocklist_h
+
+#include "mozilla/NativeNt.h"
+#include "nsWindowsDllInterceptor.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+
+namespace mozilla {
+namespace freestanding {
+
+NTSTATUS NTAPI patched_LdrLoadDll(PWCHAR aDllPath, PULONG aFlags,
+ PUNICODE_STRING aDllName, PHANDLE aOutHandle);
+
+NTSTATUS NTAPI patched_NtMapViewOfSection(
+ HANDLE aSection, HANDLE aProcess, PVOID* aBaseAddress, ULONG_PTR aZeroBits,
+ SIZE_T aCommitSize, PLARGE_INTEGER aSectionOffset, PSIZE_T aViewSize,
+ SECTION_INHERIT aInheritDisposition, ULONG aAllocationType,
+ ULONG aProtectionFlags);
+
+using LdrLoadDllPtr = decltype(&::LdrLoadDll);
+
+extern CrossProcessDllInterceptor::FuncHookType<LdrLoadDllPtr> stub_LdrLoadDll;
+
+using NtMapViewOfSectionPtr = decltype(&::NtMapViewOfSection);
+
+extern CrossProcessDllInterceptor::FuncHookType<NtMapViewOfSectionPtr>
+ stub_NtMapViewOfSection;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_DllBlocklist_h
diff --git a/browser/app/winlauncher/freestanding/Freestanding.h b/browser/app/winlauncher/freestanding/Freestanding.h
new file mode 100644
index 0000000000..03999f231e
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/Freestanding.h
@@ -0,0 +1,67 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_Freestanding_h
+#define mozilla_freestanding_Freestanding_h
+
+/**
+ * This header is automatically included in all source code residing in the
+ * /browser/app/winlauncher/freestanding directory.
+ */
+
+#if defined(__STDC_HOSTED__) && __STDC_HOSTED__ == 1
+# error "This header should only be included by freestanding code"
+#endif // defined(__STDC_HOSTED__) && __STDC_HOSTED__ == 1
+
+#define MOZ_USE_LAUNCHER_ERROR
+#include "mozilla/NativeNt.h"
+
+namespace mozilla {
+namespace freestanding {
+
+/**
+ * Since this library is the only part of firefox.exe that needs special
+ * treatment with respect to the heap, we implement |RtlNew| and |RtlDelete|
+ * to be used instead of |new| and |delete| for any heap allocations inside
+ * the freestanding library.
+ */
+template <typename T, typename... Args>
+inline static T* RtlNew(Args&&... aArgs) {
+ HANDLE processHeap = nt::RtlGetProcessHeap();
+ if (!processHeap) {
+ // Handle the case where the process heap is not initialized because
+ // passing nullptr to RtlAllocateHeap crashes the process.
+ return nullptr;
+ }
+
+ void* ptr = ::RtlAllocateHeap(processHeap, 0, sizeof(T));
+ if (!ptr) {
+ return nullptr;
+ }
+
+ return new (ptr) T(std::forward<Args>(aArgs)...);
+}
+
+template <typename T>
+inline static void RtlDelete(T* aPtr) {
+ if (!aPtr) {
+ return;
+ }
+
+ aPtr->~T();
+ ::RtlFreeHeap(nt::RtlGetProcessHeap(), 0, aPtr);
+}
+
+} // namespace freestanding
+} // namespace mozilla
+
+// Initialization code for all statically-allocated data in freestanding is
+// placed into a separate section. This allows us to initialize any
+// freestanding statics without needing to initialize everything else in this
+// binary.
+#pragma init_seg(".freestd$g")
+
+#endif // mozilla_freestanding_Freestanding_h
diff --git a/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp
new file mode 100644
index 0000000000..908ebbdc91
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.cpp
@@ -0,0 +1,292 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "LoaderPrivateAPI.h"
+
+#include "mozilla/Assertions.h"
+#include "mozilla/Types.h"
+#include "mozilla/Unused.h"
+#include "../DllBlocklistInit.h"
+#include "../ErrorHandler.h"
+
+using GlobalInitializerFn = void(__cdecl*)(void);
+
+// Allocation of static initialization section for the freestanding library
+#pragma section(".freestd$a", read)
+__declspec(allocate(".freestd$a")) static const GlobalInitializerFn
+ FreeStdStart = reinterpret_cast<GlobalInitializerFn>(0);
+
+#pragma section(".freestd$z", read)
+__declspec(allocate(".freestd$z")) static const GlobalInitializerFn FreeStdEnd =
+ reinterpret_cast<GlobalInitializerFn>(0);
+
+namespace mozilla {
+namespace freestanding {
+
+static RTL_RUN_ONCE gRunOnce = RTL_RUN_ONCE_INIT;
+
+// The contract for this callback is identical to the InitOnceCallback from
+// Win32 land; we're just using ntdll-layer types instead.
+static ULONG NTAPI DoOneTimeInit(PRTL_RUN_ONCE aRunOnce, PVOID aParameter,
+ PVOID* aContext) {
+ // Invoke every static initializer in the .freestd section
+ const GlobalInitializerFn* cur = &FreeStdStart + 1;
+ while (cur < &FreeStdEnd) {
+ if (*cur) {
+ (*cur)();
+ }
+
+ ++cur;
+ }
+
+ return TRUE;
+}
+
+/**
+ * This observer is only used until the mozglue observer connects itself.
+ * All we do here is accumulate the module loads into a vector.
+ * As soon as mozglue connects, we call |Forward| on mozglue's LoaderObserver
+ * to pass our vector on for further processing. This object then becomes
+ * defunct.
+ */
+class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS DefaultLoaderObserver final
+ : public nt::LoaderObserver {
+ public:
+ constexpr DefaultLoaderObserver() : mModuleLoads(nullptr) {}
+
+ void OnBeginDllLoad(void** aContext,
+ PCUNICODE_STRING aRequestedDllName) final {}
+ bool SubstituteForLSP(PCUNICODE_STRING aLSPLeafName,
+ PHANDLE aOutHandle) final {
+ return false;
+ }
+ void OnEndDllLoad(void* aContext, NTSTATUS aNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) final;
+ void Forward(nt::LoaderObserver* aNext) final;
+ void OnForward(ModuleLoadInfoVec&& aInfo) final {
+ MOZ_ASSERT_UNREACHABLE("Not valid in freestanding::DefaultLoaderObserver");
+ }
+
+ private:
+ mozilla::nt::SRWLock mLock;
+ ModuleLoadInfoVec* mModuleLoads;
+};
+
+class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS LoaderPrivateAPIImp final
+ : public LoaderPrivateAPI {
+ public:
+ // LoaderAPI
+ ModuleLoadInfo ConstructAndNotifyBeginDllLoad(
+ void** aContext, PCUNICODE_STRING aRequestedDllName) final;
+ bool SubstituteForLSP(PCUNICODE_STRING aLSPLeafName,
+ PHANDLE aOutHandle) final;
+ void NotifyEndDllLoad(void* aContext, NTSTATUS aLoadNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) final;
+ nt::AllocatedUnicodeString GetSectionName(void* aSectionAddr) final;
+ nt::LoaderAPI::InitDllBlocklistOOPFnPtr GetDllBlocklistInitFn() final;
+ nt::LoaderAPI::HandleLauncherErrorFnPtr GetHandleLauncherErrorFn() final;
+ nt::SharedSection* GetSharedSection() final;
+
+ // LoaderPrivateAPI
+ void NotifyBeginDllLoad(void** aContext,
+ PCUNICODE_STRING aRequestedDllName) final;
+ void NotifyBeginDllLoad(ModuleLoadInfo& aModuleLoadInfo, void** aContext,
+ PCUNICODE_STRING aRequestedDllName) final;
+ void SetObserver(nt::LoaderObserver* aNewObserver) final;
+ bool IsDefaultObserver() const final;
+ nt::MemorySectionNameBuf GetSectionNameBuffer(void* aSectionAddr) final;
+};
+
+static void Init() {
+ DebugOnly<NTSTATUS> ntStatus =
+ ::RtlRunOnceExecuteOnce(&gRunOnce, &DoOneTimeInit, nullptr, nullptr);
+ MOZ_ASSERT(NT_SUCCESS(ntStatus));
+}
+
+} // namespace freestanding
+} // namespace mozilla
+
+static mozilla::freestanding::DefaultLoaderObserver gDefaultObserver;
+static mozilla::freestanding::LoaderPrivateAPIImp gPrivateAPI;
+
+static mozilla::nt::SRWLock gLoaderObserverLock;
+static mozilla::nt::LoaderObserver* gLoaderObserver = &gDefaultObserver;
+
+namespace mozilla {
+namespace freestanding {
+
+LoaderPrivateAPI& gLoaderPrivateAPI = gPrivateAPI;
+
+void DefaultLoaderObserver::OnEndDllLoad(void* aContext, NTSTATUS aNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) {
+ // If the DLL load failed, or if the DLL was loaded by a previous request
+ // and thus was not mapped by this request, we do not save the ModuleLoadInfo.
+ if (!NT_SUCCESS(aNtStatus) || !aModuleLoadInfo.WasMapped()) {
+ return;
+ }
+
+ nt::AutoExclusiveLock lock(mLock);
+ if (!mModuleLoads) {
+ mModuleLoads = RtlNew<ModuleLoadInfoVec>();
+ if (!mModuleLoads) {
+ return;
+ }
+ }
+
+ Unused << mModuleLoads->emplaceBack(
+ std::forward<ModuleLoadInfo>(aModuleLoadInfo));
+}
+
+/**
+ * Pass mModuleLoads's data off to |aNext| for further processing.
+ */
+void DefaultLoaderObserver::Forward(nt::LoaderObserver* aNext) {
+ MOZ_ASSERT(aNext);
+ if (!aNext) {
+ return;
+ }
+
+ ModuleLoadInfoVec* moduleLoads = nullptr;
+
+ { // Scope for lock
+ nt::AutoExclusiveLock lock(mLock);
+ moduleLoads = mModuleLoads;
+ mModuleLoads = nullptr;
+ }
+
+ if (!moduleLoads) {
+ return;
+ }
+
+ aNext->OnForward(std::move(*moduleLoads));
+ RtlDelete(moduleLoads);
+}
+
+ModuleLoadInfo LoaderPrivateAPIImp::ConstructAndNotifyBeginDllLoad(
+ void** aContext, PCUNICODE_STRING aRequestedDllName) {
+ ModuleLoadInfo loadInfo(aRequestedDllName);
+
+ NotifyBeginDllLoad(loadInfo, aContext, aRequestedDllName);
+
+ return loadInfo;
+}
+
+bool LoaderPrivateAPIImp::SubstituteForLSP(PCUNICODE_STRING aLSPLeafName,
+ PHANDLE aOutHandle) {
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+ return gLoaderObserver->SubstituteForLSP(aLSPLeafName, aOutHandle);
+}
+
+void LoaderPrivateAPIImp::NotifyEndDllLoad(void* aContext,
+ NTSTATUS aLoadNtStatus,
+ ModuleLoadInfo&& aModuleLoadInfo) {
+ aModuleLoadInfo.SetEndLoadTimeStamp();
+
+ if (NT_SUCCESS(aLoadNtStatus)) {
+ aModuleLoadInfo.CaptureBacktrace();
+ }
+
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+
+ // We need to notify the observer that the DLL load has ended even when
+ // |aLoadNtStatus| indicates a failure. This is to ensure that any resources
+ // acquired by the observer during OnBeginDllLoad are cleaned up.
+ gLoaderObserver->OnEndDllLoad(aContext, aLoadNtStatus,
+ std::move(aModuleLoadInfo));
+}
+
+nt::AllocatedUnicodeString LoaderPrivateAPIImp::GetSectionName(
+ void* aSectionAddr) {
+ const HANDLE kCurrentProcess = reinterpret_cast<HANDLE>(-1);
+
+ nt::MemorySectionNameBuf buf;
+ NTSTATUS ntStatus =
+ ::NtQueryVirtualMemory(kCurrentProcess, aSectionAddr, MemorySectionName,
+ &buf, sizeof(buf), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ return nt::AllocatedUnicodeString();
+ }
+
+ return nt::AllocatedUnicodeString(&buf.mSectionFileName);
+}
+
+nt::LoaderAPI::InitDllBlocklistOOPFnPtr
+LoaderPrivateAPIImp::GetDllBlocklistInitFn() {
+ return &InitializeDllBlocklistOOP;
+}
+
+nt::LoaderAPI::HandleLauncherErrorFnPtr
+LoaderPrivateAPIImp::GetHandleLauncherErrorFn() {
+ return &HandleLauncherError;
+}
+
+nt::SharedSection* LoaderPrivateAPIImp::GetSharedSection() {
+ return &gSharedSection;
+}
+
+nt::MemorySectionNameBuf LoaderPrivateAPIImp::GetSectionNameBuffer(
+ void* aSectionAddr) {
+ const HANDLE kCurrentProcess = reinterpret_cast<HANDLE>(-1);
+
+ nt::MemorySectionNameBuf buf;
+ NTSTATUS ntStatus =
+ ::NtQueryVirtualMemory(kCurrentProcess, aSectionAddr, MemorySectionName,
+ &buf, sizeof(buf), nullptr);
+ if (!NT_SUCCESS(ntStatus)) {
+ return nt::MemorySectionNameBuf();
+ }
+
+ return buf;
+}
+
+void LoaderPrivateAPIImp::NotifyBeginDllLoad(
+ void** aContext, PCUNICODE_STRING aRequestedDllName) {
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+ gLoaderObserver->OnBeginDllLoad(aContext, aRequestedDllName);
+}
+
+void LoaderPrivateAPIImp::NotifyBeginDllLoad(
+ ModuleLoadInfo& aModuleLoadInfo, void** aContext,
+ PCUNICODE_STRING aRequestedDllName) {
+ NotifyBeginDllLoad(aContext, aRequestedDllName);
+ aModuleLoadInfo.SetBeginLoadTimeStamp();
+}
+
+void LoaderPrivateAPIImp::SetObserver(nt::LoaderObserver* aNewObserver) {
+ nt::LoaderObserver* prevLoaderObserver = nullptr;
+
+ nt::AutoExclusiveLock lock(gLoaderObserverLock);
+
+ MOZ_ASSERT(aNewObserver);
+ if (!aNewObserver) {
+ // This is unlikely, but we always want a valid observer, so use the
+ // gDefaultObserver if necessary.
+ gLoaderObserver = &gDefaultObserver;
+ return;
+ }
+
+ prevLoaderObserver = gLoaderObserver;
+ gLoaderObserver = aNewObserver;
+
+ MOZ_ASSERT(prevLoaderObserver);
+ if (!prevLoaderObserver) {
+ return;
+ }
+
+ // Now that we have a new observer, the previous observer must forward its
+ // data on to the new observer for processing.
+ prevLoaderObserver->Forward(aNewObserver);
+}
+
+bool LoaderPrivateAPIImp::IsDefaultObserver() const {
+ nt::AutoSharedLock lock(gLoaderObserverLock);
+ return gLoaderObserver == &gDefaultObserver;
+}
+
+void EnsureInitialized() { Init(); }
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h
new file mode 100644
index 0000000000..f21472d689
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/LoaderPrivateAPI.h
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_LoaderPrivateAPI_h
+#define mozilla_freestanding_LoaderPrivateAPI_h
+
+#include "mozilla/LoaderAPIInterfaces.h"
+
+namespace mozilla {
+namespace freestanding {
+
+/**
+ * This part of the API is available only to the launcher process.
+ */
+class NS_NO_VTABLE LoaderPrivateAPI : public nt::LoaderAPI {
+ public:
+ /**
+ * Notify the nt::LoaderObserver that a module load is beginning
+ */
+ virtual void NotifyBeginDllLoad(void** aContext,
+ PCUNICODE_STRING aRequestedDllName) = 0;
+ /**
+ * Notify the nt::LoaderObserver that a module load is beginning and set the
+ * begin load timestamp on |aModuleLoadInfo|.
+ */
+ virtual void NotifyBeginDllLoad(ModuleLoadInfo& aModuleLoadInfo,
+ void** aContext,
+ PCUNICODE_STRING aRequestedDllName) = 0;
+
+ /**
+ * Set a new nt::LoaderObserver to be used by the launcher process. NB: This
+ * should only happen while the current process is still single-threaded!
+ */
+ virtual void SetObserver(nt::LoaderObserver* aNewObserver) = 0;
+
+ /**
+ * Returns true if the current nt::LoaderObserver is the launcher process's
+ * built-in observer.
+ */
+ virtual bool IsDefaultObserver() const = 0;
+
+ /**
+ * Returns the name of a given mapped section address as a local instance of
+ * nt::MemorySectionNameBuf. This does not involve heap allocation.
+ */
+ virtual nt::MemorySectionNameBuf GetSectionNameBuffer(void* aSectionAddr) = 0;
+};
+
+/**
+ * Ensures that any statics in the freestanding library are initialized.
+ */
+void EnsureInitialized();
+
+extern LoaderPrivateAPI& gLoaderPrivateAPI;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_LoaderPrivateAPI_h
diff --git a/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp b/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp
new file mode 100644
index 0000000000..3aa043b8c7
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/ModuleLoadFrame.cpp
@@ -0,0 +1,144 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "ModuleLoadFrame.h"
+
+#include "LoaderPrivateAPI.h"
+
+namespace mozilla {
+namespace freestanding {
+
+ModuleLoadFrame::ModuleLoadFrame(PCUNICODE_STRING aRequestedDllName)
+ : mPrev(sTopFrame.get()),
+ mContext(nullptr),
+ mLSPSubstitutionRequired(false),
+ mLoadNtStatus(STATUS_UNSUCCESSFUL),
+ mLoadInfo(aRequestedDllName) {
+ EnsureInitialized();
+ sTopFrame.set(this);
+
+ gLoaderPrivateAPI.NotifyBeginDllLoad(mLoadInfo, &mContext, aRequestedDllName);
+}
+
+ModuleLoadFrame::ModuleLoadFrame(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aNtStatus,
+ ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent)
+ : mPrev(sTopFrame.get()),
+ mContext(nullptr),
+ mLSPSubstitutionRequired(false),
+ mLoadNtStatus(aNtStatus),
+ mLoadInfo(std::move(aSectionName), aMapBaseAddr, aLoadStatus,
+ aIsDependent) {
+ sTopFrame.set(this);
+
+ gLoaderPrivateAPI.NotifyBeginDllLoad(&mContext, mLoadInfo.mSectionName);
+}
+
+ModuleLoadFrame::~ModuleLoadFrame() {
+ gLoaderPrivateAPI.NotifyEndDllLoad(mContext, mLoadNtStatus,
+ std::move(mLoadInfo));
+ sTopFrame.set(mPrev);
+}
+
+/* static */
+void ModuleLoadFrame::NotifyLSPSubstitutionRequired(
+ PCUNICODE_STRING aLeafName) {
+ ModuleLoadFrame* topFrame = sTopFrame.get();
+ if (!topFrame) {
+ return;
+ }
+
+ topFrame->SetLSPSubstitutionRequired(aLeafName);
+}
+
+void ModuleLoadFrame::SetLSPSubstitutionRequired(PCUNICODE_STRING aLeafName) {
+ MOZ_ASSERT(!mLoadInfo.mBaseAddr);
+ if (mLoadInfo.mBaseAddr) {
+ // If mBaseAddr is not null then |this| has already seen a module load. This
+ // should not be the case for a LSP substitution, so we bail.
+ return;
+ }
+
+ // Save aLeafName, as it will be used by SetLoadStatus when invoking
+ // SubstituteForLSP
+ mLoadInfo.mRequestedDllName = aLeafName;
+ mLSPSubstitutionRequired = true;
+}
+
+/* static */
+void ModuleLoadFrame::NotifySectionMap(
+ nt::AllocatedUnicodeString&& aSectionName, const void* aMapBaseAddr,
+ NTSTATUS aMapNtStatus, ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent) {
+ ModuleLoadFrame* topFrame = sTopFrame.get();
+ if (!topFrame) {
+ // The only time that this data is useful is during initial mapping of
+ // the executable's dependent DLLs. If mozglue is present then
+ // IsDefaultObserver will return false, indicating that we are beyond
+ // initial process startup.
+ if (gLoaderPrivateAPI.IsDefaultObserver()) {
+ OnBareSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus,
+ aLoadStatus, aIsDependent);
+ }
+ return;
+ }
+
+ topFrame->OnSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus,
+ aLoadStatus, aIsDependent);
+}
+
+/* static */
+bool ModuleLoadFrame::ExistsTopFrame() { return !!sTopFrame.get(); }
+
+void ModuleLoadFrame::OnSectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr,
+ NTSTATUS aMapNtStatus,
+ ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent) {
+ if (mLoadInfo.mBaseAddr) {
+ // If mBaseAddr is not null then |this| has already seen a module load. This
+ // means that we are witnessing a bare section map.
+ OnBareSectionMap(std::move(aSectionName), aMapBaseAddr, aMapNtStatus,
+ aLoadStatus, aIsDependent);
+ return;
+ }
+
+ mLoadInfo.mSectionName = std::move(aSectionName);
+ mLoadInfo.mBaseAddr = aMapBaseAddr;
+ mLoadInfo.mStatus = aLoadStatus;
+}
+
+/* static */
+void ModuleLoadFrame::OnBareSectionMap(
+ nt::AllocatedUnicodeString&& aSectionName, const void* aMapBaseAddr,
+ NTSTATUS aMapNtStatus, ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent) {
+ // We call the special constructor variant that is used for bare mappings.
+ ModuleLoadFrame frame(std::move(aSectionName), aMapBaseAddr, aMapNtStatus,
+ aLoadStatus, aIsDependent);
+}
+
+NTSTATUS ModuleLoadFrame::SetLoadStatus(NTSTATUS aNtStatus,
+ PHANDLE aOutHandle) {
+ mLoadNtStatus = aNtStatus;
+
+ if (!mLSPSubstitutionRequired) {
+ return aNtStatus;
+ }
+
+ if (!gLoaderPrivateAPI.SubstituteForLSP(mLoadInfo.mRequestedDllName,
+ aOutHandle)) {
+ return aNtStatus;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+SafeThreadLocal<ModuleLoadFrame*> ModuleLoadFrame::sTopFrame;
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/ModuleLoadFrame.h b/browser/app/winlauncher/freestanding/ModuleLoadFrame.h
new file mode 100644
index 0000000000..51a179db99
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/ModuleLoadFrame.h
@@ -0,0 +1,97 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_ModuleLoadFrame_h
+#define mozilla_freestanding_ModuleLoadFrame_h
+
+#include "mozilla/LoaderAPIInterfaces.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/ThreadLocal.h"
+
+#include "SafeThreadLocal.h"
+
+namespace mozilla {
+namespace freestanding {
+
+/**
+ * This class holds information about a DLL load at a particular frame in the
+ * current thread's stack. Each instance adds itself to a thread-local linked
+ * list of ModuleLoadFrames, enabling us to query information about the
+ * previous module load on the stack.
+ */
+class MOZ_RAII ModuleLoadFrame final {
+ public:
+ /**
+ * This constructor is for use by the LdrLoadDll hook.
+ */
+ explicit ModuleLoadFrame(PCUNICODE_STRING aRequestedDllName);
+ ~ModuleLoadFrame();
+
+ static void NotifyLSPSubstitutionRequired(PCUNICODE_STRING aLeafName);
+
+ /**
+ * This static method is called by the NtMapViewOfSection hook.
+ */
+ static void NotifySectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aMapNtStatus,
+ ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent);
+ static bool ExistsTopFrame();
+
+ /**
+ * Called by the LdrLoadDll hook to indicate the status of the load and for
+ * us to provide a substitute output handle if necessary.
+ */
+ NTSTATUS SetLoadStatus(NTSTATUS aNtStatus, PHANDLE aOutHandle);
+
+ ModuleLoadFrame(const ModuleLoadFrame&) = delete;
+ ModuleLoadFrame(ModuleLoadFrame&&) = delete;
+ ModuleLoadFrame& operator=(const ModuleLoadFrame&) = delete;
+ ModuleLoadFrame& operator=(ModuleLoadFrame&&) = delete;
+
+ private:
+ /**
+ * Called by OnBareSectionMap to construct a frame for a bare load.
+ */
+ ModuleLoadFrame(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aNtStatus,
+ ModuleLoadInfo::Status aLoadStatus, bool aIsDependent);
+
+ void SetLSPSubstitutionRequired(PCUNICODE_STRING aLeafName);
+ void OnSectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aMapNtStatus,
+ ModuleLoadInfo::Status aLoadStatus, bool aIsDependent);
+
+ /**
+ * A "bare" section mapping is one that was mapped without the code passing
+ * through a call to ntdll!LdrLoadDll. This method is invoked when we detect
+ * that condition.
+ */
+ static void OnBareSectionMap(nt::AllocatedUnicodeString&& aSectionName,
+ const void* aMapBaseAddr, NTSTATUS aMapNtStatus,
+ ModuleLoadInfo::Status aLoadStatus,
+ bool aIsDependent);
+
+ private:
+ // Link to the previous frame
+ ModuleLoadFrame* mPrev;
+ // Pointer to context managed by the nt::LoaderObserver implementation
+ void* mContext;
+ // Set to |true| when we need to block a WinSock LSP
+ bool mLSPSubstitutionRequired;
+ // NTSTATUS code from the |LdrLoadDll| call
+ NTSTATUS mLoadNtStatus;
+ // Telemetry information that will be forwarded to the nt::LoaderObserver
+ ModuleLoadInfo mLoadInfo;
+
+ // Head of the linked list
+ static SafeThreadLocal<ModuleLoadFrame*> sTopFrame;
+};
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_ModuleLoadFrame_h
diff --git a/browser/app/winlauncher/freestanding/SafeThreadLocal.h b/browser/app/winlauncher/freestanding/SafeThreadLocal.h
new file mode 100644
index 0000000000..e4b869f649
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/SafeThreadLocal.h
@@ -0,0 +1,96 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_SafeThreadLocal_h
+#define mozilla_freestanding_SafeThreadLocal_h
+
+#include <type_traits>
+
+#include "mozilla/NativeNt.h"
+#include "mozilla/ThreadLocal.h"
+
+namespace mozilla {
+namespace freestanding {
+
+// We cannot fall back to the Tls* APIs because kernel32 might not have been
+// loaded yet.
+#if defined(__MINGW32__) && !defined(HAVE_THREAD_TLS_KEYWORD)
+# error "This code requires the compiler to have native TLS support"
+#endif // defined(__MINGW32__) && !defined(HAVE_THREAD_TLS_KEYWORD)
+
+/**
+ * This class holds data as a thread-local variable, or as a global variable
+ * if the thread local storage is not initialized yet. It should be safe
+ * because in that early stage we assume there is no more than a single thread.
+ */
+template <typename T>
+class SafeThreadLocal final {
+ static MOZ_THREAD_LOCAL(T) sThreadLocal;
+ static T sGlobal;
+ static bool sIsTlsUsed;
+
+ // In normal cases, TLS is always available and the class uses sThreadLocal
+ // without changing sMainThreadId. So sMainThreadId is likely to be 0.
+ //
+ // If TLS is not available, we use sGlobal instead and update sMainThreadId
+ // so that that thread keeps using sGlobal even after TLS is initialized
+ // later.
+ static DWORD sMainThreadId;
+
+ // Need non-inline accessors to prevent the compiler from generating code
+ // accessing sThreadLocal before checking a condition.
+ MOZ_NEVER_INLINE static void SetGlobalValue(T aValue) { sGlobal = aValue; }
+ MOZ_NEVER_INLINE static T GetGlobalValue() { return sGlobal; }
+
+ public:
+ static void set(T aValue) {
+ static_assert(std::is_pointer_v<T>,
+ "SafeThreadLocal must be used with a pointer");
+
+ if (sMainThreadId == mozilla::nt::RtlGetCurrentThreadId()) {
+ SetGlobalValue(aValue);
+ } else if (sIsTlsUsed) {
+ MOZ_ASSERT(mozilla::nt::RtlGetThreadLocalStoragePointer(),
+ "Once TLS is used, TLS should be available till the end.");
+ sThreadLocal.set(aValue);
+ } else if (mozilla::nt::RtlGetThreadLocalStoragePointer()) {
+ sIsTlsUsed = true;
+ sThreadLocal.set(aValue);
+ } else {
+ MOZ_ASSERT(sMainThreadId == 0,
+ "A second thread cannot be created before TLS is available.");
+ sMainThreadId = mozilla::nt::RtlGetCurrentThreadId();
+ SetGlobalValue(aValue);
+ }
+ }
+
+ static T get() {
+ if (sMainThreadId == mozilla::nt::RtlGetCurrentThreadId()) {
+ return GetGlobalValue();
+ } else if (sIsTlsUsed) {
+ return sThreadLocal.get();
+ }
+ return GetGlobalValue();
+ }
+};
+
+template <typename T>
+MOZ_THREAD_LOCAL(T)
+SafeThreadLocal<T>::sThreadLocal;
+
+template <typename T>
+T SafeThreadLocal<T>::sGlobal = nullptr;
+
+template <typename T>
+bool SafeThreadLocal<T>::sIsTlsUsed = false;
+
+template <typename T>
+DWORD SafeThreadLocal<T>::sMainThreadId = 0;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_SafeThreadLocal_h
diff --git a/browser/app/winlauncher/freestanding/SharedSection.cpp b/browser/app/winlauncher/freestanding/SharedSection.cpp
new file mode 100644
index 0000000000..19b2f94f74
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/SharedSection.cpp
@@ -0,0 +1,366 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "SharedSection.h"
+
+#include <algorithm>
+#include "CheckForCaller.h"
+#include "mozilla/BinarySearch.h"
+
+namespace {
+
+bool AddString(mozilla::Span<wchar_t> aBuffer, const UNICODE_STRING& aStr) {
+ size_t offsetElements = 0;
+ while (offsetElements < aBuffer.Length()) {
+ UNICODE_STRING uniStr;
+ ::RtlInitUnicodeString(&uniStr, aBuffer.data() + offsetElements);
+
+ if (uniStr.Length == 0) {
+ // Reached to the array's last item.
+ break;
+ }
+
+ if (::RtlCompareUnicodeString(&uniStr, &aStr, TRUE) == 0) {
+ // Already included in the array.
+ return true;
+ }
+
+ // Go to the next string.
+ offsetElements += uniStr.MaximumLength / sizeof(wchar_t);
+ }
+
+ // Ensure enough space including the last empty string at the end.
+ if (offsetElements * sizeof(wchar_t) + aStr.Length + sizeof(wchar_t) +
+ sizeof(wchar_t) >
+ aBuffer.LengthBytes()) {
+ return false;
+ }
+
+ auto newStr = aBuffer.Subspan(offsetElements);
+ memcpy(newStr.data(), aStr.Buffer, aStr.Length);
+ memset(newStr.data() + aStr.Length / sizeof(wchar_t), 0, sizeof(wchar_t));
+ return true;
+}
+
+} // anonymous namespace
+
+namespace mozilla {
+namespace freestanding {
+
+SharedSection gSharedSection;
+
+// Why don't we use ::GetProcAddress?
+// If the export table of kernel32.dll is tampered in the current process,
+// we cannot transfer an RVA because the function pointed by the RVA may not
+// exist in a target process.
+// We can use ::GetProcAddress with additional check to detect tampering, but
+// FindExportAddressTableEntry fits perfectly here because it returns nullptr
+// if the target entry is outside the image, which means it's tampered or
+// forwarded to another DLL.
+#define INIT_FUNCTION(exports, name) \
+ do { \
+ auto rvaToFunction = exports.FindExportAddressTableEntry(#name); \
+ if (!rvaToFunction) { \
+ return; \
+ } \
+ m##name = reinterpret_cast<decltype(m##name)>(*rvaToFunction); \
+ } while (0)
+
+#define RESOLVE_FUNCTION(base, name) \
+ m##name = reinterpret_cast<decltype(m##name)>( \
+ base + reinterpret_cast<uintptr_t>(m##name))
+
+void Kernel32ExportsSolver::Init() {
+ interceptor::MMPolicyInProcess policy;
+ auto k32Exports = nt::PEExportSection<interceptor::MMPolicyInProcess>::Get(
+ ::GetModuleHandleW(L"kernel32.dll"), policy);
+ if (!k32Exports) {
+ return;
+ }
+
+ // Please make sure these functions are not forwarded to another DLL.
+ INIT_FUNCTION(k32Exports, FlushInstructionCache);
+ INIT_FUNCTION(k32Exports, GetModuleHandleW);
+ INIT_FUNCTION(k32Exports, GetSystemInfo);
+ INIT_FUNCTION(k32Exports, VirtualProtect);
+}
+
+bool Kernel32ExportsSolver::Resolve() {
+ const UNICODE_STRING k32Name = MOZ_LITERAL_UNICODE_STRING(L"kernel32.dll");
+
+ // We cannot use GetModuleHandleW because this code can be called
+ // before IAT is resolved.
+ auto k32Module = nt::GetModuleHandleFromLeafName(k32Name);
+ if (k32Module.isErr()) {
+ // Probably this is called before kernel32.dll is loaded.
+ return false;
+ }
+
+ uintptr_t k32Base =
+ nt::PEHeaders::HModuleToBaseAddr<uintptr_t>(k32Module.unwrap());
+
+ RESOLVE_FUNCTION(k32Base, FlushInstructionCache);
+ RESOLVE_FUNCTION(k32Base, GetModuleHandleW);
+ RESOLVE_FUNCTION(k32Base, GetSystemInfo);
+ RESOLVE_FUNCTION(k32Base, VirtualProtect);
+
+ return true;
+}
+
+HANDLE SharedSection::sSectionHandle = nullptr;
+SharedSection::Layout* SharedSection::sWriteCopyView = nullptr;
+RTL_RUN_ONCE SharedSection::sEnsureOnce = RTL_RUN_ONCE_INIT;
+
+void SharedSection::Reset(HANDLE aNewSectionObject) {
+ if (sWriteCopyView) {
+ nt::AutoMappedView view(sWriteCopyView);
+ sWriteCopyView = nullptr;
+ ::RtlRunOnceInitialize(&sEnsureOnce);
+ }
+
+ if (sSectionHandle != aNewSectionObject) {
+ if (sSectionHandle) {
+ ::CloseHandle(sSectionHandle);
+ }
+ sSectionHandle = aNewSectionObject;
+ }
+}
+
+void SharedSection::ConvertToReadOnly() {
+ if (!sSectionHandle) {
+ return;
+ }
+
+ HANDLE readonlyHandle;
+ if (!::DuplicateHandle(nt::kCurrentProcess, sSectionHandle,
+ nt::kCurrentProcess, &readonlyHandle, GENERIC_READ,
+ FALSE, 0)) {
+ return;
+ }
+
+ Reset(readonlyHandle);
+}
+
+LauncherVoidResult SharedSection::Init() {
+ static_assert(
+ kSharedViewSize >= sizeof(Layout),
+ "kSharedViewSize is too small to represent SharedSection::Layout.");
+
+ HANDLE section =
+ ::CreateFileMappingW(INVALID_HANDLE_VALUE, nullptr, PAGE_READWRITE, 0,
+ kSharedViewSize, nullptr);
+ if (!section) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+ Reset(section);
+
+ // The initial contents of the pages in a file mapping object backed by
+ // the operating system paging file are 0 (zero). No need to zero it out
+ // ourselves.
+ // https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-createfilemappingw
+ nt::AutoMappedView writableView(sSectionHandle, PAGE_READWRITE);
+ if (!writableView) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ Layout* view = writableView.as<Layout>();
+ view->mK32Exports.Init();
+ view->mState = Layout::State::kInitialized;
+ // Leave view->mDependentModulePathArrayStart to be zero to indicate
+ // we can add blocklist entries
+ return Ok();
+}
+
+LauncherVoidResult SharedSection::AddDependentModule(PCUNICODE_STRING aNtPath) {
+ nt::AutoMappedView writableView(sSectionHandle, PAGE_READWRITE);
+ if (!writableView) {
+ return LAUNCHER_ERROR_FROM_WIN32(::RtlGetLastWin32Error());
+ }
+
+ Layout* view = writableView.as<Layout>();
+ if (!view->mDependentModulePathArrayStart) {
+ // This is the first time AddDependentModule is called. We set the initial
+ // value to mDependentModulePathArrayStart, which *closes* the blocklist.
+ // After this, AddBlocklist is no longer allowed.
+ view->mDependentModulePathArrayStart =
+ FIELD_OFFSET(Layout, mFirstBlockEntry) + sizeof(DllBlockInfo);
+ }
+
+ if (!AddString(view->GetDependentModules(), *aNtPath)) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER);
+ }
+
+ return Ok();
+}
+
+LauncherVoidResult SharedSection::SetBlocklist(
+ const DynamicBlockList& aBlocklist, bool isDisabled) {
+ if (!aBlocklist.GetPayloadSize()) {
+ return Ok();
+ }
+
+ nt::AutoMappedView writableView(sSectionHandle, PAGE_READWRITE);
+ if (!writableView) {
+ return LAUNCHER_ERROR_FROM_WIN32(::RtlGetLastWin32Error());
+ }
+
+ Layout* view = writableView.as<Layout>();
+ if (view->mDependentModulePathArrayStart > 0) {
+ // If the dependent module array is already available, we must not update
+ // the blocklist.
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_INVALID_STATE);
+ }
+
+ view->mBlocklistIsDisabled = isDisabled ? 1 : 0;
+ uintptr_t bufferEnd = reinterpret_cast<uintptr_t>(view) + kSharedViewSize;
+ size_t bytesCopied = aBlocklist.CopyTo(
+ view->mFirstBlockEntry,
+ bufferEnd - reinterpret_cast<uintptr_t>(view->mFirstBlockEntry));
+ if (!bytesCopied) {
+ return LAUNCHER_ERROR_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER);
+ }
+
+ // Setting mDependentModulePathArrayStart to a non-zero value means
+ // we no longer accept blocklist entries
+ // Just to be safe, make sure we don't overwrite mFirstBlockEntry even
+ // if there are no entries.
+ view->mDependentModulePathArrayStart =
+ FIELD_OFFSET(Layout, mFirstBlockEntry) +
+ std::max(bytesCopied, sizeof(DllBlockInfo));
+ return Ok();
+}
+
+/* static */
+ULONG NTAPI SharedSection::EnsureWriteCopyViewOnce(PRTL_RUN_ONCE, PVOID,
+ PVOID*) {
+ if (!sWriteCopyView) {
+ nt::AutoMappedView view(sSectionHandle, PAGE_WRITECOPY);
+ if (!view) {
+ return TRUE;
+ }
+ sWriteCopyView = view.as<Layout>();
+ view.release();
+ }
+ return sWriteCopyView->Resolve() ? TRUE : FALSE;
+}
+
+SharedSection::Layout* SharedSection::EnsureWriteCopyView(
+ bool requireKernel32Exports /*= false */) {
+ ::RtlRunOnceExecuteOnce(&sEnsureOnce, &EnsureWriteCopyViewOnce, nullptr,
+ nullptr);
+ if (!sWriteCopyView) {
+ return nullptr;
+ }
+ auto requiredState = requireKernel32Exports
+ ? Layout::State::kResolved
+ : Layout::State::kLoadedDynamicBlocklistEntries;
+ return sWriteCopyView->mState >= requiredState ? sWriteCopyView : nullptr;
+}
+
+bool SharedSection::Layout::Resolve() {
+ if (mState == State::kResolved) {
+ return true;
+ }
+ if (mState == State::kUninitialized) {
+ return false;
+ }
+ if (mState == State::kInitialized) {
+ if (!mNumBlockEntries) {
+ uintptr_t arrayBase = reinterpret_cast<uintptr_t>(mFirstBlockEntry);
+ uint32_t numEntries = 0;
+ for (DllBlockInfo* entry = mFirstBlockEntry;
+ entry->mName.Length && numEntries < GetMaxNumBlockEntries();
+ ++entry) {
+ entry->mName.Buffer = reinterpret_cast<wchar_t*>(
+ arrayBase + reinterpret_cast<uintptr_t>(entry->mName.Buffer));
+ ++numEntries;
+ }
+ mNumBlockEntries = numEntries;
+ // Sort by name so that we can binary-search
+ std::sort(mFirstBlockEntry, mFirstBlockEntry + mNumBlockEntries,
+ [](const DllBlockInfo& a, const DllBlockInfo& b) {
+ return ::RtlCompareUnicodeString(&a.mName, &b.mName, TRUE) <
+ 0;
+ });
+ }
+ mState = State::kLoadedDynamicBlocklistEntries;
+ }
+
+ if (!mK32Exports.Resolve()) {
+ return false;
+ }
+
+ mState = State::kResolved;
+ return true;
+}
+
+Span<wchar_t> SharedSection::Layout::GetDependentModules() {
+ if (!mDependentModulePathArrayStart) {
+ return nullptr;
+ }
+ return Span<wchar_t>(
+ reinterpret_cast<wchar_t*>(reinterpret_cast<uintptr_t>(this) +
+ mDependentModulePathArrayStart),
+ (kSharedViewSize - mDependentModulePathArrayStart) / sizeof(wchar_t));
+}
+
+bool SharedSection::Layout::IsDisabled() const {
+ return !!mBlocklistIsDisabled;
+}
+
+const DllBlockInfo* SharedSection::Layout::SearchBlocklist(
+ const UNICODE_STRING& aLeafName) const {
+ MOZ_ASSERT(mState >= State::kLoadedDynamicBlocklistEntries);
+ DllBlockInfoComparator comp(aLeafName);
+ size_t match;
+ if (!BinarySearchIf(mFirstBlockEntry, 0, mNumBlockEntries, comp, &match)) {
+ return nullptr;
+ }
+ return &mFirstBlockEntry[match];
+}
+
+Kernel32ExportsSolver* SharedSection::GetKernel32Exports() {
+ Layout* writeCopyView = EnsureWriteCopyView(true);
+ return writeCopyView ? &writeCopyView->mK32Exports : nullptr;
+}
+
+Span<const wchar_t> SharedSection::GetDependentModules() {
+ Layout* writeCopyView = EnsureWriteCopyView();
+ return writeCopyView ? writeCopyView->GetDependentModules() : nullptr;
+}
+
+Span<const DllBlockInfo> SharedSection::GetDynamicBlocklist() {
+ Layout* writeCopyView = EnsureWriteCopyView();
+ return writeCopyView ? writeCopyView->GetModulePathArray() : nullptr;
+}
+
+const DllBlockInfo* SharedSection::SearchBlocklist(
+ const UNICODE_STRING& aLeafName) {
+ Layout* writeCopyView = EnsureWriteCopyView();
+ return writeCopyView ? writeCopyView->SearchBlocklist(aLeafName) : nullptr;
+}
+
+bool SharedSection::IsDisabled() {
+ Layout* writeCopyView = EnsureWriteCopyView();
+ return writeCopyView ? writeCopyView->IsDisabled() : false;
+}
+
+LauncherVoidResult SharedSection::TransferHandle(
+ nt::CrossExecTransferManager& aTransferMgr, DWORD aDesiredAccess,
+ HANDLE* aDestinationAddress) {
+ HANDLE remoteHandle;
+ if (!::DuplicateHandle(nt::kCurrentProcess, sSectionHandle,
+ aTransferMgr.RemoteProcess(), &remoteHandle,
+ aDesiredAccess, FALSE, 0)) {
+ return LAUNCHER_ERROR_FROM_LAST();
+ }
+
+ return aTransferMgr.Transfer(aDestinationAddress, &remoteHandle,
+ sizeof(remoteHandle));
+}
+
+} // namespace freestanding
+} // namespace mozilla
diff --git a/browser/app/winlauncher/freestanding/SharedSection.h b/browser/app/winlauncher/freestanding/SharedSection.h
new file mode 100644
index 0000000000..496f577c80
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/SharedSection.h
@@ -0,0 +1,199 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_freestanding_SharedSection_h
+#define mozilla_freestanding_SharedSection_h
+
+#include "mozilla/DynamicBlocklist.h"
+#include "mozilla/glue/SharedSection.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/interceptor/MMPolicies.h"
+
+// clang-format off
+#define MOZ_LITERAL_UNICODE_STRING(s) \
+ { \
+ /* Length of the string in bytes, less the null terminator */ \
+ sizeof(s) - sizeof(wchar_t), \
+ /* Length of the string in bytes, including the null terminator */ \
+ sizeof(s), \
+ /* Pointer to the buffer */ \
+ const_cast<wchar_t*>(s) \
+ }
+// clang-format on
+
+namespace mozilla {
+namespace freestanding {
+class SharedSectionTestHelper;
+
+struct DllBlockInfoComparator {
+ explicit DllBlockInfoComparator(const UNICODE_STRING& aTarget)
+ : mTarget(&aTarget) {}
+
+ int operator()(const DllBlockInfo& aVal) const {
+ return static_cast<int>(
+ ::RtlCompareUnicodeString(mTarget, &aVal.mName, TRUE));
+ }
+
+ PCUNICODE_STRING mTarget;
+};
+
+// This class calculates RVAs of kernel32's functions and transfers them
+// to a target process, where the transferred RVAs are resolved into
+// function addresses so that the target process can use them after
+// kernel32.dll is loaded and before IAT is resolved.
+struct MOZ_TRIVIAL_CTOR_DTOR Kernel32ExportsSolver final
+ : interceptor::MMPolicyInProcessEarlyStage::Kernel32Exports {
+ void Init();
+ bool Resolve();
+};
+
+// This class manages a section which is created in the launcher process and
+// mapped in the browser process and the sandboxed processes. The section's
+// layout is represented as SharedSection::Layout.
+//
+// (1) Kernel32's functions required for MMPolicyInProcessEarlyStage
+// Formatted as Kernel32ExportsSolver.
+//
+// (2) Various flags and offsets
+//
+// (3) Entries in the dynamic blocklist, in DllBlockInfo format. There
+// are mNumBlockEntries of these, followed by one that has mName.Length
+// of 0. Note that the strings that contain
+// the names of the entries in the blocklist are stored concatenated
+// after the last entry. The mName pointers in each DllBlockInfo point
+// to these strings correctly in Resolve(), so clients don't need
+// to do anything special to read these strings.
+//
+// (4) Array of NT paths of the executable's dependent modules
+// Formatted as a null-delimited wide-character string set ending with
+// an empty string. These entries start at offset
+// mDependentModulePathArrayStart (in bytes) from the beginning
+// of the structure
+//
+// +--------------------------------------------------------------+
+// | (1) | FlushInstructionCache |
+// | | GetModuleHandleW |
+// | | GetSystemInfo |
+// | | VirtualProtect |
+// | | State [kUninitialized|kInitialized|kResolved] |
+// +--------------------------------------------------------------+
+// | (2) | (flags and offsets) |
+// +--------------------------------------------------------------+
+// | (3) | <DllBlockInfo for first entry in dynamic blocklist> |
+// | | <DllBlockInfo for second entry in dynamic blocklist> |
+// | | ... |
+// | | <DllBlockInfo for last entry in dynamic blocklist> |
+// | | <DllBlockInfo with mName.Length of 0> |
+// | | L"string1.dllstring2.dll...stringlast.dll" |
+// +--------------------------------------------------------------+
+// | (4) | L"NT path 1" |
+// | | L"NT path 2" |
+// | | ... |
+// | | L"" |
+// +--------------------------------------------------------------+
+class MOZ_TRIVIAL_CTOR_DTOR SharedSection final : public nt::SharedSection {
+ struct Layout final {
+ enum class State {
+ kUninitialized,
+ kInitialized,
+ kLoadedDynamicBlocklistEntries,
+ kResolved,
+ } mState;
+
+ Kernel32ExportsSolver mK32Exports;
+ // 1 if the blocklist is disabled, 0 otherwise.
+ // If the blocklist is disabled, the entries are still loaded to make it
+ // easy for the user to remove any they don't want, but none of the DLLs
+ // here are actually blocked.
+ // Stored as a uint32_t for alignment reasons.
+ uint32_t mBlocklistIsDisabled;
+ // The offset, in bytes, from the beginning of the Layout structure to the
+ // first dependent module entry.
+ // When the Layout object is created, this value is 0, indicating that no
+ // dependent modules have been added and it is safe to add DllBlockInfo
+ // entries.
+ // After this value is set to something non-0, no more DllBlockInfo entries
+ // can be added.
+ uint32_t mDependentModulePathArrayStart;
+ // The number of blocklist entries.
+ uint32_t mNumBlockEntries;
+ DllBlockInfo mFirstBlockEntry[1];
+
+ Span<DllBlockInfo> GetModulePathArray() {
+ return Span<DllBlockInfo>(
+ mFirstBlockEntry,
+ (kSharedViewSize - (reinterpret_cast<uintptr_t>(mFirstBlockEntry) -
+ reinterpret_cast<uintptr_t>(this))) /
+ sizeof(DllBlockInfo));
+ }
+ // Can be used to make sure we don't step past the end of the shared memory
+ // section.
+ static constexpr uint32_t GetMaxNumBlockEntries() {
+ return (kSharedViewSize - (offsetof(Layout, mFirstBlockEntry))) /
+ sizeof(DllBlockInfo);
+ }
+ Layout() = delete; // disallow instantiation
+ bool Resolve();
+ bool IsDisabled() const;
+ const DllBlockInfo* SearchBlocklist(const UNICODE_STRING& aLeafName) const;
+ Span<wchar_t> GetDependentModules();
+ };
+
+ // As we define a global variable of this class and use it in our blocklist
+ // which is excuted in a process's early stage. If we have a complex dtor,
+ // the static initializer tries to register that dtor with onexit() of
+ // ucrtbase.dll which is not loaded yet, resulting in crash. Thus, we have
+ // a raw handle and a pointer as a static variable and manually release them
+ // by calling Reset() where possible.
+ static HANDLE sSectionHandle;
+ static Layout* sWriteCopyView;
+ static RTL_RUN_ONCE sEnsureOnce;
+
+ static ULONG NTAPI EnsureWriteCopyViewOnce(PRTL_RUN_ONCE, PVOID, PVOID*);
+ static Layout* EnsureWriteCopyView(bool requireKernel32Exports = false);
+
+ static constexpr size_t kSharedViewSize = 0x1000;
+
+ // For test use only
+ friend class SharedSectionTestHelper;
+
+ public:
+ // Replace |sSectionHandle| with a given handle.
+ static void Reset(HANDLE aNewSectionObject = sSectionHandle);
+
+ // Replace |sSectionHandle| with a new readonly handle.
+ static void ConvertToReadOnly();
+
+ // Create a new writable section and initialize the Kernel32ExportsSolver
+ // part.
+ static LauncherVoidResult Init();
+
+ // Append a new string to the |sSectionHandle|
+ static LauncherVoidResult AddDependentModule(PCUNICODE_STRING aNtPath);
+ static LauncherVoidResult SetBlocklist(const DynamicBlockList& aBlocklist,
+ bool isDisabled);
+
+ // Map |sSectionHandle| to a copy-on-write page and return a writable pointer
+ // to each structure, or null if Layout failed to resolve exports.
+ Kernel32ExportsSolver* GetKernel32Exports();
+ Span<const wchar_t> GetDependentModules() final override;
+ Span<const DllBlockInfo> GetDynamicBlocklist() final override;
+
+ static bool IsDisabled();
+ static const DllBlockInfo* SearchBlocklist(const UNICODE_STRING& aLeafName);
+
+ // Transfer |sSectionHandle| to a process associated with |aTransferMgr|.
+ static LauncherVoidResult TransferHandle(
+ nt::CrossExecTransferManager& aTransferMgr, DWORD aDesiredAccess,
+ HANDLE* aDestinationAddress = &sSectionHandle);
+};
+
+extern SharedSection gSharedSection;
+
+} // namespace freestanding
+} // namespace mozilla
+
+#endif // mozilla_freestanding_SharedSection_h
diff --git a/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py b/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py
new file mode 100644
index 0000000000..d9fe86d78e
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/gen_ntdll_freestanding_lib.py
@@ -0,0 +1,28 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import os
+import subprocess
+import tempfile
+
+
+def main(output_fd, def_file, llvm_dlltool, *llvm_dlltool_args):
+ # llvm-dlltool can't output to stdout, so we create a temp file, use that
+ # to write out the lib, and then copy it over to output_fd
+ (tmp_fd, tmp_output) = tempfile.mkstemp()
+ os.close(tmp_fd)
+
+ try:
+ cmd = [llvm_dlltool]
+ cmd.extend(llvm_dlltool_args)
+ cmd += ["-d", def_file, "-l", tmp_output]
+
+ subprocess.check_call(cmd)
+
+ with open(tmp_output, "rb") as tmplib:
+ output_fd.write(tmplib.read())
+ finally:
+ os.remove(tmp_output)
diff --git a/browser/app/winlauncher/freestanding/moz.build b/browser/app/winlauncher/freestanding/moz.build
new file mode 100644
index 0000000000..03a3dffe80
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/moz.build
@@ -0,0 +1,58 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Library("winlauncher-freestanding")
+
+FORCE_STATIC_LIB = True
+
+# Our patched NtMapViewOfSection can be called before the process's import
+# table is populated. Don't let the compiler insert any instrumentation
+# that might call an import.
+NO_PGO = True
+
+UNIFIED_SOURCES += [
+ "DllBlocklist.cpp",
+ "LoaderPrivateAPI.cpp",
+ "ModuleLoadFrame.cpp",
+ "SharedSection.cpp",
+]
+
+# This library must be compiled in a freestanding environment, as its code must
+# not assume that it has access to any runtime libraries.
+if CONFIG["CC_TYPE"] == "clang-cl":
+ CXXFLAGS += ["-Xclang"]
+
+CXXFLAGS += [
+ "-ffreestanding",
+]
+
+# Forcibly include Freestanding.h into all source files in this library.
+if CONFIG["CC_TYPE"] == "clang-cl":
+ CXXFLAGS += ["-FI"]
+else:
+ CXXFLAGS += ["-include"]
+
+CXXFLAGS += [SRCDIR + "/Freestanding.h"]
+
+OS_LIBS += [
+ "ntdll",
+ "ntdll_freestanding",
+]
+
+if CONFIG["COMPILE_ENVIRONMENT"] and CONFIG["LLVM_DLLTOOL"]:
+ GeneratedFile(
+ "%sntdll_freestanding.%s" % (CONFIG["LIB_PREFIX"], CONFIG["LIB_SUFFIX"]),
+ script="gen_ntdll_freestanding_lib.py",
+ inputs=["ntdll_freestanding.def"],
+ flags=[CONFIG["LLVM_DLLTOOL"]] + CONFIG["LLVM_DLLTOOL_FLAGS"],
+ )
+
+DisableStlWrapping()
+
+with Files("**"):
+ BUG_COMPONENT = ("Firefox", "Launcher Process")
+
+REQUIRES_UNIFIED_BUILD = True
diff --git a/browser/app/winlauncher/freestanding/ntdll_freestanding.def b/browser/app/winlauncher/freestanding/ntdll_freestanding.def
new file mode 100644
index 0000000000..6e5e2685fe
--- /dev/null
+++ b/browser/app/winlauncher/freestanding/ntdll_freestanding.def
@@ -0,0 +1,25 @@
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+LIBRARY ntdll
+
+; When we compile with -freestanding, the compiler still requires implementation
+; of the four functions listed below.
+;
+; We could implement our own naive versions of these functions, but that
+; solution is less than ideal since the implementations must be extern and are
+; thus picked up by the entire firefox.exe binary. This denies the rest of
+; firefox.exe the benefit of optimized implementations. On Windows the
+; sandbox is linked into firefox.exe, so we cannot just shrug and
+; assume that a naive implementation will not have any effect on anything.
+;
+; There are, however, optimized implementations of these functions that are
+; exported by ntdll.dll. OTOH, they are not included in the ntdll.lib
+; import library. This .def file is used to build an import library that "fills
+; in the blanks" and allows us to link into the ntdll implementations.
+EXPORTS
+ memcmp
+ memcpy
+ memmove
+ memset
diff --git a/browser/app/winlauncher/moz.build b/browser/app/winlauncher/moz.build
new file mode 100644
index 0000000000..290f7d98ee
--- /dev/null
+++ b/browser/app/winlauncher/moz.build
@@ -0,0 +1,61 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Library("winlauncher")
+
+FORCE_STATIC_LIB = True
+
+UNIFIED_SOURCES += [
+ "/ipc/mscom/COMWrappers.cpp",
+ "/ipc/mscom/ProcessRuntime.cpp",
+ "/toolkit/xre/WinTokenUtils.cpp",
+ "/widget/windows/WindowsConsole.cpp",
+ "DllBlocklistInit.cpp",
+ "ErrorHandler.cpp",
+ "LauncherProcessWin.cpp",
+ "LaunchUnelevated.cpp",
+ "NtLoaderAPI.cpp",
+]
+
+OS_LIBS += [
+ "oleaut32",
+ "ole32",
+ "rpcrt4",
+ "version",
+]
+
+DIRS += [
+ "freestanding",
+]
+
+USE_LIBS += [
+ "winlauncher-freestanding",
+]
+
+TEST_DIRS += [
+ "test",
+]
+
+if CONFIG["MOZ_LAUNCHER_PROCESS"]:
+ LOCAL_INCLUDES += [
+ "/other-licenses/nsis/Contrib/CityHash/cityhash",
+ "/toolkit/mozapps/update/common",
+ ]
+ UNIFIED_SOURCES += [
+ "/other-licenses/nsis/Contrib/CityHash/cityhash/city.cpp",
+ "/toolkit/mozapps/update/common/commonupdatedir.cpp",
+ "/toolkit/xre/LauncherRegistryInfo.cpp",
+ ]
+
+for var in ("MOZ_APP_BASENAME", "MOZ_APP_VENDOR", "MOZ_APP_DISPLAYNAME"):
+ DEFINES[var] = '"%s"' % CONFIG[var]
+
+DisableStlWrapping()
+
+with Files("**"):
+ BUG_COMPONENT = ("Firefox", "Launcher Process")
+
+REQUIRES_UNIFIED_BUILD = True
diff --git a/browser/app/winlauncher/test/TestCrossProcessWin.cpp b/browser/app/winlauncher/test/TestCrossProcessWin.cpp
new file mode 100644
index 0000000000..cd92ff2570
--- /dev/null
+++ b/browser/app/winlauncher/test/TestCrossProcessWin.cpp
@@ -0,0 +1,703 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include <thread>
+#include <winternl.h>
+
+#define MOZ_USE_LAUNCHER_ERROR
+
+#include <atomic>
+#include <thread>
+#include "freestanding/SharedSection.cpp"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/DynamicBlocklist.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/Vector.h"
+
+#define DLL_BLOCKLIST_ENTRY(name, ...) \
+ {MOZ_LITERAL_UNICODE_STRING(L##name), __VA_ARGS__},
+#define DLL_BLOCKLIST_STRING_TYPE UNICODE_STRING
+
+#include "mozilla/WindowsDllBlocklistLauncherDefs.h"
+
+const wchar_t kChildArg[] = L"--child";
+const char* kTestDependentModulePaths[] = {
+ "\\Device\\HarddiskVolume4\\Windows\\system32\\A B C",
+ "\\Device\\HarddiskVolume4\\Windows\\system32\\a b c.dll",
+ "\\Device\\HarddiskVolume4\\Windows\\system32\\A B C.exe",
+ "\\Device\\HarddiskVolume4\\Windows\\system32\\X Y Z.dll",
+ "\\Device\\HarddiskVolume1\\a b C",
+ "\\Device\\HarddiskVolume2\\A b c.DLL",
+ "\\Device\\HarddiskVolume3\\A B c.exe",
+ "\\Device\\HarddiskVolume4\\X y Z.dll",
+};
+const wchar_t kExpectedDependentModules[] =
+ L"A B C\0"
+ L"a b c.dll\0"
+ L"A B C.exe\0"
+ L"X Y Z.dll\0";
+
+const UNICODE_STRING kStringNotInBlocklist =
+ MOZ_LITERAL_UNICODE_STRING(L"Test_NotInBlocklist.dll");
+const UNICODE_STRING kTestDependentModuleString =
+ MOZ_LITERAL_UNICODE_STRING(L"Test_DependentModule.dll");
+
+// clang-format off
+const DllBlockInfo kDllBlocklistShort[] = {
+ // The entries do not have to be sorted.
+ DLL_BLOCKLIST_ENTRY("X Y Z_Test", MAKE_VERSION(1, 2, 65535, 65535),
+ DllBlockInfo::BLOCK_WIN8_AND_OLDER)
+ DLL_BLOCKLIST_ENTRY("\u30E9\u30FC\u30E1\u30F3_Test")
+ DLL_BLOCKLIST_ENTRY("Avmvirtualsource_Test.ax", MAKE_VERSION(1, 0, 0, 3),
+ DllBlockInfo::BROWSER_PROCESS_ONLY)
+ DLL_BLOCKLIST_ENTRY("1ccelerator_Test.dll", MAKE_VERSION(3, 2, 1, 6))
+ DLL_BLOCKLIST_ENTRY("atkdx11disp_Test.dll", DllBlockInfo::ALL_VERSIONS)
+ {},
+};
+// clang-format on
+
+using namespace mozilla;
+using namespace mozilla::freestanding;
+
+namespace mozilla::freestanding {
+class SharedSectionTestHelper {
+ public:
+ static constexpr size_t GetModulePathArraySize() {
+ return SharedSection::kSharedViewSize -
+ (offsetof(SharedSection::Layout, mFirstBlockEntry) +
+ sizeof(DllBlockInfo));
+ }
+};
+} // namespace mozilla::freestanding
+
+class TempFile final {
+ wchar_t mFullPath[MAX_PATH + 1];
+
+ public:
+ TempFile() : mFullPath{0} {
+ wchar_t tempDir[MAX_PATH + 1];
+ DWORD len = ::GetTempPathW(ArrayLength(tempDir), tempDir);
+ if (!len) {
+ return;
+ }
+
+ len = ::GetTempFileNameW(tempDir, L"blocklist", 0, mFullPath);
+ if (!len) {
+ return;
+ }
+ }
+
+ operator const wchar_t*() const { return mFullPath[0] ? mFullPath : nullptr; }
+};
+
+template <typename T, int N>
+void PrintLauncherError(const LauncherResult<T>& aResult,
+ const char (&aMsg)[N]) {
+ const LauncherError& err = aResult.inspectErr();
+ printf("TEST-FAILED | TestCrossProcessWin | %s - %lx at %s:%d\n", aMsg,
+ err.mError.AsHResult(), err.mFile, err.mLine);
+}
+
+#define VERIFY_FUNCTION_RESOLVED(mod, exports, name) \
+ do { \
+ if (reinterpret_cast<FARPROC>(exports->m##name) != \
+ ::GetProcAddress(mod, #name)) { \
+ printf( \
+ "TEST-FAILED | TestCrossProcessWin | " \
+ "Kernel32ExportsSolver::" #name " did not match.\n"); \
+ return false; \
+ } \
+ } while (0)
+
+static bool VerifySharedSection(SharedSection& aSharedSection) {
+ Kernel32ExportsSolver* k32Exports = aSharedSection.GetKernel32Exports();
+ if (!k32Exports) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | Failed to map a shared section\n");
+ return false;
+ }
+
+ HMODULE k32mod = ::GetModuleHandleW(L"kernel32.dll");
+ VERIFY_FUNCTION_RESOLVED(k32mod, k32Exports, FlushInstructionCache);
+ VERIFY_FUNCTION_RESOLVED(k32mod, k32Exports, GetModuleHandleW);
+ VERIFY_FUNCTION_RESOLVED(k32mod, k32Exports, GetSystemInfo);
+ VERIFY_FUNCTION_RESOLVED(k32mod, k32Exports, VirtualProtect);
+
+ Span<const wchar_t> modulesArray = aSharedSection.GetDependentModules();
+ bool matched = memcmp(modulesArray.data(), kExpectedDependentModules,
+ sizeof(kExpectedDependentModules)) == 0;
+ if (!matched) {
+ // Print actual strings on error
+ for (const wchar_t* p = modulesArray.data(); *p;) {
+ printf("%p: %S\n", p, p);
+ while (*p) {
+ ++p;
+ }
+ ++p;
+ }
+ return false;
+ }
+
+ for (const DllBlockInfo* info = kDllBlocklistShort; info->mName.Buffer;
+ ++info) {
+ const DllBlockInfo* matched = aSharedSection.SearchBlocklist(info->mName);
+ if (!matched) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | No blocklist entry match for "
+ "entry in blocklist.\n");
+ return false;
+ }
+ }
+
+ if (aSharedSection.SearchBlocklist(kStringNotInBlocklist)) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | Found blocklist entry match for "
+ "something not in the blocklist.\n");
+ }
+
+ if (aSharedSection.IsDisabled()) {
+ printf("TEST-FAILED | TestCrossProcessWin | Wrong disabled value.\n");
+ }
+
+ return true;
+}
+
+static bool TestAddString() {
+ wchar_t testBuffer[3] = {0};
+ UNICODE_STRING ustr;
+
+ // This makes |testBuffer| full.
+ ::RtlInitUnicodeString(&ustr, L"a");
+ if (!AddString(testBuffer, ustr)) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "AddString failed.\n");
+ return false;
+ }
+
+ // Adding a string to a full buffer should fail.
+ ::RtlInitUnicodeString(&ustr, L"b");
+ if (AddString(testBuffer, ustr)) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "AddString caused OOB memory access.\n");
+ return false;
+ }
+
+ bool matched = memcmp(testBuffer, L"a\0", sizeof(testBuffer)) == 0;
+ if (!matched) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "AddString wrote wrong values.\n");
+ return false;
+ }
+
+ return true;
+}
+
+// Convert |aBlockEntries|, which is an array ending with an empty instance
+// of DllBlockInfo, to DynamicBlockList by storing it to a temp file, loading
+// as DynamicBlockList, and deleting the temp file.
+static DynamicBlockList ConvertStaticBlocklistToDynamic(
+ const DllBlockInfo aBlockEntries[]) {
+ size_t originalLength = 0;
+ CheckedUint32 totalStringLen = 0;
+ for (const DllBlockInfo* entry = aBlockEntries; entry->mName.Length;
+ ++entry) {
+ totalStringLen += entry->mName.Length;
+ MOZ_RELEASE_ASSERT(totalStringLen.isValid());
+ ++originalLength;
+ }
+
+ // Pack all strings in this buffer without null characters
+ UniquePtr<uint8_t[]> stringBuffer =
+ MakeUnique<uint8_t[]>(totalStringLen.value());
+
+ // The string buffer is placed immediately after the array of DllBlockInfo
+ const size_t stringBufferOffset = (originalLength + 1) * sizeof(DllBlockInfo);
+
+ // Entries in the dynamic blocklist do have to be sorted,
+ // unlike in the static blocklist.
+ UniquePtr<DllBlockInfo[]> sortedBlockEntries =
+ MakeUnique<DllBlockInfo[]>(originalLength);
+ memcpy(sortedBlockEntries.get(), aBlockEntries,
+ sizeof(DllBlockInfo) * originalLength);
+ std::sort(sortedBlockEntries.get(), sortedBlockEntries.get() + originalLength,
+ [](const DllBlockInfo& a, const DllBlockInfo& b) {
+ return ::RtlCompareUnicodeString(&a.mName, &b.mName, TRUE) < 0;
+ });
+
+ Vector<DllBlockInfo> copied;
+ Unused << copied.resize(originalLength + 1); // aBlockEntries + sentinel
+
+ size_t currentStringOffset = 0;
+ for (size_t i = 0; i < originalLength; ++i) {
+ copied[i].mMaxVersion = sortedBlockEntries[i].mMaxVersion;
+ copied[i].mFlags = sortedBlockEntries[i].mFlags;
+
+ // Copy the module's name to the string buffer and store its offset
+ // in mName.Buffer
+ memcpy(stringBuffer.get() + currentStringOffset,
+ sortedBlockEntries[i].mName.Buffer,
+ sortedBlockEntries[i].mName.Length);
+ copied[i].mName.Buffer =
+ reinterpret_cast<wchar_t*>(stringBufferOffset + currentStringOffset);
+ // Only keep mName.Length and leave mName.MaximumLength to be zero
+ copied[i].mName.Length = sortedBlockEntries[i].mName.Length;
+
+ currentStringOffset += sortedBlockEntries[i].mName.Length;
+ }
+
+ TempFile blocklistFile;
+ nsAutoHandle file(::CreateFileW(blocklistFile, GENERIC_WRITE, FILE_SHARE_READ,
+ nullptr, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL,
+ nullptr));
+ MOZ_RELEASE_ASSERT(file);
+
+ DynamicBlockListBase::FileHeader header;
+ header.mSignature = DynamicBlockListBase::kSignature;
+ header.mFileVersion = DynamicBlockListBase::kCurrentVersion;
+ header.mPayloadSize =
+ sizeof(DllBlockInfo) * copied.length() + totalStringLen.value();
+
+ DWORD written = 0;
+ MOZ_RELEASE_ASSERT(
+ ::WriteFile(file.get(), &header, sizeof(header), &written, nullptr));
+ MOZ_RELEASE_ASSERT(::WriteFile(file.get(), copied.begin(),
+ sizeof(DllBlockInfo) * copied.length(),
+ &written, nullptr));
+ MOZ_RELEASE_ASSERT(::WriteFile(file.get(), stringBuffer.get(),
+ totalStringLen.value(), &written, nullptr));
+
+ DynamicBlockList blockList(blocklistFile);
+ ::DeleteFileW(blocklistFile);
+ return blockList;
+}
+
+const DynamicBlockList gFullList =
+ ConvertStaticBlocklistToDynamic(gWindowsDllBlocklist);
+const DynamicBlockList gShortList =
+ ConvertStaticBlocklistToDynamic(kDllBlocklistShort);
+
+static bool TestDependentModules() {
+ LauncherVoidResult result = gSharedSection.Init();
+ if (result.isErr()) {
+ PrintLauncherError(result, "SharedSection::Init failed");
+ return false;
+ }
+
+ constexpr size_t sizeInBytes =
+ SharedSectionTestHelper::GetModulePathArraySize();
+ UniquePtr<uint8_t[]> bufferData = MakeUnique<uint8_t[]>(sizeInBytes);
+ Span<uint8_t> buffer(bufferData, sizeInBytes);
+ memset(buffer.data(), 0x88, buffer.size());
+
+ // Try to add a long string that does not fit in the section,
+ // since there's no room for the NULL character to indicate the final string.
+ UNICODE_STRING ustr;
+ ustr.Buffer = reinterpret_cast<wchar_t*>(buffer.data());
+ ustr.Length = ustr.MaximumLength = buffer.size();
+
+ result = gSharedSection.AddDependentModule(&ustr);
+ if (result.isOk() || result.inspectErr() != WindowsError::FromWin32Error(
+ ERROR_INSUFFICIENT_BUFFER)) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "Adding a too long string should fail.\n");
+ return false;
+ }
+
+ result = gSharedSection.Init();
+ if (result.isErr()) {
+ PrintLauncherError(result, "SharedSection::Init failed");
+ return false;
+ }
+
+ // Keep adding a single-char string until it fails and
+ // make sure no crash.
+ // We want to make sure no strings match any earlier strings so
+ // we can get the expected count. This is a little tricky since
+ // it includes case-insensitivity, so start at the "CJK Unified Ideographs
+ // Extension A" block of Unicode, which has no two characters that compare
+ // equal under a case insensitive comparison.
+ *(reinterpret_cast<wchar_t*>(buffer.data())) = 0x3400;
+ ustr.Length = ustr.MaximumLength = sizeof(wchar_t);
+ wchar_t numberOfStringsAdded = 0;
+ while (gSharedSection.AddDependentModule(&ustr).isOk()) {
+ ++numberOfStringsAdded;
+ // Make sure the string doesn't match any earlier strings
+ wchar_t oldValue = *(reinterpret_cast<wchar_t*>(buffer.data()));
+ *(reinterpret_cast<wchar_t*>(buffer.data())) = oldValue + 1;
+ }
+
+ int numberOfCharactersInBuffer =
+ SharedSectionTestHelper::GetModulePathArraySize() / sizeof(wchar_t);
+ // Each string is two characters long (one "real" character and a null), but
+ // the whole buffer needs an additional null at the end.
+ int expectedNumberOfStringsAdded = (numberOfCharactersInBuffer - 1) / 2;
+ if (numberOfStringsAdded != expectedNumberOfStringsAdded) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "Added %d dependent strings before failing (expected %d).\n",
+ static_cast<int>(numberOfStringsAdded), expectedNumberOfStringsAdded);
+ return false;
+ }
+
+ // SetBlocklist is not allowed after AddDependentModule
+ result = gSharedSection.SetBlocklist(gShortList, false);
+ if (result.isOk() || result.inspectErr() !=
+ WindowsError::FromWin32Error(ERROR_INVALID_STATE)) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "SetBlocklist is not allowed after AddDependentModule\n");
+ return false;
+ }
+
+ gSharedSection.Reset();
+ return true;
+}
+
+static bool TestDynamicBlocklist() {
+ if (!gFullList.GetPayloadSize() || !gShortList.GetPayloadSize()) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | DynamicBlockList::LoadFile "
+ "failed\n");
+ return false;
+ }
+
+ LauncherVoidResult result = gSharedSection.Init();
+ if (result.isErr()) {
+ PrintLauncherError(result, "SharedSection::Init failed");
+ return false;
+ }
+
+ // Set gShortList, and gShortList
+ // 1. Setting gShortList succeeds
+ // 2. Next try to set gShortList fails
+ result = gSharedSection.SetBlocklist(gShortList, false);
+ if (result.isErr()) {
+ PrintLauncherError(result, "SetBlocklist(gShortList) failed");
+ return false;
+ }
+ result = gSharedSection.SetBlocklist(gShortList, false);
+ if (result.isOk() || result.inspectErr() !=
+ WindowsError::FromWin32Error(ERROR_INVALID_STATE)) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "SetBlocklist is allowed only once\n");
+ return false;
+ }
+
+ result = gSharedSection.Init();
+ if (result.isErr()) {
+ PrintLauncherError(result, "SharedSection::Init failed");
+ return false;
+ }
+
+ // Add gFullList and gShortList
+ // 1. Adding gFullList always fails because it doesn't fit the section
+ // 2. Adding gShortList succeeds because no entry is added yet
+ MOZ_RELEASE_ASSERT(
+ gFullList.GetPayloadSize() >
+ SharedSectionTestHelper::GetModulePathArraySize(),
+ "Test assumes gFullList is too big to fit in shared section");
+ result = gSharedSection.SetBlocklist(gFullList, false);
+ if (result.isOk() || result.inspectErr() != WindowsError::FromWin32Error(
+ ERROR_INSUFFICIENT_BUFFER)) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "SetBlocklist(gFullList) should fail\n");
+ return false;
+ }
+ result = gSharedSection.SetBlocklist(gShortList, false);
+ if (result.isErr()) {
+ PrintLauncherError(result, "SetBlocklist(gShortList) failed");
+ return false;
+ }
+
+ // AddDependentModule is allowed after SetBlocklist
+ result = gSharedSection.AddDependentModule(&kTestDependentModuleString);
+ if (result.isErr()) {
+ PrintLauncherError(result, "SharedSection::AddDependentModule failed");
+ return false;
+ }
+
+ gSharedSection.Reset();
+ return true;
+}
+
+class ChildProcess final {
+ nsAutoHandle mChildProcess;
+ nsAutoHandle mChildMainThread;
+ DWORD mProcessId;
+
+ public:
+ // The following variables are updated from the parent process via
+ // WriteProcessMemory while the process is suspended as a part of
+ // TestWithChildProcess().
+ //
+ // Having both a non-const and a const is important because a constant
+ // is separately placed in the .rdata section which is read-only, so
+ // the region's attribute needs to be changed before modifying data via
+ // WriteProcessMemory.
+ // The keyword "volatile" is needed for a constant, otherwise the compiler
+ // evaluates a constant as a literal without fetching data from memory.
+ static HMODULE sExecutableImageBase;
+ static volatile const DWORD sReadOnlyProcessId;
+
+ static int Main() {
+ SRWLOCK lock = SRWLOCK_INIT;
+ ::AcquireSRWLockExclusive(&lock);
+
+ Vector<std::thread> threads;
+ std::atomic<bool> success = true;
+ for (int i = 0; i < 10; ++i) {
+ Unused << threads.emplaceBack(
+ [&success](SRWLOCK* aLock) {
+ // All threads call GetKernel32Exports(), but only the first thread
+ // maps a write-copy section and populates it.
+ ::AcquireSRWLockShared(aLock);
+ if (gSharedSection.GetKernel32Exports() == nullptr) {
+ success = false;
+ }
+ ::ReleaseSRWLockShared(aLock);
+ },
+ &lock);
+ }
+
+ // Wait a msec for all threads to be ready and release the lock
+ ::Sleep(1);
+ ::ReleaseSRWLockExclusive(&lock);
+
+ for (auto& thread : threads) {
+ thread.join();
+ }
+
+ if (!success) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "GetKernel32Exports() returned null.\n");
+ return 1;
+ }
+
+ if (sExecutableImageBase != ::GetModuleHandle(nullptr)) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "sExecutableImageBase is expected to be %p, but actually was %p.\n",
+ ::GetModuleHandle(nullptr), sExecutableImageBase);
+ return 1;
+ }
+
+ if (sReadOnlyProcessId != ::GetCurrentProcessId()) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "sReadOnlyProcessId is expected to be %lx, but actually was %lx.\n",
+ ::GetCurrentProcessId(), sReadOnlyProcessId);
+ return 1;
+ }
+
+ if (!VerifySharedSection(gSharedSection)) {
+ return 1;
+ }
+
+ // Test a scenario to transfer a transferred section as a readonly handle
+ gSharedSection.ConvertToReadOnly();
+
+ // AddDependentModule fails as the handle is readonly.
+ LauncherVoidResult result =
+ gSharedSection.AddDependentModule(&kTestDependentModuleString);
+ if (result.inspectErr() !=
+ WindowsError::FromWin32Error(ERROR_ACCESS_DENIED)) {
+ PrintLauncherError(result, "The readonly section was writable");
+ return 1;
+ }
+
+ if (!VerifySharedSection(gSharedSection)) {
+ return 1;
+ }
+
+ return 0;
+ }
+
+ ChildProcess(const wchar_t* aExecutable, const wchar_t* aOption)
+ : mProcessId(0) {
+ const wchar_t* childArgv[] = {aExecutable, aOption};
+ auto cmdLine(
+ mozilla::MakeCommandLine(mozilla::ArrayLength(childArgv), childArgv));
+
+ STARTUPINFOW si = {sizeof(si)};
+ PROCESS_INFORMATION pi;
+ BOOL ok =
+ ::CreateProcessW(aExecutable, cmdLine.get(), nullptr, nullptr, FALSE,
+ CREATE_SUSPENDED, nullptr, nullptr, &si, &pi);
+ if (!ok) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "CreateProcessW falied - %08lx.\n",
+ GetLastError());
+ return;
+ }
+
+ mProcessId = pi.dwProcessId;
+
+ mChildProcess.own(pi.hProcess);
+ mChildMainThread.own(pi.hThread);
+ }
+
+ ~ChildProcess() { ::TerminateProcess(mChildProcess, 0); }
+
+ operator HANDLE() const { return mChildProcess; }
+ DWORD GetProcessId() const { return mProcessId; }
+
+ bool ResumeAndWaitUntilExit() {
+ if (::ResumeThread(mChildMainThread) == 0xffffffff) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "ResumeThread failed - %08lx\n",
+ GetLastError());
+ return false;
+ }
+
+ if (::WaitForSingleObject(mChildProcess, 60000) != WAIT_OBJECT_0) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "Unexpected result from WaitForSingleObject\n");
+ return false;
+ }
+
+ DWORD exitCode;
+ if (!::GetExitCodeProcess(mChildProcess, &exitCode)) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "GetExitCodeProcess failed - %08lx\n",
+ GetLastError());
+ return false;
+ }
+
+ return exitCode == 0;
+ }
+};
+
+HMODULE ChildProcess::sExecutableImageBase = 0;
+volatile const DWORD ChildProcess::sReadOnlyProcessId = 0;
+
+int wmain(int argc, wchar_t* argv[]) {
+ printf("Process: %-8lx Base: %p\n", ::GetCurrentProcessId(),
+ ::GetModuleHandle(nullptr));
+
+ if (argc == 2 && wcscmp(argv[1], kChildArg) == 0) {
+ return ChildProcess::Main();
+ }
+
+ ChildProcess childProcess(argv[0], kChildArg);
+ if (!childProcess) {
+ return 1;
+ }
+
+ if (!TestAddString()) {
+ return 1;
+ }
+
+ if (!TestDependentModules()) {
+ return 1;
+ }
+
+ if (!TestDynamicBlocklist()) {
+ return 1;
+ }
+
+ LauncherResult<HMODULE> remoteImageBase =
+ nt::GetProcessExeModule(childProcess);
+ if (remoteImageBase.isErr()) {
+ PrintLauncherError(remoteImageBase, "nt::GetProcessExeModule failed");
+ return 1;
+ }
+
+ nt::CrossExecTransferManager transferMgr(childProcess);
+ if (!transferMgr) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "CrossExecTransferManager instantiation failed.\n");
+ return 1;
+ }
+
+ LauncherVoidResult result =
+ transferMgr.Transfer(&ChildProcess::sExecutableImageBase,
+ &remoteImageBase.inspect(), sizeof(HMODULE));
+ if (result.isErr()) {
+ PrintLauncherError(result, "ChildProcess::WriteData(Imagebase) failed");
+ return 1;
+ }
+
+ DWORD childPid = childProcess.GetProcessId();
+
+ DWORD* readOnlyData = const_cast<DWORD*>(&ChildProcess::sReadOnlyProcessId);
+ result = transferMgr.Transfer(readOnlyData, &childPid, sizeof(DWORD));
+ if (result.isOk()) {
+ printf(
+ "TEST-UNEXPECTED | TestCrossProcessWin | "
+ "A constant was located in a writable section.");
+ return 1;
+ }
+
+ AutoVirtualProtect prot =
+ transferMgr.Protect(readOnlyData, sizeof(uint32_t), PAGE_READWRITE);
+ if (!prot) {
+ printf(
+ "TEST-FAILED | TestCrossProcessWin | "
+ "VirtualProtect failed - %08lx\n",
+ prot.GetError().AsHResult());
+ return 1;
+ }
+
+ result = transferMgr.Transfer(readOnlyData, &childPid, sizeof(DWORD));
+ if (result.isErr()) {
+ PrintLauncherError(result, "ChildProcess::WriteData(PID) failed");
+ return 1;
+ }
+
+ result = gSharedSection.Init();
+ if (result.isErr()) {
+ PrintLauncherError(result, "SharedSection::Init failed");
+ return 1;
+ }
+
+ result = gSharedSection.SetBlocklist(gShortList, false);
+ if (result.isErr()) {
+ PrintLauncherError(result, "SetBlocklist(gShortList) failed");
+ return false;
+ }
+
+ for (const char* testString : kTestDependentModulePaths) {
+ // Test AllocatedUnicodeString(const char*) that is used
+ // in IsDependentModule()
+ nt::AllocatedUnicodeString depModule(testString);
+ UNICODE_STRING depModuleLeafName;
+ nt::GetLeafName(&depModuleLeafName, depModule);
+ result = gSharedSection.AddDependentModule(&depModuleLeafName);
+ if (result.isErr()) {
+ PrintLauncherError(result, "SharedSection::AddDependentModule failed");
+ return 1;
+ }
+ }
+
+ result =
+ gSharedSection.TransferHandle(transferMgr, GENERIC_READ | GENERIC_WRITE);
+ if (result.isErr()) {
+ PrintLauncherError(result, "SharedSection::TransferHandle failed");
+ return 1;
+ }
+
+ // Close the section in the parent process before resuming the child process
+ gSharedSection.Reset(nullptr);
+
+ if (!childProcess.ResumeAndWaitUntilExit()) {
+ return 1;
+ }
+
+ printf("TEST-PASS | TestCrossProcessWin | All checks passed\n");
+ return 0;
+}
diff --git a/browser/app/winlauncher/test/TestSafeThreadLocal.cpp b/browser/app/winlauncher/test/TestSafeThreadLocal.cpp
new file mode 100644
index 0000000000..31af93c375
--- /dev/null
+++ b/browser/app/winlauncher/test/TestSafeThreadLocal.cpp
@@ -0,0 +1,84 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#define MOZ_USE_LAUNCHER_ERROR
+
+#include "freestanding/SafeThreadLocal.h"
+
+#include "mozilla/NativeNt.h"
+#include "nsWindowsHelpers.h"
+
+#include <process.h>
+#include <stdio.h>
+
+// Need a non-inline function to bypass compiler optimization that the thread
+// local storage pointer is cached in a register before accessing a thread-local
+// variable.
+MOZ_NEVER_INLINE PVOID SwapThreadLocalStoragePointer(PVOID aNewValue) {
+ auto oldValue = mozilla::nt::RtlGetThreadLocalStoragePointer();
+ mozilla::nt::RtlSetThreadLocalStoragePointerForTestingOnly(aNewValue);
+ return oldValue;
+}
+
+static mozilla::freestanding::SafeThreadLocal<int*> gTheStorage;
+
+// Need non-inline functions to bypass compiler optimization that the thread
+// local storage pointer is cached in a register before accessing a thread-local
+// variable. See bug 1803322 for a motivating example.
+MOZ_NEVER_INLINE int* getTheStorage() { return gTheStorage.get(); }
+MOZ_NEVER_INLINE void setTheStorage(int* p) { gTheStorage.set(p); }
+
+static unsigned int __stdcall TestNonMainThread(void* aArg) {
+ for (int i = 0; i < 100; ++i) {
+ setTheStorage(&i);
+ if (getTheStorage() != &i) {
+ printf(
+ "TEST-FAILED | TestSafeThreadLocal | "
+ "A value is not correctly stored in the thread-local storage.\n");
+ return 1;
+ }
+ }
+ return 0;
+}
+
+extern "C" int wmain(int argc, wchar_t* argv[]) {
+ int dummy = 0x1234;
+
+ auto origHead = SwapThreadLocalStoragePointer(nullptr);
+ // Setting gTheStorage when TLS is null.
+ setTheStorage(&dummy);
+ SwapThreadLocalStoragePointer(origHead);
+
+ nsAutoHandle handles[8];
+ for (auto& handle : handles) {
+ handle.own(reinterpret_cast<HANDLE>(
+ ::_beginthreadex(nullptr, 0, TestNonMainThread, nullptr, 0, nullptr)));
+ }
+
+ for (int i = 0; i < 100; ++i) {
+ if (getTheStorage() != &dummy) {
+ printf(
+ "TEST-FAILED | TestSafeThreadLocal | "
+ "A value is not correctly stored in the global scope.\n");
+ return 1;
+ }
+ }
+
+ for (auto& handle : handles) {
+ ::WaitForSingleObject(handle, INFINITE);
+
+#if !defined(MOZ_ASAN)
+ // ASAN builds under Windows 11 can have unexpected thread exit codes.
+ // See bug 1798796
+ DWORD exitCode;
+ if (!::GetExitCodeThread(handle, &exitCode) || exitCode) {
+ return 1;
+ }
+#endif // !defined(MOZ_ASAN)
+ }
+
+ return 0;
+}
diff --git a/browser/app/winlauncher/test/TestSameBinary.cpp b/browser/app/winlauncher/test/TestSameBinary.cpp
new file mode 100644
index 0000000000..2cb45f546f
--- /dev/null
+++ b/browser/app/winlauncher/test/TestSameBinary.cpp
@@ -0,0 +1,255 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#define MOZ_USE_LAUNCHER_ERROR
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <utility>
+
+#include "SameBinary.h"
+#include "mozilla/ArrayUtils.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/CmdLineAndEnvUtils.h"
+#include "mozilla/NativeNt.h"
+#include "mozilla/Unused.h"
+#include "mozilla/Vector.h"
+#include "mozilla/WinHeaderOnlyUtils.h"
+#include "nsWindowsHelpers.h"
+
+#define EXPECT_SAMEBINARY_IS(expected, option, message) \
+ do { \
+ mozilla::LauncherResult<bool> isSame = \
+ mozilla::IsSameBinaryAsParentProcess(option); \
+ if (isSame.isErr()) { \
+ PrintLauncherError(isSame, \
+ "IsSameBinaryAsParentProcess returned error " \
+ "when we were expecting success."); \
+ return 1; \
+ } \
+ if (isSame.unwrap() != expected) { \
+ PrintErrorMsg(message); \
+ return 1; \
+ } \
+ } while (0)
+
+/**
+ * This test involves three processes:
+ * 1. The "Monitor" process, which is executed by |MonitorMain|. This process
+ * is responsible for integrating with the test harness, so it spawns the
+ * "Parent" process (2), and then waits for the other two processes to
+ * finish.
+ * 2. The "Parent" process, which is executed by |ParentMain|. This process
+ * creates the "Child" process (3) and then waits indefinitely.
+ * 3. The "Child" process, which is executed by |ChildMain| and carries out
+ * the actual test. It terminates the Parent process during its execution,
+ * using the Child PID as the Parent process's exit code. This serves as a
+ * hacky yet effective way to signal to the Monitor process which PID it
+ * should wait on to ensure that the Child process has exited.
+ */
+
+static const char kMsgStart[] = "TEST-FAILED | SameBinary | ";
+
+inline void PrintErrorMsg(const char* aMsg) {
+ printf("%s%s\n", kMsgStart, aMsg);
+}
+
+inline void PrintWinError(const char* aMsg) {
+ mozilla::WindowsError err(mozilla::WindowsError::FromLastError());
+ printf("%s%s: %S\n", kMsgStart, aMsg, err.AsString().get());
+}
+
+template <typename T>
+inline void PrintLauncherError(const mozilla::LauncherResult<T>& aResult,
+ const char* aMsg = nullptr) {
+ const char* const kSep = aMsg ? ": " : "";
+ const char* msg = aMsg ? aMsg : "";
+ const mozilla::LauncherError& err = aResult.inspectErr();
+ printf("%s%s%s%S (%s:%d)\n", kMsgStart, msg, kSep,
+ err.mError.AsString().get(), err.mFile, err.mLine);
+}
+
+static int ChildMain(DWORD aExpectedParentPid) {
+ mozilla::LauncherResult<DWORD> parentPid = mozilla::nt::GetParentProcessId();
+ if (parentPid.isErr()) {
+ PrintLauncherError(parentPid);
+ return 1;
+ }
+
+ if (parentPid.inspect() != aExpectedParentPid) {
+ PrintErrorMsg("Unexpected mismatch of parent PIDs");
+ return 1;
+ }
+
+ const DWORD kAccess = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE;
+ nsAutoHandle parentProcess(
+ ::OpenProcess(kAccess, FALSE, parentPid.inspect()));
+ if (!parentProcess) {
+ PrintWinError("Unexpectedly failed to call OpenProcess on parent");
+ return 1;
+ }
+
+ EXPECT_SAMEBINARY_IS(
+ true, mozilla::ImageFileCompareOption::Default,
+ "IsSameBinaryAsParentProcess returned incorrect result for identical "
+ "binaries");
+ EXPECT_SAMEBINARY_IS(
+ true, mozilla::ImageFileCompareOption::CompareNtPathsOnly,
+ "IsSameBinaryAsParentProcess(CompareNtPathsOnly) returned incorrect "
+ "result for identical binaries");
+
+ // Total hack, but who cares? We'll set the parent's exit code as our PID
+ // so that the monitor process knows who to wait for!
+ if (!::TerminateProcess(parentProcess.get(), ::GetCurrentProcessId())) {
+ PrintWinError("Unexpected failure in TerminateProcess");
+ return 1;
+ }
+
+ // Close our handle to the parent process so that no references are held.
+ ::CloseHandle(parentProcess.disown());
+
+ // Querying a pid on a terminated process may still succeed some time after
+ // that process has been terminated. For the purposes of this test, we'll poll
+ // the OS until we cannot succesfully open the parentPid anymore.
+ const uint32_t kMaxAttempts = 100;
+ uint32_t curAttempt = 0;
+ while (HANDLE p = ::OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE,
+ parentPid.inspect())) {
+ ::CloseHandle(p);
+ ::Sleep(100);
+ ++curAttempt;
+ if (curAttempt >= kMaxAttempts) {
+ PrintErrorMsg(
+ "Exhausted retry attempts waiting for parent pid to become invalid");
+ return 1;
+ }
+ }
+
+ EXPECT_SAMEBINARY_IS(
+ false, mozilla::ImageFileCompareOption::Default,
+ "IsSameBinaryAsParentProcess returned incorrect result for dead parent "
+ "process");
+ EXPECT_SAMEBINARY_IS(
+ false, mozilla::ImageFileCompareOption::CompareNtPathsOnly,
+ "IsSameBinaryAsParentProcess(CompareNtPathsOnly) returned incorrect "
+ "result for dead parent process");
+
+ return 0;
+}
+
+static nsReturnRef<HANDLE> CreateSelfProcess(int argc, wchar_t* argv[]) {
+ nsAutoHandle empty;
+
+ DWORD myPid = ::GetCurrentProcessId();
+
+ wchar_t strPid[11] = {};
+#if defined(__MINGW32__)
+ _ultow(myPid, strPid, 16);
+#else
+ if (_ultow_s(myPid, strPid, 16)) {
+ PrintErrorMsg("_ultow_s failed");
+ return empty.out();
+ }
+#endif // defined(__MINGW32__)
+
+ wchar_t* extraArgs[] = {strPid};
+
+ auto cmdLine = mozilla::MakeCommandLine(
+ argc, argv, mozilla::ArrayLength(extraArgs), extraArgs);
+ if (!cmdLine) {
+ PrintErrorMsg("MakeCommandLine failed");
+ return empty.out();
+ }
+
+ STARTUPINFOW si = {sizeof(si)};
+ PROCESS_INFORMATION pi;
+ BOOL ok =
+ ::CreateProcessW(argv[0], cmdLine.get(), nullptr, nullptr, FALSE,
+ CREATE_UNICODE_ENVIRONMENT, nullptr, nullptr, &si, &pi);
+ if (!ok) {
+ PrintWinError("CreateProcess failed");
+ return empty.out();
+ }
+
+ nsAutoHandle proc(pi.hProcess);
+ nsAutoHandle thd(pi.hThread);
+
+ return proc.out();
+}
+
+static int ParentMain(int argc, wchar_t* argv[]) {
+ nsAutoHandle childProc(CreateSelfProcess(argc, argv));
+ if (!childProc) {
+ return 1;
+ }
+
+ if (::WaitForSingleObject(childProc.get(), INFINITE) != WAIT_OBJECT_0) {
+ PrintWinError(
+ "Unexpected result from WaitForSingleObject on child process");
+ return 1;
+ }
+
+ MOZ_ASSERT_UNREACHABLE("This process should be terminated by now");
+ return 0;
+}
+
+static int MonitorMain(int argc, wchar_t* argv[]) {
+ // In this process, "parent" means the process that will be running
+ // ParentMain, which is our child process (confusing, I know...)
+ nsAutoHandle parentProc(CreateSelfProcess(argc, argv));
+ if (!parentProc) {
+ return 1;
+ }
+
+ if (::WaitForSingleObject(parentProc.get(), 60000) != WAIT_OBJECT_0) {
+ PrintWinError("Unexpected result from WaitForSingleObject on parent");
+ return 1;
+ }
+
+ DWORD childPid;
+ if (!::GetExitCodeProcess(parentProc.get(), &childPid)) {
+ PrintWinError("GetExitCodeProcess failed");
+ return 1;
+ }
+
+ nsAutoHandle childProc(::OpenProcess(SYNCHRONIZE, FALSE, childPid));
+ if (!childProc) {
+ // Nothing to wait on anymore, which is OK.
+ return 0;
+ }
+
+ // We want no more references to parentProc
+ ::CloseHandle(parentProc.disown());
+
+ if (::WaitForSingleObject(childProc.get(), 60000) != WAIT_OBJECT_0) {
+ PrintWinError("Unexpected result from WaitForSingleObject on child");
+ return 1;
+ }
+
+ return 0;
+}
+
+extern "C" int wmain(int argc, wchar_t* argv[]) {
+ if (argc == 3) {
+ return ChildMain(wcstoul(argv[2], nullptr, 16));
+ }
+
+ if (!mozilla::SetArgv0ToFullBinaryPath(argv)) {
+ return 1;
+ }
+
+ if (argc == 1) {
+ return MonitorMain(argc, argv);
+ }
+
+ if (argc == 2) {
+ return ParentMain(argc, argv);
+ }
+
+ PrintErrorMsg("Unexpected argc");
+ return 1;
+}
diff --git a/browser/app/winlauncher/test/moz.build b/browser/app/winlauncher/test/moz.build
new file mode 100644
index 0000000000..a8503ddf55
--- /dev/null
+++ b/browser/app/winlauncher/test/moz.build
@@ -0,0 +1,30 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DisableStlWrapping()
+
+GeckoCppUnitTests(
+ [
+ "TestCrossProcessWin",
+ "TestSafeThreadLocal",
+ "TestSameBinary",
+ ],
+ linkage=None,
+)
+
+LOCAL_INCLUDES += [
+ "/browser/app/winlauncher",
+]
+
+OS_LIBS += [
+ "ntdll",
+]
+
+if CONFIG["CC_TYPE"] in ("gcc", "clang"):
+ # This allows us to use wmain as the entry point on mingw
+ LDFLAGS += [
+ "-municode",
+ ]