Bug 1565848: Revert latest change to MITIGATION_DLL_SEARCH_ORDER. r=aklotz
authorBob Owen <bobowencode@gmail.com>
Thu, 25 Jul 2019 17:44:24 +0000
changeset 484748 7ba557fab26e27e366372eaf3d78997f71185b20
parent 484747 d9ac2124b930dc8e2b494de989178dbdc7da1fa3
child 484749 cedf1207e1a9d8ea93ce5a7f125470af51cdfe4f
push id90914
push userbobowencode@gmail.com
push dateThu, 25 Jul 2019 18:28:51 +0000
reviewersaklotz
bugs1565848, 1568850
milestone70.0a1
Bug 1565848: Revert latest change to MITIGATION_DLL_SEARCH_ORDER. r=aklotz This is until any regressions can be fixed, see bug 1568850. Differential Revision: https://phabricator.services.mozilla.com/D39357
security/sandbox/chromium-shim/patches/with_update/patch_order.txt
security/sandbox/chromium-shim/patches/with_update/revert_removal_of_app_dir_for_DLL_load.patch
security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
security/sandbox/chromium/sandbox/win/src/security_level.h
--- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
+++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
@@ -18,8 +18,9 @@ fix_incorrect_int_use_in_Kernel32BaseVer
 revert_removal_of_AlterEnvironment_on_Windows.patch
 allow_env_changes.patch
 ifdef_out_AppContainerProfileBase_testing_functions.patch
 mingw_missing_windows_types_defines.patch
 mingw_undefine_MemoryBarrier.patch
 add_return_in_QueryCancellationTraitsForNonCancellables_to_satisfy_build.patch
 include_atomic_header_in_platform_thread.patch
 aarch64_control_flow_guard.patch
+revert_removal_of_app_dir_for_DLL_load.patch
new file mode 100644
--- /dev/null
+++ b/security/sandbox/chromium-shim/patches/with_update/revert_removal_of_app_dir_for_DLL_load.patch
@@ -0,0 +1,74 @@
+# HG changeset patch
+# User Bob Owen <bobowencode@gmail.com>
+# Date 1564062993 -3600
+#      Thu Jul 25 14:56:33 2019 +0100
+# Node ID aa8f8da7b00f1f751bf4a7c8a2cc58b290a328e0
+# Parent  69ac304560c98a733d44a0245fe9782dc6a465e2
+Bug 1565848: Revert latest change to MITIGATION_DLL_SEARCH_ORDER. r=handyman!
+
+This is until any regressions can be fixed, see bug 1568850.
+
+diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
+--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
++++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
+@@ -72,26 +72,17 @@ bool ApplyProcessMitigationsToCurrentPro
+ 
+   if (flags & MITIGATION_DLL_SEARCH_ORDER) {
+     SetDefaultDllDirectoriesFunction set_default_dll_directories =
+         reinterpret_cast<SetDefaultDllDirectoriesFunction>(
+             ::GetProcAddress(module, "SetDefaultDllDirectories"));
+ 
+     // Check for SetDefaultDllDirectories since it requires KB2533623.
+     if (set_default_dll_directories) {
+-#if defined(COMPONENT_BUILD)
+-      const DWORD directory_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS;
+-#else
+-      // In a non-component build, all DLLs will be loaded manually, or via
+-      // manifest definition, so these flags can be stronger. This prevents DLL
+-      // planting in the application directory.
+-      const DWORD directory_flags =
+-          LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS;
+-#endif
+-      if (!set_default_dll_directories(directory_flags) &&
++      if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) &&
+           ERROR_ACCESS_DENIED != ::GetLastError()) {
+         return false;
+       }
+     }
+   }
+ 
+   // Set the heap to terminate on corruption
+   if (flags & MITIGATION_HEAP_TERMINATE) {
+diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h
+--- a/security/sandbox/chromium/sandbox/win/src/security_level.h
++++ b/security/sandbox/chromium/sandbox/win/src/security_level.h
+@@ -192,25 +192,20 @@ const MitigationFlags MITIGATION_BOTTOM_
+ // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON
+ const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;
+ 
+ // Immediately raises an exception on a bad handle reference. Must be
+ // enabled after startup. Corresponds to
+ // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
+ const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;
+ 
+-// Strengthens the DLL search order. See
+-// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515. In a
+-// component build - sets this to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS allowing
+-// additional directories to be added via Windows AddDllDirectory() function,
+-// but preserving current load order. In a non-component build, all DLLs should
+-// be loaded manually, so strenthen to LOAD_LIBRARY_SEARCH_SYSTEM32 |
+-// LOAD_LIBRARY_SEARCH_USER_DIRS, removing LOAD_LIBRARY_SEARCH_APPLICATION_DIR,
+-// preventing DLLs being implicitly loaded from the application path. Must be
+-// enabled after startup.
++// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
++// directories can be added via the Windows AddDllDirectory() function.
++// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
++// Must be enabled after startup.
+ const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000200;
+ 
+ // Changes the mandatory integrity level policy on the current process' token
+ // to enable no-read and no-execute up. This prevents a lower IL process from
+ // opening the process token for impersonate/duplicate/assignment.
+ const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000400;
+ 
+ // Prevents the process from making Win32k calls. Corresponds to
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
+++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
@@ -72,26 +72,17 @@ bool ApplyProcessMitigationsToCurrentPro
 
   if (flags & MITIGATION_DLL_SEARCH_ORDER) {
     SetDefaultDllDirectoriesFunction set_default_dll_directories =
         reinterpret_cast<SetDefaultDllDirectoriesFunction>(
             ::GetProcAddress(module, "SetDefaultDllDirectories"));
 
     // Check for SetDefaultDllDirectories since it requires KB2533623.
     if (set_default_dll_directories) {
-#if defined(COMPONENT_BUILD)
-      const DWORD directory_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS;
-#else
-      // In a non-component build, all DLLs will be loaded manually, or via
-      // manifest definition, so these flags can be stronger. This prevents DLL
-      // planting in the application directory.
-      const DWORD directory_flags =
-          LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS;
-#endif
-      if (!set_default_dll_directories(directory_flags) &&
+      if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) &&
           ERROR_ACCESS_DENIED != ::GetLastError()) {
         return false;
       }
     }
   }
 
   // Set the heap to terminate on corruption
   if (flags & MITIGATION_HEAP_TERMINATE) {
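Review bot: The restored `set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)` call re-admits the application directory to the default search path (LOAD_LIBRARY_SEARCH_DEFAULT_DIRS is the union of the APPLICATION_DIR, SYSTEM32 and USER_DIRS flags, which is exactly what the removed non-component-build branch was tightening), yet nothing on the new side records that this is a deliberate, temporary step back. A reader of the patched file sees only the weaker flag with no pointer to the follow-up, so the revert risks becoming permanent by default; suggest a comment above the call: `// TODO(bug 1568850): reverted to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS (includes the application directory) until the regressions from the stricter SYSTEM32|USER_DIRS flags are fixed.` The security_level.h hunk has the same gap: its new comment names LOAD_LIBRARY_SEARCH_DEFAULT_DIRS but no longer tells consumers of MITIGATION_DLL_SEARCH_ORDER that the application directory stays searchable, which is the property the old text called out; one added sentence there would restore that caveat. The enclosing ApplyProcessMitigationsToCurrentProcess body starts and ends outside this hunk.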
--- a/security/sandbox/chromium/sandbox/win/src/security_level.h
+++ b/security/sandbox/chromium/sandbox/win/src/security_level.h
@@ -192,25 +192,20 @@ const MitigationFlags MITIGATION_BOTTOM_
 // PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON
 const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;
 
 // Immediately raises an exception on a bad handle reference. Must be
 // enabled after startup. Corresponds to
 // PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
 const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;
 
-// Strengthens the DLL search order. See
-// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515. In a
-// component build - sets this to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS allowing
-// additional directories to be added via Windows AddDllDirectory() function,
-// but preserving current load order. In a non-component build, all DLLs should
-// be loaded manually, so strenthen to LOAD_LIBRARY_SEARCH_SYSTEM32 |
-// LOAD_LIBRARY_SEARCH_USER_DIRS, removing LOAD_LIBRARY_SEARCH_APPLICATION_DIR,
-// preventing DLLs being implicitly loaded from the application path. Must be
-// enabled after startup.
+// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
+// directories can be added via the Windows AddDllDirectory() function.
+// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
+// Must be enabled after startup.
 const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000200;
 
 // Changes the mandatory integrity level policy on the current process' token
 // to enable no-read and no-execute up. This prevents a lower IL process from
 // opening the process token for impersonate/duplicate/assignment.
 const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000400;
 
 // Prevents the process from making Win32k calls. Corresponds to