Bug 1339729: Remove wow_helper from Windows process sandboxing. r=glandium
authorBob Owen <bobowencode@gmail.com>
Wed, 01 Mar 2017 10:41:07 +0000
changeset 345286 f73f900fab1c6e320786647327204cce7ba31bcb
parent 345285 479e6d9edfb7294b207ad511efa28ce9c538725f
child 345287 6d0ac4c74fd5a4e2f53e83c00ff8ca24abe5e1d7
push id31436
push userkwierso@gmail.com
push dateThu, 02 Mar 2017 01:18:52 +0000
treeherdermozilla-central@e91de6fb2b3d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersglandium
bugs1339729
milestone54.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1339729: Remove wow_helper from Windows process sandboxing. r=glandium
browser/installer/Makefile.in
browser/installer/package-manifest.in
python/mozbuild/mozbuild/compilation/database.py
security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.cc
security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.h
security/sandbox/chromium/sandbox/win/wow_helper/target_code.cc
security/sandbox/chromium/sandbox/win/wow_helper/target_code.h
security/sandbox/chromium/sandbox/win/wow_helper/wow_helper.cc
security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
security/sandbox/moz.build
security/sandbox/win/wow_helper/Makefile.in
security/sandbox/win/wow_helper/moz.build
--- a/browser/installer/Makefile.in
+++ b/browser/installer/Makefile.in
@@ -133,23 +133,16 @@ endif
 DEFINES += -DMOZ_ICU_DBG_SUFFIX=$(MOZ_ICU_DBG_SUFFIX)
 DEFINES += -DICU_DATA_FILE=$(ICU_DATA_FILE)
 ifdef CLANG_CXX
 DEFINES += -DCLANG_CXX
 endif
 ifdef CLANG_CL
 DEFINES += -DCLANG_CL
 endif
-ifeq (x86,$(CPU_ARCH))
-ifdef _MSC_VER
-ifndef CLANG_CL
-DEFINES += -DWOW_HELPER
-endif
-endif
-endif
 
 
 # Builds using the hybrid FasterMake/RecursiveMake backend will
 # fail to produce a langpack. See bug 1255096.
 libs::
 ifeq (,$(filter FasterMake+RecursiveMake,$(BUILD_BACKENDS)))
 	$(MAKE) -C $(DEPTH)/browser/locales langpack
 endif
--- a/browser/installer/package-manifest.in
+++ b/browser/installer/package-manifest.in
@@ -722,24 +722,16 @@
 #endif
 @RESPATH@/chrome/pippki@JAREXT@
 @RESPATH@/chrome/pippki.manifest
 @RESPATH@/components/pipnss.xpt
 @RESPATH@/components/pippki.xpt
 
 ; For process sandboxing
 #if defined(MOZ_SANDBOX)
-#if defined(XP_WIN)
-#if defined(WOW_HELPER)
-@BINPATH@/wow_helper.exe
-#endif
-#endif
-#endif
-
-#if defined(MOZ_SANDBOX)
 #if defined(XP_LINUX)
 @BINPATH@/@DLL_PREFIX@mozsandbox@DLL_SUFFIX@
 @RESPATH@/components/sandbox.xpt
 #endif
 #endif
 
 ; for Solaris SPARC
 #ifdef SOLARIS
--- a/python/mozbuild/mozbuild/compilation/database.py
+++ b/python/mozbuild/mozbuild/compilation/database.py
@@ -53,17 +53,16 @@ class CompileDBBackend(CommonBackend):
 
     def consume_object(self, obj):
         # Those are difficult directories, that will be handled later.
         if obj.relativedir in (
                 'build/unix/elfhack',
                 'build/unix/elfhack/inject',
                 'build/clang-plugin',
                 'build/clang-plugin/tests',
-                'security/sandbox/win/wow_helper',
                 'toolkit/crashreporter/google-breakpad/src/common'):
             return True
 
         consumed = CommonBackend.consume_object(self, obj)
 
         if consumed:
             return True
 
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.cc
+++ /dev/null
@@ -1,346 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/wow_helper/service64_resolver.h"
-
-#include <limits.h>
-#include <stddef.h>
-
-#include "base/bit_cast.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/wow_helper/target_code.h"
-
-namespace {
-#pragma pack(push, 1)
-
-const BYTE kMovEax = 0xB8;
-const BYTE kMovEdx = 0xBA;
-const USHORT kCallPtrEdx = 0x12FF;
-const BYTE kRet = 0xC2;
-const BYTE kNop = 0x90;
-const USHORT kJmpEdx = 0xE2FF;
-const USHORT kXorEcx = 0xC933;
-const ULONG kLeaEdx = 0x0424548D;
-const ULONG kCallFs1 = 0xC015FF64;
-const ULONG kCallFs2Ret = 0xC2000000;
-const BYTE kPopEdx = 0x5A;
-const BYTE kPushEdx = 0x52;
-const BYTE kPush32 = 0x68;
-
-const ULONG kMmovR10EcxMovEax = 0xB8D18B4C;
-const USHORT kSyscall = 0x050F;
-const BYTE kRetNp = 0xC3;
-const BYTE kPad = 0x66;
-const USHORT kNop16 = 0x9066;
-const BYTE kRelJmp = 0xE9;
-
-const ULONG kXorRaxMovEax = 0xB8C03148;
-const ULONG kSaveRcx = 0x10488948;
-const ULONG kMovRcxRaxJmp = 0xE9C88B48;
-
-// Service code for 64 bit systems.
-struct ServiceEntry {
-  // this struct contains roughly the following code:
-  // mov     r10,rcx
-  // mov     eax,52h
-  // syscall
-  // ret
-  // xchg    ax,ax
-  // xchg    ax,ax
-
-  ULONG mov_r10_ecx_mov_eax;  // = 4C 8B D1 B8
-  ULONG service_id;
-  USHORT syscall;             // = 0F 05
-  BYTE ret;                   // = C3
-  BYTE pad;                   // = 66
-  USHORT xchg_ax_ax1;         // = 66 90
-  USHORT xchg_ax_ax2;         // = 66 90
-};
-
-struct Redirected {
-  // this struct contains roughly the following code:
-  // jmp    relative_32
-  // xchg   ax,ax       // 3 byte nop
-
-  Redirected() {
-    jmp = kRelJmp;
-    relative = 0;
-    pad = kPad;
-    xchg_ax_ax = kNop16;
-  };
-  BYTE jmp;             // = E9
-  ULONG relative;
-  BYTE pad;             // = 66
-  USHORT xchg_ax_ax;    // = 66 90
-};
-
-struct InternalThunk {
-  // this struct contains roughly the following code:
-  // xor rax,rax
-  // mov eax, 0x00080000              // Thunk storage.
-  // mov [rax]PatchInfo.service, rcx  // Save first argument.
-  // mov rcx, rax
-  // jmp relative_to_interceptor
-
-  InternalThunk() {
-    xor_rax_mov_eax = kXorRaxMovEax;
-    patch_info = 0;
-    save_rcx = kSaveRcx;
-    mov_rcx_rax_jmp = kMovRcxRaxJmp;
-    relative = 0;
-  };
-  ULONG xor_rax_mov_eax;  // = 48 31 C0 B8
-  ULONG patch_info;
-  ULONG save_rcx;         // = 48 89 48 10
-  ULONG mov_rcx_rax_jmp;  // = 48 8b c8 e9
-  ULONG relative;
-};
-
-struct ServiceFullThunk {
-  sandbox::PatchInfo patch_info;
-  ServiceEntry original;
-  InternalThunk internal_thunk;
-};
-
-#pragma pack(pop)
-
-// Simple utility function to write to a buffer on the child, if the memery has
-// write protection attributes.
-// Arguments:
-// child_process (in): process to write to.
-// address (out): memory position on the child to write to.
-// buffer (in): local buffer with the data to write .
-// length (in): number of bytes to write.
-// Returns true on success.
-bool WriteProtectedChildMemory(HANDLE child_process,
-                               void* address,
-                               const void* buffer,
-                               size_t length) {
-  // first, remove the protections
-  DWORD old_protection;
-  if (!::VirtualProtectEx(child_process, address, length,
-                          PAGE_WRITECOPY, &old_protection))
-    return false;
-
-  SIZE_T written;
-  bool ok = ::WriteProcessMemory(child_process, address, buffer, length,
-                                 &written) && (length == written);
-
-  // always attempt to restore the original protection
-  if (!::VirtualProtectEx(child_process, address, length,
-                          old_protection, &old_protection))
-    return false;
-
-  return ok;
-}
-
-// Get pointers to the functions that we need from ntdll.dll.
-NTSTATUS ResolveNtdll(sandbox::PatchInfo* patch_info) {
-  wchar_t* ntdll_name = L"ntdll.dll";
-  HMODULE ntdll = ::GetModuleHandle(ntdll_name);
-  if (!ntdll)
-    return STATUS_PROCEDURE_NOT_FOUND;
-
-  void* signal = ::GetProcAddress(ntdll, "NtSignalAndWaitForSingleObject");
-  if (!signal)
-    return STATUS_PROCEDURE_NOT_FOUND;
-
-  patch_info->signal_and_wait =
-      reinterpret_cast<NtSignalAndWaitForSingleObjectFunction>(signal);
-
-  return STATUS_SUCCESS;
-}
-
-};  // namespace
-
-namespace sandbox {
-
-NTSTATUS ResolverThunk::Init(const void* target_module,
-                             const void* interceptor_module,
-                             const char* target_name,
-                             const char* interceptor_name,
-                             const void* interceptor_entry_point,
-                             void* thunk_storage,
-                             size_t storage_bytes) {
-  if (NULL == thunk_storage || 0 == storage_bytes ||
-      NULL == target_module || NULL == target_name)
-    return STATUS_INVALID_PARAMETER;
-
-  if (storage_bytes < GetThunkSize())
-    return STATUS_BUFFER_TOO_SMALL;
-
-  NTSTATUS ret = STATUS_SUCCESS;
-  if (NULL == interceptor_entry_point) {
-    ret = ResolveInterceptor(interceptor_module, interceptor_name,
-                             &interceptor_entry_point);
-    if (!NT_SUCCESS(ret))
-      return ret;
-  }
-
-  ret = ResolveTarget(target_module, target_name, &target_);
-  if (!NT_SUCCESS(ret))
-    return ret;
-
-  interceptor_ = interceptor_entry_point;
-
-  return ret;
-}
-
-NTSTATUS ResolverThunk::ResolveInterceptor(const void* interceptor_module,
-                                           const char* interceptor_name,
-                                           const void** address) {
-  return STATUS_NOT_IMPLEMENTED;
-}
-
-NTSTATUS ResolverThunk::ResolveTarget(const void* module,
-                                      const char* function_name,
-                                      void** address) {
-  return STATUS_NOT_IMPLEMENTED;
-}
-
-NTSTATUS Service64ResolverThunk::Setup(const void* target_module,
-                                       const void* interceptor_module,
-                                       const char* target_name,
-                                       const char* interceptor_name,
-                                       const void* interceptor_entry_point,
-                                       void* thunk_storage,
-                                       size_t storage_bytes,
-                                       size_t* storage_used) {
-  NTSTATUS ret = Init(target_module, interceptor_module, target_name,
-                      interceptor_name, interceptor_entry_point,
-                      thunk_storage, storage_bytes);
-  if (!NT_SUCCESS(ret))
-    return ret;
-
-  size_t thunk_bytes = GetThunkSize();
-  scoped_ptr<char[]> thunk_buffer(new char[thunk_bytes]);
-  ServiceFullThunk* thunk = reinterpret_cast<ServiceFullThunk*>(
-                                thunk_buffer.get());
-
-  if (!IsFunctionAService(&thunk->original))
-    return STATUS_UNSUCCESSFUL;
-
-  ret = PerformPatch(thunk, thunk_storage);
-
-  if (NULL != storage_used)
-    *storage_used = thunk_bytes;
-
-  return ret;
-}
-
-NTSTATUS Service64ResolverThunk::ResolveInterceptor(
-    const void* interceptor_module,
-    const char* interceptor_name,
-    const void** address) {
-  // After all, we are using a locally mapped version of the exe, so the
-  // action is the same as for a target function.
-  return ResolveTarget(interceptor_module, interceptor_name,
-                       const_cast<void**>(address));
-}
-
-// In this case all the work is done from the parent, so resolve is
-// just a simple GetProcAddress.
-NTSTATUS Service64ResolverThunk::ResolveTarget(const void* module,
-                                             const char* function_name,
-                                             void** address) {
-  if (NULL == module)
-    return STATUS_UNSUCCESSFUL;
-
-  *address = ::GetProcAddress(bit_cast<HMODULE>(module), function_name);
-
-  if (NULL == *address)
-    return STATUS_UNSUCCESSFUL;
-
-  return STATUS_SUCCESS;
-}
-
-size_t Service64ResolverThunk::GetThunkSize() const {
-  return sizeof(ServiceFullThunk);
-}
-
-bool Service64ResolverThunk::IsFunctionAService(void* local_thunk) const {
-  ServiceEntry function_code;
-  SIZE_T read;
-  if (!::ReadProcessMemory(process_, target_, &function_code,
-                           sizeof(function_code), &read))
-    return false;
-
-  if (sizeof(function_code) != read)
-    return false;
-
-  if (kMmovR10EcxMovEax != function_code.mov_r10_ecx_mov_eax ||
-      kSyscall != function_code.syscall || kRetNp != function_code.ret)
-    return false;
-
-  // Save the verified code
-  memcpy(local_thunk, &function_code, sizeof(function_code));
-
-  return true;
-}
-
-NTSTATUS Service64ResolverThunk::PerformPatch(void* local_thunk,
-                                              void* remote_thunk) {
-  ServiceFullThunk* full_local_thunk = reinterpret_cast<ServiceFullThunk*>(
-                                           local_thunk);
-  ServiceFullThunk* full_remote_thunk = reinterpret_cast<ServiceFullThunk*>(
-                                           remote_thunk);
-
-  // If the source or target are above 4GB we cannot do this relative jump.
-  if (reinterpret_cast<ULONG_PTR>(full_remote_thunk) >
-      static_cast<ULONG_PTR>(ULONG_MAX))
-    return STATUS_CONFLICTING_ADDRESSES;
-
-  if (reinterpret_cast<ULONG_PTR>(target_) > static_cast<ULONG_PTR>(ULONG_MAX))
-    return STATUS_CONFLICTING_ADDRESSES;
-
-  // Patch the original code.
-  Redirected local_service;
-  Redirected* remote_service = reinterpret_cast<Redirected*>(target_);
-  ULONG_PTR diff = reinterpret_cast<BYTE*>(&full_remote_thunk->internal_thunk) -
-                   &remote_service->pad;
-  local_service.relative = static_cast<ULONG>(diff);
-
-  // Setup the PatchInfo structure.
-  SIZE_T actual;
-  if (!::ReadProcessMemory(process_, remote_thunk, local_thunk,
-                           sizeof(PatchInfo), &actual))
-    return STATUS_UNSUCCESSFUL;
-  if (sizeof(PatchInfo) != actual)
-    return STATUS_UNSUCCESSFUL;
-
-  full_local_thunk->patch_info.orig_MapViewOfSection = reinterpret_cast<
-      NtMapViewOfSectionFunction>(&full_remote_thunk->original);
-  full_local_thunk->patch_info.patch_location = target_;
-  NTSTATUS ret = ResolveNtdll(&full_local_thunk->patch_info);
-  if (!NT_SUCCESS(ret))
-    return ret;
-
-  // Setup the thunk. The jump out is performed from right after the end of the
-  // thunk (full_remote_thunk + 1).
-  InternalThunk my_thunk;
-  ULONG_PTR patch_info = reinterpret_cast<ULONG_PTR>(remote_thunk);
-  my_thunk.patch_info = static_cast<ULONG>(patch_info);
-  diff = reinterpret_cast<const BYTE*>(interceptor_) -
-         reinterpret_cast<BYTE*>(full_remote_thunk + 1);
-  my_thunk.relative = static_cast<ULONG>(diff);
-
-  memcpy(&full_local_thunk->internal_thunk, &my_thunk, sizeof(my_thunk));
-
-  // copy the local thunk buffer to the child
-  if (!::WriteProcessMemory(process_, remote_thunk, local_thunk,
-                            sizeof(ServiceFullThunk), &actual))
-    return STATUS_UNSUCCESSFUL;
-
-  if (sizeof(ServiceFullThunk) != actual)
-    return STATUS_UNSUCCESSFUL;
-
-  // and now change the function to intercept, on the child
-  if (!::WriteProtectedChildMemory(process_, target_, &local_service,
-                                   sizeof(local_service)))
-    return STATUS_UNSUCCESSFUL;
-
-  return STATUS_SUCCESS;
-}
-
-}  // namespace sandbox
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.h
+++ /dev/null
@@ -1,75 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WOW_HELPER_SERVICE64_RESOLVER_H__
-#define SANDBOX_WOW_HELPER_SERVICE64_RESOLVER_H__
-
-#include <stddef.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/resolver.h"
-
-namespace sandbox {
-
-// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll (64-bit).
-class Service64ResolverThunk : public ResolverThunk {
- public:
-  // The service resolver needs a child process to write to.
-  explicit Service64ResolverThunk(HANDLE process)
-      : process_(process), ntdll_base_(NULL) {}
-  virtual ~Service64ResolverThunk() {}
-
-  // Implementation of Resolver::Setup.
-  virtual NTSTATUS Setup(const void* target_module,
-                         const void* interceptor_module,
-                         const char* target_name,
-                         const char* interceptor_name,
-                         const void* interceptor_entry_point,
-                         void* thunk_storage,
-                         size_t storage_bytes,
-                         size_t* storage_used);
-
-  // Implementation of Resolver::ResolveInterceptor.
-  virtual NTSTATUS ResolveInterceptor(const void* module,
-                                      const char* function_name,
-                                      const void** address);
-
-  // Implementation of Resolver::ResolveTarget.
-  virtual NTSTATUS ResolveTarget(const void* module,
-                                 const char* function_name,
-                                 void** address);
-
-  // Implementation of Resolver::GetThunkSize.
-  virtual size_t GetThunkSize() const;
-
- protected:
-  // The unit test will use this member to allow local patch on a buffer.
-  HMODULE ntdll_base_;
-
-  // Handle of the child process.
-  HANDLE process_;
-
- private:
-  // Returns true if the code pointer by target_ corresponds to the expected
-  // type of function. Saves that code on the first part of the thunk pointed
-  // by local_thunk (should be directly accessible from the parent).
-  virtual bool IsFunctionAService(void* local_thunk) const;
-
-  // Performs the actual patch of target_.
-  // local_thunk must be already fully initialized, and the first part must
-  // contain the original code. The real type of this buffer is ServiceFullThunk
-  // (yes, private). remote_thunk (real type ServiceFullThunk), must be
-  // allocated on the child, and will contain the thunk data, after this call.
-  // Returns the apropriate status code.
-  virtual NTSTATUS PerformPatch(void* local_thunk, void* remote_thunk);
-
-  DISALLOW_COPY_AND_ASSIGN(Service64ResolverThunk);
-};
-
-}  // namespace sandbox
-
-
-#endif  // SANDBOX_WOW_HELPER_SERVICE64_RESOLVER_H__
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/target_code.cc
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/wow_helper/target_code.h"
-
-namespace sandbox {
-
-// Hooks NtMapViewOfSection to detect the load of dlls.
-#pragma code_seg(push, code, ".TargetCode$A")
-NTSTATUS WINAPI TargetNtMapViewOfSection(
-    PatchInfo *patch_info, HANDLE process, PVOID *base, ULONG_PTR zero_bits,
-    SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
-    SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect) {
-  NTSTATUS ret = patch_info->orig_MapViewOfSection(patch_info->section, process,
-                                                   base, zero_bits, commit_size,
-                                                   offset, view_size, inherit,
-                                                   allocation_type, protect);
-
-  LARGE_INTEGER timeout;
-  timeout.QuadPart = -(5 * 10000000);  // 5 seconds.
-
-  // The wait is alertable.
-  patch_info->signal_and_wait(patch_info->dll_load, patch_info->continue_load,
-                              TRUE, &timeout);
-
-  return ret;
-}
-#pragma code_seg(pop, code)
-
-// Marks the end of the code to copy to the target process.
-#pragma code_seg(push, code, ".TargetCode$B")
-NTSTATUS WINAPI TargetEnd() {
-  return STATUS_SUCCESS;
-}
-#pragma code_seg(pop, code)
-
-}  // namespace sandbox
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/target_code.h
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WOW_HELPER_TARGET_CODE_H__
-#define SANDBOX_WOW_HELPER_TARGET_CODE_H__
-
-#include "sandbox/win/src/nt_internals.h"
-
-namespace sandbox {
-
-extern "C" {
-
-// Holds the information needed for the interception of NtMapViewOfSection.
-// Changes of this structure must be synchronized with changes of PatchInfo32
-// on sandbox/win/src/wow64.cc.
-struct PatchInfo {
-  HANDLE dll_load;  // Event to signal the broker.
-  HANDLE continue_load;  // Event to wait for the broker.
-  HANDLE section;  // First argument of the call.
-  NtMapViewOfSectionFunction orig_MapViewOfSection;
-  NtSignalAndWaitForSingleObjectFunction signal_and_wait;
-  void* patch_location;
-};
-
-// Interception of NtMapViewOfSection on the child process.
-// It should never be called directly. This function provides the means to
-// detect dlls being loaded, so we can patch them if needed.
-NTSTATUS WINAPI TargetNtMapViewOfSection(
-    PatchInfo* patch_info, HANDLE process, PVOID* base, ULONG_PTR zero_bits,
-    SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
-    SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect);
-
-// Marker of the end of TargetNtMapViewOfSection.
-NTSTATUS WINAPI TargetEnd();
-
-} // extern "C"
-
-}  // namespace sandbox
-
-#endif  // SANDBOX_WOW_HELPER_TARGET_CODE_H__
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/wow_helper.cc
+++ /dev/null
@@ -1,87 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Wow_helper.exe is a simple Win32 64-bit executable designed to help to
-// sandbox a 32 bit application running on a 64 bit OS. The basic idea is to
-// perform a 64 bit interception of the target process and notify the 32-bit
-// broker process whenever a DLL is being loaded. This allows the broker to
-// setup the interceptions (32-bit) properly on the target.
-
-#include <windows.h>
-#include <stddef.h>
-
-#include <string>
-
-#include "sandbox/win/wow_helper/service64_resolver.h"
-#include "sandbox/win/wow_helper/target_code.h"
-
-namespace sandbox {
-
-// Performs the interception of NtMapViewOfSection on the 64-bit version of
-// ntdll.dll. 'thunk' is the buffer on the address space of process 'child',
-// that will be used to store the information about the patch.
-int PatchNtdll(HANDLE child, void* thunk, size_t thunk_bytes) {
-  wchar_t* ntdll_name = L"ntdll.dll";
-  HMODULE ntdll_base = ::GetModuleHandle(ntdll_name);
-  if (!ntdll_base)
-    return 100;
-
-  Service64ResolverThunk resolver(child);
-  size_t used = resolver.GetThunkSize();
-  char* code = reinterpret_cast<char*>(thunk) + used;
-  NTSTATUS ret = resolver.Setup(ntdll_base, NULL, "NtMapViewOfSection", NULL,
-                                code, thunk, thunk_bytes, NULL);
-  if (!NT_SUCCESS(ret))
-    return 101;
-
-  size_t size = reinterpret_cast<char*>(&TargetEnd) -
-                reinterpret_cast<char*>(&TargetNtMapViewOfSection);
-
-  if (size + used > thunk_bytes)
-    return 102;
-
-  SIZE_T written;
-  if (!::WriteProcessMemory(child, code, &TargetNtMapViewOfSection, size,
-                            &written))
-    return 103;
-
-  if (size != written)
-    return 104;
-
-  return 0;
-}
-
-}  // namespace sandbox
-
-// We must receive two arguments: the process id of the target to intercept and
-// the address of a page of memory on that process that will be used for the
-// interception. We receive the address because the broker will cleanup the
-// patch when the work is performed.
-//
-// It should be noted that we don't wait until the real work is done; this
-// program quits as soon as the 64-bit interception is performed.
-int wWinMain(HINSTANCE, HINSTANCE, wchar_t* command_line, int) {
-  static_assert(sizeof(void*) > sizeof(DWORD), "unsupported 32 bits");
-  if (!command_line)
-    return 1;
-
-  wchar_t* next;
-  DWORD process_id = wcstoul(command_line, &next, 0);
-  if (!process_id)
-    return 2;
-
-  DWORD access = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
-  HANDLE child = ::OpenProcess(access, FALSE, process_id);
-  if (!child)
-    return 3;
-
-  DWORD buffer = wcstoul(next, NULL, 0);
-  if (!buffer)
-    return 4;
-
-  void* thunk = reinterpret_cast<void*>(static_cast<ULONG_PTR>(buffer));
-
-  const size_t kPageSize = 4096;
-  return sandbox::PatchNtdll(child, thunk, kPageSize);
-}
--- a/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
+++ b/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
@@ -1,9 +1,8 @@
 Please add a link to the bugzilla bug and patch name that should be re-applied.
 Also, please update any existing links to their actual mozilla-central changeset.
 
 https://hg.mozilla.org/mozilla-central/rev/a05726163a79
-https://hg.mozilla.org/mozilla-central/rev/7df8d6639971
 https://hg.mozilla.org/mozilla-central/rev/e834e810a3fa
 https://hg.mozilla.org/mozilla-central/rev/c70d06fa5302
 https://hg.mozilla.org/mozilla-central/rev/d24db55deb85
 https://bugzilla.mozilla.org/show_bug.cgi?id=1321724 bug1321724.patch
--- a/security/sandbox/moz.build
+++ b/security/sandbox/moz.build
@@ -18,20 +18,16 @@ elif CONFIG['OS_ARCH'] == 'WINNT':
     FORCE_STATIC_LIB = True
 
     DIRS += [
         'win/src/sandboxbroker',
         'win/src/sandboxpermissions',
         'win/src/sandboxtarget',
     ]
 
-    if (CONFIG['CPU_ARCH'] == 'x86' and CONFIG['_MSC_VER'] and not
-            CONFIG['CLANG_CL']):
-        DIRS += ['win/wow_helper']
-
     EXPORTS.mozilla.sandboxing += [
         'chromium-shim/sandbox/win/loggingCallbacks.h',
         'chromium-shim/sandbox/win/loggingTypes.h',
         'chromium-shim/sandbox/win/permissionsService.h',
         'chromium-shim/sandbox/win/sandboxLogging.h',
         'win/SandboxInitialization.h',
     ]
 
deleted file mode 100644
--- a/security/sandbox/win/wow_helper/Makefile.in
+++ /dev/null
@@ -1,47 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# We need to build a 64-bits binary during a 32-bits build. This requires
-# a different compiler and different library paths. Until the build system
-# supports this natively.
-
-# Some Make magic to avoid CXX and LIB being evaluated when nothing
-# is built in this directory
-lazy = $(if $(___$(1)),,$(eval ___$(1) := $(2)))$(___$(1))
-
-# We could use the `which` python module, but it needs more code to handle
-# the situation where CXX points to an absolute path. But using the shell
-# which returns a msys path, while we need a windows path. So force msys
-# to do the conversion for us by calling python with an environment variable
-# with the result of the call to `which`. Then munge that path to add the
-# x64 cross-compiler path.
-ifdef MOZ_USING_COMPILER_WRAPPER
-ORIG_CXX := cl
-else
-ORIG_CXX := $(CXX)
-endif
-CXX = $(call lazy,CXX,"$$(subst amd64_x86/x86_amd64/,amd64/,$$(shell CL=`which "$(ORIG_CXX)"` $(PYTHON) -c 'import os; print os.path.dirname(os.environ["CL"])')/x86_amd64/cl.exe)")
-
-MOZ_WINCONSOLE = 0
-
-include $(topsrcdir)/config/config.mk
-
-# Munge the LIB variable to contain paths to the x64 CRT and system libraries.
-# Unconveniently, none of the paths have the same convention, including the
-# compiler path above.
-LIB = $(call lazy,LIB,$$(shell python -c 'import os; print ";".join(s.lower().replace(os.sep, "/").replace("/vc/lib", "/vc/lib/amd64").replace("/um/x86", "/um/x64").replace("/ucrt/x86", "/ucrt/x64") for s in os.environ["LIB"].split(";"))'))
-
-CXXFLAGS := $(filter-out -arch:%,$(CXXFLAGS))
-
-# OS_COMPILE_CXXFLAGS includes mozilla-config.h, which contains x86-specific
-# defines breaking the build.
-OS_COMPILE_CXXFLAGS :=
-
-# LNK1246: '/SAFESEH' not compatible with 'x64' target machine
-LDFLAGS := $(filter-out -SAFESEH,$(LDFLAGS))
-
-# When targetting x64, we need to specify a subsystem of at least 5.02, because
-# the 5.01 value we inherit from the x86 parts is silently ignored, making the
-# linker default to 6.00 (Vista) as of VS2013.
-WIN32_GUI_EXE_LDFLAGS=-SUBSYSTEM:WINDOWS,5.02
deleted file mode 100644
--- a/security/sandbox/win/wow_helper/moz.build
+++ /dev/null
@@ -1,30 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-Program('wow_helper')
-
-SOURCES += [ '../../chromium/sandbox/win/wow_helper/' + f for f in (
-    'service64_resolver.cc',
-    'target_code.cc',
-    'wow_helper.cc',
-)]
-
-LOCAL_INCLUDES += [
-    '../../',
-    '../../../',
-    '../../chromium/',
-]
-
-DISABLE_STL_WRAPPING = True
-
-DEFINES['UNICODE'] = True
-
-USE_STATIC_LIBS = True
-
-# The rules in Makefile.in only force the use of the 64-bits compiler, not
-# the 64-bits linker, and the 32-bits linker can't do 64-bits compilation for
-# PGO, so disable PGO, which is not interesting for this small binary anyways.
-NO_PGO = True