Bug 1339729: Remove wow_helper from Windows process sandboxing. r=glandium
authorBob Owen <bobowencode@gmail.com>
Wed, 01 Mar 2017 10:41:07 +0000
changeset 374313 f73f900fab1c6e320786647327204cce7ba31bcb
parent 374312 479e6d9edfb7294b207ad511efa28ce9c538725f
child 374314 6d0ac4c74fd5a4e2f53e83c00ff8ca24abe5e1d7
push id10863
push userjlorenzo@mozilla.com
push dateMon, 06 Mar 2017 23:02:23 +0000
treeherdermozilla-aurora@0931190cd725 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersglandium
bugs1339729
milestone54.0a1
Bug 1339729: Remove wow_helper from Windows process sandboxing. r=glandium
browser/installer/Makefile.in
browser/installer/package-manifest.in
python/mozbuild/mozbuild/compilation/database.py
security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.cc
security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.h
security/sandbox/chromium/sandbox/win/wow_helper/target_code.cc
security/sandbox/chromium/sandbox/win/wow_helper/target_code.h
security/sandbox/chromium/sandbox/win/wow_helper/wow_helper.cc
security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
security/sandbox/moz.build
security/sandbox/win/wow_helper/Makefile.in
security/sandbox/win/wow_helper/moz.build
--- a/browser/installer/Makefile.in
+++ b/browser/installer/Makefile.in
@@ -133,23 +133,16 @@ endif
 DEFINES += -DMOZ_ICU_DBG_SUFFIX=$(MOZ_ICU_DBG_SUFFIX)
 DEFINES += -DICU_DATA_FILE=$(ICU_DATA_FILE)
 ifdef CLANG_CXX
 DEFINES += -DCLANG_CXX
 endif
 ifdef CLANG_CL
 DEFINES += -DCLANG_CL
 endif
-ifeq (x86,$(CPU_ARCH))
-ifdef _MSC_VER
-ifndef CLANG_CL
-DEFINES += -DWOW_HELPER
-endif
-endif
-endif
 
 
 # Builds using the hybrid FasterMake/RecursiveMake backend will
 # fail to produce a langpack. See bug 1255096.
 libs::
 ifeq (,$(filter FasterMake+RecursiveMake,$(BUILD_BACKENDS)))
 	$(MAKE) -C $(DEPTH)/browser/locales langpack
 endif
--- a/browser/installer/package-manifest.in
+++ b/browser/installer/package-manifest.in
@@ -722,24 +722,16 @@
 #endif
 @RESPATH@/chrome/pippki@JAREXT@
 @RESPATH@/chrome/pippki.manifest
 @RESPATH@/components/pipnss.xpt
 @RESPATH@/components/pippki.xpt
 
 ; For process sandboxing
 #if defined(MOZ_SANDBOX)
-#if defined(XP_WIN)
-#if defined(WOW_HELPER)
-@BINPATH@/wow_helper.exe
-#endif
-#endif
-#endif
-
-#if defined(MOZ_SANDBOX)
 #if defined(XP_LINUX)
 @BINPATH@/@DLL_PREFIX@mozsandbox@DLL_SUFFIX@
 @RESPATH@/components/sandbox.xpt
 #endif
 #endif
 
 ; for Solaris SPARC
 #ifdef SOLARIS
--- a/python/mozbuild/mozbuild/compilation/database.py
+++ b/python/mozbuild/mozbuild/compilation/database.py
@@ -53,17 +53,16 @@ class CompileDBBackend(CommonBackend):
 
     def consume_object(self, obj):
         # Those are difficult directories, that will be handled later.
         if obj.relativedir in (
                 'build/unix/elfhack',
                 'build/unix/elfhack/inject',
                 'build/clang-plugin',
                 'build/clang-plugin/tests',
-                'security/sandbox/win/wow_helper',
                 'toolkit/crashreporter/google-breakpad/src/common'):
             return True
 
         consumed = CommonBackend.consume_object(self, obj)
 
         if consumed:
             return True
 
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.cc
+++ /dev/null
@@ -1,346 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/wow_helper/service64_resolver.h"
-
-#include <limits.h>
-#include <stddef.h>
-
-#include "base/bit_cast.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/wow_helper/target_code.h"
-
-namespace {
-#pragma pack(push, 1)
-
-const BYTE kMovEax = 0xB8;
-const BYTE kMovEdx = 0xBA;
-const USHORT kCallPtrEdx = 0x12FF;
-const BYTE kRet = 0xC2;
-const BYTE kNop = 0x90;
-const USHORT kJmpEdx = 0xE2FF;
-const USHORT kXorEcx = 0xC933;
-const ULONG kLeaEdx = 0x0424548D;
-const ULONG kCallFs1 = 0xC015FF64;
-const ULONG kCallFs2Ret = 0xC2000000;
-const BYTE kPopEdx = 0x5A;
-const BYTE kPushEdx = 0x52;
-const BYTE kPush32 = 0x68;
-
-const ULONG kMmovR10EcxMovEax = 0xB8D18B4C;
-const USHORT kSyscall = 0x050F;
-const BYTE kRetNp = 0xC3;
-const BYTE kPad = 0x66;
-const USHORT kNop16 = 0x9066;
-const BYTE kRelJmp = 0xE9;
-
-const ULONG kXorRaxMovEax = 0xB8C03148;
-const ULONG kSaveRcx = 0x10488948;
-const ULONG kMovRcxRaxJmp = 0xE9C88B48;
-
-// Service code for 64 bit systems.
-struct ServiceEntry {
-  // this struct contains roughly the following code:
-  // mov     r10,rcx
-  // mov     eax,52h
-  // syscall
-  // ret
-  // xchg    ax,ax
-  // xchg    ax,ax
-
-  ULONG mov_r10_ecx_mov_eax;  // = 4C 8B D1 B8
-  ULONG service_id;
-  USHORT syscall;             // = 0F 05
-  BYTE ret;                   // = C3
-  BYTE pad;                   // = 66
-  USHORT xchg_ax_ax1;         // = 66 90
-  USHORT xchg_ax_ax2;         // = 66 90
-};
-
-struct Redirected {
-  // this struct contains roughly the following code:
-  // jmp    relative_32
-  // xchg   ax,ax       // 3 byte nop
-
-  Redirected() {
-    jmp = kRelJmp;
-    relative = 0;
-    pad = kPad;
-    xchg_ax_ax = kNop16;
-  };
-  BYTE jmp;             // = E9
-  ULONG relative;
-  BYTE pad;             // = 66
-  USHORT xchg_ax_ax;    // = 66 90
-};
-
-struct InternalThunk {
-  // this struct contains roughly the following code:
-  // xor rax,rax
-  // mov eax, 0x00080000              // Thunk storage.
-  // mov [rax]PatchInfo.service, rcx  // Save first argument.
-  // mov rcx, rax
-  // jmp relative_to_interceptor
-
-  InternalThunk() {
-    xor_rax_mov_eax = kXorRaxMovEax;
-    patch_info = 0;
-    save_rcx = kSaveRcx;
-    mov_rcx_rax_jmp = kMovRcxRaxJmp;
-    relative = 0;
-  };
-  ULONG xor_rax_mov_eax;  // = 48 31 C0 B8
-  ULONG patch_info;
-  ULONG save_rcx;         // = 48 89 48 10
-  ULONG mov_rcx_rax_jmp;  // = 48 8b c8 e9
-  ULONG relative;
-};
-
-struct ServiceFullThunk {
-  sandbox::PatchInfo patch_info;
-  ServiceEntry original;
-  InternalThunk internal_thunk;
-};
-
-#pragma pack(pop)
-
-// Simple utility function to write to a buffer on the child, if the memery has
-// write protection attributes.
-// Arguments:
-// child_process (in): process to write to.
-// address (out): memory position on the child to write to.
-// buffer (in): local buffer with the data to write .
-// length (in): number of bytes to write.
-// Returns true on success.
-bool WriteProtectedChildMemory(HANDLE child_process,
-                               void* address,
-                               const void* buffer,
-                               size_t length) {
-  // first, remove the protections
-  DWORD old_protection;
-  if (!::VirtualProtectEx(child_process, address, length,
-                          PAGE_WRITECOPY, &old_protection))
-    return false;
-
-  SIZE_T written;
-  bool ok = ::WriteProcessMemory(child_process, address, buffer, length,
-                                 &written) && (length == written);
-
-  // always attempt to restore the original protection
-  if (!::VirtualProtectEx(child_process, address, length,
-                          old_protection, &old_protection))
-    return false;
-
-  return ok;
-}
-
-// Get pointers to the functions that we need from ntdll.dll.
-NTSTATUS ResolveNtdll(sandbox::PatchInfo* patch_info) {
-  wchar_t* ntdll_name = L"ntdll.dll";
-  HMODULE ntdll = ::GetModuleHandle(ntdll_name);
-  if (!ntdll)
-    return STATUS_PROCEDURE_NOT_FOUND;
-
-  void* signal = ::GetProcAddress(ntdll, "NtSignalAndWaitForSingleObject");
-  if (!signal)
-    return STATUS_PROCEDURE_NOT_FOUND;
-
-  patch_info->signal_and_wait =
-      reinterpret_cast<NtSignalAndWaitForSingleObjectFunction>(signal);
-
-  return STATUS_SUCCESS;
-}
-
-};  // namespace
-
-namespace sandbox {
-
-NTSTATUS ResolverThunk::Init(const void* target_module,
-                             const void* interceptor_module,
-                             const char* target_name,
-                             const char* interceptor_name,
-                             const void* interceptor_entry_point,
-                             void* thunk_storage,
-                             size_t storage_bytes) {
-  if (NULL == thunk_storage || 0 == storage_bytes ||
-      NULL == target_module || NULL == target_name)
-    return STATUS_INVALID_PARAMETER;
-
-  if (storage_bytes < GetThunkSize())
-    return STATUS_BUFFER_TOO_SMALL;
-
-  NTSTATUS ret = STATUS_SUCCESS;
-  if (NULL == interceptor_entry_point) {
-    ret = ResolveInterceptor(interceptor_module, interceptor_name,
-                             &interceptor_entry_point);
-    if (!NT_SUCCESS(ret))
-      return ret;
-  }
-
-  ret = ResolveTarget(target_module, target_name, &target_);
-  if (!NT_SUCCESS(ret))
-    return ret;
-
-  interceptor_ = interceptor_entry_point;
-
-  return ret;
-}
-
-NTSTATUS ResolverThunk::ResolveInterceptor(const void* interceptor_module,
-                                           const char* interceptor_name,
-                                           const void** address) {
-  return STATUS_NOT_IMPLEMENTED;
-}
-
-NTSTATUS ResolverThunk::ResolveTarget(const void* module,
-                                      const char* function_name,
-                                      void** address) {
-  return STATUS_NOT_IMPLEMENTED;
-}
-
-NTSTATUS Service64ResolverThunk::Setup(const void* target_module,
-                                       const void* interceptor_module,
-                                       const char* target_name,
-                                       const char* interceptor_name,
-                                       const void* interceptor_entry_point,
-                                       void* thunk_storage,
-                                       size_t storage_bytes,
-                                       size_t* storage_used) {
-  NTSTATUS ret = Init(target_module, interceptor_module, target_name,
-                      interceptor_name, interceptor_entry_point,
-                      thunk_storage, storage_bytes);
-  if (!NT_SUCCESS(ret))
-    return ret;
-
-  size_t thunk_bytes = GetThunkSize();
-  scoped_ptr<char[]> thunk_buffer(new char[thunk_bytes]);
-  ServiceFullThunk* thunk = reinterpret_cast<ServiceFullThunk*>(
-                                thunk_buffer.get());
-
-  if (!IsFunctionAService(&thunk->original))
-    return STATUS_UNSUCCESSFUL;
-
-  ret = PerformPatch(thunk, thunk_storage);
-
-  if (NULL != storage_used)
-    *storage_used = thunk_bytes;
-
-  return ret;
-}
-
-NTSTATUS Service64ResolverThunk::ResolveInterceptor(
-    const void* interceptor_module,
-    const char* interceptor_name,
-    const void** address) {
-  // After all, we are using a locally mapped version of the exe, so the
-  // action is the same as for a target function.
-  return ResolveTarget(interceptor_module, interceptor_name,
-                       const_cast<void**>(address));
-}
-
-// In this case all the work is done from the parent, so resolve is
-// just a simple GetProcAddress.
-NTSTATUS Service64ResolverThunk::ResolveTarget(const void* module,
-                                             const char* function_name,
-                                             void** address) {
-  if (NULL == module)
-    return STATUS_UNSUCCESSFUL;
-
-  *address = ::GetProcAddress(bit_cast<HMODULE>(module), function_name);
-
-  if (NULL == *address)
-    return STATUS_UNSUCCESSFUL;
-
-  return STATUS_SUCCESS;
-}
-
-size_t Service64ResolverThunk::GetThunkSize() const {
-  return sizeof(ServiceFullThunk);
-}
-
-bool Service64ResolverThunk::IsFunctionAService(void* local_thunk) const {
-  ServiceEntry function_code;
-  SIZE_T read;
-  if (!::ReadProcessMemory(process_, target_, &function_code,
-                           sizeof(function_code), &read))
-    return false;
-
-  if (sizeof(function_code) != read)
-    return false;
-
-  if (kMmovR10EcxMovEax != function_code.mov_r10_ecx_mov_eax ||
-      kSyscall != function_code.syscall || kRetNp != function_code.ret)
-    return false;
-
-  // Save the verified code
-  memcpy(local_thunk, &function_code, sizeof(function_code));
-
-  return true;
-}
-
-NTSTATUS Service64ResolverThunk::PerformPatch(void* local_thunk,
-                                              void* remote_thunk) {
-  ServiceFullThunk* full_local_thunk = reinterpret_cast<ServiceFullThunk*>(
-                                           local_thunk);
-  ServiceFullThunk* full_remote_thunk = reinterpret_cast<ServiceFullThunk*>(
-                                           remote_thunk);
-
-  // If the source or target are above 4GB we cannot do this relative jump.
-  if (reinterpret_cast<ULONG_PTR>(full_remote_thunk) >
-      static_cast<ULONG_PTR>(ULONG_MAX))
-    return STATUS_CONFLICTING_ADDRESSES;
-
-  if (reinterpret_cast<ULONG_PTR>(target_) > static_cast<ULONG_PTR>(ULONG_MAX))
-    return STATUS_CONFLICTING_ADDRESSES;
-
-  // Patch the original code.
-  Redirected local_service;
-  Redirected* remote_service = reinterpret_cast<Redirected*>(target_);
-  ULONG_PTR diff = reinterpret_cast<BYTE*>(&full_remote_thunk->internal_thunk) -
-                   &remote_service->pad;
-  local_service.relative = static_cast<ULONG>(diff);
-
-  // Setup the PatchInfo structure.
-  SIZE_T actual;
-  if (!::ReadProcessMemory(process_, remote_thunk, local_thunk,
-                           sizeof(PatchInfo), &actual))
-    return STATUS_UNSUCCESSFUL;
-  if (sizeof(PatchInfo) != actual)
-    return STATUS_UNSUCCESSFUL;
-
-  full_local_thunk->patch_info.orig_MapViewOfSection = reinterpret_cast<
-      NtMapViewOfSectionFunction>(&full_remote_thunk->original);
-  full_local_thunk->patch_info.patch_location = target_;
-  NTSTATUS ret = ResolveNtdll(&full_local_thunk->patch_info);
-  if (!NT_SUCCESS(ret))
-    return ret;
-
-  // Setup the thunk. The jump out is performed from right after the end of the
-  // thunk (full_remote_thunk + 1).
-  InternalThunk my_thunk;
-  ULONG_PTR patch_info = reinterpret_cast<ULONG_PTR>(remote_thunk);
-  my_thunk.patch_info = static_cast<ULONG>(patch_info);
-  diff = reinterpret_cast<const BYTE*>(interceptor_) -
-         reinterpret_cast<BYTE*>(full_remote_thunk + 1);
-  my_thunk.relative = static_cast<ULONG>(diff);
-
-  memcpy(&full_local_thunk->internal_thunk, &my_thunk, sizeof(my_thunk));
-
-  // copy the local thunk buffer to the child
-  if (!::WriteProcessMemory(process_, remote_thunk, local_thunk,
-                            sizeof(ServiceFullThunk), &actual))
-    return STATUS_UNSUCCESSFUL;
-
-  if (sizeof(ServiceFullThunk) != actual)
-    return STATUS_UNSUCCESSFUL;
-
-  // and now change the function to intercept, on the child
-  if (!::WriteProtectedChildMemory(process_, target_, &local_service,
-                                   sizeof(local_service)))
-    return STATUS_UNSUCCESSFUL;
-
-  return STATUS_SUCCESS;
-}
-
-}  // namespace sandbox
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.h
+++ /dev/null
@@ -1,75 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WOW_HELPER_SERVICE64_RESOLVER_H__
-#define SANDBOX_WOW_HELPER_SERVICE64_RESOLVER_H__
-
-#include <stddef.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/resolver.h"
-
-namespace sandbox {
-
-// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll (64-bit).
-class Service64ResolverThunk : public ResolverThunk {
- public:
-  // The service resolver needs a child process to write to.
-  explicit Service64ResolverThunk(HANDLE process)
-      : process_(process), ntdll_base_(NULL) {}
-  virtual ~Service64ResolverThunk() {}
-
-  // Implementation of Resolver::Setup.
-  virtual NTSTATUS Setup(const void* target_module,
-                         const void* interceptor_module,
-                         const char* target_name,
-                         const char* interceptor_name,
-                         const void* interceptor_entry_point,
-                         void* thunk_storage,
-                         size_t storage_bytes,
-                         size_t* storage_used);
-
-  // Implementation of Resolver::ResolveInterceptor.
-  virtual NTSTATUS ResolveInterceptor(const void* module,
-                                      const char* function_name,
-                                      const void** address);
-
-  // Implementation of Resolver::ResolveTarget.
-  virtual NTSTATUS ResolveTarget(const void* module,
-                                 const char* function_name,
-                                 void** address);
-
-  // Implementation of Resolver::GetThunkSize.
-  virtual size_t GetThunkSize() const;
-
- protected:
-  // The unit test will use this member to allow local patch on a buffer.
-  HMODULE ntdll_base_;
-
-  // Handle of the child process.
-  HANDLE process_;
-
- private:
-  // Returns true if the code pointer by target_ corresponds to the expected
-  // type of function. Saves that code on the first part of the thunk pointed
-  // by local_thunk (should be directly accessible from the parent).
-  virtual bool IsFunctionAService(void* local_thunk) const;
-
-  // Performs the actual patch of target_.
-  // local_thunk must be already fully initialized, and the first part must
-  // contain the original code. The real type of this buffer is ServiceFullThunk
-  // (yes, private). remote_thunk (real type ServiceFullThunk), must be
-  // allocated on the child, and will contain the thunk data, after this call.
-  // Returns the apropriate status code.
-  virtual NTSTATUS PerformPatch(void* local_thunk, void* remote_thunk);
-
-  DISALLOW_COPY_AND_ASSIGN(Service64ResolverThunk);
-};
-
-}  // namespace sandbox
-
-
-#endif  // SANDBOX_WOW_HELPER_SERVICE64_RESOLVER_H__
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/target_code.cc
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/wow_helper/target_code.h"
-
-namespace sandbox {
-
-// Hooks NtMapViewOfSection to detect the load of dlls.
-#pragma code_seg(push, code, ".TargetCode$A")
-NTSTATUS WINAPI TargetNtMapViewOfSection(
-    PatchInfo *patch_info, HANDLE process, PVOID *base, ULONG_PTR zero_bits,
-    SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
-    SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect) {
-  NTSTATUS ret = patch_info->orig_MapViewOfSection(patch_info->section, process,
-                                                   base, zero_bits, commit_size,
-                                                   offset, view_size, inherit,
-                                                   allocation_type, protect);
-
-  LARGE_INTEGER timeout;
-  timeout.QuadPart = -(5 * 10000000);  // 5 seconds.
-
-  // The wait is alertable.
-  patch_info->signal_and_wait(patch_info->dll_load, patch_info->continue_load,
-                              TRUE, &timeout);
-
-  return ret;
-}
-#pragma code_seg(pop, code)
-
-// Marks the end of the code to copy to the target process.
-#pragma code_seg(push, code, ".TargetCode$B")
-NTSTATUS WINAPI TargetEnd() {
-  return STATUS_SUCCESS;
-}
-#pragma code_seg(pop, code)
-
-}  // namespace sandbox
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/target_code.h
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WOW_HELPER_TARGET_CODE_H__
-#define SANDBOX_WOW_HELPER_TARGET_CODE_H__
-
-#include "sandbox/win/src/nt_internals.h"
-
-namespace sandbox {
-
-extern "C" {
-
-// Holds the information needed for the interception of NtMapViewOfSection.
-// Changes of this structure must be synchronized with changes of PatchInfo32
-// on sandbox/win/src/wow64.cc.
-struct PatchInfo {
-  HANDLE dll_load;  // Event to signal the broker.
-  HANDLE continue_load;  // Event to wait for the broker.
-  HANDLE section;  // First argument of the call.
-  NtMapViewOfSectionFunction orig_MapViewOfSection;
-  NtSignalAndWaitForSingleObjectFunction signal_and_wait;
-  void* patch_location;
-};
-
-// Interception of NtMapViewOfSection on the child process.
-// It should never be called directly. This function provides the means to
-// detect dlls being loaded, so we can patch them if needed.
-NTSTATUS WINAPI TargetNtMapViewOfSection(
-    PatchInfo* patch_info, HANDLE process, PVOID* base, ULONG_PTR zero_bits,
-    SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
-    SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect);
-
-// Marker of the end of TargetNtMapViewOfSection.
-NTSTATUS WINAPI TargetEnd();
-
-} // extern "C"
-
-}  // namespace sandbox
-
-#endif  // SANDBOX_WOW_HELPER_TARGET_CODE_H__
deleted file mode 100644
--- a/security/sandbox/chromium/sandbox/win/wow_helper/wow_helper.cc
+++ /dev/null
@@ -1,87 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Wow_helper.exe is a simple Win32 64-bit executable designed to help to
-// sandbox a 32 bit application running on a 64 bit OS. The basic idea is to
-// perform a 64 bit interception of the target process and notify the 32-bit
-// broker process whenever a DLL is being loaded. This allows the broker to
-// setup the interceptions (32-bit) properly on the target.
-
-#include <windows.h>
-#include <stddef.h>
-
-#include <string>
-
-#include "sandbox/win/wow_helper/service64_resolver.h"
-#include "sandbox/win/wow_helper/target_code.h"
-
-namespace sandbox {
-
-// Performs the interception of NtMapViewOfSection on the 64-bit version of
-// ntdll.dll. 'thunk' is the buffer on the address space of process 'child',
-// that will be used to store the information about the patch.
-int PatchNtdll(HANDLE child, void* thunk, size_t thunk_bytes) {
-  wchar_t* ntdll_name = L"ntdll.dll";
-  HMODULE ntdll_base = ::GetModuleHandle(ntdll_name);
-  if (!ntdll_base)
-    return 100;
-
-  Service64ResolverThunk resolver(child);
-  size_t used = resolver.GetThunkSize();
-  char* code = reinterpret_cast<char*>(thunk) + used;
-  NTSTATUS ret = resolver.Setup(ntdll_base, NULL, "NtMapViewOfSection", NULL,
-                                code, thunk, thunk_bytes, NULL);
-  if (!NT_SUCCESS(ret))
-    return 101;
-
-  size_t size = reinterpret_cast<char*>(&TargetEnd) -
-                reinterpret_cast<char*>(&TargetNtMapViewOfSection);
-
-  if (size + used > thunk_bytes)
-    return 102;
-
-  SIZE_T written;
-  if (!::WriteProcessMemory(child, code, &TargetNtMapViewOfSection, size,
-                            &written))
-    return 103;
-
-  if (size != written)
-    return 104;
-
-  return 0;
-}
-
-}  // namespace sandbox
-
-// We must receive two arguments: the process id of the target to intercept and
-// the address of a page of memory on that process that will be used for the
-// interception. We receive the address because the broker will cleanup the
-// patch when the work is performed.
-//
-// It should be noted that we don't wait until the real work is done; this
-// program quits as soon as the 64-bit interception is performed.
-int wWinMain(HINSTANCE, HINSTANCE, wchar_t* command_line, int) {
-  static_assert(sizeof(void*) > sizeof(DWORD), "unsupported 32 bits");
-  if (!command_line)
-    return 1;
-
-  wchar_t* next;
-  DWORD process_id = wcstoul(command_line, &next, 0);
-  if (!process_id)
-    return 2;
-
-  DWORD access = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
-  HANDLE child = ::OpenProcess(access, FALSE, process_id);
-  if (!child)
-    return 3;
-
-  DWORD buffer = wcstoul(next, NULL, 0);
-  if (!buffer)
-    return 4;
-
-  void* thunk = reinterpret_cast<void*>(static_cast<ULONG_PTR>(buffer));
-
-  const size_t kPageSize = 4096;
-  return sandbox::PatchNtdll(child, thunk, kPageSize);
-}
--- a/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
+++ b/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
@@ -1,9 +1,8 @@
 Please add a link to the bugzilla bug and patch name that should be re-applied.
 Also, please update any existing links to their actual mozilla-central changeset.
 
 https://hg.mozilla.org/mozilla-central/rev/a05726163a79
-https://hg.mozilla.org/mozilla-central/rev/7df8d6639971
 https://hg.mozilla.org/mozilla-central/rev/e834e810a3fa
 https://hg.mozilla.org/mozilla-central/rev/c70d06fa5302
 https://hg.mozilla.org/mozilla-central/rev/d24db55deb85
 https://bugzilla.mozilla.org/show_bug.cgi?id=1321724 bug1321724.patch
--- a/security/sandbox/moz.build
+++ b/security/sandbox/moz.build
@@ -18,20 +18,16 @@ elif CONFIG['OS_ARCH'] == 'WINNT':
     FORCE_STATIC_LIB = True
 
     DIRS += [
         'win/src/sandboxbroker',
         'win/src/sandboxpermissions',
         'win/src/sandboxtarget',
     ]
 
-    if (CONFIG['CPU_ARCH'] == 'x86' and CONFIG['_MSC_VER'] and not
-            CONFIG['CLANG_CL']):
-        DIRS += ['win/wow_helper']
-
     EXPORTS.mozilla.sandboxing += [
         'chromium-shim/sandbox/win/loggingCallbacks.h',
         'chromium-shim/sandbox/win/loggingTypes.h',
         'chromium-shim/sandbox/win/permissionsService.h',
         'chromium-shim/sandbox/win/sandboxLogging.h',
         'win/SandboxInitialization.h',
     ]
 
deleted file mode 100644
--- a/security/sandbox/win/wow_helper/Makefile.in
+++ /dev/null
@@ -1,47 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# We need to build a 64-bits binary during a 32-bits build. This requires
-# a different compiler and different library paths. Until the build system
-# supports this natively.
-
-# Some Make magic to avoid CXX and LIB being evaluated when nothing
-# is built in this directory
-lazy = $(if $(___$(1)),,$(eval ___$(1) := $(2)))$(___$(1))
-
-# We could use the `which` python module, but it needs more code to handle
-# the situation where CXX points to an absolute path. But using the shell
-# which returns a msys path, while we need a windows path. So force msys
-# to do the conversion for us by calling python with an environment variable
-# with the result of the call to `which`. Then munge that path to add the
-# x64 cross-compiler path.
-ifdef MOZ_USING_COMPILER_WRAPPER
-ORIG_CXX := cl
-else
-ORIG_CXX := $(CXX)
-endif
-CXX = $(call lazy,CXX,"$$(subst amd64_x86/x86_amd64/,amd64/,$$(shell CL=`which "$(ORIG_CXX)"` $(PYTHON) -c 'import os; print os.path.dirname(os.environ["CL"])')/x86_amd64/cl.exe)")
-
-MOZ_WINCONSOLE = 0
-
-include $(topsrcdir)/config/config.mk
-
-# Munge the LIB variable to contain paths to the x64 CRT and system libraries.
-# Unconveniently, none of the paths have the same convention, including the
-# compiler path above.
-LIB = $(call lazy,LIB,$$(shell python -c 'import os; print ";".join(s.lower().replace(os.sep, "/").replace("/vc/lib", "/vc/lib/amd64").replace("/um/x86", "/um/x64").replace("/ucrt/x86", "/ucrt/x64") for s in os.environ["LIB"].split(";"))'))
-
-CXXFLAGS := $(filter-out -arch:%,$(CXXFLAGS))
-
-# OS_COMPILE_CXXFLAGS includes mozilla-config.h, which contains x86-specific
-# defines breaking the build.
-OS_COMPILE_CXXFLAGS :=
-
-# LNK1246: '/SAFESEH' not compatible with 'x64' target machine
-LDFLAGS := $(filter-out -SAFESEH,$(LDFLAGS))
-
-# When targetting x64, we need to specify a subsystem of at least 5.02, because
-# the 5.01 value we inherit from the x86 parts is silently ignored, making the
-# linker default to 6.00 (Vista) as of VS2013.
-WIN32_GUI_EXE_LDFLAGS=-SUBSYSTEM:WINDOWS,5.02
deleted file mode 100644
--- a/security/sandbox/win/wow_helper/moz.build
+++ /dev/null
@@ -1,30 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-Program('wow_helper')
-
-SOURCES += [ '../../chromium/sandbox/win/wow_helper/' + f for f in (
-    'service64_resolver.cc',
-    'target_code.cc',
-    'wow_helper.cc',
-)]
-
-LOCAL_INCLUDES += [
-    '../../',
-    '../../../',
-    '../../chromium/',
-]
-
-DISABLE_STL_WRAPPING = True
-
-DEFINES['UNICODE'] = True
-
-USE_STATIC_LIBS = True
-
-# The rules in Makefile.in only force the use of the 64-bits compiler, not
-# the 64-bits linker, and the 32-bits linker can't do 64-bits compilation for
-# PGO, so disable PGO, which is not interesting for this small binary anyways.
-NO_PGO = True