Bug 1114867 - Revert c29ebd2b4a10. r=dmajor
authorChris Pearce <cpearce@mozilla.com>
Tue, 06 Jan 2015 07:36:39 +1300
changeset 247877 cffdee8c23ad475528fea073db0e368ee5867510
parent 247876 2d323b539934cfdebaae103df53b1ab3c719d4a0
child 247878 e573fcf6096891655da49bfb170ed62acb3df848
push id4489
push userraliiev@mozilla.com
push dateMon, 23 Feb 2015 15:17:55 +0000
reviewersdmajor
bugs1114867
milestone37.0a1
Bug 1114867 - Revert c29ebd2b4a10. r=dmajor
dom/media/gmp/GMPLoader.cpp
--- a/dom/media/gmp/GMPLoader.cpp
+++ b/dom/media/gmp/GMPLoader.cpp
@@ -67,16 +67,53 @@ private:
   GMPGetAPIFunc mGetAPIFunc;
   SandboxStarter* mSandboxStarter;
 };
 
 GMPLoader* CreateGMPLoader(SandboxStarter* aStarter) {
   return static_cast<GMPLoader*>(new GMPLoaderImpl(aStarter));
 }
 
+#if defined(XP_WIN) && defined(HASH_NODE_ID_WITH_DEVICE_ID)
+MOZ_NEVER_INLINE
+static bool
+GetStackAfterCurrentFrame(uint8_t** aOutTop, uint8_t** aOutBottom)
+{
+  // "Top" of the free space on the stack is directly after the memory
+  // holding our return address.
+  uint8_t* top = (uint8_t*)_AddressOfReturnAddress();
+
+  // Look down the stack until we find the guard page...
+  MEMORY_BASIC_INFORMATION memInfo = {0};
+  uint8_t* bottom = top;
+  while (1) {
+    if (!VirtualQuery(bottom, &memInfo, sizeof(memInfo))) {
+      return false;
+    }
+    if ((memInfo.Protect & PAGE_GUARD) == PAGE_GUARD) {
+      bottom = (uint8_t*)memInfo.BaseAddress + memInfo.RegionSize;
+#ifdef DEBUG
+      if (!VirtualQuery(bottom, &memInfo, sizeof(memInfo))) {
+        return false;
+      }
+      assert(!(memInfo.Protect & PAGE_GUARD)); // Should have found boundary.
+#endif
+      break;
+    } else if (memInfo.State != MEM_COMMIT ||
+               (memInfo.AllocationProtect & PAGE_READWRITE) != PAGE_READWRITE) {
+      return false;
+    }
+    bottom = (uint8_t*)memInfo.BaseAddress - 1;
+  }
+  *aOutTop = top;
+  *aOutBottom = bottom;
+  return true;
+}
+#endif
+
 bool
 GMPLoaderImpl::Load(const char* aLibPath,
                     uint32_t aLibPathLen,
                     char* aOriginSalt,
                     uint32_t aOriginSaltLen,
                     const GMPPlatformAPI* aPlatformAPI)
 {
   std::string nodeId;
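Review bot: The downward walk in GetStackAfterCurrentFrame is not bounded by the current thread's stack: the `else if` keeps descending through any MEM_COMMIT / PAGE_READWRITE region until a PAGE_GUARD page turns up, so on a stack that has no guard page left (a fully committed stack, for instance) the scan either fails Load or, if a read-write mapping happens to sit directly below the stack reservation, could stop at a guard page belonging to another allocation and return a range that is not stack at all. Clamping `bottom` to the thread's own stack limits — the StackLimit/StackBase pair in NT_TIB from NtCurrentTeb(), or GetCurrentThreadStackLimits where the minimum supported Windows allows it — and returning false as soon as the walk would leave that range keeps the later zeroing on the caller's stack. The read-write test uses memInfo.AllocationProtect while the guard test uses memInfo.Protect; if the intent is the page's current protection rather than the protection at reservation time, the former should also read Protect. A header comment stating that the returned range is the free stack below the caller's return-address slot (not the caller's own frame) would make the contract explicit for Load.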
@@ -104,19 +141,27 @@ GMPLoaderImpl::Load(const char* aLibPath
     memset(aOriginSalt, 0, aOriginSaltLen);
     volumeId = 0;
     memset(&deviceId[0], '*', sizeof(string16::value_type) * deviceId.size());
     deviceId = L"";
 
     if (!rlz_lib::BytesToString(digest, SHA256_LENGTH, &nodeId)) {
       return false;
     }
-    // TODO: (Bug 1114867) Clear any memory on the stack that may have been
-    // used by functions we've called that may have left behind data that
-    // can be used to uniquely identify the user.
+    // We've successfully bound the origin salt to node id.
+    // rlz_lib::GetRawMachineId and/or the system functions it
+    // called could have left user identifiable data on the stack,
+    // so carefully zero the stack down to the guard page.
+    uint8_t* top;
+    uint8_t* bottom;
+    if (!GetStackAfterCurrentFrame(&top, &bottom)) {
+      return false;
+    }
+    assert(top >= bottom);
+    SecureZeroMemory(bottom, (top - bottom));
   } else
 #endif
   {
     nodeId = std::string(aOriginSalt, aOriginSalt + aOriginSaltLen);
   }
 
   // Start the sandbox now that we've generated the device bound node id.
   // This must happen after the node id is bound to the device id, as
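Review bot: The `assert(top >= bottom)` at the new call site compiles away outside DEBUG builds, yet `top - bottom` is a signed pointer difference handed to SecureZeroMemory as a length, so an inverted range would become an enormous size; a runtime guard, `if (top < bottom) { return false; }`, keeps the release build honest. The zeroed range is the free stack directly below Load's frame, which only works because SecureZeroMemory builds no frame of its own inside that range (the Windows SDK defines it as an inline RtlSecureZeroMemory, as far as I recall); a comment recording that dependency would stop a later switch to an out-of-line scrubber from wiping its own saved registers. The early `return false` when GetStackAfterCurrentFrame fails turns a scrub failure into a failed plugin load, a defensible fail-closed choice for privacy that deserves a one-line comment saying so. The enclosing conditional block begins in the previous hunk and Load's body continues past this one.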