Bug 1372849 - Improve the security of WindowsDllDetourPatcher. r=dmajor a=ritu
authorStephen Fewer <stephen@relyze.com>
Wed, 14 Jun 2017 14:46:39 -0500
changeset 414193 d231d2ff17b13723fe84c358f11ec4b3fbb9cd07
parent 414192 0ad29e7311f85835a2329bacf0eecbd1ce193ccc
child 414194 aeaa1767e58ed5d938f32aad77749c78ebb4ec94
push id1490
push usermtabara@mozilla.com
push dateMon, 31 Jul 2017 14:08:16 +0000
reviewersdmajor, ritu
bugs1372849
milestone55.0
Bug 1372849 - Improve the security of WindowsDllDetourPatcher. r=dmajor a=ritu
xpcom/build/nsWindowsDllInterceptor.h
--- a/xpcom/build/nsWindowsDllInterceptor.h
+++ b/xpcom/build/nsWindowsDllInterceptor.h
@@ -391,31 +391,37 @@ public:
     for (i = 0, p = mHookPage; i < mCurHooks; i++, p += kHookSize) {
 #if defined(_M_IX86)
       size_t nBytes = 1 + sizeof(intptr_t);
 #elif defined(_M_X64)
       size_t nBytes = 2 + sizeof(intptr_t);
 #else
 #error "Unknown processor type"
 #endif
-      byteptr_t origBytes = *((byteptr_t*)p);
+      byteptr_t origBytes = (byteptr_t)DecodePointer(*((byteptr_t*)p));
 
       // ensure we can modify the original code
       AutoVirtualProtect protect(origBytes, nBytes, PAGE_EXECUTE_READWRITE);
       if (!protect.Protect()) {
         continue;
       }
 
       // Remove the hook by making the original function jump directly
       // in the trampoline.
       intptr_t dest = (intptr_t)(p + sizeof(void*));
 #if defined(_M_IX86)
+      // Ensure the JMP from CreateTrampoline is where we expect it to be.
+      if (origBytes[0] != 0xE9)
+        continue;
       *((intptr_t*)(origBytes + 1)) =
         dest - (intptr_t)(origBytes + 5); // target displacement
 #elif defined(_M_X64)
+      // Ensure the MOV R11 from CreateTrampoline is where we expect it to be.
+      if (origBytes[0] != 0x49 || origBytes[1] != 0xBB)
+        continue;
       *((intptr_t*)(origBytes + 2)) = dest;
 #else
 #error "Unknown processor type"
 #endif
     }
   }
 
   void Init(const char* aModuleName, int aNumHooks = 0)
@@ -731,17 +737,17 @@ protected:
 
     byteptr_t tramp = FindTrampolineSpace();
     if (!tramp) {
       return;
     }
 
     // We keep the address of the original function in the first bytes of
     // the trampoline buffer
-    *((void**)tramp) = aOrigFunction;
+    *((void**)tramp) = EncodePointer(aOrigFunction);
     tramp += sizeof(void*);
 
     byteptr_t origBytes = (byteptr_t)aOrigFunction;
 
     // # of bytes of the original function that we can overwrite.
     int nOrigBytes = 0;
 
 #if defined(_M_IX86)
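Review bot: The comment above the `*((void**)tramp) = EncodePointer(aOrigFunction);` line in the second hunk still says the trampoline holds "the address of the original function", which is no longer literally true once the value is obfuscated; I'd reword it to `// We keep the EncodePointer()-obfuscated address of the original function in the first bytes of the trampoline buffer; readers must DecodePointer() it before use.` In the first hunk, the new opcode checks (`0xE9` on x86, `0x49 0xBB` on x64) silently `continue` on mismatch, which leaves that hook in place with no diagnostic; a debug-only assertion at that point would make a corrupted or unexpectedly laid-out trampoline visible during testing instead of passing unnoticed. Both enclosing functions begin outside their hunks.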