mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-09 11:25:00 +00:00
Bug 1565848
: Revert latest change to MITIGATION_DLL_SEARCH_ORDER. r=aklotz
This is until any regressions can be fixed, see bug 1568850. Differential Revision: https://phabricator.services.mozilla.com/D39357 --HG-- extra : moz-landing-system : lando
This commit is contained in:
parent
3886a83206
commit
23d09ead45
@ -23,3 +23,4 @@ mingw_undefine_MemoryBarrier.patch
|
||||
add_return_in_QueryCancellationTraitsForNonCancellables_to_satisfy_build.patch
|
||||
include_atomic_header_in_platform_thread.patch
|
||||
aarch64_control_flow_guard.patch
|
||||
revert_removal_of_app_dir_for_DLL_load.patch
|
||||
|
@ -0,0 +1,74 @@
|
||||
# HG changeset patch
|
||||
# User Bob Owen <bobowencode@gmail.com>
|
||||
# Date 1564062993 -3600
|
||||
# Thu Jul 25 14:56:33 2019 +0100
|
||||
# Node ID aa8f8da7b00f1f751bf4a7c8a2cc58b290a328e0
|
||||
# Parent 69ac304560c98a733d44a0245fe9782dc6a465e2
|
||||
Bug 1565848: Revert latest change to MITIGATION_DLL_SEARCH_ORDER. r=handyman!
|
||||
|
||||
This is until any regressions can be fixed, see bug 1568850.
|
||||
|
||||
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
|
||||
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
|
||||
+++ b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
|
||||
@@ -72,26 +72,17 @@ bool ApplyProcessMitigationsToCurrentPro
|
||||
|
||||
if (flags & MITIGATION_DLL_SEARCH_ORDER) {
|
||||
SetDefaultDllDirectoriesFunction set_default_dll_directories =
|
||||
reinterpret_cast<SetDefaultDllDirectoriesFunction>(
|
||||
::GetProcAddress(module, "SetDefaultDllDirectories"));
|
||||
|
||||
// Check for SetDefaultDllDirectories since it requires KB2533623.
|
||||
if (set_default_dll_directories) {
|
||||
-#if defined(COMPONENT_BUILD)
|
||||
- const DWORD directory_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS;
|
||||
-#else
|
||||
- // In a non-component build, all DLLs will be loaded manually, or via
|
||||
- // manifest definition, so these flags can be stronger. This prevents DLL
|
||||
- // planting in the application directory.
|
||||
- const DWORD directory_flags =
|
||||
- LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS;
|
||||
-#endif
|
||||
- if (!set_default_dll_directories(directory_flags) &&
|
||||
+ if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) &&
|
||||
ERROR_ACCESS_DENIED != ::GetLastError()) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Set the heap to terminate on corruption
|
||||
if (flags & MITIGATION_HEAP_TERMINATE) {
|
||||
diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h
|
||||
--- a/security/sandbox/chromium/sandbox/win/src/security_level.h
|
||||
+++ b/security/sandbox/chromium/sandbox/win/src/security_level.h
|
||||
@@ -192,25 +192,20 @@ const MitigationFlags MITIGATION_BOTTOM_
|
||||
// PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON
|
||||
const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;
|
||||
|
||||
// Immediately raises an exception on a bad handle reference. Must be
|
||||
// enabled after startup. Corresponds to
|
||||
// PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
|
||||
const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;
|
||||
|
||||
-// Strengthens the DLL search order. See
|
||||
-// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515. In a
|
||||
-// component build - sets this to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS allowing
|
||||
-// additional directories to be added via Windows AddDllDirectory() function,
|
||||
-// but preserving current load order. In a non-component build, all DLLs should
|
||||
-// be loaded manually, so strenthen to LOAD_LIBRARY_SEARCH_SYSTEM32 |
|
||||
-// LOAD_LIBRARY_SEARCH_USER_DIRS, removing LOAD_LIBRARY_SEARCH_APPLICATION_DIR,
|
||||
-// preventing DLLs being implicitly loaded from the application path. Must be
|
||||
-// enabled after startup.
|
||||
+// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
|
||||
+// directories can be added via the Windows AddDllDirectory() function.
|
||||
+// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
|
||||
+// Must be enabled after startup.
|
||||
const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000200;
|
||||
|
||||
// Changes the mandatory integrity level policy on the current process' token
|
||||
// to enable no-read and no-execute up. This prevents a lower IL process from
|
||||
// opening the process token for impersonate/duplicate/assignment.
|
||||
const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000400;
|
||||
|
||||
// Prevents the process from making Win32k calls. Corresponds to
|
@ -77,16 +77,7 @@ bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) {
|
||||
|
||||
// Check for SetDefaultDllDirectories since it requires KB2533623.
|
||||
if (set_default_dll_directories) {
|
||||
#if defined(COMPONENT_BUILD)
|
||||
const DWORD directory_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS;
|
||||
#else
|
||||
// In a non-component build, all DLLs will be loaded manually, or via
|
||||
// manifest definition, so these flags can be stronger. This prevents DLL
|
||||
// planting in the application directory.
|
||||
const DWORD directory_flags =
|
||||
LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS;
|
||||
#endif
|
||||
if (!set_default_dll_directories(directory_flags) &&
|
||||
if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) &&
|
||||
ERROR_ACCESS_DENIED != ::GetLastError()) {
|
||||
return false;
|
||||
}
|
||||
|
@ -197,15 +197,10 @@ const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;
|
||||
// PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
|
||||
const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;
|
||||
|
||||
// Strengthens the DLL search order. See
|
||||
// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515. In a
|
||||
// component build - sets this to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS allowing
|
||||
// additional directories to be added via Windows AddDllDirectory() function,
|
||||
// but preserving current load order. In a non-component build, all DLLs should
|
||||
// be loaded manually, so strenthen to LOAD_LIBRARY_SEARCH_SYSTEM32 |
|
||||
// LOAD_LIBRARY_SEARCH_USER_DIRS, removing LOAD_LIBRARY_SEARCH_APPLICATION_DIR,
|
||||
// preventing DLLs being implicitly loaded from the application path. Must be
|
||||
// enabled after startup.
|
||||
// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
|
||||
// directories can be added via the Windows AddDllDirectory() function.
|
||||
// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
|
||||
// Must be enabled after startup.
|
||||
const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000200;
|
||||
|
||||
// Changes the mandatory integrity level policy on the current process' token
|
||||
|
Loading…
Reference in New Issue
Block a user