Closed Bug 1701794 Opened 4 years ago Closed 4 years ago

Invalid Win32k use in content process [xul!nsOSHelperAppService::nsOSHelperAppService]

Categories

(Core :: Security: Process Sandboxing, defect, P2)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
92 Branch
Tracking Flags:
Tracking Status
firefox92 --- fixed

People

(Reporter: cmartin, Assigned: cmartin)

References

Details

Attachments

(1 file)

Bug 1701794 - Use nsOSHelperAppServiceChild with Windows
48 bytes, text/x-phabricator-request
Details | Review

COM is initialized here

Call stack:

win32u!NtUserGetThreadState
USER32!LoadIcoCur+0x1db
USER32!RegisterIMEClass+0x9f
USER32!VerNtUserCreateWindowEx+0x26f
USER32!CreateWindowInternal+0x1a4
USER32!CreateWindowExW+0x82
combase!InitMainThreadWnd+0x57 [onecore\com\combase\objact\mainthrd.cxx @ 148]
combase!ThreadFirstInitialize+0x213 [onecore\com\combase\class\compobj.cxx @ 3460]
combase!_CoInitializeEx+0x1d0 [onecore\com\combase\class\compobj.cxx @ 3745]
combase!CoInitializeEx+0x58 [onecore\com\combase\class\compobj.cxx @ 3835]
xul!nsOSHelperAppService::nsOSHelperAppService+0x63 [c:\moz\mozilla-central\uriloader\exthandler\win\nsOSHelperAppService.cpp @ 36]
xul!nsExternalHelperAppService::GetSingleton+0x2f [c:\moz\mozilla-central\uriloader\exthandler\nsExternalHelperAppService.cpp @ 629]
xul!mozilla::xpcom::CreateInstanceImpl+0x4535 [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\xpcom\components\StaticComponents.cpp @ 11080]
xul!anonymous namespace'::EntryWrapper::CreateInstance+0x1d [c:\moz\mozilla-central\xpcom\components\nsComponentManager.cpp @ 177] xul!nsComponentManagerImpl::GetServiceLocked+0x3c8 [c:\moz\mozilla-central\xpcom\components\nsComponentManager.cpp @ 1277] xul!nsComponentManagerImpl::GetServiceByContractID+0x13b [c:\moz\mozilla-central\xpcom\components\nsComponentManager.cpp @ 1466] xul!CallGetService+0x1e [c:\moz\mozilla-central\xpcom\components\nsComponentManagerUtils.cpp @ 61] xul!nsGetServiceByContractIDWithError::operator()+0x2a [c:\moz\mozilla-central\xpcom\components\nsComponentManagerUtils.cpp @ 254] xul!nsCOMPtr_base::assign_from_gs_contractid_with_error+0x2a [c:\moz\mozilla-central\xpcom\base\nsCOMPtr.cpp @ 91] xul!nsCOMPtr<nsIMIMEService>::nsCOMPtr+0x1f [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\dist\include\nsCOMPtr.h @ 635] xul!nsFileChannel::MakeFileInputStream+0x16e [c:\moz\mozilla-central\netwerk\protocol\file\nsFileChannel.cpp @ 316] xul!nsFileChannel::OpenContentStream+0x396 [c:\moz\mozilla-central\netwerk\protocol\file\nsFileChannel.cpp @ 384] xul!nsBaseChannel::Open+0x8a [c:\moz\mozilla-central\netwerk\base\nsBaseChannel.cpp @ 643] xul!nsMessageManagerScriptExecutor::TryCacheLoadAndCompileScript+0x42d [c:\moz\mozilla-central\dom\base\nsFrameMessageManager.cpp @ 1276] xul!nsMessageManagerScriptExecutor::LoadScriptInternal+0x1a0 [c:\moz\mozilla-central\dom\base\nsFrameMessageManager.cpp @ 1189] xul!mozilla::dom::ContentProcessMessageManager::LoadScript+0x76 [c:\moz\mozilla-central\dom\base\ContentProcessMessageManager.cpp @ 121] xul!mozilla::dom::ContentChild::RecvLoadProcessScript+0x28 [c:\moz\mozilla-central\dom\ipc\ContentChild.cpp @ 2279] xul!mozilla::dom::PContentChild::OnMessageReceived+0x163c [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\ipc\ipdl\PContentChild.cpp @ 11675] xul!mozilla::ipc::MessageChannel::DispatchAsyncMessage+0x6e [c:\moz\mozilla-central\ipc\glue\MessageChannel.cpp @ 2155] xul!mozilla::ipc::MessageChannel::DispatchMessage+0x165 [c:\moz\mozilla-central\ipc\glue\MessageChannel.cpp @ 2078] xul!mozilla::ipc::MessageChannel::MessageTask::Run+0x52 [c:\moz\mozilla-central\ipc\glue\MessageChannel.cpp @ 1959] xul!mozilla::RunnableTask::Run+0xb7 [c:\moz\mozilla-central\xpcom\threads\TaskController.cpp @ 471] xul!mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal+0x7d1 [c:\moz\mozilla-central\xpcom\threads\TaskController.cpp @ 754] xul!mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal+0x21 [c:\moz\mozilla-central\xpcom\threads\TaskController.cpp @ 609] xul!mozilla::TaskController::ProcessPendingMTTask+0x3c [c:\moz\mozilla-central\xpcom\threads\TaskController.cpp @ 393] xul!mozilla::TaskController::InitializeInternal::<unnamed-tag>::operator()+0xe [c:\moz\mozilla-central\xpcom\threads\TaskController.cpp @ 133] xul!mozilla::detail::RunnableFunction<lambda at c:/moz/mozilla-central/xpcom/threads/TaskController.cpp:133:7'>::Run+0x12 [c:\moz\mozilla-central\obj-x86_64-pc-mingw32\dist\include\nsThreadUtils.h @ 535]
xul!nsThread::ProcessNextEvent+0x731 [c:\moz\mozilla-central\xpcom\threads\nsThread.cpp @ 1159]
xul!NS_ProcessNextEvent+0x65 [c:\moz\mozilla-central\xpcom\threads\nsThreadUtils.cpp @ 548]
xul!mozilla::ipc::MessagePump::Run+0xa6 [c:\moz\mozilla-central\ipc\glue\MessagePump.cpp @ 87]
xul!MessageLoop::RunInternal+0x16 [c:\moz\mozilla-central\ipc\chromium\src\base\message_loop.cc @ 335]
xul!MessageLoop::RunHandler+0x50 [c:\moz\mozilla-central\ipc\chromium\src\base\message_loop.cc @ 329]
xul!MessageLoop::Run+0x58 [c:\moz\mozilla-central\ipc\chromium\src\base\message_loop.cc @ 311]
xul!nsBaseAppShell::Run+0x28 [c:\moz\mozilla-central\widget\nsBaseAppShell.cpp @ 139]
xul!nsAppShell::Run+0x1bc [c:\moz\mozilla-central\widget\windows\nsAppShell.cpp @ 602]
xul!XRE_RunAppShell+0x4c [c:\moz\mozilla-central\toolkit\xre\nsEmbedFunctions.cpp @ 902]
xul!MessageLoop::RunInternal+0x16 [c:\moz\mozilla-central\ipc\chromium\src\base\message_loop.cc @ 335]
xul!MessageLoop::RunHandler+0x50 [c:\moz\mozilla-central\ipc\chromium\src\base\message_loop.cc @ 329]
xul!MessageLoop::Run+0x58 [c:\moz\mozilla-central\ipc\chromium\src\base\message_loop.cc @ 311]
xul!XRE_InitChildProcess+0x6c9 [c:\moz\mozilla-central\toolkit\xre\nsEmbedFunctions.cpp @ 738]
firefox!content_process_main+0x9d [c:\moz\mozilla-central\ipc\contentproc\plugin-container.cpp @ 57]
firefox!NS_internal_main+0x327 [c:\moz\mozilla-central\browser\app\nsBrowserApp.cpp @ 309]
firefox!wmain+0x1fe [c:\moz\mozilla-central\toolkit\xre\nsWindowsWMain.cpp @ 131]
firefox!invoke_main+0x22 [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 90]
firefox!__scrt_common_main_seh+0x10c [d:\agent_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
KERNEL32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Severity: -- → S4
Priority: -- → P2
Assignee: nobody → cmartin
Status: NEW → ASSIGNED

Currently, COM is initialized as part of creating nsExternalHelperAppService
so that it can use the IApplicationAssociationRegistration interface to
query what applications are associated with a specific type.

This functionality can't be used with Win32k lockdown enabled, and so this
COM initialization is unnecessary.

Attachment #9228190 - Attachment description: Bug 1701794 - Don't initialize COM when creating nsExternalHelperAppService → Bug 1701794 - Use nsOSHelperAppServiceChild with Windows
Pushed by cmartin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9f0152394bee Use nsOSHelperAppServiceChild with Windows r=nika,haik

https://hg.mozilla.org/mozilla-central/rev/9f0152394bee

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox92: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch
See Also: → 1452278
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: