Bug 1582776: Change cross-process stub to not store remote stub pointer in local mOrigFunc; r=handyman

This is showing up with hooks that are set both by the launcher process and by the browser process when starting early DLL blocklist init on content processes: * The browser's copy of mOrigFunc was set by the launcher process. * The browser is setting a hook in the new child process, which writes to the child's mOrigFunc. * But FuncHookCrossProcess also writes that pointer to the browser's mOrigFunc, thus corrupting the browser process's copy of the pointer. For in-process hooks, we want to immediately write the stub pointer to its final location; this is not an issue for cross-process hooks since the child process is suspended when we do this and the parent process can't call the stub; there is no possibility of a race. Differential Revision: https://phabricator.services.mozilla.com/D46615 --HG-- extra : moz-landing-system : lando
2019-09-20 16:55:27 +00:00 · 2019-09-20 16:55:27 +00:00 · 38e11b4896
--- a/mozglue/misc/nsWindowsDllInterceptor.h
+++ b/mozglue/misc/nsWindowsDllInterceptor.h
@ -214,22 +214,24 @@ class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS FuncHookCrossProcess final {

  bool Set(HANDLE aProcess, InterceptorT& aInterceptor, const char* aName,
           FuncPtrT aHookDest) {
+    FuncPtrT origFunc;
    if (!aInterceptor.AddHook(aName, reinterpret_cast<intptr_t>(aHookDest),
-                              reinterpret_cast<void**>(&mOrigFunc))) {
+                              reinterpret_cast<void**>(&origFunc))) {
      return false;
    }

-    return CopyStubToChildProcess(aProcess);
+    return CopyStubToChildProcess(origFunc, aProcess);
  }

  bool SetDetour(HANDLE aProcess, InterceptorT& aInterceptor, const char* aName,
                 FuncPtrT aHookDest) {
+    FuncPtrT origFunc;
    if (!aInterceptor.AddDetour(aName, reinterpret_cast<intptr_t>(aHookDest),
-                                reinterpret_cast<void**>(&mOrigFunc))) {
+                                reinterpret_cast<void**>(&origFunc))) {
      return false;
    }

-    return CopyStubToChildProcess(aProcess);
+    return CopyStubToChildProcess(origFunc, aProcess);
  }

  explicit operator bool() const { return !!mOrigFunc; }
@ -250,10 +252,11 @@ class MOZ_ONLY_USED_TO_AVOID_STATIC_CONSTRUCTORS FuncHookCrossProcess final {
 #endif  // defined(DEBUG)

 private:
-  bool CopyStubToChildProcess(HANDLE aProcess) {
+  bool CopyStubToChildProcess(FuncPtrT aStub, HANDLE aProcess) {
    SIZE_T bytesWritten;
-    return !!::WriteProcessMemory(aProcess, &mOrigFunc, &mOrigFunc,
-                                  sizeof(mOrigFunc), &bytesWritten);
+    return ::WriteProcessMemory(aProcess, &mOrigFunc, &aStub,
+                                sizeof(FuncPtrT), &bytesWritten) &&
+           bytesWritten == sizeof(FuncPtrT);
  }

 private: