gecko-dev/mozglue
Toshihito Kikuchi 65642af4cd Bug 1659398 - Don't resolve redirecion of JMP for DuplicateHandle. r=handyman
In Win7 and later, some exported functions in kernel32.dll are just a stub
jumping to a function in kernelbase.dll.  After the fix for Bug 1642626,
our detour resolves such a stub in kernel32.dll and detours a corresponding function in
kernelbase.dll.  This new behavior caused a problem in Win8 when we detour
`DuplicateHandle` because our detour cannot handle the assembly pattern of
`KERNELBASE!DuplicateHandle`.

Win8's `KERNELBASE!DuplicateHandle` has jump instructions whose destination is
within the region where we move instructions to a trampoline.

In the example below, the address `000007f954ad271c` is a destination of the
`JMP` instructions, but when we detour `KERNELBASE!DuplicateHandle`, we move
the original instructions to a trampoline, and that address will point to
an invalid instruction, jumping to which address causes a crash.

A proposed fix is to detour `KERNEL32!DuplicateHandle` without resolving redirection,
that is the behavior before bug 1642626.

```
KERNEL32!DuplicateHandle:
000007f9`54cd2d5c ff2556b61100    jmp     qword ptr [KERNEL32!_imp_DuplicateHandle] --> KERNELBASE!DuplicateHandle
```

```
KERNELBASE!DuplicateHandle:
000007f9`54ad2710 4883ec48        sub     rsp,48h
000007f9`54ad2714 4c8bd1          mov     r10,rcx
000007f9`54ad2717 83faf4          cmp     edx,0FFFFFFF4h
000007f9`54ad271a 733b            jae     KERNELBASE!DuplicateHandle+0x43 (000007f9`54ad2757)
000007f9`54ad271c 8b842480000000  mov     eax,dword ptr [rsp+80h]
...
000007f9`54b8f0de 65488b042560000000 mov   rax,qword ptr gs:[60h]
000007f9`54b8f0e7 488b5020        mov     rdx,qword ptr [rax+20h]
000007f9`54b8f0eb 488b5220        mov     rdx,qword ptr [rdx+20h]
000007f9`54b8f0ef e92836f4ff      jmp     KERNELBASE!DuplicateHandle+0xc (000007f9`54ad271c)
000007f9`54b8f0f4 65488b042560000000 mov   rax,qword ptr gs:[60h]
000007f9`54b8f0fd 488b5020        mov     rdx,qword ptr [rax+20h]
000007f9`54b8f101 488b5228        mov     rdx,qword ptr [rdx+28h]
000007f9`54b8f105 e91236f4ff      jmp     KERNELBASE!DuplicateHandle+0xc (000007f9`54ad271c)
000007f9`54b8f10a 65488b042560000000 mov   rax,qword ptr gs:[60h]
000007f9`54b8f113 488b5020        mov     rdx,qword ptr [rax+20h]
000007f9`54b8f117 488b5230        mov     rdx,qword ptr [rdx+30h]
000007f9`54b8f11b e9fc35f4ff      jmp     KERNELBASE!DuplicateHandle+0xc (000007f9`54ad271c)
```

Differential Revision: https://phabricator.services.mozilla.com/D88136
2020-08-26 20:26:36 +00:00
..
android Bug 689178 - Remove crash-reporter hooks to externally provide library mappings. r=gsvelto 2020-06-25 08:43:23 +00:00
baseprofiler Bug 1660177 - Fold GetTotalLength into its only caller CopyDataIntoLazilyAllocatedBuffer - r=canaltinova 2020-08-26 08:03:24 +00:00
build Bug 1621786 - Fix an incomplete skia suppression. r=mattwoodrow 2020-08-23 09:42:02 +00:00
dllservices Bug 1630444: Part2 - Add HandleLauncherError to DllServices. r=aklotz 2020-08-26 19:01:40 +00:00
linker Bug 1519636 - Reformat recent changes to the Google coding style r=andi 2020-07-14 09:34:19 +00:00
misc Bug 1659398 - Don't resolve redirecion of JMP for DuplicateHandle. r=handyman 2020-08-26 20:26:36 +00:00
static Bug 1617369 - Reformat mozglue/ using rustfmt r=glandium 2020-03-04 06:12:38 +00:00
tests Bug 1658230 - Deduplicate ProfileJSONWriter classes - r=gregtatum 2020-08-11 03:50:54 +00:00
moz.build