Bug 1201205 (Closed)
Opened 9 years ago, closed 9 years ago
WindowsDllNopSpacePatcher should allow for different protection on the nop space than the function
Categories
(Core :: XPCOM, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla43

Release | Tracking | Status
---|---|---
firefox43 | --- | fixed
People
(Reporter: away, Assigned: away)
Attachments (2 files)
- patch (deleted), m_kato: review+
- patch (deleted), m_kato: review+
On my clang-cl build, TestDllInterceptor!rotatePayload begins on a new page (PAGE_EXECUTE_READ) and the dead zone preceding it is marked PAGE_READONLY.
When WindowsDllNopSpacePatcher::AddHook finishes, it tries to restore the original protection bits, but it thinks the entire region was originally read-only. This leads to an NX crash since we can no longer execute rotatePayload.
I propose that we use two different VirtualProtect calls, so we can restore the preceding region separately from the actual function.
Assignee: nobody → dmajor
Attachment #8656142 - Flags: review?(m_kato)
Attachment #8656143 - Flags: review?(m_kato)
I should clarify that AddHook actually fails in my scenario, because the read-only dead zone does not contain NOP instructions. That is why it's OK to restore the read-only protection.
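The description and the clarification above together describe two things a nop-space patcher has to get right: check that the five bytes before the function really are NOPs before touching anything, and save/restore page protection for the dead zone and the function start as separate ranges, because VirtualProtect reports the old protection of the first page only. The following is an added example written for this page, not the DllInterceptor code from mozilla-central; the 5-byte nop space, the 2-byte "mov edi,edi" prologue, the 4 KiB page size and all function names are assumptions, and the Windows-specific part only compiles under _WIN32.

```c
/* Planning and pre-check for a "nop space" hook on Windows x86: the 5 padding
 * bytes before a hot-patchable function receive a rel32 jmp, and the 2-byte
 * "mov edi,edi" prologue becomes a short jmp back to that jmp.  Assumed layout
 * for this example, not the DllInterceptor implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NOP_SPACE_BYTES 5      /* E9 rel32 fits in the 5 padding bytes */
#define HOT_PATCH_BYTES 2      /* 8B FF "mov edi,edi" -> EB xx short jmp */
#define PAGE_SIZE       4096   /* assumed; query it at runtime in real code */

typedef struct { uintptr_t start; size_t len; } Range;
typedef struct { Range ranges[2]; size_t count; } PatchPlan;

static uintptr_t page_base(uintptr_t a) { return a & ~(uintptr_t)(PAGE_SIZE - 1); }

/* True when the bytes before and at the function look like hot-patch padding:
 * five 0x90 NOPs followed by "mov edi,edi".  A read-only dead zone holding
 * anything else must not be patched, and its protection need not be changed. */
bool nop_space_is_patchable(const uint8_t *nop_space)
{
    for (size_t i = 0; i < NOP_SPACE_BYTES; i++)
        if (nop_space[i] != 0x90) return false;
    return nop_space[NOP_SPACE_BYTES] == 0x8B && nop_space[NOP_SPACE_BYTES + 1] == 0xFF;
}

/* Split the 7-byte patch span into the ranges whose protection must be saved
 * and restored separately.  If the nop space sits on a PAGE_READONLY page and
 * the function starts on the next PAGE_EXECUTE_READ page, a single
 * VirtualProtect over the whole span reports PAGE_READONLY as the old value,
 * and restoring that value strips execute from the function page (NX crash). */
PatchPlan plan_nop_space_patch(uintptr_t fn)
{
    PatchPlan p = { { { fn - NOP_SPACE_BYTES, NOP_SPACE_BYTES }, { fn, HOT_PATCH_BYTES } }, 2 };
    uintptr_t last_byte = fn + HOT_PATCH_BYTES - 1;
    if (page_base(fn - NOP_SPACE_BYTES) == page_base(last_byte)) {
        /* Whole span on one page: one protect/restore is correct. */
        p.ranges[0].len = NOP_SPACE_BYTES + HOT_PATCH_BYTES;
        p.count = 1;
    }
    return p;
}

#ifdef _WIN32
#include <windows.h>

/* Make one range writable, copy the patch bytes in, and restore exactly that
 * range's original protection. */
static bool patch_range(uintptr_t dst, const uint8_t *src, size_t len)
{
    DWORD old = 0, ignored = 0;
    if (!VirtualProtect((LPVOID)dst, len, PAGE_EXECUTE_READWRITE, &old))
        return false;
    memcpy((void *)dst, src, len);
    bool ok = VirtualProtect((LPVOID)dst, len, old, &ignored) != 0;
    FlushInstructionCache(GetCurrentProcess(), (LPCVOID)dst, len);
    return ok;
}

/* jmp_rel32: 5-byte E9 rel32 to the hook; short_jmp: EB F9 (jump back 7 bytes). */
bool apply_nop_space_patch(uintptr_t fn, const uint8_t *jmp_rel32, const uint8_t *short_jmp)
{
    if (!nop_space_is_patchable((const uint8_t *)(fn - NOP_SPACE_BYTES)))
        return false;   /* dead zone is not NOPs: leave it (and its protection) alone */
    uint8_t bytes[NOP_SPACE_BYTES + HOT_PATCH_BYTES];
    memcpy(bytes, jmp_rel32, NOP_SPACE_BYTES);
    memcpy(bytes + NOP_SPACE_BYTES, short_jmp, HOT_PATCH_BYTES);
    PatchPlan p = plan_nop_space_patch(fn);
    const uint8_t *src = bytes;
    for (size_t i = 0; i < p.count; i++) {
        if (!patch_range(p.ranges[i].start, src, p.ranges[i].len))
            return false;
        src += p.ranges[i].len;
    }
    return true;
}
#endif
```

The planning step is the part worth unit-testing on any platform: a function that begins exactly on a page boundary, as rotatePayload did in the clang-cl build, yields two ranges, while a function in the middle of a page yields one. The NOP check runs before any protection change, so a read-only dead zone that does not contain NOPs is never made writable in the first place.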
Updated 9 years ago
Attachment #8656142 - Flags: review?(m_kato) → review+
Updated 9 years ago
Attachment #8656143 - Flags: review?(m_kato) → review+
Comment 5 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/8caee6d458ec
https://hg.mozilla.org/mozilla-central/rev/7c9841d60ddc
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox43:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43