Pier Angelo Vendrame pushed to branch tor-browser-115.22.0esr-13.5-1 at The Tor Project / Applications / Tor Browser
Commits: 79ba5da1 by Mozilla Releng Treescript at 2025-03-25T13:19:10+00:00 No bug - Tagging a2f45243dae44717e5f46540c764d4015544c004 with FIREFOX_115_22_0esr_BUILD1 a=release CLOSED TREE DONTBUILD - - - - - aa7b351b by Mozilla Releng Treescript at 2025-03-27T04:41:24+00:00 No bug - Tagging 5ee62877b9cf66efc794f87f225257dd82c42ae7 with FIREFOX_115_21_1esr_BUILD1 a=release CLOSED TREE DONTBUILD - - - - - dbc65808 by Yannis Juglaret at 2025-03-26T21:01:45+00:00 Bug 1956398 - Avoid duplicating pseudo-handles in ipc_channel_win.cc. r=nika a=dmeehan
Differential Revision: https://phabricator.services.mozilla.com/D243189 - - - - -
2 changed files:
- .hgtags - ipc/chromium/src/chrome/common/ipc_channel_win.cc
Changes:
===================================== .hgtags =====================================
@@ -4430,3 +4430,5 @@ ddfd872425d03ecb89860f62f8f03c737728f501 FIREFOX_115_20_0esr_BUILD1
 ddfd872425d03ecb89860f62f8f03c737728f501 FIREFOX_115_20_0esr_RELEASE
 ba3c2022649eb785fe436d01b0b8c9d67b67d775 FIREFOX_115_21_0esr_BUILD1
 ba3c2022649eb785fe436d01b0b8c9d67b67d775 FIREFOX_115_21_0esr_RELEASE
+a2f45243dae44717e5f46540c764d4015544c004 FIREFOX_115_22_0esr_BUILD1
+5ee62877b9cf66efc794f87f225257dd82c42ae7 FIREFOX_115_21_1esr_BUILD1
===================================== ipc/chromium/src/chrome/common/ipc_channel_win.cc =====================================
@@ -27,6 +27,34 @@
using namespace mozilla::ipc;
+namespace {
+
+// This logic is borrowed from Chromium's `base/win/win_util.h`. It allows us
+// to distinguish pseudo-handle values, such as returned by GetCurrentProcess()
+// (-1), GetCurrentThread() (-2), and potentially more. The code there claims
+// that fuzzers have found issues up until -12 with DuplicateHandle.
+//
+// https://source.chromium.org/chromium/chromium/src/+/36dbbf38697dd1e23ef8944b...
+inline bool IsPseudoHandle(HANDLE handle) {
+ auto handleValue = static_cast<int32_t>(reinterpret_cast<uintptr_t>(handle));
+ return -12 <= handleValue && handleValue < 0;
+}
+
+// A real handle is a handle that is not a pseudo-handle. Always preferably use
+// this variant over ::DuplicateHandle. Only use stock ::DuplicateHandle if you
+// explicitly need the ability to duplicate a pseudo-handle.
+inline bool DuplicateRealHandle(HANDLE source_process, HANDLE source_handle,
+ HANDLE target_process, LPHANDLE target_handle,
+ DWORD desired_access, BOOL inherit_handle,
+ DWORD options) {
+ MOZ_RELEASE_ASSERT(!IsPseudoHandle(source_handle));
+ return static_cast<bool>(::DuplicateHandle(
+ source_process, source_handle, target_process, target_handle,
+ desired_access, inherit_handle, options));
+}
+
+} // namespace
+
 namespace IPC {
 //------------------------------------------------------------------------------
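Review bot: `MOZ_RELEASE_ASSERT(!IsPseudoHandle(source_handle))` in `DuplicateRealHandle` aborts the calling process, although the helper already returns `bool` and both call sites changed in this commit (`AcceptHandles`, `TransferHandles`) have a log-and-`return false` path for a failed duplication. If the handle value can be influenced by the peer process, which these hunks do not show, a pseudo-handle value then takes down the process doing the duplication rather than only failing that message; consider `if (IsPseudoHandle(source_handle)) { return false; }`, optionally with a debug-only assert, so rejection stays fail-closed without the crash. Separately, the comment above `IsPseudoHandle` should say that the narrowing to `int32_t` is deliberate, for example `// Truncation is intentional: only the low 32 bits of a HANDLE are significant.`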
@@ -732,9 +760,9 @@ bool Channel::ChannelImpl::AcceptHandles(Message& msg) {
 CHROMIUM_LOG(ERROR) << "other_process_ is invalid in AcceptHandles";
 return false;
 }
- if (!::DuplicateHandle(other_process_, handle, GetCurrentProcess(),
- &handle, 0, FALSE,
- DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE)) {
+ if (!::DuplicateRealHandle(
+ other_process_, handle, GetCurrentProcess(), &handle, 0, FALSE,
+ DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE)) {
 CHROMIUM_LOG(ERROR) << "DuplicateHandle failed for handle " << handle
 << " in AcceptHandles";
 return false;
@@ -787,9 +815,9 @@ bool Channel::ChannelImpl::TransferHandles(Message& msg) {
 CHROMIUM_LOG(ERROR) << "other_process_ is invalid in TransferHandles";
 return false;
 }
- if (!::DuplicateHandle(GetCurrentProcess(), handle, other_process_,
- &handle, 0, FALSE,
- DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE)) {
+ if (!::DuplicateRealHandle(
+ GetCurrentProcess(), handle, other_process_, &handle, 0, FALSE,
+ DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE)) {
 CHROMIUM_LOG(ERROR) << "DuplicateHandle failed for handle " << handle
 << " in TransferHandles";
 return false;
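Review bot: The call `::DuplicateRealHandle(` in `AcceptHandles` keeps the leading `::` of the Win32 call it replaces, so a file-local helper from the anonymous namespace reads like a system API; the `TransferHandles` hunk has the same spelling. Writing `DuplicateRealHandle(` without the qualifier would show at the call site that the pseudo-handle check is applied before the real `::DuplicateHandle`. Both function bodies start and end outside these hunks.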