[tbb-bugs] #16010 [Applications/Tor Browser]: Get a working content process sandbox for Tor Browser on Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 3 21:57:46 UTC 2017


#16010: Get a working content process sandbox for Tor Browser on Windows
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-gitian, tbb-security,  |  Actual Points:
  tbb-7.0-must, TorBrowserTeam201703,            |
  GeorgKoppen201703                              |
Parent ID:  #21147                               |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor4
-------------------------------------------------+-------------------------

Comment (by cypherpunks):

 Replying to [comment:18 tom]:
 > Replying to [comment:17 cypherpunks]:
 > > According to
 > > https://dxr.mozilla.org/mozilla-esr52/search?limit=100&redirect=false&q=__except%20path%3Asecurity/sandbox%2F
 > > you can use #12425 as an easy-fix/dirty-haxx just to get it working like
 > > #12113, but it's not safe, however.
 >
 > I'm pretty sure we cannot. try {} except {} can be replaced with
 > setjmp/longjmp but __try / __except are a special MSVC extension that
 > catches what would otherwise be a segfault.
 See the link: sandbox doesn't catch segfaults, it seems. But if it does,
 sjlj is no op. (try/except? Maybe, C++ try/catch? {{{__try/__except}}} are
 for system SEH, Clang 3.7 claims to support that)
 > Right now we're looking at a few options:
 > 1) Rip out all __try /__except and just hope we don't hit an access
 > violation in normal usage
 > 2) MinGW's __try1 / __except1 construct
 > 3) libseh from here:
 > http://www.programmingunlimited.net/siteexec/content.cgi?page=mingw-seh
 >
 > Preliminary testing of both 1 and 2 indicates these probably don't work.
 > But we don't know exactly why yet.
 It's not a problem to use SEH, it's a huge problem to use it safely. MS
 uses version 4 (SEH4) or later of its implementation. There are a lot of
 undocumented tricks, hopefully, we don't need C++ EH stuff. But also
 without it, there are a lot of things to do.
 (some code from the net: https://gist.github.com/kikairoya/1710310)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16010#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

