commit 4d3ded9dbfe94e473a9869299a7e724f09dcfa81 parent 2f2552a10b43abf7e4238feaa1d74bad55ffd03c Author: Greg Stoll <gstoll@mozilla.com> Date: Tue, 28 Oct 2025 17:18:30 +0000 Bug 1994743 - block McAfee/Musarubra DLLs from RDD process r=gsvelto,win-reviewers,handyman These are causing a lot of crashes in the RDD process, and I don't think they're doing any good there, so just block them all. Note that this required adding a mechanism to block DLLs in the RDD process only. Differential Revision: https://phabricator.services.mozilla.com/D269990 Diffstat:
10 files changed, 76 insertions(+), 6 deletions(-)
diff --git a/browser/app/winlauncher/freestanding/DllBlocklist.cpp b/browser/app/winlauncher/freestanding/DllBlocklist.cpp @@ -193,6 +193,11 @@ static BlockAction CheckBlockInfo(const DllBlockInfo* aInfo, return BlockAction::Allow; } + if ((aInfo->mFlags & DllBlockInfoFlags::RDD_PROCESSES_ONLY) && + !(gBlocklistInitFlags & eDllBlocklistInitFlagIsRDDProcess)) { + return BlockAction::Allow; + } + if (aInfo->mMaxVersion == DllBlockInfo::ALL_VERSIONS) { return BlockAction::Deny; } diff --git a/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp b/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp @@ -332,6 +332,11 @@ static bool ShouldBlockBasedOnBlockInfo(const DllBlockInfo& info, return false; } + if ((info.mFlags & DllBlockInfoFlags::RDD_PROCESSES_ONLY) && + !(sInitFlags & eDllBlocklistInitFlagIsRDDProcess)) { + return false; + } + *fVersion = DllBlockInfo::ALL_VERSIONS; if (info.mMaxVersion != DllBlockInfo::ALL_VERSIONS) { diff --git a/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.h b/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.h @@ -24,6 +24,7 @@ enum DllBlocklistInitFlags { eDllBlocklistInitFlagIsSocketProcess = 1 << 3, eDllBlocklistInitFlagIsGPUProcess = 1 << 4, eDllBlocklistInitFlagIsGMPluginProcess = 1 << 5, + eDllBlocklistInitFlagIsRDDProcess = 1 << 6, }; inline void SetDllBlocklistProcessTypeFlags(uint32_t& aFlags, @@ -36,6 +37,8 @@ inline void SetDllBlocklistProcessTypeFlags(uint32_t& aFlags, aFlags |= eDllBlocklistInitFlagIsGPUProcess; } else if (aProcessType == GeckoProcessType_GMPlugin) { aFlags |= eDllBlocklistInitFlagIsGMPluginProcess; + } else if (aProcessType == GeckoProcessType_RDD) { + aFlags |= eDllBlocklistInitFlagIsRDDProcess; } } diff --git a/toolkit/xre/dllservices/mozglue/WindowsDllBlocklistDefs.in b/toolkit/xre/dllservices/mozglue/WindowsDllBlocklistDefs.in @@ -465,3 +465,20 @@ GMPLUGIN_PROCESSES_TESTS += [ # DLLs used by TestDllBlocklist* gTests DllBlocklistEntry("testdllblocklist_gmpluginprocessonly.dll", ALL_VERSIONS), ] + +RDD_PROCESSES += [ + # McAfee/Musarubra DLLs, bug 1994743 + DllBlocklistEntry("epclient64.dll", ALL_VERSIONS), + DllBlocklistEntry("EpMPApi.dll", ALL_VERSIONS), + DllBlocklistEntry("EpMPThe.dll", ALL_VERSIONS), + DllBlocklistEntry("fcagpph64.dll", ALL_VERSIONS), + DllBlocklistEntry("fcagff64.dll", ALL_VERSIONS), + DllBlocklistEntry("mfehcinj.dll", ALL_VERSIONS), + DllBlocklistEntry("mfehcthe.dll", ALL_VERSIONS), + DllBlocklistEntry("mvcairo_x64.dll", ALL_VERSIONS), +] + +RDD_PROCESSES_TESTS += [ + # DLLs used by TestDllBlocklist* gTests + DllBlocklistEntry("testdllblocklist_rddprocessonly.dll", ALL_VERSIONS), +] +\ No newline at end of file diff --git a/toolkit/xre/dllservices/mozglue/WindowsDllBlocklistInfo.h b/toolkit/xre/dllservices/mozglue/WindowsDllBlocklistInfo.h @@ -15,9 +15,9 @@ namespace mozilla { // the IMAGE_FILE_HEADER in lieu of a version number. // // If the UTILITY_PROCESSES_ONLY, SOCKET_PROCESSES_ONLY, GPU_PROCESSES_ONLY, -// or GMPLUGIN_PROCESSES_ONLY flags are set, the dll will only be blocked for -// these specific child processes. Note that these are a subset of -// CHILD_PROCESSES_ONLY. +// GMPLUGIN_PROCESSES_ONLY, or RDD_PROCESSES_ONLY flags are set, the dll +// will only be blocked for these specific child processes. +// Note that these are a subset of CHILD_PROCESSES_ONLY. enum DllBlockInfoFlags : uint32_t { FLAGS_DEFAULT = 0, USE_TIMESTAMP = 1 << 0, @@ -28,6 +28,7 @@ enum DllBlockInfoFlags : uint32_t { SOCKET_PROCESSES_ONLY = 1 << 5, GPU_PROCESSES_ONLY = 1 << 6, GMPLUGIN_PROCESSES_ONLY = 1 << 7, + RDD_PROCESSES_ONLY = 1 << 8, }; constexpr DllBlockInfoFlags operator|(const DllBlockInfoFlags a, @@ -56,9 +57,9 @@ struct DllBlockInfoT { // the IMAGE_FILE_HEADER in lieu of a version number. // // If the UTILITY_PROCESSES_ONLY, SOCKET_PROCESSES_ONLY, GPU_PROCESSES_ONLY, - // or GMPLUGIN_PROCESSES_ONLY flags are set, the dll will only be blocked for - // these specific child processes. Note that these are a subset of - // CHILD_PROCESSES_ONLY. These flags cannot be combined. + // GMPLUGIN_PROCESSES_ONLY, or RDD_PROCESSES_ONLY flags are set, the dll will + // only be blocked for these specific child processes. Note that these are a + // subset of CHILD_PROCESSES_ONLY. These flags cannot be combined. DllBlockInfoFlags mFlags; bool IsVersionBlocked(const uint64_t aOther) const { diff --git a/toolkit/xre/dllservices/mozglue/gen_dll_blocklist_defs.py b/toolkit/xre/dllservices/mozglue/gen_dll_blocklist_defs.py @@ -61,6 +61,7 @@ UTILITY_PROCESSES_ONLY = "UTILITY_PROCESSES_ONLY" SOCKET_PROCESSES_ONLY = "SOCKET_PROCESSES_ONLY" GPU_PROCESSES_ONLY = "GPU_PROCESSES_ONLY" GMPLUGIN_PROCESSES_ONLY = "GMPLUGIN_PROCESSES_ONLY" +RDD_PROCESSES_ONLY = "RDD_PROCESSES_ONLY" def FILTER_ALLOW_ALL(entry): @@ -98,6 +99,7 @@ ALL_DEFINITION_LISTS = ( "GPU_PROCESSES", "UTILITY_PROCESSES", "SOCKET_PROCESSES", + "RDD_PROCESSES", ) @@ -367,6 +369,7 @@ GENERATED_BLOCKLIST_FILES = [ "GPU_PROCESSES": {GPU_PROCESSES_ONLY}, "UTILITY_PROCESSES": {UTILITY_PROCESSES_ONLY}, "SOCKET_PROCESSES": {SOCKET_PROCESSES_ONLY}, + "RDD_PROCESSES": {RDD_PROCESSES_ONLY}, }, ), BlocklistDescriptor( @@ -379,6 +382,7 @@ GENERATED_BLOCKLIST_FILES = [ "GPU_PROCESSES": {GPU_PROCESSES_ONLY}, "UTILITY_PROCESSES": {UTILITY_PROCESSES_ONLY}, "SOCKET_PROCESSES": {SOCKET_PROCESSES_ONLY}, + "RDD_PROCESSES": {RDD_PROCESSES_ONLY}, }, ), # Roughed-in for the moment; we'll enable this in bug 1238735 diff --git a/toolkit/xre/dllservices/tests/gtest/TestDLLBlocklist.cpp b/toolkit/xre/dllservices/tests/gtest/TestDLLBlocklist.cpp @@ -216,6 +216,17 @@ TEST(TestDllBlocklist, GMPluginProcessOnly_AllowInMainProcess) EXPECT_TRUE(!!::GetModuleHandleW(kLeafName.get())); } +TEST(TestDllBlocklist, RDDProcessOnly_AllowInMainProcess) +{ + constexpr auto kLeafName = u"TestDllBlocklist_RDDProcessOnly.dll"_ns; + nsString dllPath = GetFullPath(kLeafName); + + nsModuleHandle hDll(::LoadLibraryW(dllPath.get())); + + EXPECT_TRUE(!!hDll); + EXPECT_TRUE(!!::GetModuleHandleW(kLeafName.get())); +} + // This DLL has two entries; it's blocked for unversioned (i.e. DLLs that // have no version information) everywhere and blocked for versions 5.5.5.5 and // earlier only in the GPU process. Since the version we're trying to load diff --git a/toolkit/xre/dllservices/tests/gtest/TestDllBlocklist_RDDProcessOnly/TestDllBlocklist_RDDProcessOnly.cpp b/toolkit/xre/dllservices/tests/gtest/TestDllBlocklist_RDDProcessOnly/TestDllBlocklist_RDDProcessOnly.cpp @@ -0,0 +1,7 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include <windows.h> + +BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD aReason, LPVOID) { return TRUE; } diff --git a/toolkit/xre/dllservices/tests/gtest/TestDllBlocklist_RDDProcessOnly/moz.build b/toolkit/xre/dllservices/tests/gtest/TestDllBlocklist_RDDProcessOnly/moz.build @@ -0,0 +1,15 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +DIST_INSTALL = False + +SharedLibrary("TestDllBlocklist_RDDProcessOnly") + +UNIFIED_SOURCES = [ + "TestDllBlocklist_RDDProcessOnly.cpp", +] + +if CONFIG["COMPILE_ENVIRONMENT"]: + TEST_HARNESS_FILES.gtest += ["!TestDllBlocklist_RDDProcessOnly.dll"] diff --git a/toolkit/xre/dllservices/tests/gtest/moz.build b/toolkit/xre/dllservices/tests/gtest/moz.build @@ -25,6 +25,7 @@ TEST_DIRS += [ "TestDllBlocklist_MultipleEntries_SameProcessBackward", "TestDllBlocklist_MultipleEntries_SameProcessForward", "TestDllBlocklist_NoOpEntryPoint", + "TestDllBlocklist_RDDProcessOnly", "TestDllBlocklist_SingleNotification1", "TestDllBlocklist_SingleNotification2", "TestDllBlocklist_SocketProcessOnly",