
commit 7e140f1e0a3259f3eeb87f0a9f87cac43463b15d
parent 177a7de62579a81ada9b51176c8b833ee70fae3b
Author: Bob Owen <bobowencode@gmail.com>
Date:   Sat, 10 Jan 2026 11:30:43 +0000

Bug 2009140: Allow extra room in SizeTrackingConfig for padding during LowLevelPolicy::Done. r=handyman

Differential Revision: https://phabricator.services.mozilla.com/D278273

Diffstat:
Msecurity/sandbox/win/src/sandboxbroker/ConfigHelpers.cpp | 6++++--
Msecurity/sandbox/win/src/sandboxbroker/sandboxBroker.cpp | 5+++--
2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/security/sandbox/win/src/sandboxbroker/ConfigHelpers.cpp b/security/sandbox/win/src/sandboxbroker/ConfigHelpers.cpp
@@ -31,9 +31,11 @@ SizeTrackingConfig::SizeTrackingConfig(sandbox::TargetConfig* aConfig,
 MOZ_ASSERT(mConfig);
 // The calculation uses the kPolMemPageCount constant in sandbox_policy.h.
- // We reduce the allowable size by 1 to account for the PolicyGlobal.
+ // We reduce the allowable size by 2 to account for the PolicyGlobal and
+ // padding that occurs during LowLevelPolicy::Done. See bug 2009140.
 MOZ_ASSERT(aStoragePages > 0);
- MOZ_ASSERT(static_cast<size_t>(aStoragePages) < sandbox::kPolMemPageCount);
+ MOZ_ASSERT(static_cast<size_t>(aStoragePages) <=
+ sandbox::kPolMemPageCount - 2);
 constexpr int32_t kOneMemPage = 4096;
 mRemainingSize = kOneMemPage * aStoragePages;
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -1362,8 +1362,9 @@ void SandboxBroker::SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) {
 config->AddRestrictingRandomSid();
 // Policy wrapper to keep track of available rule space. The full policy has
- // 14 pages, so 13 allows one page for generic process rules.
- sandboxing::SizeTrackingConfig trackingConfig(config, 13);
+ // 14 pages, so 12 allows two pages for generic process rules and to allow for
+ // padding that occurs in LowLevelPolicy::Done. See bug 2009140.
+ sandboxing::SizeTrackingConfig trackingConfig(config, 12);
 if (StaticPrefs::security_sandbox_chrome_pipe_rule_enabled()) {
 // Add the policy for the client side of a pipe. It is just a file
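Review bot: The page limit in the SizeTrackingConfig constructor is enforced only by `MOZ_ASSERT`, which is compiled out of non-debug builds. In a release build an oversized `aStoragePages` would therefore leave `mRemainingSize` overstating the rule space that remains after the PolicyGlobal and the padding from LowLevelPolicy::Done. The reserve is also a bare `2` inside what appears to be an unsigned subtraction, so I would name it and guard the constant, e.g. `constexpr size_t kReservedPolicyPages = 2;` with `static_assert(sandbox::kPolMemPageCount > kReservedPolicyPages);`. If any caller can pass a page count that is not a compile-time literal, `MOZ_RELEASE_ASSERT` on the bound would be worth considering. The constructor starts and ends outside this hunk, so how `mRemainingSize` is consumed is not visible here.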
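Review bot: The literal `12` passed in SetSecurityLevelForGPUProcess is exactly the maximum the updated assertion in ConfigHelpers.cpp accepts, given the 14 pages stated in the comment. If the policy page count ever changes, the call site and the constant can drift apart with no signal in release builds, where `MOZ_ASSERT` is compiled out. If sandbox_policy.h is reachable from this file, deriving the argument from the constant would keep them in step, e.g. `sandbox::kPolMemPageCount - 2` with a cast to the constructor's parameter type if needed. The two new comments also attribute the reserved pages differently: here to generic process rules and padding, in ConfigHelpers.cpp to the PolicyGlobal and padding, so one wording should be used in both places. The function body continues outside the hunk.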