commit fc74e7d237a19684bd4539645f36bdaacfcb1afe
parent cffdaea8d78c67c470c3acca2b08daf356e8104b
Author: Bob Owen <bobowencode@gmail.com>
Date: Tue, 11 Nov 2025 09:01:10 +0000
Bug 1997149 - Close KsecDD device handle in windows content process. r=handyman
The handle to KsecDD is opened by cryptbase.dll. It backs calls to
cryptbase!RtlDecryptMemory and cryptbase!RtlEncryptMemory which we do not use.
Closing the handle is controlled via a pref to give users a work-around if they hit issues.
Differential Revision: https://phabricator.services.mozilla.com/D271571
Diffstat:
2 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
@@ -17113,6 +17113,13 @@
type: RelaxedAtomicBool
value: false
mirror: always
+
+ # Whether \Device\KsecDD is closed in content process. We are closing this
+ # using a pref to give users a work-around if they have issues.
+- name: security.sandbox.content.close-ksecdd-handle
+ type: RelaxedAtomicBool
+ value: true
+ mirror: always
#endif
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
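Review bot: The comment on the new pref (the two `#` lines above `- name: security.sandbox.content.close-ksecdd-handle`) says only that the handle is closed, not what it backs, so someone deciding whether to flip it off has no way to tell if it is the relevant work-around for a given failure; the commit message has the detail but the pref list does not. Suggest `# \Device\KsecDD is opened by cryptbase.dll and backs RtlEncryptMemory/RtlDecryptMemory, which we do not use; it is closed via a pref so users have a work-around if they hit issues.` The pref appears to sit inside a platform `#if` block whose opening is outside the hunk (only the `#endif` is visible), so the Windows-only scope is implied rather than stated in the comment.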
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -1083,6 +1083,12 @@ void SandboxBroker::SetSecurityLevelForContentProcess(int32_t aSandboxLevel,
config->SetDesktop(sandbox::Desktop::kAlternateWinstation);
}
+ if (StaticPrefs::security_sandbox_content_close_ksecdd_handle()) {
+ result = config->AddKernelObjectToClose(L"File", L"\\Device\\KsecDD");
+ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
+ "AddKernelObjectToClose should never fail.");
+ }
+
sandbox::MitigationFlags mitigations =
sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
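Review bot: The added `if (StaticPrefs::security_sandbox_content_close_ksecdd_handle())` block carries no comment explaining why \Device\KsecDD is safe to close, and the assert message does not say either, so a later reader has to dig up bug 1997149 to learn that the handle is opened by cryptbase.dll for RtlEncryptMemory/RtlDecryptMemory, which the content process does not call. Suggest a comment above the `if`: `// \Device\KsecDD is opened by cryptbase.dll to back RtlEncryptMemory/RtlDecryptMemory, which the content process does not use; the pref is an escape hatch if closing it breaks something.` The `result` variable is declared outside the hunk and presumably already checked by earlier calls, so reusing it here is consistent as long as the assert stays immediately after the assignment. The enclosing SetSecurityLevelForContentProcess starts before the hunk and continues past it.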