1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
6
7 #define MOZ_USE_LAUNCHER_ERROR
8
9 #include "LauncherProcessWin.h"
10
11 #include <string.h>
12
13 #include "mozilla/Attributes.h"
14 #include "mozilla/CmdLineAndEnvUtils.h"
15 #include "mozilla/DebugOnly.h"
16 #include "mozilla/DynamicallyLinkedFunctionPtr.h"
17 #include "mozilla/glue/Debug.h"
18 #include "mozilla/Maybe.h"
19 #include "mozilla/SafeMode.h"
20 #include "mozilla/UniquePtr.h"
21 #include "mozilla/WindowsConsole.h"
22 #include "mozilla/WindowsVersion.h"
23 #include "mozilla/WinHeaderOnlyUtils.h"
24 #include "nsWindowsHelpers.h"
25
26 #include <windows.h>
27 #include <processthreadsapi.h>
28
29 #include "DllBlocklistInit.h"
30 #include "ErrorHandler.h"
31 #include "LaunchUnelevated.h"
32 #include "ProcThreadAttributes.h"
33
34 #if defined(MOZ_LAUNCHER_PROCESS)
35 # include "mozilla/LauncherRegistryInfo.h"
36 # include "SameBinary.h"
37 #endif // defined(MOZ_LAUNCHER_PROCESS)
38
39 /**
40 * At this point the child process has been created in a suspended state. Any
41 * additional startup work (eg, blocklist setup) should go here.
42 *
43 * @return Ok if browser startup should proceed
44 */
static mozilla::LauncherVoidResult PostCreationSetup(
    const wchar_t* aFullImagePath, HANDLE aChildProcess,
    HANDLE aChildMainThread, const bool aIsSafeMode) {
  // The only post-creation step at present is initializing the DLL blocklist
  // in the child. aChildMainThread and aIsSafeMode are accepted but not read
  // by this body.
  mozilla::LauncherVoidResult blocklistResult =
      mozilla::InitializeDllBlocklistOOPFromLauncher(aFullImagePath,
                                                     aChildProcess);

  // On error, LauncherMain terminates the still-suspended child instead of
  // resuming it.
  return blocklistResult;
}
51
// Fallback for SDK headers that do not define this flag. It is only defined
// here when the SDK has not already provided it. SetMitigationPolicies adds it
// to the child's process-creation attributes so that the image loader prefers
// System32 copies of images.
#if !defined( \
    PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON)
# define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON \
    (0x00000001ULL << 60)
#endif // !defined(PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON)

// Fallback for SDK headers that do not define this flag. It turns Control Flow
// Guard OFF for the created process, i.e. it removes a mitigation. In this
// file it is only applied inside the _M_ARM64 workaround in
// SetMitigationPolicies.
#if !defined(PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF)
# define PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF \
    (0x00000002ULL << 40)
#endif // !defined(PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF)

// Declared here when targeting a Windows version below 0x0602 (presumably
// because the SDK headers then omit it -- confirm). The declaration only
// supplies the function type for the decltype() in LauncherMain, which
// resolves the real entry point from kernel32.dll at runtime.
#if (_WIN32_WINNT < 0x0602)
BOOL WINAPI
SetProcessMitigationPolicy(PROCESS_MITIGATION_POLICY aMitigationPolicy,
                           PVOID aBuffer, SIZE_T aBufferLen);
#endif // (_WIN32_WINNT < 0x0602)
68
69 /**
70 * Any mitigation policies that should be set on the browser process should go
71 * here.
72 */
static void SetMitigationPolicies(mozilla::ProcThreadAttributes& aAttrs,
                                  const bool aIsSafeMode) {
  // aIsSafeMode is not consulted by this body: the policies below are added
  // regardless of safe mode.
  const bool isAnniversaryOrLater = mozilla::IsWin10AnniversaryUpdateOrLater();
  if (isAnniversaryOrLater) {
    aAttrs.AddMitigationPolicy(
        PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_PREFER_SYSTEM32_ALWAYS_ON);
  }

#if defined(_M_ARM64)
  // Workaround for a crash in COM on older ARM64 Windows: CFG is switched off
  // for the browser process there. Note that this removes an exploit
  // mitigation, so it is limited to versions before the Sep 2018 update.
  const bool isBeforeSep2018 = !mozilla::IsWin10Sep2018UpdateOrLater();
  if (isBeforeSep2018) {
    aAttrs.AddMitigationPolicy(
        PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_ALWAYS_OFF);
  }
#endif  // defined(_M_ARM64)
}
88
// Derives the LauncherFlags for this run from the command line and the
// environment.
//
// eWaitForBrowser is set by -wait-for-browser (which is removed from argv), by
// -marionette, -backgroundtask or -headless (which are left in argv), or by a
// non-empty MOZ_AUTOMATION / MOZ_HEADLESS environment variable.
// eNoDeelevate is set by -no-deelevate; LauncherMain consults it when deciding
// whether an elevated launcher relaunches itself unelevated, so the switch
// lets the caller keep the browser at the launcher's privilege level.
static mozilla::LauncherFlags ProcessCmdLine(int& aArgc, wchar_t* aArgv[]) {
  // Typed null for CheckArg's parameter out-pointer: none of the switches
  // checked here carries a value we need.
  const wchar_t** const noParam = nullptr;

  // The || chain short-circuits exactly like the checks are listed, so the
  // later lookups are skipped once one source has requested waiting.
  const bool waitForBrowser =
      mozilla::CheckArg(aArgc, aArgv, L"wait-for-browser", noParam,
                        mozilla::CheckArgFlag::RemoveArg) ==
          mozilla::ARG_FOUND ||
      mozilla::CheckArg(aArgc, aArgv, L"marionette", noParam,
                        mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND ||
      mozilla::CheckArg(aArgc, aArgv, L"backgroundtask", noParam,
                        mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND ||
      mozilla::CheckArg(aArgc, aArgv, L"headless", noParam,
                        mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND ||
      mozilla::EnvHasValue("MOZ_AUTOMATION") ||
      mozilla::EnvHasValue("MOZ_HEADLESS");

  // Uses CheckArg's default flags.
  const bool noDeelevate =
      mozilla::CheckArg(aArgc, aArgv, L"no-deelevate") == mozilla::ARG_FOUND;

  mozilla::LauncherFlags flags = mozilla::LauncherFlags::eNone;
  if (waitForBrowser) {
    flags |= mozilla::LauncherFlags::eWaitForBrowser;
  }
  if (noDeelevate) {
    flags |= mozilla::LauncherFlags::eNoDeelevate;
  }
  return flags;
}
116
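// Debugging hooks for the browser process, driven by environment variables.
//
// MOZ_DEBUG_BROWSER_PROCESS (any non-empty value): trigger a breakpoint.
// MOZ_DEBUG_BROWSER_PAUSE=<seconds>: print this process's id to stderr and
// sleep for that many seconds so that a debugger can be attached.
//
// NOTE(review): nothing in this function restricts the hooks to debug builds,
// so whoever controls the environment can interrupt or stall startup --
// confirm that this is intended for release builds.
static void MaybeBreakForBrowserDebugging() {
  if (mozilla::EnvHasValue("MOZ_DEBUG_BROWSER_PROCESS")) {
    ::DebugBreak();
    return;
  }

  const wchar_t* pauseLenS = _wgetenv(L"MOZ_DEBUG_BROWSER_PAUSE");
  if (!pauseLenS || !(*pauseLenS)) {
    return;
  }

  // The value comes straight from the environment. Multiplying by 1000 in a
  // DWORD wraps for large inputs and would silently shorten the pause, so
  // saturate instead. The cap stays one below INFINITE so that the sleep
  // always remains finite.
  const DWORD kMaxPauseMs = INFINITE - 1;
  const unsigned long pauseLenSec = wcstoul(pauseLenS, nullptr, 10);
  const DWORD pauseLenMs = (pauseLenSec > kMaxPauseMs / 1000)
                               ? kMaxPauseMs
                               : static_cast<DWORD>(pauseLenSec * 1000);

  printf_stderr("\n\nBROWSERBROWSERBROWSERBROWSER\n  debug me @ %lu\n\n",
                ::GetCurrentProcessId());
  ::Sleep(pauseLenMs);
}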
133
// Decides whether this process should act as the launcher, based on the
// parent process's binary, the MOZ_LAUNCHER_PROCESS environment variable and
// the -launcher command-line switch.
//
// Side effects: reports an error if the parent comparison fails, clears
// MOZ_LAUNCHER_PROCESS when it is set, and removes -launcher from argv.
static bool DoLauncherProcessChecks(int& argc, wchar_t** argv) {
  // NB: There is deliberately no early return. Every check below runs so that
  // all of the side effects listed above take place, whatever the other
  // checks decide.
  bool shouldLaunch = false;

#if defined(MOZ_LAUNCHER_PROCESS)
  // File ids are still compared by default. Passing CompareNtPathsOnly to
  // IsSameBinaryAsParentProcess would be much faster, but we are not 100% sure
  // that comparing NT paths perfectly prevents the launcher process from
  // launching itself in a loop.
  mozilla::LauncherResult<bool> sameAsParent =
      mozilla::IsSameBinaryAsParentProcess();
  if (sameAsParent.isErr()) {
    HandleLauncherError(sameAsParent.unwrapErr());
  } else {
    // Our parent is a different binary, so we are the first process in the
    // chain and should launch.
    shouldLaunch = !sameAsParent.unwrap();
  }
#endif  // defined(MOZ_LAUNCHER_PROCESS)

  if (mozilla::EnvHasValue("MOZ_LAUNCHER_PROCESS")) {
    // Clear the variable once it has been honoured (presumably so that the
    // process we launch does not see it -- confirm).
    mozilla::SaveToEnv("MOZ_LAUNCHER_PROCESS=");
    shouldLaunch = true;
  }

  const bool hasLauncherArg =
      mozilla::CheckArg(argc, argv, L"launcher",
                        static_cast<const wchar_t**>(nullptr),
                        mozilla::CheckArgFlag::RemoveArg) == mozilla::ARG_FOUND;

  return shouldLaunch || hasLauncherArg;
}
164
// Determines whether this process runs as the launcher.
//
// Returns Some(false) immediately for content processes, Nothing() when the
// registry check fails (the error has been reported by then), and otherwise
// Some(true) for the launcher or Some(false) for the browser. When the answer
// is "browser", the MOZ_DEBUG_BROWSER_* hooks are honoured before returning.
#if defined(MOZ_LAUNCHER_PROCESS)
static mozilla::Maybe<bool> RunAsLauncherProcess(
    mozilla::LauncherRegistryInfo& aRegInfo, int& argc, wchar_t** argv) {
#else
static mozilla::Maybe<bool> RunAsLauncherProcess(int& argc, wchar_t** argv) {
#endif  // defined(MOZ_LAUNCHER_PROCESS)
  // Bail out quickly for child processes: the rest of this function has side
  // effects that are undesirable for content processes.
  const bool isContentProc =
      mozilla::CheckArg(argc, argv, L"contentproc",
                        static_cast<const wchar_t**>(nullptr),
                        mozilla::CheckArgFlag::None) == mozilla::ARG_FOUND;
  if (isContentProc) {
    return mozilla::Some(false);
  }

  bool runAsLauncher = DoLauncherProcessChecks(argc, argv);

#if defined(MOZ_LAUNCHER_PROCESS)
  using RegInfo = mozilla::LauncherRegistryInfo;

  // -force-launcher is only looked for (and removed from argv) when the checks
  // above already asked for launcher mode.
  const bool forceLauncher =
      runAsLauncher &&
      mozilla::CheckArg(argc, argv, L"force-launcher",
                        static_cast<const wchar_t**>(nullptr),
                        mozilla::CheckArgFlag::RemoveArg) == mozilla::ARG_FOUND;

  const RegInfo::ProcessType desiredType =
      runAsLauncher ? RegInfo::ProcessType::Launcher
                    : RegInfo::ProcessType::Browser;
  const RegInfo::CheckOption checkOption =
      forceLauncher ? RegInfo::CheckOption::Force
                    : RegInfo::CheckOption::Default;

  // The registry state has the final say on which process type we become.
  mozilla::LauncherResult<RegInfo::ProcessType> runAsType =
      aRegInfo.Check(desiredType, checkOption);
  if (runAsType.isErr()) {
    mozilla::HandleLauncherError(runAsType);
    return mozilla::Nothing();
  }

  runAsLauncher = runAsType.unwrap() == RegInfo::ProcessType::Launcher;
#endif  // defined(MOZ_LAUNCHER_PROCESS)

  if (runAsLauncher) {
    return mozilla::Some(true);
  }

  // We will be proceeding to run as the browser, so this is the place to check
  // the MOZ_DEBUG_BROWSER_* env vars.
  MaybeBreakForBrowserDebugging();
  return mozilla::Some(false);
}
217
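namespace mozilla {

/**
 * Entry point of the launcher logic.
 *
 * Decides whether this process acts as the launcher. If it does, the browser
 * is created as a suspended child with mitigation policies and an explicit
 * handle-inheritance list, set up via PostCreationSetup, and then resumed.
 *
 * @param argc     Argument count; updated as launcher-only switches are
 *                 removed from argv.
 * @param argv     Argument vector; argv[0] is replaced with the full binary
 *                 path before the child is created.
 * @param aAppData Application data handed to the launcher error reporting.
 * @return Nothing() when this process is not the launcher, or when a launcher
 *         step failed (the error has been passed to HandleLauncherError).
 *         Some(exit code) when this process acted as the launcher: the
 *         browser's exit code if eWaitForBrowser was requested and could be
 *         read, otherwise 0.
 */
Maybe<int> LauncherMain(int& argc, wchar_t* argv[],
                        const StaticXREAppData& aAppData) {
  // Note: keep in sync with nsBrowserApp.
  // The command line is validated against the acceptable parameter list before
  // anything else in this function reads it.
  const wchar_t* acceptableParams[] = {L"url", nullptr};
  EnsureCommandlineSafe(argc, argv, acceptableParams);

  SetLauncherErrorAppData(aAppData);

  if (CheckArg(argc, argv, L"log-launcher-error",
               static_cast<const wchar_t**>(nullptr),
               mozilla::CheckArgFlag::RemoveArg) == ARG_FOUND) {
    SetLauncherErrorForceEventLog();
  }

#if defined(MOZ_LAUNCHER_PROCESS)
  LauncherRegistryInfo regInfo;
  Maybe<bool> runAsLauncher = RunAsLauncherProcess(regInfo, argc, argv);
#else
  Maybe<bool> runAsLauncher = RunAsLauncherProcess(argc, argv);
#endif  // defined(MOZ_LAUNCHER_PROCESS)
  if (!runAsLauncher || !runAsLauncher.value()) {
#if defined(MOZ_LAUNCHER_PROCESS)
    // Update the registry as Browser. This also runs when runAsLauncher is
    // Nothing(), i.e. after the registry check itself reported an error.
    LauncherVoidResult commitResult = regInfo.Commit();
    if (commitResult.isErr()) {
      mozilla::HandleLauncherError(commitResult);
    }
#endif  // defined(MOZ_LAUNCHER_PROCESS)
    return Nothing();
  }

  // Make sure that the launcher process itself has image load policies set
  if (IsWin10AnniversaryUpdateOrLater()) {
    // Resolved dynamically from kernel32.dll instead of being linked against.
    static const StaticDynamicallyLinkedFunctionPtr<
        decltype(&SetProcessMitigationPolicy)>
        pSetProcessMitigationPolicy(L"kernel32.dll",
                                    "SetProcessMitigationPolicy");
    if (pSetProcessMitigationPolicy) {
      PROCESS_MITIGATION_IMAGE_LOAD_POLICY imgLoadPol = {};
      imgLoadPol.PreferSystem32Images = 1;

      // The result is only checked by MOZ_ASSERT, so outside of assert-enabled
      // builds a failure to apply the policy goes unnoticed and the launcher
      // simply continues without it.
      DebugOnly<BOOL> setOk = pSetProcessMitigationPolicy(
          ProcessImageLoadPolicy, &imgLoadPol, sizeof(imgLoadPol));
      MOZ_ASSERT(setOk);
    }
  }

  mozilla::UseParentConsole();

  // From here on argv[0] is the full path of this binary. It is later passed
  // as the application name when the child is created, so the image that is
  // started is named explicitly rather than derived from the command line.
  if (!SetArgv0ToFullBinaryPath(argv)) {
    HandleLauncherError(LAUNCHER_ERROR_GENERIC());
    return Nothing();
  }

  LauncherFlags flags = ProcessCmdLine(argc, argv);

  nsAutoHandle mediumIlToken;
  LauncherResult<ElevationState> elevationState =
      GetElevationState(argv[0], flags, mediumIlToken);
  if (elevationState.isErr()) {
    HandleLauncherError(elevationState);
    return Nothing();
  }

  // If we're elevated, we should relaunch ourselves as a normal user.
  // Note that we only call LaunchUnelevated when we don't need to wait for the
  // browser process. We also skip it when -no-deelevate was given or when
  // GetElevationState handed back a token to create the child with instead.
  if (elevationState.unwrap() == ElevationState::eElevated &&
      !(flags &
        (LauncherFlags::eWaitForBrowser | LauncherFlags::eNoDeelevate)) &&
      !mediumIlToken.get()) {
    LauncherVoidResult launchedUnelevated = LaunchUnelevated(argc, argv);
    if (launchedUnelevated.isErr()) {
      HandleLauncherError(launchedUnelevated);
      return Nothing();
    }

    return Some(0);
  }

#if defined(MOZ_LAUNCHER_PROCESS)
  // Update the registry as Launcher
  LauncherVoidResult commitResult = regInfo.Commit();
  if (commitResult.isErr()) {
    mozilla::HandleLauncherError(commitResult);
    return Nothing();
  }
#endif  // defined(MOZ_LAUNCHER_PROCESS)

  // Now proceed with setting up the parameters for process creation
  UniquePtr<wchar_t[]> cmdLine(MakeCommandLine(argc, argv));
  if (!cmdLine) {
    HandleLauncherError(LAUNCHER_ERROR_GENERIC());
    return Nothing();
  }

  const Maybe<bool> isSafeMode =
      IsSafeModeRequested(argc, argv, SafeModeFlag::NoKeyPressCheck);
  if (!isSafeMode) {
    HandleLauncherError(LAUNCHER_ERROR_FROM_WIN32(ERROR_INVALID_PARAMETER));
    return Nothing();
  }

  ProcThreadAttributes attrs;
  SetMitigationPolicies(attrs, isSafeMode.value());

  HANDLE stdHandles[] = {::GetStdHandle(STD_INPUT_HANDLE),
                         ::GetStdHandle(STD_OUTPUT_HANDLE),
                         ::GetStdHandle(STD_ERROR_HANDLE)};

  attrs.AddInheritableHandles(stdHandles);

  // The child is created suspended so that PostCreationSetup can run before
  // any of its code executes.
  DWORD creationFlags = CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT;

  // NOTE(review): siex is not initialized here; AssignTo (not visible in this
  // file) is presumably responsible for initializing it -- confirm.
  STARTUPINFOEXW siex;
  LauncherResult<bool> attrsOk = attrs.AssignTo(siex);
  if (attrsOk.isErr()) {
    HandleLauncherError(attrsOk);
    return Nothing();
  }

  // Stays FALSE unless the attribute list was applied, so without the
  // inheritance list the child inherits no handles at all.
  BOOL inheritHandles = FALSE;

  if (attrsOk.unwrap()) {
    creationFlags |= EXTENDED_STARTUPINFO_PRESENT;

    if (attrs.HasInheritableHandles()) {
      siex.StartupInfo.dwFlags |= STARTF_USESTDHANDLES;
      siex.StartupInfo.hStdInput = stdHandles[0];
      siex.StartupInfo.hStdOutput = stdHandles[1];
      siex.StartupInfo.hStdError = stdHandles[2];

      // Since attrsOk == true, we have successfully set the handle inheritance
      // whitelist policy, so only the handles added to attrs will be inherited.
      inheritHandles = TRUE;
    }
  }

  // Pass on the path of the shortcut used to launch this process, if any.
  STARTUPINFOW currentStartupInfo;
  GetStartupInfoW(&currentStartupInfo);
  if ((currentStartupInfo.dwFlags & STARTF_TITLEISLINKNAME) &&
      currentStartupInfo.lpTitle) {
    siex.StartupInfo.dwFlags |= STARTF_TITLEISLINKNAME;
    siex.StartupInfo.lpTitle = currentStartupInfo.lpTitle;
  }

  PROCESS_INFORMATION pi = {};
  BOOL createOk;

  // With a token from GetElevationState the child is created under that token;
  // otherwise it is created with the launcher's own token.
  if (mediumIlToken.get()) {
    createOk =
        ::CreateProcessAsUserW(mediumIlToken.get(), argv[0], cmdLine.get(),
                               nullptr, nullptr, inheritHandles, creationFlags,
                               nullptr, nullptr, &siex.StartupInfo, &pi);
  } else {
    createOk = ::CreateProcessW(argv[0], cmdLine.get(), nullptr, nullptr,
                                inheritHandles, creationFlags, nullptr, nullptr,
                                &siex.StartupInfo, &pi);
  }

  if (!createOk) {
    HandleLauncherError(LAUNCHER_ERROR_FROM_LAST());
    return Nothing();
  }

  // Own both handles from here on so that every return path closes them.
  nsAutoHandle process(pi.hProcess);
  nsAutoHandle mainThread(pi.hThread);

  LauncherVoidResult setupResult = PostCreationSetup(
      argv[0], process.get(), mainThread.get(), isSafeMode.value());
  if (setupResult.isErr()) {
    HandleLauncherError(setupResult);
    // Never resume a child whose setup failed; the result of TerminateProcess
    // is not checked.
    ::TerminateProcess(process.get(), 1);
    return Nothing();
  }

  if (::ResumeThread(mainThread.get()) == static_cast<DWORD>(-1)) {
    HandleLauncherError(LAUNCHER_ERROR_FROM_LAST());
    ::TerminateProcess(process.get(), 1);
    return Nothing();
  }

  if (flags & LauncherFlags::eWaitForBrowser) {
    DWORD exitCode;
    if (::WaitForSingleObject(process.get(), INFINITE) == WAIT_OBJECT_0 &&
        ::GetExitCodeProcess(process.get(), &exitCode)) {
      // Propagate the browser process's exit code as our exit code.
      return Some(static_cast<int>(exitCode));
    }
    // If the wait or the exit-code query fails we fall through and report 0.
  } else {
    const DWORD timeout =
        ::IsDebuggerPresent() ? INFINITE : kWaitForInputIdleTimeoutMS;

    // Keep the current process around until the callback process has created
    // its message queue, to avoid the launched process's windows being forced
    // into the background.
    mozilla::WaitForInputIdle(process.get(), timeout);
  }

  return Some(0);
}

}  // namespace mozilla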
425