remove_dir_all implementation on Windows is incompatible with some third-party hooks for NtOpenFile, leading to Firefox crashes

[yjugl]

Third-party software can inject a DLL into firefox.exe that detours calls to NtOpenFile to monitor the use of this system call. Some of these third-party DLLs can assume that in any NtOpenFile call, ObjectAttributes->ObjectName.Buffer is a valid pointer to dereference, and more generally that it is a null-terminated wide string. They do not check ObjectAttributes->ObjectName.Length nor ObjectAttributes->ObjectName.MaxLength. Rust's implementation of remove_dir_all on Windows makes direct calls to NtOpenFile that violate this third-party assumption, resulting in Firefox crashes in Bug 1973947.

While one could argue that this is an incorrect assumption to have in the first place, it turns out that this assumption does not usually lead to crashes. This is because the assumption seems valid for the UNICODE_STRING values that usually flow into NtOpenFile, for example through win32 API calls, because these calls happen to always provide null-terminated wide strings in Buffer. For example they may rely on RtlInitUnicodeString to wrap null-terminated wide strings as UNICODE_STRING values. RtlInitUnicodeString(&unicode_string, wide_string) will typically set unicode_string.Buffer to wide_string, unicode_string.Length to wcslen(wide_string) and unicode_string.MaxLength to wcslen(wide_string) + 2 (accounting for the null wide char).

Rust's implementation of remove_dir_all appears to be the only violation for this assumption when firefox.exe runs. Would it be possible to enforce this assumption, to mimic the way usual calls to NtOpenFile behave, thereby preventing these crashes? In particular, the code below generates a UNICODE_STRING where Length is 0, MaxLength is 0 and Buffer is 2:

pub fn remove_dir_all_iterative(dir: File) -> Result<(), WinError> {
  // ...
  retry(|| delete(&dir, &[]), WinError::DIR_NOT_EMPTY)?;
  // ...
}

This can be reproduced in a standalone binary. The code below prints 0 0 2:

type PWSTR = *mut u16;

#[repr(C)]
#[derive(Clone, Copy)]
struct UNICODE_STRING {
    pub Length: u16,
    pub MaximumLength: u16,
    pub Buffer: PWSTR,
}

impl UNICODE_STRING {
    pub fn from_ref(slice: &[u16]) -> Self {
        let len = size_of_val(slice);
        Self { Length: len as _, MaximumLength: len as _, Buffer: slice.as_ptr() as _ }
    }
}

fn main() {
    let str = UNICODE_STRING::from_ref(&[]);
    println!("{} {} {}", str.Length, str.MaximumLength, str.Buffer as u64);
}

This explains why the Firefox crashes we receive are caused by derefencing 2 as a pointer.

[RalfJung]

Thanks for filing an issue! However, I am inclined to strongly agree with this: "one could argue that this is an incorrect assumption to have in the first place".

What third-party software is so buggy that it just entirely ignores the documented API for NtOpenFile and imposes its own, unjustified assumptions on all applications? Is this yet another example of "security" software making the world a worse place for everyone? If we start working around every broken piece of terrible middleware out there, we'll never be done...

Cc @ChrisDenton

[Fulgen301]

Some of these third-party DLLs can assume that in any NtOpenFile call, ObjectAttributes->ObjectName.Buffer is a valid pointer to dereference, and more generally that it is a null-terminated wide string.

UNICODE_STRING is a counted string, not a null-terminated one - the somewhat confusing wording about it in the docs is simply because if you initialize the struct with a null terminated string, then the string is...well, null-terminated. But it's not a guarantee of the underlying data structure, and never has been.

It's not Rust's fault that third-party DLLs are once again incapable of actually respecting the platform's ABI and datastructure invariants. (I'm not criticizing the OP for this, they're simply the messenger of Mozilla having to deal with the usual third-party foo yet again...)
On the other hand, reality is never perfect.

[ChrisDenton]

In general I agree this is a problem that should be fixed by the DLLs hooking functions without implementing the APIs correctly. This should definitely be fixed on their end.

That said, if this specific issue is causing a problem in practice then I think we should seriously consider implementing a mitigation. Currently we just pass filenames returned by the OS directly back to the OS, which is nice and simple. The mitigation wouldn't be too onerous, we'd just need to instead copy paths into a buffer and append a null. This wouldn't be the first time we've added some complexity to workaround such misbehaving DLLs.

[workingjubilee]

Both ff64.dll and nsccor0364.dll appear to be security software.

The security software appears to be insecure.

[ChrisDenton]

Presumably the issue has been reported to them? Security software vendors are hopefully responsive to such issues.

[the8472]

I think this hasn't been stated clearly, but the remove_dir_all change was introduced in response to CVE-2022-21658 ( #93112), so firefox reverting to an older implementation reintroduces that. Maybe it doesn't affect firefox since that's usually not a privileged process... except for their updater? But still, security software triggering a rollback doesn't look good on them.

Presumably the issue has been reported to them?

The bugzilla issue doesn't indicate that that happened.

[RalfJung]

The security software appears to be insecure.

Sadly, that's the norm, not the exception.

[ChrisDenton]

The bugzilla issue doesn't indicate that that happened.

Regardless of the fix here. it would be very useful to not have a memory safety bug in security software. I have had some success in the past when reporting issues to security software but I think it's fair to say that Mozilla's name carries much more weight than my own.

[gregstoll]

I think this hasn't been stated clearly, but the remove_dir_all change was introduced in response to CVE-2022-21658 ( #93112), so firefox reverting to an older implementation reintroduces that. Maybe it doesn't affect firefox since that's usually not a privileged process... except for their updater? But still, security software triggering a rollback doesn't look good on them.

Our security folks looked at that and determined that the CVE didn't apply in the way that Firefox is using it. (but yeah, we'd definitely prefer to not have to use this)

Note that in addition to ff64.dll and nsccor0364.dll, we also saw crashes with paperphk64.dll and edptwc64.dll. As far as I can tell, these are DLLs from four different companies, so there's some common approach that they're all using that results in reading this invalid memory.