Windows: CreateMutexExW crash with sandboxed renderer in WinRT app

Issue #2274 resolved
Marshall Greenblatt
created an issue

What steps will reproduce the problem?

Run CEF in a WinRT app with sandbox enabled.

What is the expected output? What do you see instead?

Application should not crash. Instead, renderer process occasionally crashes with the following call stack:

0   ntdll.dll   KiRaiseUserExceptionDispatcher  
1   ntdll.dll   KiFastSystemCall    
2   kernelbase.dll  CreateMutexExW  
3   shell32.dll wil::details_abi::ProcessLocalStorage<wil::details_abi::FeatureStateData>::GetShared()    
4   shell32.dll wil::details::WilApiImpl_RecordFeatureUsage(unsigned int, unsigned int, unsigned int, char const*)  
5   shell32.dll wil::details::WilApi_RecordFeatureUsage(unsigned int, unsigned int, unsigned int, char const*)  
6   shell32.dll <lambda_24e9fc7f78bb96270e64c1815fc9a1e0>::<lambda_invoker_stdcall> 
7   ntdll.dll   TppTimerpExecuteCallback    
8   ntdll.dll   TppWorkerThread 
9   kernel32.dll    BaseThreadInitThunk 
10  ntdll.dll   __RtlUserThreadStart    
11  ntdll.dll   _RtlUserThreadStart

This is a bug in the WinRT implementation where it incorrectly calls the CreateMutexExW function with an invalid handle. The sandbox crashes the process due to the sandbox::MITIGATION_STRICT_HANDLE_CHECKS mitigation [1].

What version of the product are you using? On what operating system?

Current CEF versions running on Windows 10.0.15063 and point releases.

[1] https://cs.chromium.org/chromium/src/sandbox/win/src/process_mitigations.cc?q=ProcessStrictHandleCheckPolicy&sq=package:chromium&dr=C&l=126
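As an added illustration (not code from CEF, Chromium or the reporter), the following Windows C program enables the same strict handle check mitigation in its own process through SetProcessMitigationPolicy, the call the Chromium sandbox makes for the renderer, and then touches a constructed invalid handle. It shows the mechanism behind the crash above: without the mitigation the call merely fails with ERROR_INVALID_HANDLE, with it the kernel raises a STATUS_INVALID_HANDLE exception, which terminates the process if nothing handles it. The function names, the bogus handle value and the use of `__try`/`__except` (MSVC on Windows 8 or later) are assumptions of this example.

```c
/* Added demonstration of the strict handle check process mitigation.
 * Not CEF or Chromium code. Windows-only; compile with MSVC (needs SEH). */
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0602 /* Windows 8+: SetProcessMitigationPolicy */
#endif
#include <windows.h>
#include <stdio.h>

#ifndef STATUS_INVALID_HANDLE
#define STATUS_INVALID_HANDLE ((DWORD)0xC0000008L)
#endif

/* Probe: touch a deliberately bogus handle (constructed, never opened).
 * Returns 1 if the kernel raised STATUS_INVALID_HANDLE (mitigation active),
 * 0 if CloseHandle simply failed with ERROR_INVALID_HANDLE. Note that a
 * debugger attached to the process also turns this into an exception. */
static int probe_invalid_handle(void)
{
    HANDLE bogus = (HANDLE)(ULONG_PTR)0xDEAD;
    __try {
        if (!CloseHandle(bogus))
            printf("CloseHandle failed, GetLastError=%lu\n", GetLastError());
        return 0;
    } __except (GetExceptionCode() == STATUS_INVALID_HANDLE
                    ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        printf("STATUS_INVALID_HANDLE raised: strict handle checks active\n");
        return 1;
    }
}

/* Enable the mitigation for this process (hypothetical helper name) and
 * compare the probe before and after. Returns 1 when the behaviour change
 * described in the bug report was observed, 0 otherwise, -1 on API failure. */
int strict_handle_check_demo(void)
{
    PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = {0};
    int before, after;

    before = probe_invalid_handle(); /* expected 0: plain error return */

    policy.RaiseExceptionOnInvalidHandleReference = 1;
    policy.HandleExceptionsPermanentlyEnabled = 1; /* cannot be turned off */
    if (!SetProcessMitigationPolicy(ProcessStrictHandleCheckPolicy,
                                    &policy, sizeof policy)) {
        printf("SetProcessMitigationPolicy failed: %lu\n", GetLastError());
        return -1;
    }

    after = probe_invalid_handle(); /* expected 1: exception raised */
    return (before == 0 && after == 1) ? 1 : 0;
}
#else
/* Not a Windows build: the mitigation does not exist here. */
int strict_handle_check_demo(void) { return -1; }
#endif

int main(void)
{
    int r = strict_handle_check_demo();
    printf("strict_handle_check_demo returned %d\n", r);
    return r == 1 ? 0 : 1;
}
```

The same effect explains the call stack in the report: shell32's feature-usage telemetry hands CreateMutexExW a handle value the kernel rejects, and because the sandboxed renderer runs with this policy the rejection becomes a fatal exception rather than an error code. Any code loaded into a strict-handle-check process, including system DLLs, must therefore be clean with respect to handle hygiene.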

Comments (1)