Conversation
Replying to
Check out this insanity: github.com/mozilla/gecko-. The normal choices are a library being extracted to the file system or having it mapped directly from the apk by having it uncompressed. Instead, Firefox uses lazy loading by intercepting segfaults when libraries are used.
Firefox is beyond hope in terms of hardening due to all the undefined behavior incompatible with mitigations, but in this case they're taking things even further and blocking improvements to the OS. They are literally overwriting a portion of libc with their hard-wired code...
1
2
I love how they even go out of the way to provide their own sigaltstack without a guard page, even though the base system already provides one with a guard page:
github.com/mozilla/gecko-
The code all insanity:
github.com/mozilla/gecko-
It comes up as an issue again and again.
1
1
3
Show replies
Replying to
The latter kinda makes sense because the particular OS is so broken (vendor libs that call signal) but yes it's stupid that they're doing it to begin with.
1
Replying to
The library they're talking about is a cross-platform GPU driver, and GPU drivers are in general full of insane code. They like setting up all kinds of trampolines and alternate stack shenanigans so they are full of hard-wired hacks just like Firefox, which often conflict.
2
1
Show replies