Closed Bug 1274630 Opened 4 years ago Closed 3 years ago

Stack buffer overrun in guard64.dll@0x494b (probably related to Comodo)

Categories

(Toolkit :: Blocklist Policy Requests, defect, critical)

Tracking

RESOLVED FIXED
Tracking Status
firefox47 --- affected
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 - affected

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash, topcrash, topcrash-win, Whiteboard: [AV:Comodo Internet Security])

Crash Data

This bug was filed from the Socorro interface and is report bp-ec89564f-1f98-4442-9475-04f3c2160519.
=============================================================

#11 Nightly Windows crash with 7 crashes, and I see 74 reports across all channels, all stack buffer overruns. Maybe we should consider blocklisting.
it's crashing with guard32.dll as well:
https://crash-stats.mozilla.com/search/?signature=^guard&_facets=signature&_facets=version&_facets=user_comments&_facets=install_time&_facets=platform_pretty_version
Crash Signature: [@ guard64.dll@0x494b] → [@ guard64.dll@0x494b] [@ guard32.dll@0x4ac69] [@ guard32.dll@0x49f2] [@ guard32.dll@0x4a459] [@ guard32.dll@0x4a1e] [@ guard32.dll@0x48b2] [@ guard32.dll@0x4a3c9]
We have a few crashes that are related to external libraries (sometimes clearly malware). What should we do? Can we blocklist them all?

Looks like guard32.dll or guard64.dll are related to an antivirus (Comodo).
I've got this issue too.  I read the crash report and it highlighted lines in red with all one thing in common: guard32.dll.  I don't know enough computer IT speak to know that term, but I see Marco mentioned Comodo, which is our FIREWALL program. We use Avast for anti-virus and such.

We have malwarebytes free version to check for stuff, and my husband is an IT guy, it's just he's never around when firefox is jacked up or ever surfs more than 3 sites unlike myself.  I can't even do job applications without it crashing....

Don't know if it'll help anyone but here's my LATEST crash today, #4 I believe:
https://crash-stats.mozilla.com/report/index/5029b2c9-5e77-4b78-92d2-8aa5c2160614
guard32.dll@0x6a919 is causing 0.3% of crashes on 47 release currently.
Crash Signature: [@ guard64.dll@0x494b] [@ guard32.dll@0x4ac69] [@ guard32.dll@0x49f2] [@ guard32.dll@0x4a459] [@ guard32.dll@0x4a1e] [@ guard32.dll@0x48b2] [@ guard32.dll@0x4a3c9] → [@ guard64.dll@0x494b] [@ guard32.dll@0x4ac69] [@ guard32.dll@0x49f2] [@ guard32.dll@0x4a459] [@ guard32.dll@0x4a1e] [@ guard32.dll@0x48b2] [@ guard32.dll@0x4a3c9] [@ guard32.dll@0x6a919]
actually if you combine all the different signatures this issue is more in the range of 0.7% of all crashes on release...
https://crash-stats.mozilla.com/search/?signature=^guard32.dll&signature=^guard64.dll&version=47.0

i've tried some outreach to comodo through regular customer support channels & getting them aware of this bug.
Harald, do you have some contacts for Comodo?
Summary: Stack buffer overrun in guard64.dll@0x494b → Stack buffer overrun in guard64.dll@0x494b (probably related to Comodo)
Crash Signature: [@ guard64.dll@0x494b] [@ guard32.dll@0x4ac69] [@ guard32.dll@0x49f2] [@ guard32.dll@0x4a459] [@ guard32.dll@0x4a1e] [@ guard32.dll@0x48b2] [@ guard32.dll@0x4a3c9] [@ guard32.dll@0x6a919] → [@ guard64.dll@0x494b] [@ guard32.dll@0x4ac69] [@ guard32.dll@0x49f2] [@ guard32.dll@0x4a459] [@ guard32.dll@0x4a1e] [@ guard32.dll@0x48b2] [@ guard32.dll@0x4a3c9] [@ guard32.dll@0x6a919] [@ guard32.dll@0x70a2] [@ guard64.dll@0x6fab] [@ guard32.…
This is the #14 top crasher, if we consider all guard32.dll and guard64.dll signatures.
OS: Windows 10 → Windows
Can someone from Comodo have a look at this? Thanks!
Flags: needinfo?(rob)
Flags: needinfo?(comodo-antivirus)
(In reply to Marco Castelluccio [:marco] from comment #2)
> We have a few crashes that are related to external libraries (sometimes
> clearly malware). What should we do? Can we blocklist them all?
> 
> Looks like guard32.dll or guard64.dll are related to an antivirus (Comodo).

i have locally tried blocklisting those modules through our usual WindowsDllBlocklist.cpp method, but this doesn't work unfortunately and guard32.dll/guard64.dll would still be hooking into the firefox process...
many of the user comments in the crash reports & this user at https://support.mozilla.org/questions/1129205 say the crashes are occurring when they scroll down in the search/feed results on facebook.
Flags: needinfo?(rob) → needinfo?(robin)
Our developers say that they have identified a buffer overflow in an http protocol parser.
I'm awaiting a release date for the fix and will let you know as soon as I know it.
Flags: needinfo?(robin)
Our developers are working towards a release date of July 11th for a fixed version.
(In reply to Robin Alden from comment #12)
> Our developers are working towards a release date of July 11th for a fixed
> version.

Thank you, Robin.  It's 99% on Facebook when you're on your feed/home page that it crashes. EVERY. TIME.
I was wondering if FACEBOOK was the problem, as it crashes doing the same thing on Google Chrome on PC as well like 15% of the time.
hi jen, comodo has released an update with a prospective fix now: https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-8405076-build-is-released-t116113.0.html

if you could reliably reproduce the problem till now, can you test if that update addresses the crashing issue? thank you
Flags: needinfo?(jlsmith.340.fl)
(In reply to [:philipp] from comment #14)
> hi jen, comodo has released an update with a prospective fix now:
> https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-
> security-8405076-build-is-released-t116113.0.html
> 
> if you could reliably reproduce the problem till now, can you test if that
> update addresses the crashing issue? thank you

It updated Comodo yesterday afternoon. I had been using Chrome for Facebook since Firefox was the offending party with Comodo related crashes involving facebook's news feed. Let me test it out and come back
Flags: needinfo?(jlsmith.340.fl)
in the past week the crashes with guard32.dll/guard64.dll have gone down 40% and i couldn't find new crash reports with version 8.4.0.5076 of the module present so i'll go ahead and mark this crashing bug as fixed by comodo's update.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(comodo-antivirus)
Resolution: --- → FIXED
Crash volume for signature 'guard32.dll@0x6a919':
 - aurora  (version 49): 106 crashes from 2016-06-07.
 - beta    (version 48): 1808 crashes from 2016-06-06.
 - release (version 47): 9723 crashes from 2016-05-31.
 - esr     (version 45): 120 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          4          2          6          3          0          0
 - aurora           5          4         46         24         18          7          0
 - beta           118        277        442        484        345        119          0
 - release        414       1156       2724       2609       2123        604          0
 - esr             10         12         47         19         17         11          0

Affected platform: Windows
Most users seem to have upgraded the comodo tool by now, and this wasn't our bug to begin with, let's stop tracking for fx 50.
See Also: → 1407712
Whiteboard: [AV:Comodo Internet Security]
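
The comments above note that guard32.dll@0x6a919 alone accounts for 0.3% of release crashes, while all guard32.dll/guard64.dll signatures combined are closer to 0.7%. The following is an added example, not code from this bug or from Mozilla's crash-stats tooling, showing how folding the per-offset signatures of a symbol-less third-party module into one family exposes that combined impact. The per-signature counts and the total are constructed to mirror those two percentages, and `module_family` and `combine` are hypothetical helper names.

```python
import re
from collections import defaultdict

# A signature entry looks like "[@ guard32.dll@0x4ac69]": the module name and a
# raw offset, because no symbols exist for the third-party DLL.
SIG_RE = re.compile(r"\[@\s*([\w.\-]+)@0x([0-9a-fA-F]+)\s*\]")

# Crash Signature field as it appears in the bug (untruncated entries only).
SIGNATURE_FIELD = (
    "[@ guard64.dll@0x494b] [@ guard32.dll@0x4ac69] [@ guard32.dll@0x49f2] "
    "[@ guard32.dll@0x4a459] [@ guard32.dll@0x4a1e] [@ guard32.dll@0x48b2] "
    "[@ guard32.dll@0x4a3c9] [@ guard32.dll@0x6a919]"
)

# Constructed sample data: crash counts per signature and total crashes on the
# channel. These are NOT real crash-stats numbers.
SAMPLE_COUNTS = {
    "guard32.dll@0x6a919": 300, "guard32.dll@0x4ac69": 120,
    "guard32.dll@0x49f2": 90, "guard32.dll@0x4a459": 70,
    "guard32.dll@0x4a1e": 50, "guard32.dll@0x48b2": 30,
    "guard32.dll@0x4a3c9": 20, "guard64.dll@0x494b": 20,
}
SAMPLE_TOTAL = 100_000


def parse_signatures(field):
    """Return (module, offset) pairs found in a Crash Signature field."""
    return [(mod.lower(), int(off, 16)) for mod, off in SIG_RE.findall(field)]


def module_family(module):
    """Fold 32/64-bit builds of one DLL together: guard32.dll -> guard."""
    stem = module.lower().rsplit(".", 1)[0]
    return re.sub(r"(32|64)$", "", stem)


def combine(field, counts, total):
    """Sum per-offset counts per family; return {family: (crashes, share %)}."""
    sums = defaultdict(int)
    for module, offset in parse_signatures(field):
        sums[module_family(module)] += counts.get(f"{module}@0x{offset:x}", 0)
    return {fam: (n, round(100.0 * n / total, 2)) for fam, n in sums.items()}


if __name__ == "__main__":
    single = SAMPLE_COUNTS["guard32.dll@0x6a919"]
    print("largest single signature:", round(100.0 * single / SAMPLE_TOTAL, 2), "%")
    print("combined by family:", combine(SIGNATURE_FIELD, SAMPLE_COUNTS, SAMPLE_TOTAL))
```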