Closed
Bug 1394550
Opened 7 years ago
Closed 5 years ago
Crash in rlls.dll@0x6dd6a
Categories
(External Software Affecting Firefox :: Other, defect, P3)
Tracking
(relnote-firefox 56+, firefox55 wontfix, firefox56+ wontfix, firefox57 wontfix, firefox58 wontfix, firefox59+ wontfix, firefox60+ wontfix, firefox61 wontfix, firefox62 affected, firefox63 affected)
People
(Reporter: marcia, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, Whiteboard: inj+)
Crash Data
This bug was filed from the Socorro interface and is
report bp-fe261ba9-7cca-4858-aa1c-295520170828.
=============================================================
Seen while looking at crash stats. #37 top crash in beta 6, correlated to a RelevantKnowledge dll: http://bit.ly/2wN4u63
Comment 1•7 years ago
|
||
those modules got added to our dll blocklist in bug 1277846 - apparently they found a way to work around that now...
See Also: → 1277846
Reporter | ||
Updated•7 years ago
|
Crash Signature: [@ rlls.dll@0x6dd6a] → [@ rlls.dll@0x6dd6a]
[@ rlls.dll@0x6c5ca]
Comment 2•7 years ago
|
||
can you help taking a look if there's something actionable in these reports?
Flags: needinfo?(ccorcoran)
Comment 3•7 years ago
|
||
the issue is occurring with a range of different signatures: https://crash-stats.mozilla.com/search/?signature=~ls.dll%400x&signature=~ls64.dll%400x
adding a few more to this bug report...
Crash Signature: [@ rlls.dll@0x6dd6a]
[@ rlls.dll@0x6c5ca] → [@ rlls.dll@0x6dd6a]
[@ rlls.dll@0x6c5ca]
[@ RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | rlls.dll@0x6f2d9]
[@ pmls.dll@0x6dd6a]
[@ rlls64.dll@0x9b98c]
[@ RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | pmls.dll@0x6f2d9]
[@ pmls64.dll@0x9b98c]
[@ …
Updated•7 years ago
|
Flags: needinfo?(ccorcoran)
Comment 4•7 years ago
|
||
Andym or David, anyone available from your team to investigate or re-do the blocklisting? It is getting to be high volume on beta, so this may turn into a worse issue on release. Thanks.
Flags: needinfo?(ddurst)
Flags: needinfo?(amckay)
Comment 5•7 years ago
|
||
Based on brief research about this, it seems we should just re-do the blocklisting. I'm not sure how this is being loaded or why the blocklisting in bug 1277846 isn't holding though.
Flags: needinfo?(amckay)
Comment 9•7 years ago
|
||
This may be related to our underlying problems with dll injection described in bug 1380335.
Sounds like dmajor and aklotz can't take this bug.
I am asking for help on the stability mailing list in case we can figure out some kind of workaround.
Adam, can you try contacting someone at RelevantKnowledge? Thanks.
Comment 10•7 years ago
|
||
Reaching out over email to a couple paths, left a voicemail with a possible phone number for them as well.
Flags: needinfo?(astevenson)
Comment 12•7 years ago
|
||
Looking at the "module" pings, we have ~20x more users on Release than on Beta with this DLL, but in percentage we have 2x less users on Release than on Beta.
Comment 13•7 years ago
|
||
Thanks Marco. So, we know to expect a crash spike for these signatures on 56 release, and we can't do much about it at the moment. We'll keep trying to contact the company. I don't consider this a release blocker for 56.
I will add this the release notes for 56 as a known issue and link to the SUMO page on removing unwanted software (https://support.mozilla.org/kb/troubleshoot-firefox-issues-caused-malware)
relnote-firefox:
--- → 56+
Comment 14•7 years ago
|
||
Marcia or philipp. I heard back from RelevantKnowledge support. They said they are unaware of any current issues and asked if we can provide specific details of the crash to help investigate.
I'm not sure if there's enough information in this report as is, or if a summary would be helpful to them.
Flags: needinfo?(mozillamarcia.knous)
Flags: needinfo?(madperson)
Comment 15•7 years ago
|
||
We could use steps to reproduce. :philipp is this something you can take a look at?
Flags: needinfo?(dmajor)
Comment 16•7 years ago
|
||
because this software is commonly referred to as malicious i'd be uneasy of trying to reproduce the crash myself or working closer with the vendor to troubleshoot it (like sharing crash dumps, even if an affected user would agree to that).
ultimately the kind of injection they are doing is no longer supported or allowed as per https://blog.mozilla.org/addons/2017/01/24/preventing-add-ons-third-party-software-from-loading-dlls-into-firefox/
Flags: needinfo?(madperson)
![]() |
||
Comment 17•7 years ago
|
||
(In reply to Adam Stevenson [:adamopenweb] from comment #14)
> Marcia or philipp. I heard back from RelevantKnowledge support. They said
> they are unaware of any current issues and asked if we can provide specific
> details of the crash to help investigate.
>
> I'm not sure if there's enough information in this report as is, or if a
> summary would be helpful to them.
1) This vendor is injecting a DLL into our process space. The DLL names is 'rlls.dll'.
https://forums.malwarebytes.com/topic/183518-removal-instructions-for-relevantknowledge/
2) This DLL inserts itself into call stacks associated with networking through an api hook added by this DLL.
https://crash-stats.mozilla.com/report/index/d0dc1167-2917-47e6-b414-f14990170920
3) This DLL commonly crashes when handling these api hook callbacks.
https://crash-stats.mozilla.com/search/?signature=~rlls.dll&product=Firefox&date=%3E%3D2017-09-13T16%3A48%3A00.000Z&date=%3C2017-09-20T16%3A48%3A00.000Z&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
Due to this we blocked this DLL from injecting back in the Firefox 48 release, which solved the browser stability problems (bug 1277846).
The vendor apparently updated their injection method such that now the DLL is back in our process space and causing stability issues again.
Comment 18•7 years ago
|
||
Thanks :philipp and :jimm. Will update when I hear back from them.
Flags: needinfo?(mozillamarcia.knous)
Updated•7 years ago
|
Blocks: injecteject
Comment 19•7 years ago
|
||
No word back from this company. Using the search from comment 3, there are around 300 crashes per week with these signatures on 56.0. On 56.0.1 (64 bit migration) still a few crashes. I don't think we change anything dramatically here by the migration. Wontfix for 56.
status-firefox57:
--- → affected
status-firefox58:
--- → affected
Comment 20•7 years ago
|
||
Sorry Liz for not updating this report. Last contact they said:
"We have figured out the reason for the crashes and no longer need any additional information. We are working on a fix and should have one implemented in the near future."
![]() |
||
Updated•7 years ago
|
Priority: -- → P2
Updated•7 years ago
|
Crash Signature: RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | rlls.dll@0x6db39]
[@ rlls.dll@0x6f8d8]
[@ rlls.dll@0x6f964]
[@ rlls.dll@0x6f8fc]
[@ rlls.dll@0x3ad5]
[@ rlls.dll@0x1df91] → RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | rlls.dll@0x6db39]
[@ rlls.dll@0x6f8d8]
[@ rlls.dll@0x6f964]
[@ rlls.dll@0x6f8fc]
[@ rlls.dll@0x3ad5]
[@ rlls.dll@0x1df91]
[@ rlls.dll@0x6f8ac]
[@ rlls.dll@0x6e083]
Comment 21•7 years ago
|
||
Jim asked Adam to reach out to RelevantKnowledge again because this crash seems worse in Beta 57 than Firefox 56.0.
This crash affects all 32-bit Windows versions.
Crash Signature: RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | rlls.dll@0x6db39]
[@ rlls.dll@0x6f8d8]
[@ rlls.dll@0x6f964]
[@ rlls.dll@0x6f8fc]
[@ rlls.dll@0x3ad5]
[@ rlls.dll@0x1df91]
[@ rlls.dll@0x6f8ac]
[@ rlls.dll@0x6e083] → RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | rlls.dll@0x6db39]
[@ rlls.dll@0x6f8d8]
[@ rlls.dll@0x6f964]
[@ rlls.dll@0x6f8fc]
[@ rlls.dll@0x3ad5]
[@ rlls.dll@0x1df91]
[@ rlls.dll@0x6f8ac]
[@ rlls.dll@0x6e083]
[@ RtlFreeHeap | HeapFree | rlls.dl…
OS: Windows 7 → Windows
Comment 22•7 years ago
|
||
rlls64.dll/pmls64.dll are the corresponding 64bit variants of this crashing module
Comment 23•7 years ago
|
||
Thanks Chris. Follow up has been sent.
Comment 24•7 years ago
|
||
They have identified what they believe will likely fix this issue and will be testing a build internally next week. If all goes well they should be able to roll out the fix worldwide by December.
Comment 25•7 years ago
|
||
Adam any confirmation on that rollout?
(Some crashes in nightly https://crash-stats.mozilla.com/signature/?date=%3C2018-01-08T18%3A47%3A52%2B00%3A00&date=%3E%3D2018-01-01T18%3A47%3A52%2B00%3A00&product=Firefox&version=59.0a1&signature=rlls64.dll%400x114683)
Flags: needinfo?(astevenson)
Comment 26•7 years ago
|
||
David, I haven't heard anything. Sent another message, will update when I hear back.
Flags: needinfo?(astevenson)
Comment 27•7 years ago
|
||
They ran into an unexpected issue and were delayed from the planned December release. The build is finished now and they expect to release in the next couple of weeks, no later than the end of the month.
Comment 28•7 years ago
|
||
crashes with those malicious modules are becoming more frequent during the 59.0b cycle (4% of browser crashes on 59.0b5).
Comment 29•7 years ago
|
||
Adam, noting it's past end of January but we are still seeing these crashes on the rise.
4% of browser crashes is very high. Can we make another stab at blocklisting?
Comment 30•7 years ago
|
||
Thanks Liz, that's not good. I'll follow up again.
Flags: needinfo?(astevenson)
Updated•7 years ago
|
Updated•7 years ago
|
Priority: P2 → P3
Whiteboard: inj+
Comment 31•7 years ago
|
||
From our contact:
"We completed testing the fix build and began rolling it out to our panel in segmented upgrades yesterday. We expect it to be released to 100% of the panel by the end of the month, if no issues are noted in the roll out."
Comment 32•7 years ago
|
||
Currently 3.3% of browser crashes in beta 59.
Comment 33•7 years ago
|
||
If there's a fixed version being rolled out, when can we blocklist older DLL versions?
Comment 34•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #33)
> If there's a fixed version being rolled out, when can we blocklist older DLL
> versions?
Unfortunately it sounds like our blocklisting isn't effective against this DLL.
:aklotz, could you take a look?
Flags: needinfo?(aklotz)
Comment 35•7 years ago
|
||
In every one of those crash reports I looked at, user32BeforeBlocklist was set to 1.
I couldn't query for that in the aggregate because that annotation is not whitelisted, but it looks to me like something is loading user32 early, which runs Windows hooks before our blocklist has a chance to initialize.
Once the blocklist initializes, we would catch it.
Flags: needinfo?(aklotz)
Updated•7 years ago
|
Comment 36•7 years ago
|
||
Early 59.0 release shows we are still getting a few of these crashes. It isn't a top crash currently though.
Comment 37•7 years ago
|
||
yes, so far the numbers on release are much lower than what i'd have expected from the pattern during the 59.0b cycle :-)
Updated•7 years ago
|
Crash Signature: rlls.dll@0x6f2d9][@ rlls.dll@0x3ad3]
[@ RtlFreeHeap | rlls.dll@0x6f2d9]
[@ rlls.dll@0x5ea7]
[@ rlls.dll@0x5242f] → rlls.dll@0x6f2d9][@ rlls.dll@0x3ad3]
[@ RtlFreeHeap | rlls.dll@0x6f2d9]
[@ rlls.dll@0x5ea7]
[@ rlls.dll@0x5242f]
[@ mozilla::net::nsHttpConnection::OnReadSegment ]
Updated•7 years ago
|
Reporter | ||
Comment 38•7 years ago
|
||
Added [@ rlls.dll@0x21e6 ], as this is showing up in early b3/b4 crash stats.
Crash Signature: rlls.dll@0x6f2d9][@ rlls.dll@0x3ad3]
[@ RtlFreeHeap | rlls.dll@0x6f2d9]
[@ rlls.dll@0x5ea7]
[@ rlls.dll@0x5242f]
[@ mozilla::net::nsHttpConnection::OnReadSegment ] → rlls.dll@0x6f2d9][@ rlls.dll@0x3ad3]
[@ RtlFreeHeap | rlls.dll@0x6f2d9]
[@ rlls.dll@0x5ea7]
[@ rlls.dll@0x5242f]
[@ rlls.dll@0x21e6]
[@ mozilla::net::nsHttpConnection::OnReadSegment ]
Updated•7 years ago
|
Crash Signature: rlls.dll@0x6f2d9][@ rlls.dll@0x3ad3]
[@ RtlFreeHeap | rlls.dll@0x6f2d9]
[@ rlls.dll@0x5ea7]
[@ rlls.dll@0x5242f]
[@ rlls.dll@0x21e6]
[@ mozilla::net::nsHttpConnection::OnReadSegment ] → rlls.dll@0x6f2d9][@ rlls.dll@0x3ad3]
[@ RtlFreeHeap | rlls.dll@0x6f2d9]
[@ rlls.dll@0x5ea7]
[@ rlls.dll@0x5242f]
[@ rlls.dll@0x21e6]
[@ mozilla::net::nsHttpConnection::OnReadSegment ]
[@ @0x0 | send | mozilla::net::nsHttpConnection::OnReadSegment ]
Reporter | ||
Comment 39•7 years ago
|
||
Adding a signature that was seen in 62 beta. There was also one crash in 61.
Crash Signature: [@ rlls.dll@0x6dd6a]
[@ rlls.dll@0x6c5ca]
[@ RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | rlls.dll@0x6f2d9]
[@ pmls.dll@0x6dd6a]
[@ rlls64.dll@0x9b98c]
[@ RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | pmls.dll@0x6f2d9]
[@ pmls64.dll@0x9b98c]
[@ … → [@ rlls.dll@0x6dd6a]
[@ rlls.dll@0x6c5ca]
[@ RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | rlls.dll@0x6f2d9]
[@ pmls.dll@0x6dd6a]
[@ pmls.dll@0x21e6]
[@ rlls64.dll@0x9b98c]
[@ RtlpLowFragHeapFree | RtlFreeHeap | HeapFree | pmls.dll@0x6f2d9]
[@ pml…
status-firefox62:
--- → affected
Comment 40•7 years ago
|
||
Most of the crashes in beta 62 seem to be on one signature, https://crash-stats.mozilla.com/signature/?signature=%400x0%20%7C%20send%20%7C%20mozilla%3A%3Anet%3A%3AnsHttpConnection%3A%3AOnReadSegment#summary
I'm emailing the support address for RelevantKnowledge, asking them to take a look.
Updated•7 years ago
|
Reporter | ||
Updated•7 years ago
|
Crash Signature: mozilla::net::nsHttpConnection::OnReadSegment ] → mozilla::net::nsHttpConnection::OnReadSegment ]
[@ PR_Close | rlls.dll@0x400ac]
Updated•6 years ago
|
Crash Signature: mozilla::net::nsHttpConnection::OnReadSegment ]
[@ PR_Close | rlls.dll@0x400ac] → mozilla::net::nsHttpConnection::OnReadSegment ]
[@ PR_Close | rlls.dll@0x400ac]
[@ rlls.dll | mozilla::net::nsSocketInputStream::Read]
[@ rlls64.dll | `anonymous namespace'::checkHandshake]
[@ pmls.dll | mozilla::net::nsSocketInputStream::Read]
…
Reporter | ||
Comment 41•5 years ago
|
||
A few signatures still have crashes, but in such trivial volume this is not worth keeping open.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•