Closed Bug 1395073 Opened 7 years ago Closed 6 years ago

Crash in mozilla::a11y::DocAccessibleWrap::QueryInterface with Sandboxie (SbieDll.dll)

Categories

(Core :: Disability Access APIs, defect, P2)

Unspecified
Windows 10
defect

Tracking

RESOLVED WONTFIX

People

(Reporter: kanru, Assigned: eeejay)

Details

(Keywords: crash, csectype-wildptr, sec-high)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-41654307-d4ca-48ca-830c-e07ae0170830.
=============================================================

A low volume crash that started on 20170818100226 build.
This sounds like it could be a regression from recent E10S landings by Aaron. Putting this onto our list for triage.
Whiteboard: aes+
Current correlations show:
(100.0% in signature vs 00.10% overall) Module "SbieDll.dll" = true

Which is apparently for sandboxie.
not blocking on this.
Whiteboard: aes+
Making this P2 but let's keep an eye on it.
Priority: -- → P2
crashes aren't all nullptrs; it's hitting some real addresses, and also some 0xNN00000 type addresses.
Group: core-security
Group: core-security → layout-core-security
David, can you help us find an owner?
Flags: needinfo?(dbolter)
Eitan can you see if you can recreate this in a vm, by installing sandboxie and testing with FF?

We may need to block SbieDll.dll but we'll want to test what happens in that case too. Additionally I want to know if sandboxie is uncovering a bug we should fix on our side.
Flags: needinfo?(dbolter) → needinfo?(eitan)
Playing with Sandboxie now. I don't see any obvious case where it instantiates a11y. Tried all kinds of options. I'll play with it more tomorrow.
Volume increasing now that we've released 57. Almost all of the crashes are EXCEPTION_ACCESS_VIOLATION_WRITE which is concerning.
Assignee: nobody → eitan
Eitan, you said you'd play some more. Did you forget to play or forget to update the bug? :)
I can't get a11y to instantiate, let alone a crash. I'm afraid I'm out of my depth in this one.
Flags: needinfo?(eitan)
Maybe putting SbieDll.dll in our block list would help?
One comment, translated from German "Seems to be a problem within - Sandboxie 5.22 64-bit. Firefox outside Sandboxie works normally. Tab crashes immediately after program call. Repeated Sandbox deleted, Sandboxie restarted. No change."

For the same sig, I see some client detection for rf-chrome-nm-host.exe|8.4.6.6

The Correlations tab doesn't seem to be working right now...?
I suppose we could blacklist the Sandboxie DLLs to increase stability.
But then people using Firefox with Sandboxie will feel their user intent is … overridden by Firefox, which might be a new, different cause of frustration.
I'd suggest creating an article (SUMO?) if we did so and explain why people can't use Firefox with Sandboxie and that we already have our own sandbox anyway.
On another note, it seems this is not really sec-high, if users need to run Firefox in an unsupported setup. Injecting a DLL is quite a heavy-weight change - especially in contrast to config / pref changes we see more often.
The usage of sandboxie might not be entirely for security reasons, but to have some kind of "Portable Install", in which case they don't necessarily care we have our own sandbox.
My take - we don't support this configuration, and we're not going to do anything to help here. I'd suggest wontfixing this and opening it up so users of this sandboxie thing can find this bug.
(In reply to Jim Mathies [:jimm] from comment #16)
> My take - we don't support this configuration, and we're not going to do
> anything to help here. I'd suggest wontfixing this and opening it up so
> users of this sandboxie thing can find this bug.

I'm leaning to disagree.
Dan?
Flags: needinfo?(dveditz)
Ugh. I meant to say I'm leaning to *agree*.
I think we can wontfix this.
Group: layout-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WONTFIX
Summary: Crash in mozilla::a11y::DocAccessibleWrap::QueryInterface → Crash in mozilla::a11y::DocAccessibleWrap::QueryInterface with Sandboxie (SbieDll.dll)