Closed Bug 1438562 Opened 6 years ago Closed 3 years ago

Crash in GetMessageA (with Diebold Warsaw)

Categories

(External Software Affecting Firefox :: Other, defect)

x86_64
Windows
defect
Not set
critical

Tracking

(firefox59+ wontfix, firefox60 affected)

RESOLVED DUPLICATE of bug 1644240

People

(Reporter: philipp, Unassigned)

References

Details

(Keywords: crash, csectype-wildptr)

Crash Data

This bug was filed from the Socorro interface and is
report bp-9fcce89b-2e85-45ab-8635-2cdfa0180215.
=============================================================

This crash signature is starting to creep up since a couple of days ago - there aren't any correlations generated for this yet, but manually looking through some reports they all seemed to have modules relating to Kaspersky hooking into the process.

Most reports are from win64 builds and Windows 8/10. 96% of reports have accessibility switched on & 85% are from the pt-BR locale.
Most of the crash reports have the Kaspersky addon.
Group: core-security
I've contacted Kaspersky.
Seems like wslbdhm64.dll was loaded in almost every crashed process. According to https://bugzilla.mozilla.org/show_bug.cgi?id=1419418 and https://bugzilla.mozilla.org/show_bug.cgi?id=1417897 this module is from anti-fraud software called Warsaw by Diebold Nixdorf (http://www.dieboldnixdorf.com.br/warsaw). It is used mostly by Brazilian banks, which explains the correlation with the Portuguese (Brazilian) locale. I tried to install Warsaw to reproduce the issue but I cannot make it load wslbdhm64.dll into the Firefox process. Only wslbscrwh64.dll is loaded on my test machine. Trying to find a contact of a technical person from Diebold Nixdorf that can help me configure Warsaw. If you know someone, please let me know.
Reuben, could you share the contact details of the Diebold analyst with Sergei?
Flags: needinfo?(reuben.bmo)
See Also: → 1417897, 1419418
(In reply to Marco Castelluccio [:marco] from comment #4)
> Reuben, could you share the contact details of the Diebold analyst with
> Sergei?

Done.
Flags: needinfo?(reuben.bmo)
It sounds like this will be fixed in the next Diebold software update for their product (see bug 1417897).
We still see the crash in early results for 59.0.3, and definitely still in 59.0.2. It's also showing up at lower volume in beta 60. Too late to fix in 59, though.
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> It sounds like this will be fixed in the next Diebold software update for
> their product (see bug 1417897).

Do we know when that is supposed to be rolled out?
Flags: needinfo?(mcastelluccio)
The person from Diebold never actually answered me regarding a schedule. I've asked her again.
Flags: needinfo?(mcastelluccio)
She said they have released the update already. The crash rate is lower than before, but we're still seeing crashes.
Maybe some of the users haven't updated yet; I've asked her for more details.
See Also: → 1644240
Summary: Crash in GetMessageA (with Kaspersky) → Crash in GetMessageA (with Dieblo Warsaw)
Summary: Crash in GetMessageA (with Dieblo Warsaw) → Crash in GetMessageA (with Diebold Warsaw)

The minidumps of this signature clearly show there is an application hooking user32!GetMessageA. A Kaspersky developer said their modules never do it.

0:065> r
Last set context:
rax=0000000000000000 rbx=0000000000000001 rcx=000000c1c1affea0
rdx=0000000000000000 rsi=00007ffe4e8a9000 rdi=00000000000030e8
rip=00007ffe533375d0 rsp=000000c1c1affe38 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000000 r10=00000fffc9d1237e
r11=000000c1c1affe10 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
user32!GetMessageA:
00007ffe`533375d0 ff25608a9300    jmp     qword ptr [00007ffe`53c70036] ds:00007ffe`53c70036=????????????????

0:065> knL
 # Child-SP          RetAddr           Call Site
00 000000c1`c1affe38 00007ffe`4e893355 user32!GetMessageA
01 000000c1`c1affe40 00007ffe`51e07bd4 winmm!mciwindow+0x145
02 000000c1`c1affee0 00007ffe`53d2ce51 kernel32!BaseThreadInitThunk+0x14
03 000000c1`c1afff10 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:065> ub 00007ffe`4e893355 l1
winmm!mciwindow+0x13e:
00007ffe`4e89334e 48ff15b38d0100  call    qword ptr [winmm!_imp_GetMessageA (00007ffe`4e8ac108)]

0:065> !address 00007ffe`53c70036
Usage:                  Free
Base Address:           00007ffe`53c46000
End Address:            00007ffe`53c90000
Region Size:            00000000`0004a000 ( 296.000 kB)
State:                  00010000          MEM_FREE
Protect:                00000001          PAGE_NOACCESS
Type:                   <info not present at the target>

0:065>  lmvm wslbdhm64
start             end                 module name
00007ffe`37f90000 00007ffe`38056000   wslbdhm64   (deferred)
    Image path: C:\Program Files\Diebold\Warsaw\wslbdhm64.dll
    Image name: wslbdhm64.dll
    Timestamp:        Thu Oct 31 21:23:10 2019 (5DBAD22E)
    CheckSum:         000C8ADB
    ImageSize:        000C6000
    File version:     1.0.3.1046
    Product version:  1.0.3.1046
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

The crashing place is different, but the root cause should be the same as bug 1644240. Closing this as a dup.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
See Also: 1644240
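
The reading of the debugger session in the last comment, as an added example that is not part of the original bug or of any Mozilla tooling: it decodes the `ff25` bytes at the entry of user32!GetMessageA as a RIP-relative indirect jump, recomputes the pointer slot, and checks it against the `!address` region. The function names and the `REGION` dictionary are hypothetical; every address is copied from the session above.

```python
import re
import struct

# Values copied from the debugger session in this bug (not new data).
DISASM = "00007ffe`533375d0 ff25608a9300    jmp     qword ptr [00007ffe`53c70036]"
REGION = {"base": 0x00007FFE53C46000, "end": 0x00007FFE53C90000, "state": "MEM_FREE"}

def parse_disasm(line):
    """Split a WinDbg disassembly line into (address, opcode bytes, printed operand address)."""
    m = re.match(r"\s*([0-9a-f`]+)\s+([0-9a-f]+)\s", line, re.I)
    if not m:
        raise ValueError("not a disassembly line")
    shown = re.search(r"\[([0-9a-f`]+)\]", line, re.I)
    addr = int(m.group(1).replace("`", ""), 16)
    printed = int(shown.group(1).replace("`", ""), 16) if shown else None
    return addr, bytes.fromhex(m.group(2)), printed

def indirect_jmp_slot(addr, code):
    """For 'FF 25 disp32' (jmp qword ptr [rip+disp32]) return the pointer slot, else None."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    (disp,) = struct.unpack("<i", code[2:6])      # signed, little-endian
    return (addr + 6 + disp) & 0xFFFFFFFFFFFFFFFF  # RIP is the next instruction

def triage(line, region):
    """Hypothetical helper: does the function entry jump through freed memory?"""
    addr, code, printed = parse_disasm(line)
    slot = indirect_jmp_slot(addr, code)
    if slot is None:
        return {"indirect_jmp_at_entry": False}
    return {
        "indirect_jmp_at_entry": True,
        "slot": slot,
        "matches_debugger": slot == printed,
        "slot_in_free_region": region["base"] <= slot < region["end"]
                               and region["state"] == "MEM_FREE",
    }

if __name__ == "__main__":
    for key, value in triage(DISASM, REGION).items():
        print(key, hex(value) if key == "slot" else value)
```

The slot it computes is the address the debugger shows as `????????????????`, and it falls inside the region reported as MEM_FREE, which is why the jump faults before GetMessageA does any work.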