Closed
Bug 1439642
Opened 6 years ago
Closed 6 years ago
Crash in TppWaiterpThread/MD4Transform with crypto addons
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | affected |
firefox58 | --- | wontfix |
firefox59 | --- | unaffected |
People
(Reporter: philipp, Unassigned)
Details
(Keywords: crash, regression)
Crash Data
This bug was filed from the Socorro interface and is report bp-73db1a9b-3bfe-443f-90c2-82c2f0180217. ============================================================= Top 5 frames of crashing thread: 0 ntdll.dll MD4Transform 1 kernel32.dll BaseThreadInitThunk 2 mozglue.dll patched_BaseThreadInitThunk mozglue/build/WindowsDllBlocklist.cpp:834 3 ntdll.dll __RtlUserThreadStart 4 ntdll.dll _RtlUserThreadStart ============================================================= these crash reports from windows 7 users have spiked up starting on 2018-02-16. many comments from users indicate that they receive the crash report after they have closed the browser. the crash stack isn't really helpful but the signatures seem correlated to various cryptography-related extensions: Addons facet *{443830f0-1fff-4f9a-aa1e-444bafbc7319}:0.0.28 458 22.25 % ("Token signing") *belgiumeid@eid.belgium.be:1.0.27 266 12.93 % *belgiumeid@eid.belgium.be:1.0.26 260 12.63 % *{02274e0c-d135-45f0-8a9c-32b35110e10d}:1.0.1 188 9.14 % ("Firefox PKCS11 loader") *CPS2ter-2020_Firefox@asipsante.fr:6.0.19 66 3.21 % ("Extension CPS") *eid-chrome-extension@e-contract.be:1.0.2 63 3.06 %
As far as I can tell, "MD4Transform" does not appear in our code. This looks like a Windows-specific issue - either a Windows bug or we're misusing a Windows API. Either way, someone like Matt would know better than I.
Flags: needinfo?(dkeeler) → needinfo?(mhowell)
Comment 3•6 years ago
|
||
That stack looks to me like external software trying to inject code into us, and looking at bug 1139497 and bug 1153824, which both had the MD4Transform signature, that was the case with them as well. I'm trying to identify the external software and having a hard time; there are a number of less common security products showing up in these reports, but I'm not sure how notable that fact is.
Flags: needinfo?(mhowell)
Comment 4•6 years ago
|
||
(In reply to Matt Howell [:mhowell] from comment #3) > That stack looks to me like external software trying to inject code into us, > and looking at bug 1139497 and bug 1153824, which both had the MD4Transform > signature, that was the case with them as well. I'm trying to identify the > external software and having a hard time; there are a number of less common > security products showing up in these reports, but I'm not sure how notable > that fact is. Maybe they are using a common solution to inject (something like https://easyhook.github.io/). Perhaps we can try to contact one of them and see if they can share some details.
Comment 5•6 years ago
|
||
The crashing functions are in ntdll.dll. Every crash report I'm looking at is ntdll.dll version 6.1.7601.24024, which corresponds to the February 2018 security updates. The timing of this also fits with last week's Patch Tuesday. Adam, I think we need to escalate this to MS as there's some smoke here that this is an issue with their latest Win7 security patches.
Flags: needinfo?(astevenson)
Comment 7•6 years ago
|
||
Tracking for 59 to keep an eye on this after 59 release.
tracking-firefox59:
--- → +
Comment 8•6 years ago
|
||
Probably wontfix for 58.
Comment 9•6 years ago
|
||
Quick update: we have passed on some crash info to Microsoft engineers (with permission from an affected user) and are waiting for their response.
Comment 10•6 years ago
|
||
So far, so good on 59 release. March's patch Tuesday seems to have fixed the issue. I'll leave this bug open a few more days to be sure of that, but then we can close it as WORKSFORME.
Reporter | ||
Updated•6 years ago
|
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Reporter | ||
Updated•6 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•