Closed Bug 1439642 Opened 3 years ago Closed 3 years ago

Crash in TppWaiterpThread/MD4Transform with crypto addons

Categories

(Core :: General, defect)

All
Windows 7
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox-esr52 --- affected
firefox58 --- wontfix
firefox59 --- unaffected

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is
report bp-73db1a9b-3bfe-443f-90c2-82c2f0180217.
=============================================================

Top 5 frames of crashing thread:

0 ntdll.dll MD4Transform 
1 kernel32.dll BaseThreadInitThunk 
2 mozglue.dll patched_BaseThreadInitThunk mozglue/build/WindowsDllBlocklist.cpp:834
3 ntdll.dll __RtlUserThreadStart 
4 ntdll.dll _RtlUserThreadStart 

=============================================================

These crash reports from Windows 7 users have spiked up starting on 2018-02-16. Many comments from users indicate that they receive the crash report after they have closed the browser.

The crash stack isn't really helpful, but the signatures seem correlated to various cryptography-related extensions:

Addons facet
*{443830f0-1fff-4f9a-aa1e-444bafbc7319}:0.0.28    458    22.25 %    ("Token signing")
*belgiumeid@eid.belgium.be:1.0.27                 266    12.93 %
*belgiumeid@eid.belgium.be:1.0.26                 260    12.63 %
*{02274e0c-d135-45f0-8a9c-32b35110e10d}:1.0.1     188     9.14 %    ("Firefox PKCS11 loader")
*CPS2ter-2020_Firefox@asipsante.fr:6.0.19          66     3.21 %    ("Extension CPS")
*eid-chrome-extension@e-contract.be:1.0.2          63     3.06 %

David, any idea what might trigger this?
Flags: needinfo?(dkeeler)

As far as I can tell, "MD4Transform" does not appear in our code. This looks like a Windows-specific issue - either a Windows bug or we're misusing a Windows API. Either way, someone like Matt would know better than I.
Flags: needinfo?(dkeeler) → needinfo?(mhowell)

That stack looks to me like external software trying to inject code into us, and looking at bug 1139497 and bug 1153824, which both had the MD4Transform signature, that was the case with them as well. I'm trying to identify the external software and having a hard time; there are a number of less common security products showing up in these reports, but I'm not sure how notable that fact is.
Flags: needinfo?(mhowell)

(In reply to Matt Howell [:mhowell] from comment #3)
> That stack looks to me like external software trying to inject code into us,
> and looking at bug 1139497 and bug 1153824, which both had the MD4Transform
> signature, that was the case with them as well. I'm trying to identify the
> external software and having a hard time; there are a number of less common
> security products showing up in these reports, but I'm not sure how notable
> that fact is.

Maybe they are using a common solution to inject (something like https://easyhook.github.io/).
Perhaps we can try to contact one of them and see if they can share some details.

The crashing functions are in ntdll.dll. Every crash report I'm looking at is ntdll.dll version 6.1.7601.24024, which corresponds to the February 2018 security updates. The timing of this also fits with last week's Patch Tuesday. Adam, I think we need to escalate this to MS as there's some smoke here that this is an issue with their latest Win7 security patches.
Flags: needinfo?(astevenson)

Reaching out on the mailing list.
Flags: needinfo?(astevenson)

Tracking for 59 to keep an eye on this after 59 release.
Probably wontfix for 58.

Quick update: we have passed on some crash info to Microsoft engineers (with permission from an affected user) and are waiting for their response.

So far, so good on 59 release. March's Patch Tuesday seems to have fixed the issue. I'll leave this bug open a few more days to be sure of that, but then we can close it as WORKSFORME.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME