Closed
Bug 1509574
Opened 6 years ago
Closed 5 years ago
Crash in amsi.dll@0x53a0
Categories
(External Software Affecting Firefox :: Other, defect)
Tracking
(firefox-esr60 unaffected, firefox63 unaffected, firefox64 wontfix, firefox65 affected)
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox63 | --- | unaffected |
firefox64 | --- | wontfix |
firefox65 | --- | affected |
People
(Reporter: philipp, Unassigned)
Details
(Keywords: crash, regression, sec-vector)
Crash Data
This bug was filed from the Socorro interface and is report bp-d5a45601-5885-4425-95b7-755060181121. ============================================================= Top 10 frames of crashing thread: 0 amsi.dll amsi.dll@0x53a0 1 ntdll.dll ntdll.dll@0x45c7c 2 mmdevapi.dll mmdevapi.dll@0xa63c 3 ntdll.dll ntdll.dll@0x45897 4 ntdll.dll ntdll.dll@0x6e269 5 ntdll.dll ntdll.dll@0x577d9 6 ntdll.dll ntdll.dll@0x57285 7 ntdll.dll ntdll.dll@0x14ae6 8 ntdll.dll ntdll.dll@0x570dc 9 ntdll.dll ntdll.dll@0x20e70 ============================================================= these crashes start showing up on 65.0a1 and 64.0b in a timeframe that seems to coincide with microsoft's november patch day - release is not affected yet. till now all reports are from 64bit builds on windows 10. amsi.dll seems to be a system library - https://docs.microsoft.com/en-us/windows/desktop/api/_amsi/
Comment 1•6 years ago
|
||
Hey Carl, can you take a look at these reports and see if you can glean anything from them? amsi is 'Antimalware Scan Interface' from Microsoft. It's a crash in a thread they create.
Flags: needinfo?(ccorcoran)
Comment 2•6 years ago
|
||
Looking at the minidump, asmi.dll is unloaded at the time of the crash. In the debugger, > 00 <Unloaded_amsi.dll>+0x53a0 > 01 ntdll!EtwpEventApiCallback+0xd9 > 02 ntdll!EtwpUpdateEnableInfoAndCallback+0xd8 > 03 ntdll!EtwpProcessNotification+0x4a > 04 ntdll!EtwDeliverDataBlock+0xd6 > 05 ntdll!EtwpNotificationThread+0x6d > 06 ntdll!TppExecuteWaitCallback+0xa4 > 07 ntdll!TppWorkerThread+0x3d0 > 08 kernel32!BaseThreadInitThunk+0x14 > 09 mozglue!patched_BaseThreadInitThunk+0x8e [z:\build\build\src\mozglue\build\WindowsDllBlocklist.cpp @ 754] > 0a ntdll!RtlUserThreadStart+0x21 I suspect this is not a new crash, but rather visible now due to bug 1372826, which adds unloaded module information in minidumps. Before that change, this would have shown up as a crash in an unknown address. It seems that ASMI is still registered for event tracing callback after it's unloaded, so the callback function is no longer valid. It looks like a bug in ASMI. I didn't see anything suspicious or notably relevant in other threads.
Flags: needinfo?(ccorcoran)
Updated•5 years ago
|
Comment 3•5 years ago
|
||
We posted to the ms list on this, so far no response. Also I noted there's a high correlation for accessibility users (55%). Low volume, pre-release Windows.
Group: core-security
Keywords: sec-want
Comment 4•5 years ago
|
||
I only see crashes in 64 (beta, release) and 65, nothing in 63.x. Some software hooking too deeply into something we changed perhaps? It swelled in November but activity has died down -- perhaps this software was updated? Seems odd that it's crashing in amsi.dll, but that .dll doesn't appear in the module list of the crash. Can't tell if they're all the same version or not (from crash-stats; maybe it shows up in the mini-dump for people who have access to those).
Group: core-security → core-security-release
Keywords: sec-want → sec-vector
Reporter | ||
Comment 5•5 years ago
|
||
these crashes seem to have stopped after win10 insider build 10.0.18289.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
Updated•4 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•