Closed Bug 1605478 Opened 5 years ago Closed 5 years ago

Data integrity problems in content process UntrustedModulesData

Categories

(Firefox :: Launcher Process, defect, P3)

Product:
Firefox
Component:
Launcher Process
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 76
Tracking Flags:
Tracking Status
firefox75 --- wontfix
firefox76 --- fixed

People

(Reporter: bugzilla, Assigned: toshi)

References

(Blocks 1 open bug)

Details

(Whiteboard: inj+)

Crash Data

Attachments

(2 files)

Bug 1605478 - Add temporary MOZ_DIAGNOSTIC_ASSERT to narrow down UntrustedModulesData's integrity problem. r=aklotz
47 bytes, text/x-phabricator-request
Details | Review
Bug 1605478 - Skip processing a loading event of xul.dll without duration. r=aklotz
47 bytes, text/x-phabricator-request
Details | Review

Bug 1603714 was triggered because somehow we ended up with a content process sending UntrustedModulesData up to the parent where an event matched a non-existent module.

While I fixed the crash in that bug, unfortunately this condition still results in dropped third-party module pings from the affected machines.

We should add some diagnostics to learn why and correct this, so that we're not throwing away data that otherwise could be very useful.

Bug 1603714 showed there were UntrustedModulesData instances in which a load
event pointed to a module which did not exist in the modules list.

This patch adds MOZ_DIAGNOSTIC_ASSERT to the following places to narrow down
when it happened.

  1. When processing load events
    1-1. [Content] UntrustedModulesProcessor::CompleteProcessing:
    Verify events of a trusted module were eliminated by GetModulesTrust
    1-2. [Content] UntrustedModulesData::AddNewLoads:
    Verify a new ModuleRecord matches the event
    1-3. [Content] UntrustedModulesProcessor::CompleteProcessing:
    Verify processed data after new items were appended.

  2. When processed data is sent
    2-1. [Content] UntrustedModulesProcessor::GetAllProcessedData:
    Verify processed data before serialization.
    2-2. [Content] ParamTraits<mozilla::UntrustedModulesData>::WriteEvent:
    Verify processed data before transferring to the browser process
    2-3. [Browser] ParamTraits<mozilla::UntrustedModulesData>::ReadEvent:
    A final point to catch this integrity problem. We had an IPC error here.

Assignee: nobody → tkikuchi
Status: NEW → ASSIGNED
Pushed by csabou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/996f931d61b6 Add temporary MOZ_DIAGNOSTIC_ASSERT to narrow down UntrustedModulesData's integrity problem. r=aklotz

https://hg.mozilla.org/mozilla-central/rev/996f931d61b6

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Backout by opoprus@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/6b1d5e72a65b Backed out changeset 996f931d61b6 for build bustages in Unified_cpp_toolkit_xre0.obj

Backed out changeset 996f931d61b6 (bug 1605478) for build bustages on Windows in Unified_cpp_toolkit_xre0.obj

This started to fail in today's central-as-beta simulations and would start to fail on beta tomorrow after central got merged to beta.

Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=292157522&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunnable&revision=1351d08be2769309f449b5cc80e5c449e6d6caf2

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=292157522&repo=try&lineNumber=51272

Backout: https://hg.mozilla.org/mozilla-central/rev/6b1d5e72a65b5d97025a566196fa5cb63b7e4549

Status: RESOLVED → REOPENED
status-firefox75: fixed → ---
Flags: needinfo?(tkikuchi)
Resolution: FIXED → ---
Regressions: 1620838
Pushed by shindli@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2540a369a5a8 Add temporary MOZ_DIAGNOSTIC_ASSERT to narrow down UntrustedModulesData's integrity problem. r=aklotz
Flags: needinfo?(tkikuchi)

https://hg.mozilla.org/mozilla-central/rev/2540a369a5a8

Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Regressions: 1620927
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Component: Telemetry → Launcher Process
Product: External Software Affecting Firefox → Firefox
Crash Signature: [@ IPC::ParamTraits<mozilla::UntrustedModulesData>::ReadEvent] [@ mozilla::UntrustedModulesProcessor::CompleteProcessing]

Analyzing the diagnostics asserts that were temporarily introduced, there were
loading events of xul.dll where mLoadDurationMS was empty. We put them into
the array of loading events but excluding them from the array of modules,
resulting in serialization failure of UntrustedModulesData.

The crashing processes loaded external modules of antivirus application, such
as Symantec, AVAST, or Comodo. With these modules, xul.dll might be loaded
without hitting ntdll!LdrLoadDll (ModuleLoadInf::IsBare() == false).

The proposed fix is to skip processing a loading event of xul.dll regardless of
the state of mLoadDurationMS.

Crash Signature: [@ IPC::ParamTraits<mozilla::UntrustedModulesData>::ReadEvent] [@ mozilla::UntrustedModulesProcessor::CompleteProcessing] → [@ IPC::ParamTraits<mozilla::UntrustedModulesData>::ReadEvent] [@ mozilla::UntrustedModulesProcessor::CompleteProcessing]
status-firefox75: fixedaffected
status-firefox76: --- → affected

There are 2 crashes with signature mozilla::UntrustedModulesData::VerifyConsistency, the moz_crash_reason is MOZ_DIAGNOSTIC_ASSERT(mModules.Get(evt.mModule->mResolvedNtName, nullptr)) (No match in the table):

Crash Signature: [@ IPC::ParamTraits<mozilla::UntrustedModulesData>::ReadEvent] [@ mozilla::UntrustedModulesProcessor::CompleteProcessing] → [@ IPC::ParamTraits<mozilla::UntrustedModulesData>::ReadEvent] [@ mozilla::UntrustedModulesProcessor::CompleteProcessing] [@ mozilla::UntrustedModulesData::VerifyConsistency]

Aaron, any chance you could review the patch here?

Flags: needinfo?(aklotz)

Toshi, do we need separate bugs for the other assertions (comment 11)?

Flags: needinfo?(tkikuchi)

No need for now. I believe that signature is also caused by the same root-cause of MOZ_DIAGNOSTIC_ASSERT(!event.IsTrusted()).

My patch generates a random number several times, which is used to reduce the number of affected users. The case of MOZ_DIAGNOSTIC_ASSERT(mModules.Get(evt.mModule->mResolvedNtName, nullptr)) and MOZ_DIAGNOSTIC_ASSERT(false) (Something else) happens when a first random number was lucky enough to pass through the check, but after that, a second or a third random number was not.

Flags: needinfo?(tkikuchi)
Flags: needinfo?(aklotz)
Pushed by csabou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e87ab6d3d9ab Skip processing a loading event of xul.dll without duration. r=aklotz

https://hg.mozilla.org/mozilla-central/rev/e87ab6d3d9ab

Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
status-firefox76: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 76

Seems like all of the three diagnostics asserts are gone after the fix. We can back out the asserts.

Backed out changeset e87ab6d3d9ab (Bug 1605478) on toshi's request

Backout link: https://hg.mozilla.org/integration/autoland/rev/250960afe914203f41054e25728407476cd938fe

Flags: needinfo?(tkikuchi)
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ab2014f6c4af Skip processing a loading event of xul.dll without duration. r=aklotz https://hg.mozilla.org/integration/autoland/rev/93abde6b396f Backed out changeset 2540a369a5a8 on toshi's request CLOSED TREE

Sorry for the miss match.

Flags: needinfo?(tkikuchi)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: