Crash in [@ PR_MD_UNLOCK | PRI_DetachThread] with Panda Security
Categories
(External Software Affecting Firefox :: Other, defect)
Tracking
Tracking | Status
---|---
firefox79 | fixed
People
(Reporter: RyanVM, Assigned: toshi)
(Keywords: crash)
Attachments (3 files)
This bug is for crash report bp-577db51e-847a-42be-8331-315290200514.
All Windows 7 64-bit so far from what I can see. Currently the #18 overall content process topcrash on release.
Top 9 frames of crashing thread:
0 nss3.dll PR_MD_UNLOCK nsprpub/pr/src/md/windows/w95cv.c:365
1 nss3.dll PRI_DetachThread nsprpub/pr/src/threads/combined/pruthr.c:1516
2 nss3.dll DllMain nsprpub/pr/src/md/windows/w95dllmain.c:32
3 nss3.dll dllmain_dispatch /builds/worker/workspace/obj-build/security/f:/dd/vctools/crt/vcstartup/src/startup/dll_dllmain.cpp:200
4 ntdll.dll LdrShutdownThread
5 ntdll.dll RtlExitUserThread
6 @0x93b0022
7 kernel32.dll BaseThreadInitThunk
8 ntdll.dll RtlUserThreadStart
Comment 1•4 years ago
DllMain is "The DLL entry point (DllMain) for NSPR." and I see these correlations:
(100.0% in signature vs 00.18% overall) Module "PavLspHook64.DLL" = true
(100.0% in signature vs 00.18% overall) Module "sysHelper64.dll" = true
(100.0% in signature vs 00.18% overall) Module "PavTrc64.dll" = true
(100.0% in signature vs 09.29% overall) address = 0x0
(96.25% in signature vs 12.45% overall) Module "secur32.dll" = true
(100.0% in signature vs 28.01% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(75.00% in signature vs 00.11% overall) Module "PAVSHOOK64.DLL" = true
(100.0% in signature vs 36.76% overall) Module "api-ms-win-crt-multibyte-l1-1-0.dll" = true
(100.0% in signature vs 36.76% overall) Module "api-ms-win-crt-environment-l1-1-0.dll" = true
(100.0% in signature vs 36.76% overall) Module "api-ms-win-crt-string-l1-1-0.dll" = true
I found a site that says that PavLspHook64.DLL is part of Panda Security. So, I'm going to guess the issue is the interaction with external software.
Updated•4 years ago
Comment 2•4 years ago
The crashing thread was running nss3!Dllmain with DLL_THREAD_DETACH. When releasing the PRThread object, nss3!_PR_MD_UNLOCK tried to execute movaps but the stack pointer was not aligned on a 128-bit boundary. Probably the injected module PavLspHook64 shifted the stack by 8 bytes.
Comment 3•4 years ago
The severity field is not set for this bug.
:gcp, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 5•4 years ago
Looking at the version of PavLspHook64.dll in the crash reports, the crashing modules are all 9.2.x.x, while we can see the version 9.3.x.x in the loading events. Thus blocking PavLspHook64.dll older than 9.3.0.0 is an option.
One concern is that the loading events do not clearly tell how it's loaded, because the callstack is incomplete due to a module-less address, which looks like a dynamically allocated trampoline region. Plus, as the name suggests, PavLspHook64.dll may be related to a Layered Service Provider, and blocking an LSP on Win8+ breaks browser functionality.
Given that this signature is coming from only Win7, blocking the older PavLspHook64.dll on Win7 is a realistic option.
Another possible workaround other than blocking would be to make the stack pointer aligned on a 128-bit boundary, but the code is a part of NSPR and we don't want to change NSPR for such an ad-hoc workaround.
This crash happened because movaps was executed. I think it didn't happen on version 75 even though the stack pointer was not aligned, because the assembly layout around this area is different and movaps was not executed in this scenario.
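The failure mode described in comment 2, and the realignment workaround weighed in comment 5, reproduced as an added example on Linux/x86-64. This is not code from the bug, from NSPR or from Panda; the callee is a stand-in for _PR_MD_UNLOCK, and `callee_using_movaps`, `call_with_stack_shift` and `probe_stack_shift` are names chosen here. The x86-64 ABI requires rsp to be 16-byte aligned at every `call`, so a compiler may address 16-byte-aligned locals with `movaps`; a hook that enters the callee with rsp shifted by 8 breaks that assumption and `movaps` raises #GP, which Linux reports as SIGSEGV (Windows reports it as EXCEPTION_ACCESS_VIOLATION, the reason seen in the crash reports above). The `and $-16, %rsp` step is the "realign the stack pointer" fix comment 5 mentions.

```c
/* Added example, not part of the bug report or of NSPR. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf fault_recovery;

static void on_fault(int sig) {
    siglongjmp(fault_recovery, sig);  /* unwind out of the faulting call */
}

#if defined(__x86_64__)
int stack_probe_supported(void) { return 1; }

/* Stand-in for nss3!_PR_MD_UNLOCK: the compiler places `slot` at an offset that
 * is 16-byte aligned only if rsp was ABI-conformant on entry, and movaps insists
 * on that alignment. */
static void callee_using_movaps(void) {
    float slot[4] __attribute__((aligned(16)));
    __asm__ volatile("movaps %%xmm0, (%0)" : : "r"(slot) : "memory");
}

/* Call fn with rsp first realigned to the ABI rule, then shifted down by `shift`
 * bytes: 0 is a conformant call, 8 mimics a hook or trampoline that forgot to
 * keep the stack aligned (the 8-byte shift suspected in comment 2). */
static void call_with_stack_shift(void (*fn)(void), long shift) {
    __asm__ volatile(
        "mov %%rsp, %%rbx\n\t"   /* keep the original rsp in a callee-saved register */
        "sub $128, %%rsp\n\t"    /* step below this frame's red zone */
        "and $-16, %%rsp\n\t"    /* rsp is now what the ABI expects right before a call */
        "sub %1, %%rsp\n\t"      /* ... unless we deliberately shift it */
        "call *%0\n\t"
        "mov %%rbx, %%rsp\n\t"
        :
        : "r"(fn), "r"(shift)
        : "rbx", "rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15",
          "memory", "cc");
}

/* Returns 0 if the callee completed, otherwise the signal it died with. */
int probe_stack_shift(long shift) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result = sigsetjmp(fault_recovery, 1);
    if (result == 0)
        call_with_stack_shift(callee_using_movaps, shift);

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}
#else
/* The probe is x86-64 specific; report "unsupported" elsewhere. */
int stack_probe_supported(void) { return 0; }
int probe_stack_shift(long shift) { (void)shift; return -1; }
#endif

int main(void) {
    if (!stack_probe_supported()) {
        puts("x86-64 only");
        return 0;
    }
    printf("ABI-conformant call: %s\n", probe_stack_shift(0) ? "crashed" : "ok");
    printf("rsp shifted by 8:    %s\n", probe_stack_shift(8) ? "crashed" : "ok");
    return 0;
}
```

Whether the crash actually fires depends on the compiler having emitted an aligned SSE access on that path, which is why comment 5 notes that the same misaligned stack did not crash on version 75: a different instruction layout simply never reached a movaps.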
Updated•4 years ago
Comment 6•4 years ago
Comment 7•4 years ago
This patch introduces a new flag BLOCK_WIN7_AND_OLDER with which the blocklist blocks a module on Win7 or older.
Comment 8•4 years ago
Depends on D78414
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/34592f2d9495 Part 1: Introduce a new blocklist flag BLOCK_WIN7_AND_OLDER. r=mhowell
https://hg.mozilla.org/integration/autoland/rev/a1d2876231fc Part 2: Block PavLspHook64.dll on Win7 and older. r=gcp
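The rule chosen in comments 5 and 7, "block PavLspHook64.dll older than 9.3.0.0, but only on Windows 7 and older", as an added example of the decision a version- and OS-gated DLL blocklist makes. This is not Firefox's blocklist code and does not reproduce its table format; the `block_entry` layout, the `BLOCK_WIN7_AND_OLDER` flag value and `should_block` are hypothetical names chosen here. Versions are packed the way a PE version resource orders them so that plain integer comparison is correct, and module names are compared case-insensitively because the crash correlations show the same module as both `PavLspHook64.DLL` and `PAVSHOOK64.DLL`.

```c
/* Added example, not Firefox's blocklist implementation or table. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag set, modelled on the flag the patch adds. */
enum block_flags {
    BLOCK_ON_ANY_WINDOWS = 0,
    BLOCK_WIN7_AND_OLDER = 1 << 0,
};

/* Pack a.b.c.d as 16 bits per part (the VS_FIXEDFILEINFO ordering), usable in
 * static initializers. */
#define PACK_VERSION(a, b, c, d) \
    (((uint64_t)(a) << 48) | ((uint64_t)(b) << 32) | ((uint64_t)(c) << 16) | (uint64_t)(d))
#define ALL_VERSIONS UINT64_MAX

struct block_entry {
    const char *name;      /* matched case-insensitively, as Windows module names are */
    uint64_t max_version;  /* versions strictly below this are blocked */
    unsigned flags;
};

/* Hypothetical table: the entry the patch adds, expressed in this model. */
static const struct block_entry blocklist[] = {
    { "PavLspHook64.dll", PACK_VERSION(9, 3, 0, 0), BLOCK_WIN7_AND_OLDER },
};

static int name_equal_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Windows 7 is NT 6.1; Vista is 6.0, XP is 5.x, Windows 8 starts at 6.2. */
static int is_win7_or_older(unsigned os_major, unsigned os_minor) {
    return os_major < 6 || (os_major == 6 && os_minor <= 1);
}

/* Returns 1 if loading `module` at `version` on NT os_major.os_minor should be blocked. */
int should_block(const char *module, uint64_t version, unsigned os_major, unsigned os_minor) {
    for (size_t i = 0; i < sizeof blocklist / sizeof blocklist[0]; i++) {
        const struct block_entry *e = &blocklist[i];
        if (!name_equal_nocase(module, e->name))
            continue;
        if ((e->flags & BLOCK_WIN7_AND_OLDER) && !is_win7_or_older(os_major, os_minor))
            continue;  /* newer Windows: let it load (an LSP may be load-bearing there) */
        if (version >= e->max_version)
            continue;  /* the fixed version range is allowed */
        return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed cases mirroring the crash data: 9.2.x.x crashes on Win7, 9.3.x.x does not. */
    printf("9.2.0.0 on Win7:  %s\n", should_block("PAVLSPHOOK64.DLL", PACK_VERSION(9, 2, 0, 0), 6, 1) ? "block" : "allow");
    printf("9.3.0.0 on Win7:  %s\n", should_block("PavLspHook64.dll", PACK_VERSION(9, 3, 0, 0), 6, 1) ? "block" : "allow");
    printf("9.2.0.0 on Win10: %s\n", should_block("PavLspHook64.dll", PACK_VERSION(9, 2, 0, 0), 10, 0) ? "block" : "allow");
    return 0;
}
```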
Comment 10•4 years ago
bugherder
Comment 11•3 years ago
The crashes have reappeared since February. Correlations show 58.54% of them loaded another Panda module, PavSHook64.dll (not PavLspHook64). Let's consider blocking it on Win7, too.
(100.0% in signature vs 31.97% overall) platform_pretty_version = Windows 7
(58.54% in signature vs 00.04% overall) Module "PAVSHOOK64.DLL" = true
(48.78% in signature vs 03.69% overall) Module "WLIDNSP.DLL" = true