Closed Bug 1637984 Opened 4 years ago Closed 4 years ago

Crash in [@ PR_MD_UNLOCK | PRI_DetachThread] with Panda Security

Categories

(External Software Affecting Firefox :: Other, defect)

Unspecified
Windows 7
defect

Tracking

(firefox79 fixed)

RESOLVED FIXED
Tracking Status
firefox79 --- fixed

People

(Reporter: RyanVM, Assigned: toshi)

References

Details

(Keywords: crash)

Crash Data

Attachments

(3 files)

This bug is for crash report bp-577db51e-847a-42be-8331-315290200514.

All Windows 7 64-bit so far from what I can see. Currently the #18 overall content process topcrash on release.

Top 9 frames of crashing thread:

0 nss3.dll PR_MD_UNLOCK nsprpub/pr/src/md/windows/w95cv.c:365
1 nss3.dll PRI_DetachThread nsprpub/pr/src/threads/combined/pruthr.c:1516
2 nss3.dll DllMain nsprpub/pr/src/md/windows/w95dllmain.c:32
3 nss3.dll dllmain_dispatch /builds/worker/workspace/obj-build/security/f:/dd/vctools/crt/vcstartup/src/startup/dll_dllmain.cpp:200
4 ntdll.dll LdrShutdownThread 
5 ntdll.dll RtlExitUserThread 
6  @0x93b0022 
7 kernel32.dll BaseThreadInitThunk 
8 ntdll.dll RtlUserThreadStart 

DllMain is "The DLL entry point (DllMain) for NSPR." and I see these correlations:

(100.0% in signature vs 00.18% overall) Module "PavLspHook64.DLL" = true
(100.0% in signature vs 00.18% overall) Module "sysHelper64.dll" = true
(100.0% in signature vs 00.18% overall) Module "PavTrc64.dll" = true
(100.0% in signature vs 09.29% overall) address = 0x0
(96.25% in signature vs 12.45% overall) Module "secur32.dll" = true
(100.0% in signature vs 28.01% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(75.00% in signature vs 00.11% overall) Module "PAVSHOOK64.DLL" = true
(100.0% in signature vs 36.76% overall) Module "api-ms-win-crt-multibyte-l1-1-0.dll" = true
(100.0% in signature vs 36.76% overall) Module "api-ms-win-crt-environment-l1-1-0.dll" = true
(100.0% in signature vs 36.76% overall) Module "api-ms-win-crt-string-l1-1-0.dll" = true

I found a site that says that PavLspHook64.DLL is part of Panda Security. So, I'm going to guess the issue is the interaction with external software.

Component: XPCOM → Other
Product: Core → External Software Affecting Firefox
Summary: Crash in [@ PR_MD_UNLOCK | PRI_DetachThread] → Crash in [@ PR_MD_UNLOCK | PRI_DetachThread] with Panda Security

The crashing thread was running nss3!Dllmain with DLL_THREAD_DETACH. When releasing the PRThread object, nss3!_PR_MD_UNLOCK tried to execute movaps but the stack pointer was not aligned on a 128-bit boundary. Probably the injected module PavLspHook64 shifted the stack by 8 bytes.

The severity field is not set for this bug.
:gcp, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gpascutto)

Topcrasher, so at least S2.

Severity: -- → S2
Flags: needinfo?(gpascutto)

Looking at the version of PavLspHook64.dll in the crash reports, the crashing modules are all 9.2.x.x, while we can see the version 9.3.x.x in the loading events. Thus blocking PavLspHook64.dll older than 9.3.0.0 is an option.

One concern is the loading events do not clearly tell how it's loaded because the callstack is incomplete because of a module-less address, which looks like a dynamically-allocated trampoline region. Plus, as the name suggests, PavLspHook64.dll may be related to Layered Service Provider, and blocking an LSP on Win8+ breaks browser functionality.

Given that this signature is coming from only Win7, blocking the older PavLspHook64.dll on Win7 is a realistic option.

Another possible workaround other than blocking would be to make the stack pointer aligned on a 128-bit boundary, but the code is a part of NSPR and we don't want to change NSPR for such an ad-hoc workaround.

This crash happened because movaps was executed. I think it didn't happen on version 75 even though the stack pointer was not aligned because the assembly layout around this area is different and movaps was not executed in this scenario.

Assignee: nobody → tkikuchi
Depends on: 1643200
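The blocking strategy laid out in the comment above, as an added example that is not Firefox's DLL blocklist code: a hypothetical blocklist entry combining the "older than 9.3.0.0" version bound proposed for PavLspHook64.dll with the Win7-and-older scope of the landed patch, so the LSP is left alone on Win8+. The entry fields, the bit value of BLOCK_WIN7_AND_OLDER and the OS version tuples are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Windows (major, minor) version tuples, constructed for the example
WIN7 = (6, 1)
WIN8 = (6, 2)
WIN10 = (10, 0)

BLOCK_WIN7_AND_OLDER = 1 << 0  # assumed bit value for the flag discussed in this bug


@dataclass(frozen=True)
class BlocklistEntry:
    name: str                             # module file name, matched case-insensitively
    max_version: Optional[tuple] = None   # versions strictly below this are blocked; None = all
    flags: int = 0


def parse_version(s: str) -> tuple:
    """'9.2.1.5' -> (9, 2, 1, 5); missing trailing components count as 0."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def should_block(entry: BlocklistEntry, module_name: str, module_version: str, os_version: tuple) -> bool:
    if module_name.lower() != entry.name.lower():
        return False
    if entry.flags & BLOCK_WIN7_AND_OLDER and os_version > WIN7:
        return False  # Win8+: blocking the LSP would break browser networking, so skip
    if entry.max_version is not None and parse_version(module_version) >= entry.max_version:
        return False  # 9.3.x.x and newer were only seen in loading events, not in crashes
    return True


# Hypothetical entry modelled on the fix for this bug
ENTRIES = [BlocklistEntry("PavLspHook64.dll", parse_version("9.3.0.0"), BLOCK_WIN7_AND_OLDER)]


def decide(module_name: str, module_version: str, os_version: tuple) -> bool:
    """True if any blocklist entry says this module must not be loaded."""
    return any(should_block(e, module_name, module_version, os_version) for e in ENTRIES)
```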

This patch introduces a new flag BLOCK_WIN7_AND_OLDER with which the blocklist
blocks a module on Win7 or older.

Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/34592f2d9495
Part 1: Introduce a new blocklist flag BLOCK_WIN7_AND_OLDER. r=mhowell
https://hg.mozilla.org/integration/autoland/rev/a1d2876231fc
Part 2: Block PavLspHook64.dll on Win7 and older. r=gcp
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
See Also: → 1694215

The crashes reappear since February. Correlations show 58.54% of them loaded another Panda module, PavSHook64.dll (not PavLspHook64). Let's consider blocking it on Win7, too.

(100.0% in signature vs 31.97% overall) platform_pretty_version = Windows 7
(58.54% in signature vs 00.04% overall) Module "PAVSHOOK64.DLL" = true
(48.78% in signature vs 03.69% overall) Module "WLIDNSP.DLL" = true
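As an added example (not code from this bug or from Mozilla's crash-stats tooling), the following Python parses correlation lines in the format quoted in both comments above and ranks loaded modules by lift, i.e. how much more often a module is present in the crashing signature than in all crash reports. It shows why the two Panda modules stand out while common system DLLs such as secur32.dll do not; the sample lines are constructed from the values on this page and the 50% / 50x thresholds are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: correlation lines in the format quoted in this bug's comments.
SAMPLE = """\
(100.0% in signature vs 00.18% overall) Module "PavLspHook64.DLL" = true
(100.0% in signature vs 09.29% overall) address = 0x0
(96.25% in signature vs 12.45% overall) Module "secur32.dll" = true
(100.0% in signature vs 28.01% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(75.00% in signature vs 00.11% overall) Module "PAVSHOOK64.DLL" = true
(100.0% in signature vs 36.76% overall) Module "api-ms-win-crt-string-l1-1-0.dll" = true
(48.78% in signature vs 03.69% overall) Module "WLIDNSP.DLL" = true
"""

LINE_RE = re.compile(
    r'^\((?P<sig>\d+(?:\.\d+)?)% in signature vs '
    r'(?P<all>\d+(?:\.\d+)?)% overall\)\s+(?P<key>.+?)\s*=\s*(?P<value>.+?)\s*$'
)
MODULE_RE = re.compile(r'^Module "(?P<name>[^"]+)"$')


@dataclass
class Correlation:
    key: str
    value: str
    in_signature: float  # % of crashes with this signature that have the property
    overall: float       # % of all crash reports that have the property

    @property
    def lift(self) -> float:
        # Present in the signature but in 0% of reports overall: maximally over-represented.
        return float("inf") if self.overall == 0 else self.in_signature / self.overall


def parse_correlations(text: str) -> list:
    """Parse every line that matches the correlation format; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Correlation(m["key"], m["value"], float(m["sig"]), float(m["all"])))
    return out


def suspicious_modules(text: str, min_in_signature: float = 50.0, min_lift: float = 50.0) -> list:
    """(module, in_signature %, lift) for loaded modules far over-represented in the signature, highest lift first."""
    hits = []
    for c in parse_correlations(text):
        m = MODULE_RE.match(c.key)  # names lower-cased so differently-cased spellings compare equal
        if m and c.value == "true" and c.in_signature >= min_in_signature and c.lift >= min_lift:
            hits.append((m["name"].lower(), c.in_signature, round(c.lift, 1)))
    return sorted(hits, key=lambda h: h[2], reverse=True)
```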

See Also: → 1705125
