Closed Bug 1642626 Opened 2 years ago Closed 2 years ago

Error thrown in console when running target.cppunittest.tests

Categories

(Core :: mozglue, defect)

78 Branch
All
Windows 7
defect

Tracking

RESOLVED FIXED
mozilla80
Tracking Status
firefox-esr78 --- wontfix
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- fixed

People

(Reporter: mboldan, Assigned: toshi)

Details

(Keywords: regressionwindow-wanted)

Attachments

(4 files)

[Affected versions]:

  • Firefox 78.0b1

[Affected platforms]:

  • Windows 7 64

[Steps to reproduce]:

  1. Download target.cppunittest.tests.zip from https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta&revision=d8660eabf305&selectedJob=178353557 (Fx61.0b5 - Windows 2012 x64 opt N) if using Windows 64bit, otherwise use https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta&revision=d8660eabf305&selectedJob=178353575
  2. Unzip the content
  3. Open CMD in the folder the content was extracted in the previous step.
  4. Type 'TestDllInterceptor.exe' and hit Enter

[Expected result]:

  • Bunch of tests run in CMD without issues

[Actual result]:

  • One fail test is displayed - TEST-FAILED | WindowsDllInterceptor | Failed to hook ntdll!NtMapViewOfSection v
    a 10-byte patch

[Regression]:
I will search for a regression ASAP.

[Notes]:

  • This issue was reproducible with AVG (20.3.3120) and Avast (20.3.2405) turned on.
  • Note that the issue was not reproducible with Kaspersky AV, or with the antiviruses from the previous note, turned off.
Has Regression Range: --- → no
Has STR: --- → yes
Component: General → mozglue
Product: Firefox Build System → Core

I could reproduce TestDllInterceptor.exe's failure with AVG. I also confirmed Firefox 76 or 79 Nightly could launch on the same environment with AVG. Let me figure out what's going on.

The test failure is caused by AVG's hook which our detour cannot handle as shown below. This is not a regression on our side.

AVG does not break Firefox because their hook is applied after we applied our hook onto NtMapViewOfSection. This means we did our hook, but it was overwritten by AVG. As a result, Firefox runs normally but our blocklist does not work.

Because they have a kernel driver, there is no easy way to keep our full functionality with AVG. What we can do is to update our detour to support this pattern.

ntdll!NtMapViewOfSection:
00007ffa`f287c560 e9d33cfebf      jmp     00007ffa`b2860238

00007ffa`b2860238 ff25f2ffffff    jmp     qword ptr [00007ffa`b2860230] --> 00007ffa`e57a2ad0

aswhook+0x2ad0:
00007ffa`e57a2ad0 4055            push    rbp
00007ffa`e57a2ad2 53              push    rbx
00007ffa`e57a2ad3 56              push    rsi

Assignee: nobody → tkikuchi

This patch moves the logic of jump detection from ResolveRedirectedAddress to
ReadOnlyTargetFunction to simplify ReadOnlyTargetFunction.

AVG AntiVirus hooks ntdll!NtMapViewOfSection by planting two JMP instructions,
jumping to a trampoline area first, then jumping to aswhook.dll.

ntdll!NtMapViewOfSection:
00007ffa`6d77c560 e9d33cfebf      jmp     00007ffa`2d760238

00007ffa`2d760238 ff25f2ffffff    jmp     qword ptr [00007ffa`2d760230] --> 00007ffa`541e2ad0

aswhook+0x2ad0:
00007ffa`541e2ad0 4055            push    rbp
00007ffa`541e2ad2 53              push    rbx
00007ffa`541e2ad3 56              push    rsi

With this patch, our detour can detour on top of that pattern. The first part is
to remove the MEM_IMAGE check from IsPageAccessible. The second part is to introduce
a loop in ResolveRedirectedAddress to resolve a chain of jumps.

Depends on D81581
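
The jump chain from the first dump above, followed in a loop as the Part 3 description outlines. This is an added example, not Mozilla's ResolveRedirectedAddress or any code from the attached patches. Region, read_mem, resolve_jump_chain and max_hops are hypothetical names, the bytes are copied from the WinDbg output in this bug, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory image holding the bytes from the first WinDbg dump. */
typedef struct { uint64_t base; size_t len; uint8_t bytes[8]; } Region;
static const Region kImage[] = {
  { 0x00007ffaf287c560ULL, 5, {0xe9, 0xd3, 0x3c, 0xfe, 0xbf} },       /* jmp rel32 */
  { 0x00007ffab2860230ULL, 8, {0xd0, 0x2a, 0x7a, 0xe5, 0xfa, 0x7f} }, /* pointer slot */
  { 0x00007ffab2860238ULL, 6, {0xff, 0x25, 0xf2, 0xff, 0xff, 0xff} }, /* jmp [rip-0xe] */
  { 0x00007ffae57a2ad0ULL, 4, {0x40, 0x55, 0x53, 0x56} },             /* aswhook body */
};

/* Copy n bytes at addr out of the image; returns 0 if the range is unmapped. */
static int read_mem(uint64_t addr, void *out, size_t n) {
  for (size_t i = 0; i < sizeof(kImage) / sizeof(kImage[0]); i++) {
    const Region *r = &kImage[i];
    uint64_t off = addr - r->base;
    if (addr >= r->base && off <= r->len && n <= r->len - off) {
      memcpy(out, r->bytes + off, n);
      return 1;
    }
  }
  return 0;
}

/* Follow E9 rel32 and FF 25 disp32 (RIP-relative) jumps until the first
   non-jump instruction. max_hops bounds the loop in case the chain cycles. */
uint64_t resolve_jump_chain(uint64_t addr, int max_hops, int *hops) {
  for (*hops = 0; *hops < max_hops; ++*hops) {
    uint8_t op[2];
    int32_t rel;   /* decoded with memcpy: assumes a little-endian host */
    uint64_t next;
    if (read_mem(addr, op, 1) && op[0] == 0xe9 && read_mem(addr + 1, &rel, 4)) {
      next = addr + 5 + (int64_t)rel;           /* relative to the next instruction */
    } else if (read_mem(addr, op, 2) && op[0] == 0xff && op[1] == 0x25 &&
               read_mem(addr + 2, &rel, 4)) {
      uint64_t slot = addr + 6 + (int64_t)rel;  /* address of [rip + disp32] */
      if (!read_mem(slot, &next, 8)) break;     /* slot holds the 64-bit target */
    } else break;                               /* not a jump: the hook body */
    addr = next;
  }
  return addr;
}

int main(void) {
  int hops;
  uint64_t end = resolve_jump_chain(0x00007ffaf287c560ULL, 8, &hops);
  printf("resolved to %#llx after %d hops\n", (unsigned long long)end, hops);
}
```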

Attachment #9160163 - Attachment description: Bug 1642626 - Part3: Handle a detour pattern of multple jumps. r=handyman → Bug 1642626 - Part3: Handle a detour pattern of multiple jumps. r=handyman

I was wrong in the following part of my comment 3. AVG's hook comes after our hook, but their hook calls our hook as the original function. Thus our blocklist functions normally with AVG.

AVG does not break Firefox because their hook is applied after we applied our hook onto NtMapViewOfSection. This means we did our hook, but it was overwritten by AVG. As a result, Firefox runs normally but our blocklist does not work.

Attachment #9160163 - Attachment description: Bug 1642626 - Part3: Handle a detour pattern of multiple jumps. r=handyman → Bug 1642626 - Part3: Handle a detour pattern of multple jumps. r=handyman
Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9b129ac9f2d7
Part1: Take out jump detection from ReadOnlyTargetFunction.  r=handyman
https://hg.mozilla.org/integration/autoland/rev/9e7f86782589
Part2: Handle JAE and Opcode83 on x64 without REX Prefix.  r=handyman
https://hg.mozilla.org/integration/autoland/rev/313b964013b6
Part3: Handle a detour pattern of multple jumps.  r=handyman

Since the statuses are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

Is this something we should consider uplifting or can it ride the trains to release?

Flags: needinfo?(tkikuchi)

This is not causing a real user's problem on Firefox so far. No need to uplift to ESR78.

Flags: needinfo?(tkikuchi)

The patch landed in nightly and beta is affected.
:toshi, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

Flags: needinfo?(tkikuchi)
Flags: needinfo?(tkikuchi)
Regressions: 1655680
Attached image dllinterceptor.png

Reproduced the issue with Firefox 78.0b1 (20200601095246) unit tests on Windows 7 x64 with AVG Free v20.6 and Avast Free v20.6.

Sadly, when verifying this with 80.0RC2 (20200818235255) I get this error: TEST-UNEXPECTED-FAIL | WindowsDllInterceptor | Failed to detour LdrLoadDll from ntdll.dll. This happens both with Avast Free and AVG Free. If I disable the antivirus, all checks pass. I don't know if it's the same issue as bug 1588243 or, if it's not, should we file another bug on this matter? Thank you!

Flags: needinfo?(tkikuchi)
Regressions: 1659398
Flags: needinfo?(tkikuchi)

Happened to me too on Windows 7 and Avast Free Antivirus, the same output in terminal, with Firefox 82.0b1

(In reply to Catalin Sasca, QA [:csasca] from comment #15)

Happened to me too on Windows 7 and Avast Free Antivirus, the same output in terminal, with Firefox 82.0b1

Thank you for reporting it. I confirmed the error with Avast (both on Win7 and Win10), too. It seems that the assembly of aswhook's function was changed. The same symptom, but the root cause is different. I'll file a new bug.

ntdll!LdrLoadDll:
00007ff9`d8f04380 e933c304c0      jmp     00007ff9`98f506b8

00007ff9`98f506b8 ff25f2ffffff    jmp     qword ptr [00007ff9`98f506b0] --> 00007ff9`b6814140

aswhook+0x4140:
00007ff9`b6814140 4053            push    rbx
00007ff9`b6814142 4883ec20        sub     rsp,20h
00007ff9`b6814146 ff157c6b0000    call    qword ptr [aswhook+0xacc8 (00007ff9`b681acc8)]
00007ff9`b681414c 8bd8            mov     ebx,eax
00007ff9`b681414e e88d100000      call    aswhook+0x51e0 (00007ff9`b68151e0)

See Also: → 1666571