Open Bug 1649485 Opened 4 years ago Updated 4 years ago

Crash in [@ ffm64.dll | SymCryptRngAesGenerate]

Categories

(External Software Affecting Firefox :: Other, defect, P3)

Product:
External Software Affecting Firefox
Component:
Other
Type:
defect

Tracking

(Not tracked)

People

(Reporter: achronop, Unassigned)

References

Details

(Keywords: regression)

Crash Data

This bug is for crash report bp-060a4985-35e7-4eb6-bfd8-2cdff0200629.

Top 7 frames of crashing thread:

0 ffm64.dll ffm64.dll@0xe79b 
1 ffm64.dll ffm64.dll@0xde20 
2 ffm64.dll ffm64.dll@0x6786f 
3 ffm64.dll ffm64.dll@0x67977 
4 bcryptprimitives.dll SymCryptRngAesGenerate 
5 bcryptprimitives.dll AesRNGState_generate 
6 bcryptprimitives.dll ProcessPrng

Not sure about the component, feel free to redirect.

ffm64.dll is from Symantec, and bcryptprimitives.dll from Windows. This might well be DLL injection into Firefox, though I thought that was shut off in 2019. Moving into core:security for more eyes

Assignee: nobody → nobody
Component: Libraries → Security
Product: NSS → Core
QA Contact: jjones
Version: trunk → unspecified
Crash Signature: [@ ffm64.dll | SymCryptRngAesGenerate] [@ ffm64.dll | AesRNGState_generate ]

The severity field is not set for this bug.
:dveditz, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dveditz)

ffm64.dll is not explicitly listed in the mozglue dll blocklist I know about. I don't think we block all .dlls, and apparently ffm64.dll crashes enough that it was added to the signature skiplist. Moving to mozglue in case we do want to block it. Asking Aaron about the "is this evading a block" question.

Although the signatures are older they were at a very low rate in Release. There's a spike in Nightly crashes starting at the tail end of 79.0a1 (June 23-25) that might be something we introduced. If it were a Symantec update I'd expect it to hit a lot more versions. If that is true this this wouldn't be a dll blocklisting problem but trying to figure out what else we changed around then. Although in the end, the solution might be blocklisting if it's going to cause a stability issue.

Component: Security → General
Flags: needinfo?(dveditz) → needinfo?(aklotz)
Keywords: regression
Flags: needinfo?(aklotz) → needinfo?(tkikuchi)

We used to block ffm64.dll in the sandbox process, but it was unblocked by bug 1441801, discontinuing Chromium's DLL blocking. Blocking this the content process again with our current blocklist is less risky. Before doing that, however, I'll post a thread in our discussion group with Symantec.

Severity: -- → S3
Component: General → Other
Flags: needinfo?(tkikuchi)
Priority: -- → P3
Product: Core → External Software Affecting Firefox
See Also: → 1412827
Crash Signature: [@ ffm64.dll | SymCryptRngAesGenerate] [@ ffm64.dll | AesRNGState_generate ] → [@ ffm64.dll | SymCryptRngAesGenerate] [@ ffm64.dll | AesRNGState_generate ][@ ffm64.dll | AesRNGState_init ]

I sent an email about this bug to the mozilla-symantec-discuss discussion group on Jul 16 and received an acknowledging receipt from Broadcom.

You need to log in before you can comment on or make changes to this bug.