Closed Bug 1700281 Opened 3 years ago Closed 3 years ago

Crash in [@ LdrpMapAndSnapDependency] | WebRoot AV

Categories

(External Software Affecting Firefox :: Other, defect)

x86
Windows 10

Tracking

(firefox89 fixed)

RESOLVED FIXED

People

(Reporter: gsvelto, Assigned: toshi)

Details

(Keywords: crash)

Attachments

(2 files)

Crash report: https://crash-stats.mozilla.org/report/index/ff7e6c4b-a0c1-48da-92cb-0942b0210320

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 9 frames of crashing thread:

0  @0x56b0000 
1 ntdll.dll LdrpMapAndSnapDependency 
2 ntdll.dll LdrpMapDllWithSectionHandle 
3 ntdll.dll LdrpMapDllNtFileName 
4 ntdll.dll LdrpMapDllFullPath 
5 ntdll.dll LdrpProcessWork 
6 ntdll.dll LdrpLoadDllInternal 
7 ntdll.dll LdrLoadDll 
8 firefox.exe mozilla::freestanding::patched_LdrLoadDll browser/app/winlauncher/freestanding/DllBlocklist.cpp:356

Filing this under networking because the crashes appear to be happening in the socket thread but I'm unsure if the problem is actually related to networking. All the crashes are happening on 32-bit Windows 10. By inspecting the minidumps it appears that we were attempting to load kernel.appcore.dll.

One thing to note about this crash is that it is apparently only happening on nightly but that's because it's a socket process crash: on non-nightly builds the crash report will be written out but the user will not be informed and the crash will not be submitted unless he/she deliberately goes into about:crashes and manually submits it.

The environment data shows:
"sec": {
  "antivirus": [
    "Webroot SecureAnywhere"
  ],
  "antispyware": null,
  "firewall": [
    "Windows Firewall"
  ]
}

The correlations say:
(100.0% in signature vs 00.28% overall) Module "WRFCSUser.x86.dll" = true
(100.0% in signature vs 00.28% overall) Module "WRDll.x86.dll" = true
(100.0% in signature vs 01.62% overall) Module "wow64cpu.dll" = true

These DLLs are associated with the Webroot AV solution.

Component: Networking → Other
Product: Core → External Software Affecting Firefox
Summary: Crash in [@ LdrpMapAndSnapDependency] → Crash in [@ LdrpMapAndSnapDependency] | WebRoot AV

I installed a trial version of SecureAnywhere Internet Security Complete (https://www.webroot.com/us/en/home/products/trials/complete), but it didn't have WRDll.[x86|x64].dll. It injected wrusr.dll into firefox.exe instead.

Crash Signature: [@ LdrpMapAndSnapDependency] → [@ LdrpMapAndSnapDependency] [@ LdrpMapAndSnapModules]

Upon analyzing our telemetry, the version of WRDll.[x86|x64].dll in the crash reports in the last 3 months is 1.1.0.226 or 1.1.0.227, while the loading events in the last 7 days contain only v1.2.1.24. It seems this crash is caused by older versions of WebRoot. So we may be able to block the module safely.
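
A version-bounded block decision of the kind the comment above reasons toward, as an added example that is not Firefox's DllBlocklist.cpp code or the landed patch. The module names and version numbers come from this bug; the 1.1.0.227 cut-off, the fail-closed choice and all function and type names are assumptions.

```cpp
// Added illustration, not Firefox's DllBlocklist code. The cut-off version is an
// assumption taken from the crashing versions quoted in the comment above.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

// Pack a four-part file version (a.b.c.d) into one comparable 64-bit value.
constexpr uint64_t MakeVersion(uint64_t a, uint64_t b, uint64_t c, uint64_t d) {
  return (a << 48) | (b << 32) | (c << 16) | d;
}

struct BlockEntry {
  const char* leafName;  // lower-case DLL leaf name
  uint64_t maxVersion;   // block this version and anything older
};

// Hypothetical entries: names are from the bug, the upper bound is assumed.
static const BlockEntry kEntries[] = {
    {"wrdll.x86.dll", MakeVersion(1, 1, 0, 227)},
    {"wrdll.x64.dll", MakeVersion(1, 1, 0, 227)},
};

// Parse "1.1.0.227"; reject trailing junk and parts that do not fit 16 bits.
bool ParseVersion(const std::string& s, uint64_t* out) {
  unsigned a, b, c, d;
  char extra;
  if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return false;
  if (a > 0xFFFF || b > 0xFFFF || c > 0xFFFF || d > 0xFFFF) return false;
  *out = MakeVersion(a, b, c, d);
  return true;
}

// Decide whether a load of `path` with file version `version` should be refused.
bool ShouldBlock(const std::string& path, const std::string& version) {
  std::string leaf = path.substr(path.find_last_of("\\/") + 1);
  std::transform(leaf.begin(), leaf.end(), leaf.begin(),
                 [](unsigned char ch) { return char(std::tolower(ch)); });
  for (const BlockEntry& e : kEntries) {
    if (leaf != e.leafName) continue;
    uint64_t v;
    // Unreadable version on a listed name: fail closed (policy assumed here).
    if (!ParseVersion(version, &v)) return true;
    return v <= e.maxVersion;
  }
  return false;
}
```

Bounding the entry by version keeps the v1.2.1.24 builds seen in the recent loading events loadable while refusing the two versions that appear in the crash reports.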

Crash Signature: [@ LdrpMapAndSnapDependency] [@ LdrpMapAndSnapModules] → [@ LdrpMapAndSnapDependency] [@ LdrpMapAndSnapModules] [@ NewUnloadInfo]
Assignee: nobody → tkikuchi
Status: NEW → ASSIGNED
Pushed by tkikuchi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/888c08402b23
Block Webroot SecureAnywhere's module.  r=gcp
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED