Socket process top crash in IPSEng64 (Symantec Intrusion Detection)
Categories
(External Software Affecting Firefox :: Other, defect, P2)
Tracking
(firefox97 fixed)
| Tracking | Status | |
|---|---|---|
| firefox97 | --- | fixed |
People
(Reporter: jimm, Assigned: toshi)
References
()
Details
Crash Data
Attachments
(1 file)
New top crash in the Socket process for 94. This module represents six of the top ten crashes for this process in 94 and accounts fro around 95% of the crashes we see on a regular basis. There is no visibility into these crashes on crash stats currently.
Signatures -
IPSEng64.pdb@0xfc1a2
IPSEng32.pdb@0xe31fd
IPSEng64.pdb@0xf89e2
IPSEng64.pdb@0xfbc72
IPSEng64.pdb@0x112d37
IPSEng32.pdb@0xe0ddd
IPSEng32.pdb@0xe2d9d
IPSEng32.pdb@0xf374a
The stacks are pretty worthless. Every frame is in this module after a thread start. Unknown what thread this is on. Example stack -
0
KERNELBASE.dll
RaiseException
1
IPSEng64.pdb
0xfc1a2
2
IPSEng64.pdb
0xfc468
3
IPSEng64.pdb
0x1e15ad
4
IPSEng64.pdb
0x1e1930
5
IPSEng64.pdb
0xd6c77
6
IPSEng64.pdb
0x31426
7
IPSEng64.pdb
0x50a45
8
kernel32.dll
BaseThreadInitThunk
9
ntdll.dll
RtlUserThreadStart
|
||
Comment 1•2 years ago
•
|
||
The fact that these are all RROR_MOD_NOT_FOUND makes me wonder about https://bugzilla.mozilla.org/show_bug.cgi?id=1546154 which landed in Fx94.
|
Reporter | |
Comment 2•2 years ago
|
||
We have similar crashes for another 3rd party (HitmanPro) in the same release.
|
|
Reporter | |
Comment 3•2 years ago
|
||
I wonder if all the new delay loading triggered an issue with some 3rd party libs. We can post to the symantec list about this if you think it would help.
|
||
Comment 4•2 years ago
|
||
(In reply to Jim Mathies [:jimm] from comment #3)
I wonder if all the new delay loading triggered an issue with some 3rd party libs. We can post to the symantec list about this if you think it would help.
I don't quite see how it would directly affect a third party DLL, but maybe they are relying on something being loaded which isn't.
Either way I guess they would have a better chance of working out exactly what is failing, given that we don't even have crash dumps.
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 5•2 years ago
|
||
Added the signature indicating a socket process crash with ERROR_MOD_NOT_FOUND.
|
|
Assignee | |
Comment 6•2 years ago
|
||
Ipseng64.dll that I have delayloads the following modules.
- oleaut32.dll
- shell32.dll
- shlwapi.dll
- user32.dll
- userenv.dll
- version.dll
- ws2_32.dll
- ole32.dll
- urlmon.dll
|
|
||
Comment 7•2 years ago
|
||
Guessing at severity, users with this software might have broken WebRTC? Toshihito, do we have a contact at Symantec we can alert to this?
|
|
Reporter | |
Updated•2 years ago
|
|
|
Reporter | |
Comment 8•2 years ago
|
||
(In reply to Gian-Carlo Pascutto [:gcp] from comment #7)
Guessing at severity, users with this software might have broken WebRTC? Toshihito, do we have a contact at Symantec we can alert to this?
From looking at the code and testing a bit by killing the socket process in task manager, networking will fall back to parent and socket process use will be disabled for the session. So generally everything will continue to work and active connections should continue.
|
|
Assignee | |
Comment 9•2 years ago
•
|
||
I downloaded Norton 360 from https://us.norton.com/downloads and installed it. The latest version contains IPSEng64.dll 17.2.6.25, which matches the crash at IPSEng64+0xfc1a2, the 1st rank crash at https://www.mathies.com/mozilla/crashes/sockrelease.html.
The crash ping data indicates this happens on all platforms Win7/8/8.1/10.
I could not reproduce the crash, but upon analyzing the assembly, I figured out the crashing address IPSEng64+0xfc1a2 does delay-load shlwapi.dll. Pre-loading shlwapi.dll could be a workaround, but this can be caused by any modules to be delayloaded.
(In reply to Gian-Carlo Pascutto [:gcp] from comment #7)
Guessing at severity, users with this software might have broken WebRTC? Toshihito, do we have a contact at Symantec we can alert to this?
We have a discussion group with Symantec. I'll post an email to let them know this issue. A possible fix on their side is to use dynamic linking instead of delayload.
|
|
Assignee | |
Comment 10•2 years ago
|
||
Sent an email to our discussion group with Symantec on Nov-30
|
|
Reporter | |
Comment 11•2 years ago
•
|
||
Hey Toshi, can we block the injection of libraries like IPSEng*, hmpalert*, and kwsui* from the Socket process?
|
|
Assignee | |
Comment 12•2 years ago
|
||
For socket process, we've enabled delayed CIG for years (bug 1611290). I think it's time to move on to pre-spawn CIG for socket.
|
|
Assignee | |
Comment 13•2 years ago
|
||
Since socket process can be launched before GeckoDependentInitialize,
we cache the install directory in InitSignedPolicyRulesToBypassCig
instead of using sBinDir.
This patch moves GetInstallDirectory to WinHeaderOnlyUtils.h to reuse
and removes WinUtils::GetModuleFullPath that is unused.
|
||
Updated•2 years ago
|
|
||
Comment 14•2 years ago
|
||
Pushed by tkikuchi@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2e0fda2938e9 Enable pre-spawn CIG for socket process. r=bobowen
|
||
Comment 15•2 years ago
|
||
| bugherder | ||
Description
•