Open Bug 1768707 Opened 3 years ago Updated 3 years ago

Crash in [@ RtlpFindAndCommitPages | RtlpExtendHeap | RtlpAllocateHeap | RtlpAllocateHeapInternal | RtlpAllocateUserBlockFromHeap | RtlpAllocateUserBlock | RtlpLowFragHeapAllocFromContext | RtlpAllocateHeapInternal | RtlAnsiStringToUnicodeString | RegQ...

Categories

(External Software Affecting Firefox :: Other, defect)

Product:
External Software Affecting Firefox
Component:
Other
Platform:
All
Windows
Type:
defect

Tracking

(firefox-esr91 unaffected, firefox100 wontfix, firefox101 fix-optional, firefox102 fix-optional)

Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox100 --- wontfix
firefox101 --- fix-optional
firefox102 --- fix-optional

People

(Reporter: bobowen, Unassigned)

Details

(Keywords: crash)

Crash Data

This appears to be win32k lockdown related.
For 09/05 reports now have 8 clients and 8 crashes in crash pings.
Found earlier reports, but becomes more clearly related as we ramp up.

All have cyinjct.dll (Palo Alto Networks (Netherlands) B.V.) in the stack.

Crash report: https://crash-stats.mozilla.org/report/index/c2e6c830-399b-434b-b1b6-1d2ab0220506

Reason: STATUS_HEAP_CORRUPTION

Top 10 frames of crashing thread:

0 ntdll.dll RtlReportFatalFailure 
1 ntdll.dll RtlReportCriticalFailure 
2 ntdll.dll RtlpHeapHandleError 
3 ntdll.dll RtlpHpHeapHandleError 
4 ntdll.dll RtlpLogHeapFailure 
5 ntdll.dll RtlpAnalyzeHeapFailure 
6 ntdll.dll RtlpFindAndCommitPages 
7 ntdll.dll RtlpExtendHeap 
8 ntdll.dll RtlpAllocateHeap 
9 ntdll.dll RtlpAllocateHeapInternal
Component: Security: Process Sandboxing → Other
Product: Core → External Software Affecting Firefox

Set release status flags based on info from the regressing bug 1759168

status-firefox100: --- → affected
status-firefox101: --- → affected
status-firefox102: --- → affected
status-firefox-esr91: --- → unaffected

Looking across the crash pings for Fx100 as a whole, looks like this is happening for win32k lockdown disabled as well.
So may not be related, could just be a quirk of the data.

Has Regression Range: --- → yes

Adding this signature because it also seems to appear for cyinjct.dll.
However it looks like many of the same signature are to do with mbae64.dll (Malwarebytes Inc), so that might need a separate bug.
Not sure if this is all to do with win32k lockdown, but possibly makes the crashes more frequent.

Crash Signature: RegQueryValueExA] → RegQueryValueExA] [@ RtlpFindAndCommitPages | RtlpExtendHeap | RtlpAllocateHeap | RtlpAllocateHeapInternal | RtlpAllocateUserBlockFromHeap | RtlpAllocateUserBlock | RtlpLowFragHeapAllocFromContext | RtlpAllocateHeapInternal | RtlpAddDebugInfoToCriticalS…
Crash Signature: RtlpAddDebugInfoToCriticalSection] → RtlpAddDebugInfoToCriticalSection | RtlpWaitOnC... ]

Bob, the volume is pretty low, should we mark this as S3 or could it become more frequent with win32k broader rollout?

Flags: needinfo?(bobowencode)

(In reply to Marco Castelluccio [:marco] from comment #4)

Bob, the volume is pretty low, should we mark this as S3 or could it become more frequent with win32k broader rollout?

I now think that nearly all of this probably has nothing to do with win32k lockdown.
Probably more just to do with the third-parties, although I guess the signature could have more than one cause.
I might look at splitting them as well.

Flags: needinfo?(bobowencode)
Keywords: regression
No longer regressed by: 1759168
Severity: S2 → S3
Has Regression Range: yes → ---
You need to log in before you can comment on or make changes to this bug.