Crash in [@ hmpalert.dll | ReadProcessMemory] caused by HitmanPro.Alert from Sophos
Categories
(External Software Affecting Firefox :: Other, defect, P1)
Tracking
(firefox-esr91 unaffected, firefox100 wontfix, firefox101 fixed, firefox102 fixed)
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox100 | --- | wontfix |
| firefox101 | --- | fixed |
| firefox102 | --- | fixed |
People
(Reporter: bobowen, Assigned: bobowen)
References
(Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
Breaking this out as a separate thing from bug 1752733.
This particular signature has spiked because of win32k lockdown.
I had seen it briefly in extracts, but it always disappeared because the same signature occurs without win32k lockdown, but it would seem nowhere near as much.
My suspicion is that these are older versions of HitmanPro Alert that are still linked to user32.dll and possibly try to use win32k APIs.
I'll see if blocking the current version works and if it does block from the last version for which we're actually seeing crashes in the content process.
Crash report: https://crash-stats.mozilla.org/report/index/c38efb33-8cd5-4ac9-9741-f7a6e0220513
Reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Top 10 frames of crashing thread:
0 hmpalert.dll hmpalert.dll@0x000000000002ae5e
1 hmpalert.dll hmpalert.dll@0x0000000000028621
2 kernelbase.dll ReadProcessMemory
3 kernelbase.dll <unknown in kernelbase.dll>
4 kernelbase.dll K32EnumProcessModules
5 xul.dll static SharedLibraryInfo::GetInfoForSelf tools/profiler/core/shared-libraries-win32.cc:138
6 xul.dll mozilla::Telemetry::BatchProcessedStackGenerator::BatchProcessedStackGenerator toolkit/components/telemetry/other/ProcessedStack.cpp:72
7 xul.dll mozilla::UntrustedModulesProcessor::CompleteProcessing toolkit/xre/dllservices/UntrustedModulesProcessor.cpp:876
8 xul.dll mozilla::MozPromise<mozilla::Maybe<mozilla::UntrustedModulesProcessor::ModulesMapResultWithLoads>, nsresult, 1>::ThenValue<`lambda at /builds/worker/checkouts/gecko/toolkit/xre/dllservices/UntrustedModulesProcessor.cpp:563:9', `lambda at /builds/worker/checkouts/gecko/toolkit/xre/dllservices/UntrustedModulesProcessor.cpp:572:9'>::DoResolveOrRejectInternal xpcom/threads/MozPromise.h:846
9 xul.dll mozilla::MozPromise<CopyableTArray<bool>, bool, 0>::ThenValueBase::ResolveOrRejectRunnable::Run xpcom/threads/MozPromise.h:487
|
||
Updated•2 years ago
|
|
|
||
Comment 1•2 years ago
|
||
Set release status flags based on info from the regressing bug 1759168
|
Assignee | |
Comment 2•2 years ago
|
||
Blocking seems to work fine, so patch coming up.
|
|
Assignee | |
Comment 3•2 years ago
|
||
The version from a fresh install from Sophos website is 3.8.19.923. Only blocking in child processes.
|
||
Comment 5•2 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 6•2 years ago
|
||
Comment on attachment 9276574 [details]
Bug 1769309: Block hmpalert.dll v3.8.8.889 and earlier due to crashes with win32k lockdown. r=gcp!
Beta/Release Uplift Approval Request
- User impact if declined: Users with older versions of HitmanPro.Alert will continue to see many content process crashes.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple block of older version of hmpalert.dll from the latest version for which we have seen these crashes.
Block was tested on the latest trial version from their website, although we are not blocking that version because it doesn't currently appear to cause this issue. - String changes made/needed: None
- Is Android affected?: No
|
|
||
Updated•2 years ago
|
|
||
Comment 7•2 years ago
|
||
Comment on attachment 9276574 [details]
Bug 1769309: Block hmpalert.dll v3.8.8.889 and earlier due to crashes with win32k lockdown. r=gcp!
Approved for 101.0b8.
|
|
||
Comment 8•2 years ago
|
||
| bugherder uplift | ||
|
||
Comment 9•2 years ago
|
||
Hello! We encountered the following regression for talos on mozilla-beta. Would it be possible for this push to have triggered that regression ?
|
|
||
Updated•2 years ago
|
Description
•