Closed Bug 1882424 Opened 11 months ago Closed 5 months ago

Crash in [@ memset | s_mp_setz]

Categories

(NSS :: Libraries, defect, P4)

x86
Windows 10

Tracking

(firefox125 wontfix)

RESOLVED WORKSFORME
Tracking Status
firefox125 --- wontfix

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [nss-monitor][nss-fx])

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/19fdcc13-adbb-4605-bad3-7ef870240226

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0  VCRUNTIME140.dll  memset  D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\i386\memset.asm:137
1  freebl3.dll  s_mp_setz  security/nss/lib/freebl/mpi/mpi.c:3099
1  freebl3.dll  s_mp_pad  security/nss/lib/freebl/mpi/mpi.c:3080
1  freebl3.dll  s_mp_add_3arg  security/nss/lib/freebl/mpi/mpi.c:3843
2  freebl3.dll  mp_add  security/nss/lib/freebl/mpi/mpi.c:747
3  freebl3.dll  s_mp_invmod_odd_m  security/nss/lib/freebl/mpi/mpi.c:2449
4  freebl3.dll  s_mp_invmod_even_m  security/nss/lib/freebl/mpi/mpi.c:2622
4  freebl3.dll  mp_invmod  security/nss/lib/freebl/mpi/mpi.c:2685
5  freebl3.dll  rsa_build_from_primes  security/nss/lib/freebl/rsa.c:159
6  freebl3.dll  RSA_NewKey  security/nss/lib/freebl/rsa.c:358

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-01-27
  • Process type: Parent
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - all crashes happened on null or near null memory address
Component: General → Security: PSM
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Product: Core → NSS

Haven't looked at this closely, but I wanted to rule out a change we made to the RSA code in NSS 3.98. The first uplift of NSS 3.98 beta was on 2024-01-31, so this crash predates it. Also, I found a similar crash from 2023-10-11 / Firefox 118.

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(bbeurdouche)

@Anna, that feels familiar somehow. Any thoughts?

Flags: needinfo?(bbeurdouche) → needinfo?(nkulatova)

Making it sec just in case for now.

Group: crypto-core-security

I don't remember the bug, but I will try to investigate :)

Flags: needinfo?(nkulatova)

In the past 6 months (the crash-stats search window) there have been 30 crashes, and I'm 99% sure 22 of those were from the same person. If you only look at the 32-bit crashes:

  • they are all the same version of Windows (platform version = 10.0.19045)
  • they are all the same processor (GenuineIntel family 6 model 183 stepping 1 with 24 CPUs)
  • they all have the same graphics driver version (31.0.15.5152) except the most recent 126.0a1 crash that came 6 weeks after the previous
  • there are different install times, but all the crashes with the same buildID have the same install time. Consistent with a Nightly user.
  • The most recent half of the crashes have the same GPU vendor and model (NVIDIA GeForce RTX 4070 Ti)
  • The older half have Intel Raptor Lake-S GT1 [UHD Graphics 770], but the "app note" indicates it's a dual-GPU system and the other GPU is the identical GeForce model above
  • the web extensions are very similar, including some uncommon ones
    • Privacy Possum 75k users (vs 1.2M for Privacy Badger)
    • WebGL Fingerprint Defender (2K, vs Mozilla recommended CanvasBlocker that also blocks WebGL 25K)
    • Canvas Fingerprint Defender (same author as above, pulled from AMO?)
    • Twitch Chat pronouns (15K)

These all seem to be generating an RSA key during a TLS handshake. Oddly very few of the crashes have a URL associated with them; if we're doing a handshake and it's not startup you'd think there should be an active page. Gmail, facebook, and "about:home" show up on the 5 or 6 crashes with a URL.

Are the crashes a 32-bit issue? Is that person's machine haunted? All the loaded modules are signed by Mozilla or Microsoft Windows and seem completely standard, except "klhkum.{58.0.28.0}.{F0C263AF-95C1-4C51-A302-BCFA7F5B7F93}.dll" signed by Microsoft Windows Hardware Compatibility Publisher (some kind of 3rd party driver); appears associated with Kaspersky Total Security. Is it generating MITM certs with a specific shape that tickles this bug?

As these are all near-null crashes I'm not too worried that they might be exploitable, and it's just one person.

The 64-bit crashes have a very different stack. Five are crashing under VerifyContentSignatureTask::CalculateResult() (remote settings?), three crash under mozilla::psm::SSLServerCertVerificationJob::Run(), and the ESR-115.6 crash was verifying a COSE add-on signature.

I don't think there's enough here to be worth pursuing. Could be 9 random x-rays over 6 months.
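The triage in the comment above (grouping the 32-bit reports by platform version, CPU and graphics-driver version, checking that install times are consistent per buildID, and looking for loaded modules not signed by Mozilla or Microsoft) can be automated. The script below is an added example, not code from this bug, from NSS or from crash-stats; the field names loosely follow crash-stats "processed crash" keys but are assumptions for this illustration, and the sample reports are constructed, not real crash data.

```python
"""Group crash reports by a machine fingerprint and flag oddities.

Added example: it automates the heuristic that reports sharing platform
version, CPU and graphics-driver version, with one install time per build
ID, most likely come from a single installation. Field names are
assumptions modelled on crash-stats keys; SAMPLE_REPORTS is constructed.
"""
from collections import defaultdict

# Together these rarely coincide across unrelated machines.
MACHINE_FIELDS = ("arch", "platform_version", "cpu_info", "adapter_driver_version")

# Module signers expected in a stock Firefox process on Windows (assumption).
EXPECTED_SIGNERS = {"Mozilla Corporation", "Microsoft Windows"}


def _report(uuid, arch, plat, cpu, drv, build, install, modules):
    return {
        "uuid": uuid, "arch": arch, "platform_version": plat, "cpu_info": cpu,
        "adapter_driver_version": drv, "build_id": build, "install_time": install,
        "modules": modules,  # list of (filename, signer)
    }


RAPTOR = "GenuineIntel family 6 model 183 stepping 1 | 24"
STOCK = [("xul.dll", "Mozilla Corporation"), ("ntdll.dll", "Microsoft Windows")]
# Constructed third-party hook; the name is a placeholder, not a real file.
WITH_HOOK = STOCK + [("example_av_hook.dll", "Microsoft Windows Hardware Compatibility Publisher")]

# Constructed sample: four reports that look like one 32-bit machine (same
# fingerprint, one install time per build), one other 32-bit machine, one 64-bit.
SAMPLE_REPORTS = [
    _report("c1", "x86", "10.0.19045", RAPTOR, "31.0.15.5152", "20240126", "1706200000", WITH_HOOK),
    _report("c2", "x86", "10.0.19045", RAPTOR, "31.0.15.5152", "20240126", "1706200000", WITH_HOOK),
    _report("c3", "x86", "10.0.19045", RAPTOR, "31.0.15.5152", "20240302", "1709300000", WITH_HOOK),
    _report("c4", "x86", "10.0.19045", RAPTOR, "31.0.15.5152", "20240302", "1709300000", WITH_HOOK),
    _report("c5", "x86", "10.0.22621", "AuthenticAMD family 25 model 97 stepping 2 | 16",
            "31.0.21.1234", "20240302", "1709400000", STOCK),
    _report("c6", "amd64", "10.0.22631", "GenuineIntel family 6 model 154 stepping 3 | 20",
            "31.0.15.5152", "20240302", "1709500000", STOCK),
]


def machine_fingerprint(report):
    """Tuple of the hardware/software fields used to tell machines apart."""
    return tuple(report.get(f, "") for f in MACHINE_FIELDS)


def cluster_by_machine(reports):
    """Map fingerprint -> list of reports sharing it."""
    clusters = defaultdict(list)
    for r in reports:
        clusters[machine_fingerprint(r)].append(r)
    return dict(clusters)


def install_time_consistent(reports):
    """True if all reports with the same build_id share one install_time.

    One installation that updates from build to build shows exactly this
    pattern; several machines on the same build normally would not.
    """
    seen = {}
    for r in reports:
        if seen.setdefault(r["build_id"], r["install_time"]) != r["install_time"]:
            return False
    return True


def largest_cluster(reports):
    """Return (fingerprint, size, install_times_consistent) for the biggest cluster."""
    clusters = cluster_by_machine(reports)
    fp, members = max(clusters.items(), key=lambda kv: len(kv[1]))
    return fp, len(members), install_time_consistent(members)


def unexpected_modules(report, expected=EXPECTED_SIGNERS):
    """Loaded modules whose signer is outside the expected set (AV hooks, injected DLLs)."""
    return sorted(name for name, signer in report["modules"] if signer not in expected)


if __name__ == "__main__":
    fp, n, consistent = largest_cluster(SAMPLE_REPORTS)
    print(f"{n}/{len(SAMPLE_REPORTS)} reports share fingerprint {fp}; "
          f"install times consistent: {consistent}")
    for r in SAMPLE_REPORTS:
        odd = unexpected_modules(r)
        if odd:
            print(r["uuid"], "unexpected modules:", odd)
```

The fingerprint deliberately leaves out fields that change between sessions (URL, uptime, build ID) so that an updating Nightly install still clusters together; the per-build install-time check is what separates "one machine over time" from "many machines on the same build".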

Severity: -- → S3
Priority: -- → P3
Whiteboard: [nss-monitor][nss-fx]
Priority: P3 → P4

This is rare and random enough to not need hiding.

Group: crypto-core-security

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → WORKSFORME