Closed Bug 1923376 Opened 1 year ago Closed 1 year ago

Browser updates repeatedly instead of launching when the interactive user account has admin permissions (without a UAC)

Categories

(Toolkit :: Application Update, defect, P1)

defect

Tracking

()

VERIFIED FIXED
135 Branch
Tracking Status
firefox-esr115 138+ fixed
firefox-esr128 138+ fixed
firefox131 --- unaffected
firefox132 + disabled
firefox133 + disabled
firefox134 --- disabled
firefox135 --- disabled
firefox136 --- disabled
firefox137 --- disabled
firefox138 --- fixed

People

(Reporter: chuacw, Assigned: bytesized)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [fidedi-ope])

Attachments

(22 files)

13.24 KB, image/png
Details
8.26 KB, application/octet-stream
Details
2.60 KB, application/octet-stream
Details
62.82 KB, image/png
Details
14.40 KB, text/xml
Details
61.25 KB, image/png
Details
13.28 KB, application/octet-stream
Details
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0

Steps to reproduce:

Click on Firefox Nightly icon

Firefox Nightly 133.0.0.700
Product version 133.0a1

Actual results:

It shows "Firefox Nightly is installing your updates and will start in a few moments", then the dialog disappeared and Nightly didn't start.

Expected results:

Nightly should have started.

The Bugbug bot thinks this bug should belong to the 'Toolkit::Application Update' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Application Update
Product: Firefox → Toolkit
Version: other → unspecified

Could you please attach update logs?

  1. Navigate to about:support
  2. Find the "Update Folder" entry and click "Open Folder".
  3. Open the updates directory.
  4. Inside, you should find some .log files: last-update.log, last-update-elevated.log, backup-update.log, backup-update-elevated.log. They may not all exist. Please attach whichever ones do exist to this bug.
Flags: needinfo?(chuacw)

I've reinstalled Nightly from the Installer, so I don't have any logs in there.

Flags: needinfo?(chuacw)

Okay, it sounds like all possible debugging information is probably gone then. If this happens again, you can send us the information that we need and we can reopen this bug. But there isn't much we can do here until then.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME

Ok, this happened again on the latest update.
How do I navigate to about:support if I can't even open Nightly?

Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Attached file backup-update.log
Attached file last-update.log

I think I found the files by looking at the latest date, and directory.
Hope these are the correct files.

Ah, yes. These are some of the correct files. I forgot about one detail though: since your updater is hanging, it will never successfully put the elevated update logs in the right place. Could you retrieve it from the the Maintenance Service directory? You should be able to find the log file at C:\Program Files (x86)\Mozilla Maintenance Service\UpdateLogs\<update_directory_name>.log.

Flags: needinfo?(chuacw)

Wait, hang on. I don't think I need it.

Flags: needinfo?(chuacw)

So, another issue here. Update failed, it should have rollback, so I can use the version of Nightly before the update, but it didn't rollback.
If I click the Nightly icon again, it tries to update again.

Are you sure these are the correct logs? This line sure doesn't seem likely from a Nightly installation

2024-10-08 19:24:02+0800: INSTALLATION DIRECTORY C:\Program Files\Firefox Developer Edition

They also don't really suggest any problem. They do suggest an unusual configuration

2024-10-08 19:24:02+0800: sUsingService=false
...
2024-10-08 19:24:02+0800: gIsElevated=false
...
2024-10-08 19:24:02+0800: INSTALLATION DIRECTORY C:\Program Files\Firefox Developer Edition
...
2024-10-08 19:24:02+0800: Successfully opened lock file
2024-10-08 19:24:02+0800: Going to update via this updater instance.

I'd be lying if I said I wasn't pretty curious how the heck it is updating an installation in Program Files without elevating. Suggests Firefox is either being run with privileges, which is alarming. Or Program Files is writable without elevated privileges. Which is also alarming.

Flags: needinfo?(chuacw)

Ok, I have no logs then, but I've attached a screenshot that shows the issue happens on local time 7 Oct 2024 8:40:02pm.

Flags: needinfo?(chuacw)

Oh, well I see that you at least have an update history file. That might at least give me a hint as to what's going on. That will be a file called updates.xml in the update directory. Can I see that?

Flags: needinfo?(chuacw)

Just logging info here for my own use for the next failure:
Update folder for Nightly:
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\6F193CCC56814779

Attached file updates.xml

attached updates.xml

Flags: needinfo?(chuacw)

screenshot of latest update failures

Attached file 6F193CCC56814779.log

This log is from C:\Program Files (x86)\Mozilla Maintenance Service\UpdateLogs

I'd be lying if I said I wasn't pretty curious how the heck it is updating an installation in Program Files without elevating. Suggests Firefox is either being run with privileges, which is alarming. Or Program Files is writable without elevated privileges. Which is also alarming.

I was doing some development work, so I ran all editions of Firefox (stable/Nightly/Developer) using an account that has UAC disabled.

Alright, I think I have tracked down the source of the problem. It actually has to do with exactly this:

I ran all editions of Firefox (stable/Nightly/Developer) using an account that has UAC disabled.

Usually, the updater runs unelevated initially and then, if necessary, it starts another instance of the updater with elevated privileges to operate on the installed files. The elevated updater saves its output (status, logs, etc) to another privileged directory. Then, when it exits, the unelevated updater examines its output to complete the final stages of the update.

But when we made this change, we changed how the updater detects if it is the first update process or the second one. We made the assumption that if the process has administrator privileges, it must be the second process run. This means that, in your case, the updater immediately thinks it is running for the second time. This causes it not to (a) on launch, change the status to show that the update is in-progress, (b) write its final status back to the original status file, or (c) start Firefox again after it exits. Normally the first updater process would do all of those things. Since we never change the status file, every time Firefox launches, it thinks it is seeing that update for the first time. And combined with missing behavior (c), this means that Firefox never launches successfully.

The audience for this is probably small because it requires that your account be set up in an unusual way. But the effect is to completely break Firefox in a way that requires either technical knowledge or reinstallation to recover from, and the trigger is updating completely normally. So this is a serious issue. I will try to get a patch up for this ASAP.

Chua Chee Wee, thank you for reporting this.

Severity: -- → S2
Keywords: regression
Priority: -- → P1
Regressed by: CVE-2025-2817
See Also: → 1922920

:nrishel, since you are the author of the regressor, bug 1917536, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(nrishel)
Status: UNCONFIRMED → NEW
Ever confirmed: true

But when we made this change, we changed how the updater detects if it is the first update process or the second one. We made the assumption that if the process has administrator privileges, it must be the second process run. This means that, in your case, the updater immediately thinks it is running for the second time. This causes it not to (a) on launch, change the status to show that the update is in-progress, (b) write its final status back to the original status file, or (c) start Firefox again after it exits. Normally the first updater process would do all of those things. Since we never change the status file, every time Firefox launches, it thinks it is seeing that update for the first time. And combined with missing behavior (c), this means that Firefox never launches successfully.

Thanks for explaining this and letting me understand Firefox better, and it was interesting to read the code referred above, and I see you have code to detect whether the process is launched under an admin account with UAC disabled.

I looked at the error log in the other ticket, 1922920 and it appears to contain the same content as mine!

Could you help me understand why the change referred above, was made?

Thank you!

(In reply to Chua Chee Wee from comment #23)

Could you help me understand why the change referred above, was made?

I'm afraid that since Bug 1917536 is still marked as secure, I can't really get into it.

Assignee: nobody → bytesized
Flags: needinfo?(nrishel)
Duplicate of this bug: 1922920
Summary: Can't update Nightly → Browser updates repeatedly instead of launching when the interactive user account has admin permissions (without a UAC)

I've pushed a backout of bug 1917536 to the Beta branch for tomorrow's 132.0b6 build while we continue to work through this regression.

We need to add an argument to this executable, but it is made more difficult than it needs to be by the fact that we refer to arguments by number all over this code. Which, to be honest, also just makes the code harder to understand than necessary. This patch simply adds swaps out raw index values for variables in order to make this easier to understand.

There should only be one actual functionality change in this patch. This particular invocation of LaunchCallbackApp inexplicably passes the path to the callback binary as the first argument instead of the path to the callback's working directory. Presumably this is a bug.

Note that this patch does not implement the proper usage of the argument. It reads the argument but then does nothing with it.

After discussing with Robin, we've backed out the regressing change ahead of the next round of Nightly builds due to start shortly.

We won't be attempting to re-land the patch that caused this regression this cycle. Updating the tracking flags accordingly.

Attachment #9430515 - Attachment description: Bug 1923376 - Keep track of argument indicies with variables r=nalexander! → Bug 1923376 - Keep track of argument indicies with variables r=nrishel!,nalexander!
Attachment #9430516 - Attachment description: Bug 1923376 - Add an argument to the updater to convey which updater instance it is r=nalexander! → Bug 1923376 - Add an argument to the updater to convey which updater instance it is r=nrishel!,nalexander!
Attachment #9430517 - Attachment description: Bug 1923376 - Use argument value to determine which updater instance is running rather than elevation r=nalexander! → Bug 1923376 - Use argument value to determine which updater instance is running rather than elevation r=nrishel!,nalexander!

This patch basically reimplements this functionality (removed in Bug 1917536), but using the mechanism introduced by Bug 1923376 to convey which invocation the updater should run as.

Whiteboard: [fidedi-ope]
Status: NEW → RESOLVED
Closed: 1 year ago1 year ago
Resolution: --- → WORKSFORME
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Status: REOPENED → ASSIGNED

I'm not really sure why you closed this bug. I am still working on a patch. The bug will be automatically closed when it merges.

Attachment #9430515 - Attachment description: Bug 1923376 - Keep track of argument indicies with variables r=nrishel!,nalexander! → Bug 1923376 - Keep track of argument indices with variables r=nrishel!,nalexander!

Setting Fx133 to disabled since Bug 1917536 was backed out before Fx133 went to beta

Pushed by rsteuber@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4dcbb138e052 Keep track of argument indices with variables r=nalexander,nrishel https://hg.mozilla.org/integration/autoland/rev/20183df7b002 Add an argument to the updater to convey which updater instance it is r=nalexander,nrishel https://hg.mozilla.org/integration/autoland/rev/0372e17b9b6d Add MMS support for new updater args r=nrishel,nalexander https://hg.mozilla.org/integration/autoland/rev/98cb02543c02 Use argument value to determine which updater instance is running rather than elevation r=nalexander,nrishel https://hg.mozilla.org/integration/autoland/rev/1b17564efbdb Fix "force service fallback" update test feature r=nrishel,nalexander

Backed out for causing build bustages @updater.cpp.

Flags: needinfo?(bytesized)

I think I addressed the problem. Re-merging.

Flags: needinfo?(bytesized)
Pushed by rsteuber@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/258949ba2ec4 Keep track of argument indices with variables r=nalexander,nrishel https://hg.mozilla.org/integration/autoland/rev/5b26561eae74 Add an argument to the updater to convey which updater instance it is r=nalexander,nrishel https://hg.mozilla.org/integration/autoland/rev/7d71532633b3 Add MMS support for new updater args r=nrishel,nalexander https://hg.mozilla.org/integration/autoland/rev/f133a856cc4a Use argument value to determine which updater instance is running rather than elevation r=nalexander,nrishel https://hg.mozilla.org/integration/autoland/rev/f538ea57a5f9 Fix "force service fallback" update test feature r=nrishel,nalexander
See Also: 1922920

Backed out alongside Bug 1917536 for causing bustage @ updater.cpp in mozilla-central

Backout link

Push with failures

Failure log

Flags: needinfo?(bytesized)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 135 Branch → ---
Pushed by rsteuber@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/950417640ee4 Keep track of argument indices with variables r=nalexander,nrishel https://hg.mozilla.org/integration/autoland/rev/a01206f5887c Add an argument to the updater to convey which updater instance it is r=nalexander,nrishel https://hg.mozilla.org/integration/autoland/rev/4e87e80d48fd Add MMS support for new updater args r=nrishel,nalexander https://hg.mozilla.org/integration/autoland/rev/4c7c00c2a9eb Use argument value to determine which updater instance is running rather than elevation r=nalexander,nrishel https://hg.mozilla.org/integration/autoland/rev/e8abed69355a Fix "force service fallback" update test feature r=nrishel,nalexander

We should get extra QA smoke testing around Nightly updates for this and bug 1917536.

Flags: needinfo?(bytesized) → qe-verify+

(In reply to Ryan VanderMeulen [:RyanVM] from comment #45)

We should get extra QA smoke testing around Nightly updates for this and bug 1917536.

We are done with the testing from bug 1917536 where we also covered a few scenarios with admin user and no UAC and we did not find any issues updating to latest Beta version.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Regressions: 1937806

Backed out from 136 beta for causing bug 1945654 preventing shipping beta 1.

Regressions: 1945654
No longer regressions: 1945654

When uplifting this, Bug 1946084 and Bug 1945654 will be required on ESR128/ESR115

We need to add an argument to this executable, but it is made more difficult than it needs to be by the fact that we refer to arguments by number all over this code. Which, to be honest, also just makes the code harder to understand than necessary. This patch simply swaps out raw index values for variables in order to make this easier to understand.

There should only be one actual functionality change in this patch. This particular invocation of LaunchCallbackApp inexplicably passes the path to the callback binary as the first argument instead of the path to the callback's working directory. Presumably this is a bug.

Original Revision: https://phabricator.services.mozilla.com/D225420

Attachment #9473490 - Flags: approval-mozilla-esr128?

Note that this patch does not implement the proper usage of the argument. It reads the argument but then does nothing with it.

Original Revision: https://phabricator.services.mozilla.com/D225421

Attachment #9473491 - Flags: approval-mozilla-esr128?
Attachment #9473492 - Flags: approval-mozilla-esr128?
Attachment #9473493 - Flags: approval-mozilla-esr128?

This patch basically reimplements this functionality (removed in Bug 1917536), but using the mechanism introduced by Bug 1923376 to convey which invocation the updater should run as.

Original Revision: https://phabricator.services.mozilla.com/D225743

Attachment #9473494 - Flags: approval-mozilla-esr128?

We need to add an argument to this executable, but it is made more difficult than it needs to be by the fact that we refer to arguments by number all over this code. Which, to be honest, also just makes the code harder to understand than necessary. This patch simply swaps out raw index values for variables in order to make this easier to understand.

There should only be one actual functionality change in this patch. This particular invocation of LaunchCallbackApp inexplicably passes the path to the callback binary as the first argument instead of the path to the callback's working directory. Presumably this is a bug.

Original Revision: https://phabricator.services.mozilla.com/D225420

Attachment #9473501 - Flags: approval-mozilla-esr115?

Note that this patch does not implement the proper usage of the argument. It reads the argument but then does nothing with it.

Original Revision: https://phabricator.services.mozilla.com/D225421

Attachment #9473502 - Flags: approval-mozilla-esr115?
Attachment #9473503 - Flags: approval-mozilla-esr115?
Attachment #9473504 - Flags: approval-mozilla-esr115?

This patch basically reimplements this functionality (removed in Bug 1917536), but using the mechanism introduced by Bug 1923376 to convey which invocation the updater should run as.

Original Revision: https://phabricator.services.mozilla.com/D225743

Attachment #9473505 - Flags: approval-mozilla-esr115?

This bug is backed out on 137 beta, thanks.

Attachment #9473504 - Attachment description: Bug 1923376 - Use argument value to determine which updater instance is running rather than elevation → Bug 1923376 - Use argument value to determine which updater instance is running rather than elevation r=nrishel!,nalexander!
Attachment #9473493 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9473492 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9473491 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9473490 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9473494 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9473501 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9473502 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9473503 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9473504 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9473505 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

After discussing on slack with :nrishel there will be no manual QA needed here due to complications, we'll rely on automated tests. Dropping qa-verify+

QA Whiteboard: [qa-triaged] → [qa-triaged] [uplift] [qa-ver-done-c140/b139]
Flags: qe-verify+
QA Whiteboard: [qa-triaged] [uplift] [qa-ver-done-c140/b139] → [qa-triaged] [uplift] [qa-ver-blocked-c140/b139]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: