startup Crash in [@ ntdll.dll | inprocessclient64.dll | mozilla::interceptor::FuncHook<T>::operator()] with SentinelOne
Categories
(External Software Affecting Firefox :: Other, defect)
Tracking
(firefox-esr115 unaffected, firefox-esr140 unaffected, firefox146+ fixed, firefox147 fixed, firefox148 fixed)
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr140 | --- | unaffected |
| firefox146 | + | fixed |
| firefox147 | --- | fixed |
| firefox148 | --- | fixed |
People
(Reporter: aryx, Assigned: gstoll)
References
Details
(Keywords: crash)
Crash Data
Attachments
(3 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-release+
|
Details | Review |
33 startup crashes from 23 installs of Firefox 146.0 on Windows 11, no crash reports for version <=145.
Greg:
a) Do you contacts there?
b) Should the .dll be blocklisted is a short term mitigation?
Crash report: https://crash-stats.mozilla.org/report/index/470c4f88-f246-4e7e-8266-8ee2b0251210
Reason:
EXCEPTION_ILLEGAL_INSTRUCTION
Top 10 frames:
0 ntdll.dll ntdll.dll@0xb9b3c
1 InProcessClient64.dll InProcessClient64.dll@0x81140
2 InProcessClient64.dll InProcessClient64.dll@0x80e80
3 mozglue.dll mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mo... toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:144
3 mozglue.dll patched_LdrLoadDll(wchar_t*, unsigned long*, _UNICODE_STRING*, void**) toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:513
4 KERNELBASE.dll KERNELBASE.dll@0xf4944
5 mozglue.dll mozilla::detail::DynamicallyLinkedFunctionPtrBase<int (*)(void*, _PROCESS_MIT... mozglue/misc/DynamicallyLinkedFunctionPtr.h:50
5 mozglue.dll mozilla::StaticDynamicallyLinkedFunctionPtr<int (*)(void*, _PROCESS_MITIGATIO... mozglue/misc/DynamicallyLinkedFunctionPtr.h:106
5 mozglue.dll mozilla::FetchGetProcessMitigationPolicyFunc() mozglue/misc/WindowsProcessMitigations.cpp:19
5 mozglue.dll mozilla::IsWin32kLockedDown::<lambda_0>::operator()() const mozglue/misc/WindowsProcessMitigations.cpp:30
|
Reporter | |
Comment 1•4 months ago
|
||
SentinelOne has been contacted.
|
Assignee | |
Updated•4 months ago
|
|
||
Comment 2•4 months ago
|
||
The bug is marked as tracked for firefox146 (release). However, the bug still isn't assigned and has low severity.
:jstutte, could you please find an assignee and increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 3•4 months ago
|
||
This is a fairly high-volume startup crash, so I'm going to block the offending DLL.
|
||
Updated•4 months ago
|
|
|
Assignee | |
Comment 4•4 months ago
|
||
It looks like the crash is happening when we call LoadLibrary on kernel32.dll in order to call GetProcessMitigationPolicy, and that LoadLibrary call is being intercepted by InProcessClient64.dll, which is crashing.
I'm not sure why this only shows up in Fx 146; it doesn't seem like the relevant Fx code has changed?
|
|
Assignee | |
Comment 5•4 months ago
|
||
Windows DLLBlocklist request form
-
How were we aware of the problem?
topcrasher in Fx 146 -
What is a suspicious product causing the problem?
InProcessClient64.dll published by SentinelOne. -
Is the product downloadable? If so, do we have a local repro?
It does not appear to be downloadable. -
Which OS versions does the problem occur on?
Windows 11 only -
Which process types does the problem occur on?
parent process -
What is the maximum version of the module in the crash reports?
25.1.4.434 -
Is the issue fixed by a newer version of the product?
I don't think so; there are no newer versions in our telemetry. -
Do we have data about the module in the third-party-module ping?
Yes -
Do we know how the module is loaded?
It appears to load through a normal mechanism -
Describe your conclusion.
We should block all versions of InProcessClient64.dll in the parent process.
|
|
Assignee | |
Comment 6•4 months ago
|
||
|
||
Comment 9•4 months ago
|
||
firefox-beta Uplift Approval Request
- User impact if declined: topcrash startup crash in Fx 146
- Code covered by automated testing: no
- Fix verified in Nightly: no
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: n/a
- Risk associated with taking this patch: low
- Explanation of risk level: just blocking a DLL that's crashing on startup, probably can't make things worse :-)
- String changes made/needed: no
- Is Android affected?: no
|
|
Assignee | |
Comment 10•4 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D276001
|
|
||
Comment 11•4 months ago
|
||
firefox-release Uplift Approval Request
- User impact if declined: topcrash startup crash in Fx 146
- Code covered by automated testing: no
- Fix verified in Nightly: no
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: n/a
- Risk associated with taking this patch: low
- Explanation of risk level: just blocking a DLL that's crashing on startup, probably can't make things worse :-)
- String changes made/needed: no
- Is Android affected?: no
|
|
Assignee | |
Comment 12•4 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D276001
|
|
||
Updated•4 months ago
|
|
||
Updated•4 months ago
|
|
||
Comment 13•4 months ago
|
||
| uplift | ||
|
|
||
Updated•4 months ago
|
|
|
||
Updated•4 months ago
|
|
|
||
Comment 14•4 months ago
|
||
| uplift | ||
|
|
Assignee | |
Comment 15•3 months ago
|
||
Sigh, I didn't notice that these are all ARM64 crashes. This is basically a duplicate of bug 1936029.
Description
•