Closed Bug 538998 Opened 10 years ago Closed 4 years ago

Spike in crashes [@ WSAStartup ] in early Jan 2010

Categories

(Core :: General, defect, critical)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: chofmann, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [crashkill][crashkill-thirdparty][crashkill-outreach][explosive])

Crash Data

early reports from 3.6 rc1 show this as the #10 top crash

http://crash-stats.mozilla.com/report/index/d371a460-3506-41ed-a883-001792100110

Frame  	Module  	Signature [Expand]  	Source
0 		@0x11a1626 	
1 	ws2_32.dll 	WSAStartup

all reports are within seconds of startup.

and we are seeing a flood of these across all releases with a big ramp up on 2010 01 10

checking --- 20100110-crashdata.csv WSAStartup
release total-crashes
              WSAStartup crashes
                         pct.
all     215352  3763    0.0174737
3.0.15  1958    34      0.0173647
3.0.16  4940    85      0.0172065
3.5.5   5270    53      0.0100569
3.5.6   16510   186     0.0112659
3.6     10425   192     0.0184173
3.6b5   14884   64      0.00429992
3.6b4   1505            0
3.6b3   721             0
3.6b2   729             0
3.6b1   2102    18      0.00856327

date WSAStartupcrashes
20100101-crashdata 0 WSAStartup
20100102-crashdata 0 WSAStartup
20100103-crashdata 0 WSAStartup
20100104-crashdata 0 WSAStartup
20100105-crashdata 60 WSAStartup
20100106-crashdata 115 WSAStartup
20100107-crashdata 100 WSAStartup
20100108-crashdata 94 WSAStartup
20100109-crashdata 115 WSAStartup
20100110-crashdata 3763 WSAStartup
os breakdown
2037    0.541323        Windows NT5.1.2600 Service Pack 3
1234    0.32793 Windows NT5.1.2600 Service Pack 2
196     0.0520861       Windows NT6.0.6001 Service Pack 1
151     0.0401276       Windows NT6.0.6002 Service Pack 2
73      0.0193994       Windows NT6.0.6000
54      0.0143503       Windows NT5.1.2600 Service Pack 1
9       0.00239171      Windows NT5.1.2600 Service Pack 3, v.5857
8       0.00212596      Windows NT5.1.2600
1       0.000265745     Windows NT5.1.2600 Service Pack 3, v.3264
Summary: Firefox 3.6 Crash Report [@ WSAStartup ] → Spike in crashes [@ WSAStartup ] in early Jan 2010
no urls reported and the big upswing seems to have started at 1pm pacific time yesterday with 599 crash reports in that hour.

hourly frequency of reports
  10 2010011001
   4 2010011002
   9 2010011003
   6 2010011004
  12 2010011005
   4 2010011006
   9 2010011007
   3 2010011008
   9 2010011009
   4 2010011010
  12 2010011011
   5 2010011012
 599 2010011013
 455 2010011014
 368 2010011015
 494 2010011016
 351 2010011017
 311 2010011018
 206 2010011019
 158 2010011020
 101 2010011021
 292 2010011022
 341 2010011023
Whiteboard: [crashkill][crashkill-thirdparty][crashkill-outreach][explosive]
3.5.7 correlation report from 2010 01 11 shows

  WSAStartup|EXCEPTION_ACCESS_VIOLATION (2107 crashes)
     90% (1898/2107) vs.  74% (64614/87631) ws2help.dll
     99% (2090/2107) vs.  91% (79341/87631) wininet.dll
     72% (1517/2107) vs.  67% (58507/87631) normaliz.dll

but just scanning some random reports a few instances of H8SRT malware shows up
here is a sample.

http://crash-stats.mozilla.com/report/index/fe4abdd7-0050-447f-b862-ffb022100110
	ws2_32.dll	5.1.2600.21801
http://crash-stats.mozilla.com/report/index/fe3034e5-8724-4fc8-a86c-fb8b62100110
	ws2_32.dll	6.0.6001.180001
http://crash-stats.mozilla.com/report/index/fe2213d0-93eb-41ce-b98c-0e7ff2100110
	H8SRTqmgdikjoot.dll		
        ws2_32.dll	5.1.2600.55121
http://crash-stats.mozilla.com/report/index/fe12187e-4f27-4bc6-8a66-5d36f2100110
	ws2_32.dll	6.0.6001.180001
http://crash-stats.mozilla.com/report/index/fdea125b-11eb-4363-bcf2-f73d92100110
	H8SRTfubvpiexjh.dll		
        ws2_32.dll	5.1.2600.21801
http://crash-stats.mozilla.com/report/index/fde288e0-3db2-4706-88a0-43fd72100110
	H8SRTxsapbvvxqq.dll		
        ws2_32.dll	6.0.6001.180001
http://crash-stats.mozilla.com/report/index/fdde3e84-54a6-42c2-ae26-4a6d32100110
	ws2_32.dll	5.1.2600.55121
http://crash-stats.mozilla.com/report/index/fdd921b7-703d-42d5-8d86-05deb2100110
	H8SRTcyftodxobx.dll		
        ws2_32.dll	5.1.2600.21801
http://crash-stats.mozilla.com/report/index/fdd859ed-ed7b-498e-b4af-9806d2100110
	ws2_32.dll	5.1.2600.55121
http://crash-stats.mozilla.com/report/index/fd9028b9-3216-4e6b-85b3-c3cec2100110
	H8SRTunbmlidujy.dll		
        ws2_32.dll	5.1.2600.21801
http://crash-stats.mozilla.com/report/index/fd8caaba-edf7-4900-9885-551322100110
	ws2_32.dll	5.1.2600.55121
http://crash-stats.mozilla.com/report/index/fd896616-280d-45f2-804c-daf8e2100110
	H8SRTjymeaufurv.dll		
        ws2_32.dll	5.1.2600.55121
there are a few places where we seem to call this windows library in nspr, and in an ogg player test program.

http://mxr.mozilla.org/mozilla1.9.2/search?string=WSAStartup

/nsprpub/pr/src/md/windows/ntio.c (View Hg log or Hg annotations)
    * line 879 -- err = WSAStartup( WSAVersion, &WSAData );

/nsprpub/pr/src/md/windows/w95io.c (View Hg log or Hg annotations)
    * line 283 -- err = WSAStartup( WSAVersion, &WSAData );

/media/liboggplay/src/liboggplay/oggplay_tcp_reader.c (View Hg log or Hg annotations)
    * line 128 -- if (WSAStartup(wVersionRequested, &wsaData) == -1) {
WSAStartup initializes WinSock/Networking; I'd assume LSPs get initialized underneath this call.
yep. this should be yet another instance of LSP malware/badware/bugware.

I have a patch which will let us seal off all of this gunk for at least 3 months (until the badware gets more aggressive which will be really fun).
Blocks: 540309
http://test.kairo.at/socorro/2011-06-23.firefox.4.0.explosiveness.html shows a small spike in crashes in this signature showing up in recent 4.0 data.
Crash Signature: [@ WSAStartup ]
Severity: normal → critical
Keywords: crash
bp-7e4d67af-231a-408f-8f0f-7293f2160608 is only Thunderbird crash in 2.5 months.
Whatever this is, it's rare and not enough info to be actionable
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.