Closed Bug 637600 Opened 14 years ago Closed 11 years ago

Crash with several add-on names of the same toolbar, mainly Smiley Central 1.1

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86
Windows 7
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: scoobidiver, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

It is #67 top crasher in 4.0b12 and #70 top crasher in 3.6.13.
Correlations by add-ons give:
1vbar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (37 crashes)
    100% (37/37) vs.   0% (66/19440) 1vffxtbr@SmileyCentral_1v.com (1.1)

Its website is:
http://smiley.smileycentral.com/download/index.jhtml

Signature	1vbar.dll@0x3ab27
UUID	53143182-15e1-4921-be7d-f03ed2110301
Time 	2011-03-01 00:56:41.245658
Uptime	55
Last Crash	62 seconds before submission
Install Age	48730 seconds (13.5 hours) since version was first installed.
Product	Firefox
Version	4.0b12
Build ID	20110222210221
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_STACK_OVERFLOW
Crash Address	0x585ab27
App Notes 	AdapterVendorID: 8086, AdapterDeviceID: 2a42, AdapterDriverVersion: 8.15.10.1883

Frame 	Module 	Signature 	Source
0 	1vbar.dll 	1vbar.dll@0x3ab27 	
1 	1vbar.dll 	1vbar.dll@0x558b 	
2 	1vPlugin.dll 	1vPlugin.dll@0x34f5 	
3 	1vPlugin.dll 	1vPlugin.dll@0x381d 	
4 	xul.dll 	CallNPMethodInternal 	modules/plugin/base/src/nsJSNPRuntime.cpp:1489
5 	xul.dll 	CallNPMethod 	modules/plugin/base/src/nsJSNPRuntime.cpp:1542
6 	xul.dll 	NPObjWrapper_Call 	modules/plugin/base/src/nsJSNPRuntime.cpp:1717
7 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:653
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:733
9 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:2206
10 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4766
11 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:653
12 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:733
13 	mozjs.dll 	js::InvokeSessionGuard::invoke 	js/src/jsinterpinlines.h:596
14 	mozjs.dll 	array_extra 	js/src/jsarray.cpp:2857
15 	mozjs.dll 	array_forEach 	js/src/jsarray.cpp:2914
16 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4766
17 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:653
18 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:733
19 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:2206
20 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:4766
21 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:653
22 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:733
23 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:849
24 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5173
25 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
26 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
27 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
28 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
29 	xul.dll 	nsBrowserStatusFilter::OnStateChange 	toolkit/components/statusfilter/nsBrowserStatusFilter.cpp:183
30 	xul.dll 	nsDocLoader::FireOnStateChange 	uriloader/base/nsDocLoader.cpp:1334
31 	xul.dll 	nsDocLoader::FireOnStateChange 	uriloader/base/nsDocLoader.cpp:1341
32 	xul.dll 	nsDocLoader::doStopURLLoad 	uriloader/base/nsDocLoader.cpp:907
33 	xul.dll 	nsDocLoader::OnStopRequest 	uriloader/base/nsDocLoader.cpp:691
34 	xul.dll 	nsLoadGroup::RemoveRequest 	netwerk/base/src/nsLoadGroup.cpp:680
35 	xul.dll 	xul.dll@0xb38dd3 	
36 	xul.dll 	imgRequestProxy::RemoveFromLoadGroup 	
37 	xul.dll 	imgRequestProxy::OnStopRequest 	modules/libpr0n/src/imgRequestProxy.cpp:726
38 	xul.dll 	imgRequest::OnStopRequest 	modules/libpr0n/src/imgRequest.cpp:956
39 	xul.dll 	ProxyListener::OnStopRequest 	modules/libpr0n/src/imgLoader.cpp:2008
40 	xul.dll 	nsBaseChannel::OnStopRequest 	netwerk/base/src/nsBaseChannel.cpp:727
41 	xul.dll 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
42 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
43 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
44 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
45 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
46 	xul.dll 	xul.dll@0xb2f7a7 	
47 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
48 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
49 	mozcrt19.dll 	_VEC_memzero 	
50 	xul.dll 	xul.dll@0x359b4d 	
51 	firefox.exe 	firefox.exe@0x1bb7 	
52 	ntdll.dll 	WinSqmSetIfMaxDWORD 	
53 	ntdll.dll 	_RtlUserThreadStart 	
54 	firefox.exe 	firefox.exe@0x186f 	
55 	firefox.exe 	firefox.exe@0x186f 

More reports at:
https://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=1vbar.dll%400x3ab27
Searching for signatures across all versions and branches that contain "bar.dll@0x3ab27" you'll find that there's a whole family of those crashes around, and for me, this sounds very much like malware given the randomized first two letters of the name. Chris, do we know this one?
Looking for just "bar.dll" turns up a few other places in such [two-random-chars]bar.dll libraries: https://crash-stats.mozilla.com/query/query?product=Firefox&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=bar.dll&process_type=browser&do_query=1
> Chris, do we know this one?

I haven't seen this one before, but it's interesting.

Looks like it's about 1500-1700 crashes per day against all versions of Firefox.

I wonder if there is some wildcard blocklisting mechanism we could employ here like /^..bar.dll/ without hitting too many false positives?  I wonder if it's worth filing a bug to add that as a blocklisting feature.

There also seems to be a concentration around a few names, and the crash address spans a variety of variations on the .dll name.  The most popular for Mar 2 being these combos with more than 10 crashes per day.

Also note that the version number seems to have strong correlation to the crash address.

 138 1vbar.dll@0x3ab27 3.6.13
  74 1vbar.dll@0x3ab27 3.6.14
  68 1vbar.dll@0x3ab27 4.0b12
                               - 100% of these might be version 2.3.72.6

  42 7dbar.dll@0x3ab27 3.6.13
  29 7dbar.dll@0x3ab27 4.0b12
  25 7dbar.dll@0x3ab27 3.6.14
                               - 100% of these might be version 2.3.72.6

  33 79bar.dll@0x3ab27 3.6.13
                               - 100% of these might be version 2.3.72.6

  32 64bar.dll@0x3ab27 3.6.13
  31 9ubar.dll@0x3ab27 3.6.13

  24 9ubar.dll@0x3ab27 3.6.14

  24 2zbar.dll@0x3b3c7 4.0b12  -- 100% = 2.3.77.10
                       
  22 64bar.dll@0x3ab27 4.0b12
  22 2zbar.dll@0x3b3c7 3.6.13
  22 1vbar.dll@0x1b787 3.6.13
  20 79bar.dll@0x3ab27 3.6.14
  17 64bar.dll@0x3ab27 3.6.14
  15 jfbar.dll@0x3ab27 3.6.14
  15 2zbar.dll@0x3b3c7 3.6.14
  13 79bar.dll@0x3ab27 4.0b12
  12 u4bar.dll@0x3b317 3.6.13
  12 pabar.dll@0x3b317 4.0b12
  12 2vbar.dll@0x3ad37 3.6.14
  12 27bar.dll@0x3ab27 3.6.13
  11 u4bar.dll@0x3b317 4.0b12
  11 pabar.dll@0x3ab27 3.6.13
  11 2vbar.dll@0x3ad37 3.6.13
  10 pabar.dll@0x3b317 3.6.13
  10 1vbar.dll@0x38237 3.6.13
...

It's also interesting that there are *zero* e-mail addresses associated with any of the reports for all of Feb. and March.
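
The wildcard idea raised in the comment above, `/^..bar.dll/`, can be checked against the module names quoted in this bug. This is an added example, not Mozilla blocklist code and not part of any comment; the `TIGHTENED` and `ADDON_ID` patterns, the prefix-pairing rule and the rows marked constructed are assumptions.

```javascript
// Added example: not Mozilla blocklist code. Module names and add-on IDs are
// taken from the crash signatures and correlations quoted in this bug;
// rows marked "constructed" are made up to probe for false positives.

const PROPOSED = /^..bar.dll/;                 // pattern exactly as written in the comment
const TIGHTENED = /^([0-9a-z]{2})bar\.dll$/i;  // assumption: escaped dot, anchored end
const ADDON_ID = /^([0-9a-z]{2})ffxtbr@/i;     // assumption: ID shape seen in the correlations

const samples = [
  { dll: "1vbar.dll", addon: "1vffxtbr@SmileyCentral_1v.com" },
  { dll: "7dbar.dll", addon: "7dffxtbr@Webfetti.com" },
  { dll: "2zbar.dll", addon: "2zffxtbr@Retrogamer_2z.com" },
  { dll: "64bar.dll", addon: "64ffxtbr@TelevisionFanatic.com" },
  { dll: "79bar.dll", addon: "79ffxtbr@MyFunCardsbar.com" },
  // constructed rows below
  { dll: "mybar.dll", addon: "helper@example.invalid" }, // unrelated DLL, same shape
  { dll: "1vbarXdll", addon: null },                     // unescaped "." matches any char
  { dll: "1vbar.dll.bak", addon: null },                 // missing "$" allows any suffix
  { dll: "toolbar.dll", addon: null },                   // rejected by every pattern
];

// True only when the DLL name fits the family AND an installed add-on ID
// carries the same two-character prefix (hypothetical pairing rule).
function matchesFamily(dll, addon) {
  const m = TIGHTENED.exec(dll);
  const a = addon ? ADDON_ID.exec(addon) : null;
  return Boolean(m && a && m[1].toLowerCase() === a[1].toLowerCase());
}

// Evaluate each row against the three checks so they can be compared.
function evaluate(rows) {
  return rows.map(({ dll, addon }) => ({
    dll,
    proposed: PROPOSED.test(dll),
    tightened: TIGHTENED.test(dll),
    paired: matchesFamily(dll, addon),
  }));
}

console.table(evaluate(samples));
```

Escaping the dot and anchoring the end removes the accidental matches, but a name-only pattern still catches any unrelated two-character `??bar.dll`; only the pairing with the add-on ID prefix separates the constructed `mybar.dll` row from the five families listed in this bug.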
With combined signatures, it is #42 top crasher in 4.0b12 and #41 in 3.6.13.

It is not several DLLs that are generated by one add-on; each DLL matches one different add-on name.
For instance:
  1vbar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (68 crashes)
     99% (67/68) vs.   0% (175/62143) 1vffxtbr@SmileyCentral_1v.com (1.1)
  7dbar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (28 crashes)
     89% (25/28) vs.   0% (121/62143) 7dffxtbr@Webfetti.com (1.1)
  2zbar.dll@0x3b3c7|EXCEPTION_STACK_OVERFLOW (24 crashes)
    100% (24/24) vs.   0% (51/62143) 2zffxtbr@Retrogamer_2z.com (1.1)
  64bar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (22 crashes)
    100% (22/22) vs.   0% (103/62143) 64ffxtbr@TelevisionFanatic.com (1.1)
  79bar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (15 crashes)
    100% (15/15) vs.   0% (72/62143) 79ffxtbr@MyFunCardsbar.com (1.1)
Summary: Crash [@ 1vbar.dll@0x3ab27 ] with Smiley Central 1.1 → Crash [@ 1vbar.dll@0x3ab27 ][@ 7dbar.dll@0x3ab27 ][@ 2zbar.dll@0x3b3c7 ][@ 64bar.dll@0x3ab27][@ 79bar.dll@0x3ab27 ][@ pabar.dll@0x3b317 ][@ u4bar.dll@0x3b317 ] with several add-on names of the same toolbar, mainly Smiley Central 1.1
kev, can you find a contact at smileycentral?  It's hard to say if something legitimate is going on here or if it's malware/adware attacks on Firefox or smiley, or both.

But it is clear that it's causing a pretty significant volume of crashes just in these two signatures and possibly more.
Crash Signature: [@ 1vbar.dll@0x3ab27 ] [@ 7dbar.dll@0x3ab27 ] [@ 2zbar.dll@0x3b3c7 ] [@ 64bar.dll@0x3ab27] [@ 79bar.dll@0x3ab27 ] [@ pabar.dll@0x3b317 ] [@ u4bar.dll@0x3b317 ]
It's now a low volume crash. I don't think the blocklisting is still required.
Crash Signature: [@ 1vbar.dll@0x3ab27 ] [@ 7dbar.dll@0x3ab27 ] [@ 2zbar.dll@0x3b3c7 ] [@ 64bar.dll@0x3ab27] [@ 79bar.dll@0x3ab27 ] [@ pabar.dll@0x3b317 ] [@ u4bar.dll@0x3b317 ] → [@ 1vbar.dll@0x3ab27 ] [@ 7dbar.dll@0x3ab27 ] [@ 2zbar.dll@0x3b3c7 ] [@ 64bar.dll@0x3ab27] [@ 79bar.dll@0x3ab27 ] [@ pabar.dll@0x3b317 ] [@ u4bar.dll@0x3b317 ] [@ 3vbar.dll@0x3b317 ]
Summary: Crash [@ 1vbar.dll@0x3ab27 ][@ 7dbar.dll@0x3ab27 ][@ 2zbar.dll@0x3b3c7 ][@ 64bar.dll@0x3ab27][@ 79bar.dll@0x3ab27 ][@ pabar.dll@0x3b317 ][@ u4bar.dll@0x3b317 ] with several add-on names of the same toolbar, mainly Smiley Central 1.1 → Crash with several add-on names of the same toolbar, mainly Smiley Central 1.1
Closing old blocklist bugs. Please reopen if the problem still exists.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Product: addons.mozilla.org → Toolkit