Closed
Bug 646302
Opened 14 years ago
Closed 11 months ago
crashes in [@ PKIX_RevocationChecker_Create ] and [@ Kazahook.dll@0x12f83 ] and other Kazahook.dll addresses where libpkix/pkix/checker/pkix_revocationchecker.c:6be9e31d01b4 is on the stack
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
RESOLVED
INACTIVE
People
(Reporter: chofmann, Unassigned)
Details
Attachments
(1 file)
11.93 KB,
text/plain
ran across several crashes like this
https://crash-stats.mozilla.com/report/index/9dde3ef9-6d89-48ee-8c92-e7f792110328
0 @0x12fa37
1 @0x12fb03
2 nss3.dll PKIX_RevocationChecker_Create security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c:228
3 mozcrt19.dll arena_dalloc_small obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4162
4 mozcrt19.dll free obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:6130
5 xul.dll CommandLine::Init ipc/chromium/src/base/command_line.cc:175
more reports like this at
https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=Kazahook.dll%400x12f83&date=03%2F29%2F2011%2017%3A47%3A18&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=1&signature=Kazahook.dll%400x12f83
and some others that have nearby code close to the top of the stack.
https://crash-stats.mozilla.com/report/index/19cc1d3f-6e00-421a-a97f-3a1242110325
0 Kazahook.dll Kazahook.dll@0x12f83
1 oleaut32.dll GetAppData
2 Kazahook.dll Kazahook.dll@0x87fc
3 Kazahook.dll Kazahook.dll@0x215d3
4 xul.dll xul.dll@0xeacbf
5 nss3.dll PKIX_RevocationChecker_Create security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c:221
6 nss3.dll PK11_InitPin security/nss/lib/pk11wrap/pk11auth.c:472
7 mozjs.dll js::NodeBuilder::comprehensionExpression js/src/jsreflect.cpp:1209
8 Kazahook.dll Kazahook.dll@0x1ea90
more reports like this at https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=Kazahook.dll%400x12f83&date=03%2F29%2F2011%2017%3A47%3A18&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=1&signature=Kazahook.dll%400x12f83
Reporter
Comment 1•14 years ago
more complete list of all the signatures where code from libpkix/pkix/checker/pkix_revocationchecker.c is near the top of the stack.
if these aren't all the same bug or sets of bugs we can turn this into a tracker and spin off other bugs.
most of these don't have comments so code inspection might be the best place to start.
not sure if the urls will be useful either. it's a wide set of user-facing sites
Reporter
Comment 2•14 years ago
revised list of sites with the protocol added. looks like many of these are mixed content or http
Comment 3•13 years ago
The crashing line at
2 nss3.dll PKIX_RevocationChecker_Create
security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c:228
has this code:
cleanup:
PKIX_DECREF(checker);
However, the stack looks unexpected.
Is it ever possible that jemalloc makes a direct call to PKIX_RevocationChecker_Create?
The implementation of PKIX_DECREF does a null check.
Comment 4•13 years ago
Is kazahook malware?
This stack looks like the flow of execution is redirected through kazahook each time we make a function call.
14 PKIX_RevocationChecker_Create hg:
9 Kazahook.dll@0x141d1 hg:
7 PKIX_RevocationChecker_Check hg:
5 Kazahook.dll@0x12f83 hg:
4 normaliz.dll@0x4efa hg:
4 kazahook.dll@0x1420b hg:
4 AcroForm.api@0x245ac1 hg:
3 vlsp.dll@0x7a46 hg:
3 GrabXpcom.dll@0x25a53 hg:
2 nss3.dll@0x80077 hg:
1 xul.dll@0x496658 hg:
Comment 5•13 years ago
> Is it ever possible that jemalloc makes a direct call to
> PKIX_RevocationChecker_Create?
Given that jemalloc is not part of NSS, and PKIX_RevocationChecker_Create
is a private internal NSS function, I'm confident that jemalloc does not
call the PKIX function directly.
kazahook is third-party code for which we don't have symbols; there's no requirement that the stack trace past its frames is remotely valid...
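A triage sketch for the point made in comments 3 to 5, added here and not code from the bug, NSS, or the crash-stats service: it parses frames in the layout shown in the description and marks every frame walked after the first frame without symbols as suspect. The names `parse_stack` and `triage` and the assumed `<n> <module> <function> <file:line>` layout are illustrative assumptions.

```python
import re
from typing import NamedTuple, Optional

# Second stack from the bug description, copied one frame per line.
STACK_B = """\
0 Kazahook.dll Kazahook.dll@0x12f83
1 oleaut32.dll GetAppData
2 Kazahook.dll Kazahook.dll@0x87fc
3 Kazahook.dll Kazahook.dll@0x215d3
4 xul.dll xul.dll@0xeacbf
5 nss3.dll PKIX_RevocationChecker_Create security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c:221
6 nss3.dll PK11_InitPin security/nss/lib/pk11wrap/pk11auth.c:472
7 mozjs.dll js::NodeBuilder::comprehensionExpression js/src/jsreflect.cpp:1209
8 Kazahook.dll Kazahook.dll@0x1ea90
"""
RAW_ADDR = re.compile(r"@0x[0-9a-fA-F]+$")  # frame named only by an address

class Frame(NamedTuple):
    index: int
    module: Optional[str]
    function: str
    source: Optional[str]

def symbolized(frame):
    return not RAW_ADDR.search(frame.function)

def parse_stack(text):
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue                      # not a "<n> ..." frame line
        if parts[1].startswith("@0x"):    # address only, module unknown
            parts.insert(1, None)
        function = parts[2] if len(parts) > 2 else parts[1]
        source = parts[3] if len(parts) > 3 else None
        frames.append(Frame(int(parts[0]), parts[1], function, source))
    return frames

def triage(frames):
    """Split a stack at the first frame that has no symbol name."""
    cut = next((f.index for f in frames if not symbolized(f)), None)
    suspect = [] if cut is None else [f for f in frames if f.index > cut]
    no_syms = sorted({f.module for f in frames if f.module and not symbolized(f)})
    return {"first_unsymbolized": cut, "suspect": suspect,
            "modules_without_symbols": no_syms}
```

For this stack the split happens at frame 0, so the `PKIX_RevocationChecker_Create` frame falls in the suspect portion, which is the reading comment 5 gives.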
Updated•2 years ago
Severity: normal → S3
Updated•11 months ago
Severity: S3 → N/A
Status: NEW → RESOLVED
Closed: 11 months ago
Priority: -- → P5
Resolution: --- → INACTIVE