Closed Bug 646302 Opened 14 years ago Closed 11 months ago

crashes in [@ PKIX_RevocationChecker_Create ] and [@ Kazahook.dll@0x12f83 ] and other Kazahook.dll addresses where libpkix/pkix/checker/pkix_revocationchecker.c:6be9e31d01b4 is on the stack

Categories

(NSS :: Libraries, defect, P5)

x86
Windows XP

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: chofmann, Unassigned)

Details

Attachments

(1 file)

ran across several crashes like this

https://crash-stats.mozilla.com/report/index/9dde3ef9-6d89-48ee-8c92-e7f792110328

0 @0x12fa37
1 @0x12fb03
2 nss3.dll PKIX_RevocationChecker_Create security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c:228
3 mozcrt19.dll arena_dalloc_small obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4162
4 mozcrt19.dll free obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:6130
5 xul.dll CommandLine::Init ipc/chromium/src/base/command_line.cc:175

more reports like this at
https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=Kazahook.dll%400x12f83&date=03%2F29%2F2011%2017%3A47%3A18&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=1&signature=Kazahook.dll%400x12f83

and some other that have nearby code close to the top of the stack.

https://crash-stats.mozilla.com/report/index/19cc1d3f-6e00-421a-a97f-3a1242110325

0 Kazahook.dll Kazahook.dll@0x12f83
1 oleaut32.dll GetAppData
2 Kazahook.dll Kazahook.dll@0x87fc
3 Kazahook.dll Kazahook.dll@0x215d3
4 xul.dll xul.dll@0xeacbf
5 nss3.dll PKIX_RevocationChecker_Create security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c:221
6 nss3.dll PK11_InitPin security/nss/lib/pk11wrap/pk11auth.c:472
7 mozjs.dll js::NodeBuilder::comprehensionExpression js/src/jsreflect.cpp:1209
8 Kazahook.dll Kazahook.dll@0x1ea90

more reports like this at
https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=Kazahook.dll%400x12f83&date=03%2F29%2F2011%2017%3A47%3A18&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=1&signature=Kazahook.dll%400x12f83
more complete list of all the signatures where code from libpkix/pkix/checker/pkix_revocationchecker.c is near the top of the stack. if these aren't all the same bug or sets of bugs we can turn this into a tracker and spin off other bugs. most of these don't have comments so code inspection might be the best place to start. not sure if the urls will be useful either. its a wide set of user facing sites
revised list of sites with the protocol added. looks like many of these are mixed content or http
The crashing line at

2 nss3.dll PKIX_RevocationChecker_Create security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c:228

has this code:

cleanup:
    PKIX_DECREF(checker);

However, the stack looks unexpected. Is it ever possible that jemalloc makes a direct call to PKIX_RevocationChecker_Create?

The implementation of PKIX_DECREF does a null check.
Is kazahook a malware? This stack looks like the flow of execution is redirected through kazahook each time we make a function call.

14 PKIX_RevocationChecker_Create hg:
9 Kazahook.dll@0x141d1 hg:
7 PKIX_RevocationChecker_Check hg:
5 Kazahook.dll@0x12f83 hg:
4 normaliz.dll@0x4efa hg:
4 kazahook.dll@0x1420b hg:
4 AcroForm.api@0x245ac1 hg:
3 vlsp.dll@0x7a46 hg:
3 GrabXpcom.dll@0x25a53 hg:
2 nss3.dll@0x80077 hg:
1 xul.dll@0x496658 hg:
> Is it ever possible that jemalloc makes a direct call to
> PKIX_RevocationChecker_Create?

Given that jemalloc is not part of NSS, and PKIX_RevocationChecker_Create is a private internal NSS function, I'm confident that jemalloc does not call the PKIX function directly.
kazahook is third party code for which we don't have symbols, there's no requirement that the stack trace past its frames is remotely valid...
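The point made in the comment above can be applied mechanically when triaging reports like these. The following is an added example, not part of the bug thread and not Mozilla or crash-stats code: it parses frames in the layout quoted in comment 0 and marks every named frame that sits below the first frame without symbols as suspect. The names `parse_frames` and `triage` are hypothetical, and the "everything older than the first unresolved frame" rule is a triage heuristic, not a statement about how the stack walker works.

```python
import re

# Added example; parse_frames/triage are illustrative names, not crash-stats or NSS code.
# Frame layout used by the reports quoted in comment 0:
#   <index> [<module>] <symbol | module@0xoffset | @0xaddress> [<source>:<line>]
FRAME_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?:(?P<module>[\w.-]+\.(?:dll|api|exe))\s+)?"
    r"(?P<symbol>\S+)(?:\s+(?P<source>\S+:\d+))?$", re.IGNORECASE)
RAW_ADDR_RE = re.compile(r"^(?P<module>.*)@0x[0-9a-f]+$", re.IGNORECASE)

# Frames copied from the second report in comment 0 (Kazahook.dll@0x12f83).
REPORT_B = """\
0 Kazahook.dll Kazahook.dll@0x12f83
1 oleaut32.dll GetAppData
2 Kazahook.dll Kazahook.dll@0x87fc
3 Kazahook.dll Kazahook.dll@0x215d3
4 xul.dll xul.dll@0xeacbf
5 nss3.dll PKIX_RevocationChecker_Create security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c:221
6 nss3.dll PK11_InitPin security/nss/lib/pk11wrap/pk11auth.c:472
7 mozjs.dll js::NodeBuilder::comprehensionExpression js/src/jsreflect.cpp:1209
8 Kazahook.dll Kazahook.dll@0x1ea90
"""

def parse_frames(text):
    """Parse frame lines; 'resolved' is False for bare addresses and module@0xoffset."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # not a frame line
        raw = RAW_ADDR_RE.match(m["symbol"])
        module = m["module"] or (raw["module"] if raw else None) or "<unknown>"
        frames.append({"idx": int(m["idx"]), "module": module.lower(),
                       "symbol": m["symbol"], "resolved": raw is None})
    return frames

def triage(text):
    """Flag named frames that are older than the first frame without symbols."""
    frames = parse_frames(text)
    unresolved = [f for f in frames if not f["resolved"]]
    first = unresolved[0]["idx"] if unresolved else None
    suspect = [f["symbol"] for f in frames
               if first is not None and f["idx"] > first and f["resolved"]]
    return {"first_unresolved": first,
            "no_symbol_modules": sorted({f["module"] for f in unresolved}),
            "suspect": suspect}

if __name__ == "__main__":
    print(triage(REPORT_B))
```

For both reports in comment 0 the first unresolved frame is frame 0, so PKIX_RevocationChecker_Create lands in the suspect set in each of them.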
Severity: normal → S3
Severity: S3 → N/A
Status: NEW → RESOLVED
Closed: 11 months ago
Priority: -- → P5
Resolution: --- → INACTIVE