crash in _invoke_watson from TmBpFfCore.dll (Trend Micro Browser Exploit Prevention)

RESOLVED INCOMPLETE

Status

External Software Affecting Firefox
Other
--
critical
5 years ago
2 years ago

People

(Reporter: tracy, Unassigned)

Tracking

({crash})

Firefox Tracking Flags

(Not tracked)

Description

5 years ago
This bug was filed from the Socorro interface and is report bp-ff1690c1-3179-474c-84c0-e99a82140115.
=============================================================

Frame 	Module 	Signature 	Source
0 	msvcr110.dll 	_invoke_watson 	
1 	msvcr110.dll 	_invalid_parameter 	
2 	msvcr110.dll 	_invalid_parameter_noinfo 	
3 	msvcr110.dll 	_fcloseall 	
4 	TmBpFfCore.dll 	TmBpFfCore.dll@0x4f457 	
5 	TmBpFfCore.dll 	TmBpFfCore.dll@0x4a987 	
6 	TmBpFfCore.dll 	TmBpFfCore.dll@0x240ad 	
7 	TmBpFfCore.dll 	TmBpFfCore.dll@0x2126d 	
8 	TmBpFfCore.dll 	TmBpFfCore.dll@0x1d98d 	
9 	xul.dll 	nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions &,JS::Value *,void * *) 	dom/base/nsJSUtils.cpp
10 	xul.dll 	XPCJSContextStack::Push(JSContext *) 	js/xpconnect/src/XPCJSContextStack.cpp

This crash has been around in very very low volume but just spiked in volume. Something from MS patch Tuesday?
Many crashes at popular sites: facebook, yahoo finances, etc.

Total Count 	URL
38 	https://www.facebook.com/
20 	about:blank
11 	http://movies.yahoo.com/photos/kids-of-oscar-legends-slideshow/
8 	http://finance.yahoo.com/
6 	https://www.facebook.com/login.php?login_attempt=1
6 	http://my.yahoo.com/
4 	https://www.facebook.com/?ref=tn_tnmn
3 	http://l.yimg.com/rq/darla/2-7-2/html/r-sf.html
3 	http://slightlyviral.com/getting-the-best-deals-at-costco/
3 	http://www.wunderground.com/cgi-bin/findweather/getForecast?query=zmw:95652.5.99999
2 	https://finance.yahoo.com/portfolio/pf_2/view/v1

Interestingly, there are no reports of this on Fx versions > 26

Comment 1

5 years ago
From IRC:

<bsmedberg> KaiRo: it's an invalid-parameter call to _fcloseall from tmbbffcore.dll, which the internet claims is "Trend Micro Browser Exploit Prevention"

Comment 2

5 years ago
According to http://www.herdprotect.com/tmbpffcore.dll-1356df9cb716e9afa65e8357d879866365c82e3e.aspx this is Trend Micro browser exploit prevention. I expect that a Microsoft update on patch Tuesday is causing their code to throw this new exception.

This is delivered via a Firefox extension: tmbepff@trendmicro.com. I'm collecting some data to see whether this extension is ever enabled in Firefox 26.
Summary: crash in _invoke_watson → crash in _invoke_watson from TmBpFfCore.dll (Trend Micro Browser Exploit Prevention)

Comment 3

5 years ago
I randomly looked at several reports. Each of them has tmbepff@trendmicro.com, version 8.0.0.1135, installed.

Comment 4

5 years ago
Release managers, do you know if we have any contacts at Trend Micro?

Comment 5

5 years ago
From the data, it does seem to be correct that this crash doesn't appear in FF27, but it does appear in FF26 and 25. This could be because this software has version-specific XPCOM components or JSAPI usage. The extension is enabled in FF27 betas, because I'm seeing other unrelated crash reports with the addon present.
Flags: needinfo?(release-mgmt)
Flags: needinfo?(jorge)

In my debugger I'm seeing msvcr110!wcscpy_s rather than _fcloseall.

The CRT is terminating the process because wcscpy_s received a destination buffer too small for the copy. (It would also terminate if the source or destination were null, but that's not what I'm seeing on the stack)

In the frames below TmBpFfCore, xul tried to call through an import into mozjs!JS::Evaluate. Maybe the extension hooks Evaluate in order to do validation?

I can't see the string being copied, but I can see the length. It's always 2083 (0x823) characters long, across reports from different machines and URLs. That would suggest it's either a string from the TmBpFfCore or from some common JS library.
Some searching reveals that 2083 is the maximum length of a URL on some other browsers.

I installed a trial version of this software on a VM and can reproduce the crash by visiting a sufficiently long URL. longurlmaker.com can help with this.

I suspect the code has a stack buffer in the typical pattern:
  wchar_t buf[MAX];
  wcscpy_s(buf, MAX, src);
or similar.

Maybe FF doesn't have the length limitation so longer stuff can get through to this code and crash it.

With the symptoms I'm seeing, I'm more inclined to suspect a version update of the extension rather than Patch Tuesday of the OS. Since this crash is specific to version 8.0.0.1135 and it's pretty new (timestamp mid December), maybe it was released just recently.
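
The failure mode analysed in the comment above, as an added example (not part of the bug report and not Trend Micro's code): a portable stand-in for the wcscpy_s contract, with a hypothetical URL hook that reports an oversized URL to its caller instead of letting the CRT end the process. The names checked_wcscpy, inspect_url_fixed and probe, and the 2084-element buffer, are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Assumed capacity: the 2083 characters from the comment plus a terminator. */
#define URL_BUF_CHARS 2084

/* Portable stand-in for the wcscpy_s contract. Where this returns an error,
 * the MSVC CRT also calls its invalid-parameter handler, whose default ends
 * the process (the _invalid_parameter / _invoke_watson frames). */
static int checked_wcscpy(wchar_t *dst, size_t dst_chars, const wchar_t *src)
{
    size_t n = 0;
    if (dst == NULL || dst_chars == 0) return EINVAL;
    if (src == NULL) { dst[0] = L'\0'; return EINVAL; }
    while (n < dst_chars && src[n] != L'\0') n++;
    if (n == dst_chars) { dst[0] = L'\0'; return ERANGE; } /* no room for NUL */
    wmemcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical URL hook with a fixed stack buffer: returns the number of
 * characters copied, or -1 so the caller can skip or block the oversized URL. */
static long inspect_url_fixed(const wchar_t *url)
{
    wchar_t buf[URL_BUF_CHARS];
    if (checked_wcscpy(buf, URL_BUF_CHARS, url) != 0) return -1;
    return (long)wcslen(buf);
}

/* Runs the hook on a constructed URL-like string of exactly len characters. */
static long probe(size_t len)
{
    wchar_t *url = calloc(len + 1, sizeof *url);
    if (url == NULL) return -2;
    wmemset(url, L'a', len);
    long r = inspect_url_fixed(url);
    free(url);
    return r;
}

int main(void)
{
    printf("2083 chars: %ld, 2084 chars: %ld\n", probe(2083), probe(2084));
    return 0;
}
```

The boundary sits exactly one character past the assumed buffer capacity: a 2083-character input is copied, a 2084-character input is refused with an error the caller can act on.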

Updated

5 years ago
Crash Signature: [@ _invoke_watson] → [@ _invoke_watson] [@ tmbpffcore.dll@0xa98b7]

(In reply to David Major [:dmajor] from comment #7)
> With the symptoms I'm seeing, I'm more inclined to suspect a version update
> of the extension rather than Patch Tuesday of the OS. Since this crash is
> specific to version 8.0.0.1135 and it's pretty new (timestamp mid December),
> maybe it was released just recently.

I've confirmed that the crash does not occur with extension version 8.0.1095 (that's the version you get in the download package, if you don't let it auto-update after installation).

I believe Release Management had a contact and was pursuing it. Let me know if you need any action on my part.
Flags: needinfo?(jorge)

(In reply to Jorge Villalobos [:jorgev] from comment #9)
> I believe Release Management had a contact and was pursuing it. Let me know
> if you need any action on my part.

There's been no reply on that mail thread.

But there are still no reports on versions >= 27, so I guess this issue will just go away after next week's release.

We didn't hear back from the contact, and as mentioned in comment 10, this should no longer be an issue as of next Tuesday.
Flags: needinfo?(release-mgmt)

Comment 12

5 years ago
I posted a note on the Trend Micro community forum and they replied that the extension is now compatible with Firefox 26 (as of today).  See http://community.trendmicro.com/t5/Titanium/Trend-Micro-BEP-Firefox-extenion-8-0-0-1135-causes-Firefox-to/m-p/147051/highlight/false#M13202 

Barbara

Comment 13

5 years ago
Jorge, can we mark older versions incompatible with Firefox 26 from AMO, or do we need to deploy a blocklist entry in order for that to happen?
Flags: needinfo?(jorge)

I think I can add it to the compatibility override list without it being listed on AMO. Versions 0 - 8.0.0.1135 incompatible with 26 - *, right?
Flags: needinfo?(jorge)

Let's make sure the problem is fixed first. I've been trying to verify on my repro VM, but the update utility hasn't offered me anything beyond 8.0.0.1135 yet. Maybe it takes a while to roll out...
Component: General → Other
Product: Firefox → External Software Affecting Firefox
Version: 26 Branch → unspecified

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE