Closed Bug 960556 Opened 11 years ago Closed 9 years ago

crash in _invoke_watson from TmBpFfCore.dll (Trend Micro Browser Exploit Prevention)

Categories

(External Software Affecting Firefox :: Other, defect)

x86
Windows NT
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: tracy, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-ff1690c1-3179-474c-84c0-e99a82140115.
=============================================================
Frame  Module          Signature  Source
0      msvcr110.dll    _invoke_watson
1      msvcr110.dll    _invalid_parameter
2      msvcr110.dll    _invalid_parameter_noinfo
3      msvcr110.dll    _fcloseall
4      TmBpFfCore.dll  TmBpFfCore.dll@0x4f457
5      TmBpFfCore.dll  TmBpFfCore.dll@0x4a987
6      TmBpFfCore.dll  TmBpFfCore.dll@0x240ad
7      TmBpFfCore.dll  TmBpFfCore.dll@0x2126d
8      TmBpFfCore.dll  TmBpFfCore.dll@0x1d98d
9      xul.dll         nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions &,JS::Value *,void * *)  dom/base/nsJSUtils.cpp
10     xul.dll         XPCJSContextStack::Push(JSContext *)  js/xpconnect/src/XPCJSContextStack.cpp

This crash has been around in very very low volume but just spiked in volume. Something from MS patch Tuesday? Many crashes at popular sites. facebook, yahoo finances, etc.

Total Count  URL
38           https://www.facebook.com/
20           about:blank
11           http://movies.yahoo.com/photos/kids-of-oscar-legends-slideshow/
8            http://finance.yahoo.com/
6            https://www.facebook.com/login.php?login_attempt=1
6            http://my.yahoo.com/
4            https://www.facebook.com/?ref=tn_tnmn
3            http://l.yimg.com/rq/darla/2-7-2/html/r-sf.html
3            http://slightlyviral.com/getting-the-best-deals-at-costco/
3            http://www.wunderground.com/cgi-bin/findweather/getForecast?query=zmw:95652.5.99999
2            https://finance.yahoo.com/portfolio/pf_2/view/v1

Interestingly, there are no reports of this on Fx versions > 26.
From IRC: <bsmedberg> KaiRo: it's an invalid-parameter call to _fcloseall from tmbbffcore.dll, which the internet claims is "Trend Micro Browser Exploit Prevention"
According to http://www.herdprotect.com/tmbpffcore.dll-1356df9cb716e9afa65e8357d879866365c82e3e.aspx this is Trend Micro browser exploit prevention. I expect that a Microsoft update on patch Tuesday is causing their code to throw this new exception. This is delivered via a Firefox extension: tmbepff@trendmicro.com. I'm collecting some data to see whether this extension is ever enabled in Firefox 26.
Summary: crash in _invoke_watson → crash in _invoke_watson from TmBpFfCore.dll (Trend Micro Browser Exploit Prevention)
I randomly looked at several reports. Each of them has tmbepff@trendmicro.com, version - 8.0.0.1135 installed.
Release managers, do you know if we have any contacts at Trend Micro?
From the data, it does seem to be correct that this crash doesn't appear in FF27, but it does appear in FF26 and 25. This could be because this software has version-specific XPCOM components or JSAPI usage. The extension is enabled in FF27 betas, because I'm seeing other unrelated crash reports with the addon present.
Flags: needinfo?(release-mgmt)
Flags: needinfo?(jorge)
In my debugger I'm seeing msvcr110!wcscpy_s rather than _fcloseall. The CRT is terminating the process because wcscpy_s received a destination buffer too small for the copy. (It would also terminate if the source or destination were null, but that's not what I'm seeing on the stack.)

In the frames below TmBpFfCore, xul tried to call through an import into mozjs!JS::Evaluate. Maybe the extension hooks Evaluate in order to do validation?

I can't see the string being copied, but I can see the length. It's always 2083 (0x823) characters long, across reports from different machines and URLs. That would suggest it's either a string from the TmBpFfCore or from some common JS library.
Some searching reveals that 2083 is the maximum length of a URL on some other browsers. I installed a trial version of this software on a VM and can reproduce the crash by visiting a sufficiently long URL. longurlmaker.com can help with this.

I suspect the code has a stack buffer in the typical pattern:

    wchar_t buf[MAX];
    wcscpy_s(buf, MAX, src);

or similar. Maybe FF doesn't have the length limitation so longer stuff can get through to this code and crash it.

With the symptoms I'm seeing, I'm more inclined to suspect a version update of the extension rather than Patch Tuesday of the OS. Since this crash is specific to version 8.0.0.1135 and it's pretty new (timestamp mid December), maybe it was released just recently.
Crash Signature: [@ _invoke_watson] → [@ _invoke_watson] [@ tmbpffcore.dll@0xa98b7]
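The fixed-buffer pattern suspected in comment 7, handled without a process-terminating copy. This is an added example, not code from the bug, from Trend Micro or from Mozilla; `MAX`, `copy_checked` and `inspect_string` are hypothetical names and the buffer size is an assumption. It shows the edge case where a string of exactly `MAX` characters does not fit a `MAX`-element buffer, and a fallback that sizes the copy from the input:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
#define MAX 2083  /* assumed element count; the page does not give the real size */

/* Like wcscpy_s, but returns an error and empties dst instead of invoking
   the CRT invalid-parameter handler when src does not fit. */
int copy_checked(wchar_t *dst, size_t dst_chars, const wchar_t *src)
{
    size_t n = 0;
    if (dst == NULL || dst_chars == 0)
        return EINVAL;
    dst[0] = L'\0';
    if (src == NULL)
        return EINVAL;
    while (n < dst_chars && src[n] != L'\0')
        n++;
    if (n == dst_chars)              /* no room for the terminator */
        return ERANGE;
    wmemcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical hook body. Returns 0 if the stack buffer was used, 1 if it
   fell back to a heap copy sized from the input, -1 on failure. */
int inspect_string(const wchar_t *src)
{
    wchar_t buf[MAX];
    if (src == NULL)
        return -1;
    if (copy_checked(buf, MAX, src) == 0)
        return 0;                    /* validate buf here */
    wchar_t *heap = malloc((wcslen(src) + 1) * sizeof *heap);
    if (heap == NULL)
        return -1;
    wcscpy(heap, src);               /* fits by construction; validate heap here */
    free(heap);
    return 1;
}

int main(void)
{
    static wchar_t url[4097];        /* constructed input, zero-terminated */
    wmemset(url, L'a', 4096);
    printf("4096 chars: %d\n", inspect_string(url));
    url[MAX - 1] = L'\0';            /* shorten to MAX - 1 characters */
    printf("%d chars: %d\n", MAX - 1, inspect_string(url));
    return 0;
}
```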
(In reply to David Major [:dmajor] from comment #7)
> With the symptoms I'm seeing, I'm more inclined to suspect a version update
> of the extension rather than Patch Tuesday of the OS. Since this crash is
> specific to version 8.0.0.1135 and it's pretty new (timestamp mid December),
> maybe it was released just recently.
I've confirmed that crash does not occur with extension version 8.0.1095 (that's the version you get in the download package, if you don't let it auto-update after installation).
I believe Release Management had a contact and was pursuing it. Let me know if you need any action on my part.
Flags: needinfo?(jorge)
(In reply to Jorge Villalobos [:jorgev] from comment #9)
> I believe Release Management had a contact and was pursuing it. Let me know
> if you need any action on my part.
There's been no reply on that mail thread. But there are still no reports on versions >= 27, so I guess this issue will just go away after next week's release.
We didn't hear back from the contact, and as mentioned in comment 10, this should no longer be an issue as of next Tuesday.
Flags: needinfo?(release-mgmt)
I posted a note on the Trend Micro community forum and they replied that the extension is now compatible with Firefox 26 (as of today). See http://community.trendmicro.com/t5/Titanium/Trend-Micro-BEP-Firefox-extenion-8-0-0-1135-causes-Firefox-to/m-p/147051/highlight/false#M13202 Barbara
Jorge, can we mark older versions incompatible with Firefox 26 from AMO, or do we need to deploy a blocklist entry in order for that to happen?
Flags: needinfo?(jorge)
I think I can add it to the compatibility override list without it being listed on AMO. Versions 0 - 8.0.0.1135 incompatible with 26 - *, right?
Flags: needinfo?(jorge)
Let's make sure the problem is fixed first. I've been trying to verify on my repro VM, but the update utility hasn't offered me anything beyond 8.0.0.1135 yet. Maybe it takes a while to roll out...
Component: General → Other
Product: Firefox → External Software Affecting Firefox
Version: 26 Branch → unspecified
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE