Error thrown in console when running target.cppunittest.tests
Categories
(Core :: mozglue, defect)
Tracking
()
People
(Reporter: mboldan, Assigned: toshi)
References
Details
(Keywords: regressionwindow-wanted)
Attachments
(4 files)
dllinterceptor.png
[Affected versions]:
- Firefox 78.0b1
[Affected platforms]:
- Windows 7 64
[Steps to reproduce]:
- Download target.cppunittest.tests.zip from https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta&revision=d8660eabf305&selectedJob=178353557 (Fx61.0b5 - Windows 2012 x64 opt N) if using Windows 64bit, otherwise use https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta&revision=d8660eabf305&selectedJob=178353575
- Unzip the content
- Open CMD in the folder the content was extracted in the previous step.
- Type 'TestDllInterceptor.exe' and hit Enter
[Expected result]:
- Bunch of tests run in CMD without issues
[Actual result]:
- One fail test is displayed - TEST-FAILED | WindowsDllInterceptor | Failed to hook ntdll!NtMapViewOfSection v
a 10-byte patch
[Regression]:
I will search for a regression ASAP.
[Notes]:
- This issue was reproducible with AVG (20.3.3120)and Avast (20.3.2405) turned on.
- Note that the issue was not reproducible with Kaspersky AV, or with the antiviruses from previous note, turned off.
|
Reporter | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Comment 1•4 years ago
|
||
(In reply to Mihai Boldan, QA [:mboldan] from comment #0)
- Download target.cppunittest.tests.zip from https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta&revision=d8660eabf305&selectedJob=178353557 (Fx61.0b5 - Windows 2012 x64 opt N) if using Windows 64bit, otherwise use https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta&revision=d8660eabf305&selectedJob=178353575
The correct URL we used for downloading Fx and the tests is https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta&fromchange=6deceec9bafc3947e6456ba87072f7e93c53e95d&selectedTaskRun=dNtButehRRiTNDnlzL3dcw-0
|
Assignee | |
Comment 2•4 years ago
|
||
I could reproed TestDllInterceptor.exe's failure with AVG. I also confirmed Firefox 76 or 79 Nightly could launch on the same environment with AVG. Let me figure out what's going on..
|
|
Assignee | |
Comment 3•4 years ago
|
||
The test failure is caused by AVG's hook which our detour cannot handle as shown below. This is not a regression on our side.
AVG does not break Firefox because their hook is applied after we applied our hook onto NtMapViewOfSection. This means we did our hook, but it was overwritten by AVG. As a result, Firefox runs normally but our blocklist does not work.
Because they have a kernel driver, there is no easy way to keep our full functionality with AVG. What we can do is to update our detour to support this pattern.
ntdll!NtMapViewOfSection:
00007ffa`f287c560 e9d33cfebf jmp 00007ffa`b2860238
00007ffa`b2860238 ff25f2ffffff jmp qword ptr [00007ffa`b2860230] --> 00007ffa`e57a2ad0
aswhook+0x2ad0:
00007ffa`e57a2ad0 4055 push rbp
00007ffa`e57a2ad2 53 push rbx
00007ffa`e57a2ad3 56 push rsi
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 4•4 years ago
|
||
This patch moves the logics of jump detection from ResolveRedirectedAddress to
ReadOnlyTargetFunction to simplify ReadOnlyTargetFunction.
|
|
Assignee | |
Comment 5•4 years ago
|
||
Depends on D81580
|
|
Assignee | |
Comment 6•4 years ago
|
||
AVG AntiVirus hooks ntdll!NtMapViewOfSection by planting two JMP instructions,
jumping to a trampoline area first, then jumping to aswhook.dll.
ntdll!NtMapViewOfSection:
00007ffa`6d77c560 e9d33cfebf jmp 00007ffa`2d760238
00007ffa`2d760238 ff25f2ffffff jmp qword ptr [00007ffa`2d760230] --> 00007ffa`541e2ad0
aswhook+0x2ad0:
00007ffa`541e2ad0 4055 push rbp
00007ffa`541e2ad2 53 push rbx
00007ffa`541e2ad3 56 push rsi
With this patch, our detour can detour on top of that pattern. The first part is
to remove the MEM_IMAGE check from IsPageAccessible. The second part is to introduce
a loop in ResolveRedirectedAddress to resolve a chain of jumps.
Depends on D81581
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 7•4 years ago
|
||
I was wrong in the following part of my comment 3. AVG's hook comes after our hook, but their hook calls our hook as the original function. Thus our blocklist functions normally with AVG.
AVG does not break Firefox because their hook is applied after we applied our hook onto
NtMapViewOfSection. This means we did our hook, but it was overwritten by AVG. As a result, Firefox runs normally but our blocklist does not work.
|
|
||
Updated•4 years ago
|
Pushed by cbrindusan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9b129ac9f2d7 Part1: Take out jump detection from ReadOnlyTargetFunction. r=handyman https://hg.mozilla.org/integration/autoland/rev/9e7f86782589 Part2: Handle JAE and Opcode83 on x64 without REX Prefix. r=handyman https://hg.mozilla.org/integration/autoland/rev/313b964013b6 Part3: Handle a detour pattern of multple jumps. r=handyman
|
||
Comment 9•4 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9b129ac9f2d7
https://hg.mozilla.org/mozilla-central/rev/9e7f86782589
https://hg.mozilla.org/mozilla-central/rev/313b964013b6
|
||
Comment 10•4 years ago
|
||
Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.
|
|
||
Comment 11•4 years ago
|
||
Is this something we should consider uplifting or can it ride the trains to release?
|
|
Assignee | |
Comment 12•4 years ago
|
||
This is not causing a real user's problem on Firefox so far. No need to uplift to ESR78.
|
|
||
Comment 13•4 years ago
|
||
The patch landed in nightly and beta is affected.
:toshi, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
||
Comment 14•4 years ago
•
|
||
Reproduced the issue with Firefox 78.0b1 (20200601095246) unit tests on Windows 7x64 with AVG Free v20.6 and Avast Free v20.6.
Sadly when verifying this with 80.0RC2 (20200818235255) I get this error: TEST-UNEXPECTED-FAIL | WindowsDllInterceptor | Failed to detour LdrLoadDll from ntdll.dll. This happens both with Avast Free and Avg Free. If I disable the antivirus all checks passed. I don't know if it's the same issue as bug 1588243 or, if it’s not, should we file another bug on this matter? Thank you!
|
|
Assignee | |
Updated•4 years ago
|
|
||
Comment 15•4 years ago
|
||
Happened to me too on Windows 7 and Avast Free Antivirus, the same output in terminal, with Firefox 82.0b1
|
|
Assignee | |
Comment 16•4 years ago
|
||
(In reply to Catalin Sasca, QA [:csasca] from comment #15)
Happened to me too on Windows 7 and Avast Free Antivirus, the same output in terminal, with Firefox 82.0b1
Thank you for reporting it. I confirmed the error with Avast (both on Win7 and Win10), too. It seems that the assembly of aswhook's function was changed. The same symptom, but the root cause is different. I'll file a new bug.
ntdll!LdrLoadDll:
00007ff9`d8f04380 e933c304c0 jmp 00007ff9`98f506b8
00007ff9`98f506b8 ff25f2ffffff jmp qword ptr [00007ff9`98f506b0] --> 00007ff9`b6814140
aswhook+0x4140:
00007ff9`b6814140 4053 push rbx
00007ff9`b6814142 4883ec20 sub rsp,20h
00007ff9`b6814146 ff157c6b0000 call qword ptr [aswhook+0xacc8 (00007ff9`b681acc8)]
00007ff9`b681414c 8bd8 mov ebx,eax
00007ff9`b681414e e88d100000 call aswhook+0x51e0 (00007ff9`b68151e0)
Description
•