Re: Issue 379218 in chromium: Chrome: `anonymous namespace'::GetGranularAlignedRandomOffset


csh...@chromium.org
Jun 9, 2014, 10:21:51 AM6/9/14
to chrome-blackli...@chromium.org

Comment #9 on issue 379218 by csh...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
http://code.google.com/p/chromium/issues/detail?id=379218

I looked at some of the crash numbers and they don't all seem that bad,
I'll follow up offline.

--
You received this message because you were CC'd on the issue.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

Reply to this email to add a comment.

w...@chromium.org
Jun 11, 2014, 9:22:55 PM6/11/14
to chrome-blackli...@chromium.org

Comment #15 on issue 379218 by w...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
http://code.google.com/p/chromium/issues/detail?id=379218

This didn't completely prevent the crashes.

Upon further investigation, the One Key Theater software hooks LoadLibrary:

0:006> p
KERNELBASE!LoadLibraryExW:
000007fe`fd1c8ef0 e9c371e7ff jmp 000007fe`fd0400b8
0:006> p
000007fe`fd0400b8 48b8702d008001000000 mov rax,offset
ActiveDetect64!RemoveR3APIHook64+0xc0 (00000001`80002d70)

and this is causing a suspected race condition in rand_s when it tries to
load ADVAPI32.dll to call RtlGenRandom(), returning NULL and causing rand_s
to throw an invalid parameter.

There isn't much we can do about this, unfortunately. Perhaps adding a
delay before calling rand_s would work, but this would negatively impact
the performance of everyone else.

I think the best option is to try and fix their incompatibility, or that
affected users simply uninstall One Key Theater - since this software seems
to cause general system instability -
https://www.google.com/search?q=one%20key%20theater%20crash
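The WinDbg session in this comment shows the classic inline detour: the first instruction of KERNELBASE!LoadLibraryExW has been overwritten with `jmp rel32` (e9 c3 71 e7 ff) into ActiveDetect64. As an added example, not code from Chromium or from the thread, the C program below decodes those exact bytes and classifies an entry-point prologue so a crash investigator can confirm that an API has been detoured by a third-party DLL. The byte classifier is portable; the live check of a named export (`check_export`) is compiled on Windows only. All function and enum names are this example's own.

```c
/* Added example, not Chromium code: recognise inline detours at a function's
 * entry point. The constructed sample bytes are the ones WinDbg displayed for
 * KERNELBASE!LoadLibraryExW in comment #15. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    PROLOGUE_CLEAN = 0,        /* no recognised detour at the entry point */
    PROLOGUE_JMP_REL32 = 1,    /* e9 rel32: the pattern seen on LoadLibraryExW */
    PROLOGUE_JMP_RIP_REL = 2,  /* ff 25 disp32: jmp qword ptr [rip+disp32] */
    PROLOGUE_MOV_RAX_JMP = 3   /* 48 b8 imm64 / ff e0: mov rax, imm64; jmp rax */
} prologue_kind;

/* Decode where an e9 detour lands: target = address of the next instruction + rel32. */
uint64_t jmp_rel32_target(uint64_t insn_addr, const uint8_t *b) {
    int32_t rel;
    memcpy(&rel, b + 1, sizeof rel);   /* little-endian displacement follows the e9 opcode */
    return insn_addr + 5 + (uint64_t)(int64_t)rel;
}

/* Classify the first n bytes of a function; n must cover the pattern to match it. */
prologue_kind classify_prologue(const uint8_t *b, size_t n) {
    if (n >= 5 && b[0] == 0xE9) return PROLOGUE_JMP_REL32;
    if (n >= 6 && b[0] == 0xFF && b[1] == 0x25) return PROLOGUE_JMP_RIP_REL;
    if (n >= 12 && b[0] == 0x48 && b[1] == 0xB8 && b[10] == 0xFF && b[11] == 0xE0)
        return PROLOGUE_MOV_RAX_JMP;
    return PROLOGUE_CLEAN;
}

#ifdef _WIN32
#include <windows.h>
/* Read the live entry bytes of an export from an already-loaded module and
 * classify them. Returns -1 if the module or export cannot be resolved. */
int check_export(const wchar_t *module, const char *export_name, uint8_t *out, size_t n) {
    HMODULE h = GetModuleHandleW(module);
    if (!h) return -1;
    FARPROC p = GetProcAddress(h, export_name);
    if (!p) return -1;
    memcpy(out, (const void *)p, n);
    return (int)classify_prologue(out, n);
}
#endif

int main(void) {
    /* Constructed input: the bytes WinDbg showed at KERNELBASE!LoadLibraryExW. */
    const uint8_t hooked[5] = {0xE9, 0xC3, 0x71, 0xE7, 0xFF};
    /* Constructed input: an ordinary x64 prologue (mov [rsp+8],rbx). */
    const uint8_t clean[5] = {0x48, 0x89, 0x5C, 0x24, 0x08};
    printf("hooked bytes -> kind %d, target 0x%llx\n",
           (int)classify_prologue(hooked, sizeof hooked),
           (unsigned long long)jmp_rel32_target(0x000007FEFD1C8EF0ULL, hooked));
    printf("clean bytes  -> kind %d\n", (int)classify_prologue(clean, sizeof clean));
#ifdef _WIN32
    uint8_t live[12];
    int kind = check_export(L"kernelbase.dll", "LoadLibraryExW", live, sizeof live);
    printf("live LoadLibraryExW -> kind %d\n", kind);
#endif
    return 0;
}
```

Run as-is, the program reproduces the WinDbg arithmetic: the detour at 000007fe`fd1c8ef0 resolves to 000007fe`fd0400b8, which is the address the debugger stepped into. On Windows it additionally reads the real entry bytes of LoadLibraryExW, which is the quick way to tell a "rand_s throws invalid parameter" crash dump apart from a genuine CRT bug.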

w...@chromium.org
Jul 9, 2014, 12:49:28 PM7/9/14
to chrome-blackli...@chromium.org

Comment #16 on issue 379218 by w...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
http://code.google.com/p/chromium/issues/detail?id=379218

Issue 387634 has been merged into this issue.

ami...@chromium.org
Jul 21, 2014, 4:25:58 PM7/21/14
to chrome-blackli...@chromium.org
Updates:
Labels: -M-37 -ReleaseBlock-Stable M-38

Comment #17 on issue 379218 by amin...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
http://code.google.com/p/chromium/issues/detail?id=379218

Crash levels are at an acceptable level for M37. If we want to clean up
the rest, we can do that in a subsequent release. Removing release block,
punting full resolution to M38.

w...@chromium.org
Oct 13, 2014, 2:45:00 PM10/13/14
to chrome-blackli...@chromium.org

Comment #19 on issue 379218 by w...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

Taking version with most samples (40.0.2182.3) this is causing 106 browser
crashes out of 55921 which is 0.18% of crashes. This is still caused by
3rd party software putting hooks into LoadLibraryExW and there still isn't
much we can do about this, unfortunately. See comment #15.

ashe...@chromium.org
Oct 15, 2014, 11:01:21 AM10/15/14
to chrome-blackli...@chromium.org

mfo...@chromium.org
Jan 6, 2015, 6:55:47 PM1/6/15
to chrome-blackli...@chromium.org

Comment #20 on issue 379218 by mfo...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

Issue 446675 has been merged into this issue.

jsc...@chromium.org
Feb 26, 2015, 11:32:37 AM2/26/15
to chrome-blackli...@chromium.org

Comment #21 on issue 379218 by jsc...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

Issue 462120 has been merged into this issue.

mbo...@chromium.org
Apr 14, 2015, 6:07:29 PM4/14/15
to chrome-blackli...@chromium.org

ami...@chromium.org
Apr 15, 2015, 1:27:44 PM4/15/15
to chrome-blackli...@chromium.org

Comment #23 on issue 379218 by amin...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

This is still a malware crash:

1 %ProgramFiles%\lenovo\energy management\batterytestdll.dll 100.00% 17
2 %ProgramFiles%\lenovo\onekey theater\activedetect64.dll 100.00% 17
3 %ProgramFiles%\lenovo\onekey theater\windowsapihookdll64.dll 100.00% 17

wfh@, we already have a blacklist entry for this; per c#15, is there
anything further we can do with the blacklist to prevent this? If so,
let's do it; if not, let's close WontFix

w...@chromium.org
Apr 15, 2015, 1:34:31 PM4/15/15
to chrome-blackli...@chromium.org
Updates:
Status: ExternalDependency

Comment #24 on issue 379218 by w...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

Nothing more we can do on the blacklist, they are already on there but
still loading. I think the only thing remaining is to reach out to Lenovo
and see if they can fix the issue. I can do this.

pbom...@chromium.org
Jun 18, 2015, 3:45:31 PM6/18/15
to chrome-blackli...@chromium.org

Comment #26 on issue 379218 by pbom...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

Issue 501813 has been merged into this issue.

mman...@chromium.org
Jul 6, 2015, 3:19:02 PM7/6/15
to chrome-blackli...@chromium.org

bugd...@chromium.org
Sep 18, 2015, 4:04:37 PM9/18/15
to chrome-blackli...@chromium.org

Comment #28 on issue 379218 by bugd...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218#c28

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src.git/+/f4b1928eaa63736de442317980682bcf1244bd17

commit f4b1928eaa63736de442317980682bcf1244bd17
Author: wfh <w...@chromium.org>
Date: Fri Sep 18 20:02:52 2015

Replace calls to rand_s with calls to RtlGenRandom.

Add a test for GetGranularAlignedRandomOffset.

This potentially fixes two similar crashes in
sandbox::ApplyProcessMitigationsToSuspendedProcess and
sandbox::InterceptionManager::PatchNtdll.

BUG=379218,501813
TEST=sbox_unittests

Review URL: https://codereview.chromium.org/1342303003

Cr-Commit-Position: refs/heads/master@{#349748}

[modify]
http://crrev.com/f4b1928eaa63736de442317980682bcf1244bd17/sandbox/win/BUILD.gn
[modify]
http://crrev.com/f4b1928eaa63736de442317980682bcf1244bd17/sandbox/win/sandbox_win.gypi
[modify]
http://crrev.com/f4b1928eaa63736de442317980682bcf1244bd17/sandbox/win/src/interception.cc
[modify]
http://crrev.com/f4b1928eaa63736de442317980682bcf1244bd17/sandbox/win/src/interception_unittest.cc
[modify]
http://crrev.com/f4b1928eaa63736de442317980682bcf1244bd17/sandbox/win/src/process_mitigations.cc
[add]
http://crrev.com/f4b1928eaa63736de442317980682bcf1244bd17/sandbox/win/src/sandbox_rand.cc
[add]
http://crrev.com/f4b1928eaa63736de442317980682bcf1244bd17/sandbox/win/src/sandbox_rand.h

w...@chromium.org
Sep 21, 2015, 1:02:13 PM9/21/15
to chrome-blackli...@chromium.org

Comment #29 on issue 379218 by w...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

Issue 534449 has been merged into this issue.

w...@chromium.org
Sep 22, 2015, 1:23:59 PM9/22/15
to chrome-blackli...@chromium.org
Updates:
Cc: so...@chromium.org

Comment #30 on issue 379218 by w...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

The core issue here is that rand_s.c source changed between VS2010 and
VS2012, and this is when the crashes started. We saw similar crashes in omaha as
well (+sorin).

In VS2010 it was a LoadLibrary and in VS2012/VS2013 this became a
LoadLibraryExW with LOAD_LIBRARY_SEARCH_SYSTEM32. This broke the 3rd party
software hooking LoadLibrary and started causing the crashes. See screenshot
for the diff.

base::RandBytes implementation on Windows works around this by using the
technique in
https://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx to
use the export from advapi32.

Attachments:
rand_s_diff.png 73.7 KB
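As an added example (not Chromium's code and not base::RandBytes itself), the C program below does what this comment describes: it resolves the advapi32 export SystemFunction036, the name RtlGenRandom is exported under per the MSDN page linked above, with GetProcAddress rather than relying on the CRT's rand_s, and then uses the bytes to pick an offset aligned to an allocation granularity, which is the job the crashing function's name suggests. The function names, the offset helper, and the xorshift stand-in compiled off Windows are this example's own assumptions; the stand-in is not a CSPRNG and exists only so the arithmetic can be exercised on any host.

```c
/* Added example, not Chromium code: random bytes via advapi32!SystemFunction036
 * (RtlGenRandom) resolved with GetProcAddress, plus a granularity-aligned
 * random offset derived from them with a clean failure path. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
/* Documented signature of SystemFunction036 / RtlGenRandom. */
typedef BOOLEAN (WINAPI *RtlGenRandomFn)(PVOID buffer, ULONG length);

/* Resolve the export once, in code we control, instead of letting the CRT do
 * a LoadLibraryExW deep inside rand_s where a broken hook turns into a crash. */
static RtlGenRandomFn resolve_rtlgenrandom(void) {
    static RtlGenRandomFn fn;
    if (!fn) {
        HMODULE h = LoadLibraryW(L"advapi32.dll");
        if (h) fn = (RtlGenRandomFn)GetProcAddress(h, "SystemFunction036");
    }
    return fn;
}

/* Fill out[0..n) with random bytes; false (not a crash) if resolution fails. */
bool sandbox_rand_bytes(void *out, size_t n) {
    RtlGenRandomFn fn = resolve_rtlgenrandom();
    return fn != NULL && fn(out, (ULONG)n);
}
#else
/* Portable stand-in (assumption for this example): xorshift64*, NOT a CSPRNG. */
static uint64_t xs_state = 0x9E3779B97F4A7C15ULL;

static uint64_t next_u64(void) {
    xs_state ^= xs_state >> 12;
    xs_state ^= xs_state << 25;
    xs_state ^= xs_state >> 27;
    return xs_state * 0x2545F4914F6CDD1DULL;
}

bool sandbox_rand_bytes(void *out, size_t n) {
    uint8_t *p = (uint8_t *)out;
    while (n > 0) {
        uint64_t v = next_u64();
        size_t k = n < sizeof v ? n : sizeof v;
        memcpy(p, &v, k);
        p += k;
        n -= k;
    }
    return true;
}
#endif

/* Map a raw 32-bit value to an offset in [0, range) that is a multiple of
 * granularity (power of two, e.g. the 64 KiB allocation granularity).
 * Returns false when no such offset exists. Note: raw % slots carries a small
 * modulo bias unless slots is a power of two. */
bool aligned_random_offset(uint32_t raw, size_t range, size_t granularity, size_t *out) {
    if (granularity == 0 || (granularity & (granularity - 1)) != 0) return false;
    size_t slots = range / granularity;   /* number of distinct aligned offsets */
    if (slots == 0) return false;
    *out = (size_t)(raw % slots) * granularity;
    return true;
}

/* The caller-facing helper: draw entropy, then align it. A failure in the
 * entropy source is reported to the caller instead of raising the CRT's
 * invalid-parameter handler. */
bool get_granular_aligned_random_offset(size_t range, size_t granularity, size_t *out) {
    uint32_t raw;
    if (!sandbox_rand_bytes(&raw, sizeof raw)) return false;
    return aligned_random_offset(raw, range, granularity, out);
}

int main(void) {
    size_t off;
    for (int i = 0; i < 4; i++) {
        if (get_granular_aligned_random_offset((size_t)16 << 20, 64 * 1024, &off))
            printf("aligned random offset: 0x%zx\n", off);
        else
            printf("entropy source unavailable\n");
    }
    return 0;
}
```

The property worth keeping from the fix is the error path: with rand_s, a failed library load surfaced as an invalid-parameter fault inside the CRT; here a failed resolution is just a false return the sandbox code can act on. The aligned-offset helper is the portable part and is what the added test in the linked commit would exercise.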

jsc...@chromium.org
Sep 22, 2015, 1:33:31 PM9/22/15
to chrome-blackli...@chromium.org

Comment #31 on issue 379218 by jsc...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

To be even clearer, the core issue is that third-party code was injecting
hooks relying on the old implementation. So yes, wfh@'s change should
reduce the rate of crashes from broken (or malicious) third-party code,
because it simplifies the code path.

bugd...@chromium.org
Sep 22, 2015, 2:45:00 PM9/22/15
to chrome-blackli...@chromium.org

Comment #32 on issue 379218 by bugd...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218#c32

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src.git/+/cb35f4e7250d6f4ee65e283bd2d13dc7c231c921

commit cb35f4e7250d6f4ee65e283bd2d13dc7c231c921
Author: wfh <w...@chromium.org>
Date: Tue Sep 22 18:10:11 2015

Use RandBytes instead of rand_s for pipe names.

BUG=534449,379218

Review URL: https://codereview.chromium.org/1357023005

Cr-Commit-Position: refs/heads/master@{#350193}

[modify]
http://crrev.com/cb35f4e7250d6f4ee65e283bd2d13dc7c231c921/base/sync_socket_win.cc

bugd...@chromium.org
Sep 23, 2015, 8:08:47 AM9/23/15
to chrome-blackli...@chromium.org

Comment #33 on issue 379218 by bugd...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218#c33

The following revision refers to this bug:

w...@chromium.org
Sep 23, 2015, 11:04:45 AM9/23/15
to chrome-blackli...@chromium.org
Updates:
Status: Fixed
Labels: -M-38

Comment #35 on issue 379218 by w...@chromium.org: Chrome: `anonymous
namespace'::GetGranularAlignedRandomOffset
https://code.google.com/p/chromium/issues/detail?id=379218

I think all the rand_s crashes should be gone now.