DynamoRIO / dynamorio

Dynamic Instrumentation Tool Platform

CRASH (chrome utility process on youtube video page) private kernelbase DllMain #977

Closed derekbruening closed 9 years ago

derekbruening commented 9 years ago

From bruen...@google.com on November 14, 2012 12:08:01

running pattern mode on chrome:

I clicked on a video on the main youtube page and as it loaded a blank msgbox came up. there were 5 chrome processes: main, renderer, gpu-process, ppapi, and utility. the video did not make progress. two processes had no cpu time: gpu and utility. attaching to utility we see a DR crash message coming from a private kernelbase heap crash:

0:000> du dynamorio!debugbox_msg_buf
62d4a8c0  "Application C:\src\chromium\src\"
62d4a900  "out\Debug\chrome.exe (50020). U"
62d4a940  "nrecoverable Error at PC 0x772be"
62d4a980  "3be. Program aborted. .0xc00000"
62d4a9c0  "05 0x00000000 0x772be3be 0x772be"
62d4aa00  "3be 0x00000000 0xf74b6153.Base: "
62d4aa40  "0x62c30000.Registers: eax=0xf1fd"
62d4aa80  "f1fd ebx=0x00d0b680 ecx=0x012900"
62d4aac0  "00 edx=0x00d0b680. esi=0xf74b614"
62d4ab00  "f edi=0x00d0b678 esp=0x1bc6e904 "
62d4ab40  "ebp=0x1bc6e938. eflags=0x0001028"
62d4ab80  "2.version 3.2.1702, custom build"

0:000> U 772be3be
ntdll!RtlpLowFragHeapFree+0x31:
772be3be 8b4604          mov     eax,dword ptr [esi+4]
772be3c1 8945f4          mov     dword ptr [ebp-0Ch],eax
772be3c4 c6470780        mov     byte ptr [edi+7],80h
772be3c8 c6470600        mov     byte ptr [edi+6],0
772be3cc 8b5e08          mov     ebx,dword ptr [esi+8]
772be3cf 8b4e0c          mov     ecx,dword ptr [esi+0Ch]
772be3d2 895de0          mov     dword ptr [ebp-20h],ebx
772be3d5 83c301          add     ebx,1

0:000> kb =1bc6e938 1bc6e904 772be3be
ChildEBP RetAddr  Args to Child
1bc6e938 772be023 00d0b680 01290000 00000001 ntdll!RtlpLowFragHeapFree+0x31
1bc6e950 62ce48b8 01290000 00000000 00d0b680 ntdll!RtlFreeHeap+0x105
1bc6e968 00a4439d 01290000 00000000 00d0b680 dynamorio!redirect_RtlFreeHeap+0x78 [c:\src\dr\git\src\core\win32\loader.c @ 1912]
1bc6e97c 00a1710c 1bc08438 00a174b1 00000001 KERNELBASE_a10000!BaseNlsThreadCleanup+0x5c
1bc6eba8 62ce3dc2 00a10000 00000003 00000000 KERNELBASE_a10000!_KernelBaseDllInitialize+0x49
1bc6ebc0 62c8f4e1 1bc08438 00000003 0000c380 dynamorio!privload_call_entry+0x82 [c:\src\dr\git\src\core\win32\loader.c @ 1232]
1bc6ebd0 62c5e71d 1bcd9800 1ccc19f4 00c17b00 dynamorio!loader_thread_exit+0x31 [c:\src\dr\git\src\core\loader_shared.c @ 216]
1bc6ebe8 62c5eaa3 00000000 1cb16ce0 1ccc19f4 dynamorio!dynamo_thread_exit_common+0xfd [c:\src\dr\git\src\core\dynamo.c @ 2339]
1bc6ec04 62c8e855 1cb16ce0 00000000 1ccc19f4 dynamorio!dynamo_other_thread_exit+0x273 [c:\src\dr\git\src\core\dynamo.c @ 2444]
1bc6ed70 62c8ec70 0000c380 00000000 00000001 dynamorio!synch_with_thread+0x365 [c:\src\dr\git\src\core\synch.c @ 993]
1bc6edd4 62ccc9a7 00000002 1bc6ee08 1bc6ee14 dynamorio!synch_with_all_threads+0x3f0 [c:\src\dr\git\src\core\synch.c @ 1270]
1bc6ef54 62ccd96e 1bc17b80 1bc17b80 1bc17b80 dynamorio!presys_TerminateProcess+0xf7 [c:\src\dr\git\src\core\win32\syscall.c @ 1390]
1bc6ef7c 62c7152e 1bc17b80 1bc17b80 1bc17b80 dynamorio!pre_system_call+0x23e [c:\src\dr\git\src\core\win32\syscall.c @ 2437]
1bc6ef9c 62c72048 1bc17b01 1bc17b80 77392100 dynamorio!handle_system_call+0x19e [c:\src\dr\git\src\core\dispatch.c @ 1774]
1bc6efbc 62c720c2 1bc17b80 77392100 0018fe60 dynamorio!dispatch_enter_dynamorio+0x3c8 [c:\src\dr\git\src\core\dispatch.c @ 752]
1bc6eff4 1bc21b4e 1bc17b80 00000000 00000000 dynamorio!dispatch+0x12 [c:\src\dr\git\src\core\dispatch.c @ 142]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0018fe60 00000000 00000000 77e8f3b0 ffffffff 0x1bc21b4e

0:000> ?? dynamorio!heapmgt->vmheap
struct vm_heap_t
   +0x000 start_addr       : 0x1bbd0000  "--- memory read error at address 0x1bbd0000 ---"
   +0x004 end_addr         : 0x23bd0000  "--- memory read error at address 0x23bd0000 ---"
   +0x008 alloc_start      : (null)
   +0x00c alloc_size       : 0x8000000
   +0x010 num_blocks       : 0x800
   +0x014 lock             : _mutex_t
   +0x01c num_free_blocks  : 0x69e
   +0x020 blocks           : [256] 0

0:000> ?? dynamorio!private_peb->ProcessHeap
void * 0x01290000

0:000> !peb
ProcessHeap: 00ca0000

0:000> !heap -x 00d0b680
Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
00d0b668  00d0b670  00ca0000  00ca0000       608       148       c    busy

0:000> !heap -s
LFH Key                   : 0x0785867d
Termination on corruption : DISABLED
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast
                    (k)     (k)    (k)     (k) length      blocks cont. heap
00ca0000 00000002    1024    488   1024      3     1     1    0      0   LFH
00910000 00000002     256    208    256      2     2     1    0      0   LFH
00ee0000 00001002    1088    168   1088      6     3     2    0      0   LFH
012e0000 00001002    1088    908   1088      2     9     2    0      0   LFH
11bc0000 00001002     256      4    256      2     1     1    0      0
11d90000 00011002     256      4    256      2     1     1    0      0
11f80000 00001002      64      4     64      2     1     1    0      0
11b80000 00001002     256    156    256      1     1     1    0      0   LFH

So it's passing the private heap as the Heap, but the pointer is from the process default heap. Perhaps the PEB swap was off and when it allocated this it got the app heap.

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=977

derekbruening commented 9 years ago

From bruen...@google.com on November 14, 2012 09:31:54

KERNELBASE_a10000!BaseNlsThreadCleanup+0xf:
00a44350 64a118000000    mov     eax,dword ptr fs:[00000018h]
00a44356 56              push    esi
00a44357 8bb0a00f0000    mov     esi,dword ptr [eax+0FA0h]
...
KERNELBASE_a10000!BaseNlsThreadCleanup+0x47:
00a44388 64a118000000    mov     eax,dword ptr fs:[00000018h]
00a4438e 8b4030          mov     eax,dword ptr [eax+30h]
00a44391 56              push    esi
00a44392 6a00            push    0
00a44394 ff7018          push    dword ptr [eax+18h]
00a44397 ff151410a100    call    dword ptr [KERNELBASE_a10000!_imp__RtlFreeHeap (00a11014)]

So it's freeing TEB->NlsCache.

OK, so that's the bug: private and app copies of kernelbase are sharing TEB->NlsCache, and the private copy tries to free it using a different Heap than it was allocated with.

Ugh. Too many more TEB swaps and we'll want issue #916.

Owner: bruen...@google.com
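The failure mode the two comments above describe, as an added example that is not DynamoRIO's code and not how ntdll implements RtlFreeHeap: two heaps modelled as separate segments, a block allocated from one (the app copy of kernelbase filling TEB->NlsCache from the process heap) and freed through the other (the private copy's DllMain, which reads its heap handle from PEB->ProcessHeap and so gets the private heap while the PEB is swapped). `owning_heap()` does what `!heap -x 00d0b680` did in the dump, mapping the address back to the heap that owns it; `heap_free_strict()` refuses a mismatched handle instead of walking the wrong heap's metadata, and `heap_free_redirect()` shows the alternative of routing the free to the owner while counting the mismatch so it stays visible. The heap names, the 0x148 block size, the header layout and the return codes are all assumptions made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of two Win32-style heaps: the application's ProcessHeap
 * and a private loader heap. Each is one fixed segment with a bump allocator
 * and a per-block header. Hypothetical code, not DynamoRIO's or ntdll's. */
#define SEG_SIZE 4096
#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)
#define MAGIC_LIVE 0xA110CA7Eu
#define MAGIC_FREE 0xF2EEF2EEu

typedef struct { uint32_t magic; uint32_t size; } hdr_t;

typedef struct {
    const char *name;
    uint8_t seg[SEG_SIZE];  /* backing segment (the Segment column in !heap -x) */
    size_t brk;             /* bump pointer into seg */
    int live;               /* outstanding allocations */
} heap_t;

static heap_t g_process_heap = { "ProcessHeap" };
static heap_t g_private_heap = { "PrivateHeap" };
static int g_mismatches;    /* frees that named a heap other than the owner */

void *heap_alloc(heap_t *h, size_t n) {
    n = ALIGN8(n);
    if (h->brk + sizeof(hdr_t) + n > SEG_SIZE) return NULL;
    hdr_t *hd = (hdr_t *)(h->seg + h->brk);
    hd->magic = MAGIC_LIVE;
    hd->size = (uint32_t)n;
    h->brk += sizeof(hdr_t) + n;
    h->live++;
    return hd + 1;
}

/* Which heap's segment contains p?  This is the lookup `!heap -x <addr>`
 * performs: it recovers the owning Heap from the address alone. */
heap_t *owning_heap(const void *p) {
    heap_t *heaps[] = { &g_process_heap, &g_private_heap };
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < 2; i++) {
        uintptr_t lo = (uintptr_t)heaps[i]->seg, hi = lo + SEG_SIZE;
        if (a >= lo && a < hi) return heaps[i];
    }
    return NULL;
}

/* Strict free: refuses a pointer that does not belong to h instead of
 * interpreting it with h's metadata, which is what RtlpLowFragHeapFree
 * did in the crash above.  0 = ok, -1 = wrong/unknown heap, -2 = not live. */
int heap_free_strict(heap_t *h, void *p) {
    if (owning_heap(p) != h) return -1;
    hdr_t *hd = (hdr_t *)p - 1;
    if (hd->magic != MAGIC_LIVE) return -2;
    hd->magic = MAGIC_FREE;
    h->live--;
    return 0;
}

/* Redirecting free: ignore the handle the caller passed, free from the heap
 * that actually owns the block, and count the mismatch so it is visible. */
int heap_free_redirect(heap_t *h, void *p) {
    heap_t *owner = owning_heap(p);
    if (owner == NULL) return -1;
    if (owner != h) g_mismatches++;
    return heap_free_strict(owner, p);
}

/* Replay the issue: the app copy of kernelbase fills TEB->NlsCache from
 * ProcessHeap; the private copy's DllMain(DLL_THREAD_DETACH) later frees the
 * same TEB slot but passes the private heap handle.  Size is made up. */
int simulate_nlscache_free(int redirect_to_owner) {
    void *nls_cache = heap_alloc(&g_process_heap, 0x148);   /* app kernelbase */
    if (nls_cache == NULL) return -3;
    return redirect_to_owner
         ? heap_free_redirect(&g_private_heap, nls_cache)   /* private kernelbase */
         : heap_free_strict(&g_private_heap, nls_cache);
}

int main(void) {
    printf("strict free via wrong heap -> %d\n", simulate_nlscache_free(0));
    printf("redirected to owning heap  -> %d (mismatches seen: %d)\n",
           simulate_nlscache_free(1), g_mismatches);
    return 0;
}
```

The real RtlFreeHeap performs no ownership check of this kind, which is why the dump shows a fault rather than a clean error: with esi=0xf74b614f, the `mov eax,dword ptr [esi+4]` at 772be3be reads 0xf74b6153, exactly the faulting address in the exception record. Refusing the free leaks the block (the strict path above leaves it live), redirecting it silently papers over the wrong handle; neither is a substitute for stopping the two copies of kernelbase from sharing the TEB slot in the first place, which is the bug the comment identifies.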

derekbruening commented 9 years ago

From bruen...@google.com on November 15, 2012 20:27:36

This issue was closed by revision r1711.

Status: Fixed