CRASH at exit when launched from ConEmu #1675

Closed
derekbruening opened this issue Feb 2, 2015 · 1 comment

Comments

@derekbruening
Contributor

Running Dr. Memory from ConEmu after fixing the injection bug
(DynamoRIO/dynamorio#1597), Dr. Memory crashes
during exit.

This works: -leaks_only -no_count_leaks -no_track_allocs

It's something in alloc teardown

(343e4.343e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000343e8 ebx=239af000 ecx=00000000 edx=00f10000 esi=239ae324 edi=239ae230
eip=5c037f5b esp=239ae1e4 ebp=239ae1e4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
dynamorio!acquire_recursive_lock+0xb:
5c037f5b 39414c cmp dword ptr [ecx+4Ch],eax ds:002b:0000004c=????????
0:000> kn

ChildEBP RetAddr

00 239ae1e4 5c11f4cc dynamorio!acquire_recursive_lock+0xb [c:\src\dr\git\src\core\utils.c @ 993]
01 239ae1f0 739927a5 dynamorio!dr_recurlock_lock+0xc [c:\src\dr\git\src\core\lib\instrument.c @ 3373]
02 239ae230 739bb02c drmemorylib!iterator_lock+0x35 [c:\src\drmemory\git\src\common\alloc_replace.c @ 567]
03 239ae308 739c59c3 drmemorylib!alloc_iter_own_arena+0x7cc [c:\src\drmemory\git\src\common\alloc_replace.c @ 2129]
04 239ae384 73a6480f drmemorylib!rb_iter_cb+0x3e3 [c:\src\drmemory\git\src\common\heap.c @ 1020]
05 239ae3cc 73a647f4 drmemorylib!iterate_helper+0x3ef [c:\src\drmemory\git\src\common\redblack.c @ 670]
06 239ae41c 73a647f4 drmemorylib!iterate_helper+0x3d4 [c:\src\drmemory\git\src\common\redblack.c @ 668]
07 239ae46c 73a64406 drmemorylib!iterate_helper+0x3d4 [c:\src\drmemory\git\src\common\redblack.c @ 668]
08 239ae4b8 739c5597 drmemorylib!rb_iterate+0x3c6 [c:\src\drmemory\git\src\common\redblack.c @ 684]
09 239ae4dc 739ba368 drmemorylib!heap_region_iterate+0x37 [c:\src\drmemory\git\src\common\heap.c @ 1031]
0a 239ae5dc 739bcfbd drmemorylib!alloc_iterate+0x758 [c:\src\drmemory\git\src\common\alloc_replace.c @ 2171]
0b 239ae728 7395e16f drmemorylib!alloc_replace_exit+0x111d [c:\src\drmemory\git\src\common\alloc_replace.c @ 4553]
0c 239ae730 739edd94 drmemorylib!alloc_exit+0x3f [c:\src\drmemory\git\src\common\alloc.c @ 3031]
0d 239ae738 7380d3e4 drmemorylib!alloc_drmem_exit+0x14 [c:\src\drmemory\git\src\drmemory\alloc_drmem.c @ 257]
0e 239ae778 5c119833 drmemorylib!event_exit+0xf4 [c:\src\drmemory\git\src\drmemory\drmemory.c @ 411]
0f 239ae7ac 5bf839c1 dynamorio!instrument_exit+0xa3 [c:\src\dr\git\src\core\lib\instrument.c @ 692]
10 239ae7d4 5bf84076 dynamorio!dynamo_shared_exit+0x221 [c:\src\dr\git\src\core\dynamo.c @ 974]
11 239ae7fc 5bf83ecb dynamorio!dynamo_process_exit_cleanup+0x196 [c:\src\dr\git\src\core\dynamo.c @ 1238]
12 239ae80c 5c1bbc64 dynamorio!dynamo_process_exit+0x12b [c:\src\dr\git\src\core\dynamo.c @ 1297]
13 239ae81c 2395f440 dynamorio!cleanup_and_terminate+0x47 [C:\src\dr\git\build_x86_dbg\core\CMakeFiles\dynamorio.dir\arch\x86\x86.asm.obj.s @ 1666]

0:000> dv
iter_arena_start = 0x00f10000 "MZ???"
iter_arena_end = 0x00fbc000 "--- memory read error at address 0x00fbc000 ---"
flags = 2
0:000> dt arena
Local var @ 0x239ae2f8 Type _arena_header_t*
0x00f10000
+0x000 start_chunk : 0x00905a4d "--- memory read error at address 0x00905a4d ---"
+0x004 next_chunk : 0x00000003 "--- memory read error at address 0x00000003 ---"
+0x008 commit_end : 0x00000004 "--- memory read error at address 0x00000004 ---"
+0x00c reserve_end : 0x0000ffff "--- memory read error at address 0x0000ffff ---"
+0x010 free_list : 0x000000b8 _free_lists_t
+0x014 dr_lock : (null)
+0x018 lock : 0x00000040 Void
+0x01c flags : 0
+0x020 prev_free_sz : 0
+0x024 magic : 0
+0x028 alloc_set_member : (null)
+0x02c modbase : (null)
+0x030 handle : (null)
+0x034 next_arena : (null)

other heap_tree arena entries look ok:
0:000> ?? _((arena_header_t)(heap_tree->root->left->base))
struct _arena_header_t
+0x000 start_chunk : 0x011100f8 ""
+0x004 next_chunk : 0x01120380 ""
+0x008 commit_end : 0x01130000 "--- memory read error at address 0x01130000 ---"
+0x00c reserve_end : 0x01510000 "--- memory read error at address 0x01510000 ---"
+0x010 free_list : 0x01110038 _free_lists_t
+0x014 dr_lock : 0x239146c8 Void
+0x018 lock : 0x23914668 Void
+0x01c flags : 0xa
+0x020 prev_free_sz : 0
+0x024 magic : 0x5244
+0x028 alloc_set_member : (null)
+0x02c modbase : (null)
+0x030 handle : (null)
+0x034 next_arena : (null)

HEAP_ARENA    = 0x02,
module load event: "msvcrt.dll" 0x00f10000-0x00fbc000 modid: 12 C:\Windows\SysWOW64\msvcrt.dll
new default Heap for libc set type=0 @0x00f1f43b modbase=0x00f10000 is 0x01910000

system call #21==21.0 NtAllocateVirtualMemory
#0 KERNELBASE.dll!VirtualAllocEx+0x44 (0x7705efa9 <KERNELBASE.dll+0xefa9>) modid:0
#1 fp=0x00c0efe4 parent=0x00c0f000 KERNELBASE.dll!VirtualAlloc  +0x17 (0x7705f01a <KERNELBASE.dll+0xf01a>) modid:0
#2 fp=0x00c0f000 parent=0x00c0f034 ConEmuHk.dll!SetHookCallbacks+0xa404 (0x7e144a65 <ConEmuHk.dll+0x34a65>) modid:0
NtAllocateVirtualMemory res=0xc0000018 : 0x00f10000-0x00f11000
  ...
system call #21==21.0 NtAllocateVirtualMemory
#0 KERNELBASE.dll!VirtualAllocEx+0x44 (0x7705efa9 <KERNELBASE.dll+0xefa9>) modid:0
#1 fp=0x00c0f590 parent=0x00c0f5ac KERNELBASE.dll!VirtualAlloc  +0x17 (0x7705f01a <KERNELBASE.dll+0xf01a>) modid:0
#2 fp=0x00c0f5ac parent=0x00c0f5e0 ConEmuHk.dll!SetHookCallbacks+0xa404 (0x7e144a65 <ConEmuHk.dll+0x34a65>) modid:0
#3 fp=0x00c0f5e0 parent=0x00c0f610 ConEmuHk.dll!SetHookCallbacks+0x1a85 (0x7e13c0e6 <ConEmuHk.dll+0x2c0e6>) modid:0
#4 fp=0x00c0f610 parent=0x00c0fc5c ConEmuHk.dll!SetHookCallbacks+0x1d34 (0x7e13c395 <ConEmuHk.dll+0x2c395>) modid:0
#5 fp=0x00c0fc5c parent=0x00c0fc78 ConEmuHk.dll!GetWriteConsoleW+0x78a (0x7e13a55b <ConEmuHk.dll+0x2a55b>) modid:0
#6 fp=0x00c0fc78 parent=0x00c0fca8 ConEmuHk.dll!SetFarHookMode+0xe558 (0x7e129fb9 <ConEmuHk.dll+0x19fb9>) modid:0
#7 fp=0x00c0fca8 parent=0x00c0fcbc ConEmuHk.dll!SetFarHookMode+0xf3e7 (0x7e12ae48 <ConEmuHk.dll+0x1ae48>) modid:0
#8 fp=0x00c0fcbc parent=0x00c0fccc ConEmuHk.dll!SetFarHookMode+0xf466 (0x7e12aec7 <ConEmuHk.dll+0x1aec7>) modid:0
#9 fp=0x00c0fccc parent=0x00c0fd0c ConEmuHk.dll!SetHookCallbacks+0xf0ef (0x7e149750 <ConEmuHk.dll+0x39750>) modid:0
#10 fp=0x00c0fd0c parent=0x00c0fd2c ntdll.dll!LdrpCallInitRoutine+0x13 (0x779499a0 <ntdll.dll+0x399a0>) modid:0
Adding unknown heap region 0x00f10000-0x00fbc000
adding heap region 0x00f10000-0x00fbc000 arena
system call #21==21.0 NtAllocateVirtualMemory failed with error 0xc0000018
NtAllocateVirtualMemory res=0xc0000018 : 0x00f10000-0x00f11000

#define STATUS_CONFLICTING_ADDRESSES ((NTSTATUS)0xC0000018L)

So we need to not add until post-syscall.

A second bug is that we need to remove on unmap:

NtMapViewOfSection: 0x04bb0000
mmap_walk add 0x04bb0000: alloc base is 0x04bb0000
mmap file 0x04bb0000-0x04fc0000
NtAllocateVirtualMemory: 0x04bb0000-0x04bc1000 commit in-heap
Adding unknown heap region 0x04bb0000-0x04fc0000
adding heap region 0x04bb0000-0x04fc0000 arena
NtAllocateVirtualMemory: 0x04bc1000-0x04bc2000 commit in-heap
NtUnmapViewOfSection: 0x04bb0000
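The two bookkeeping bugs described in this comment (recording a heap region in the pre-syscall handler before NtAllocateVirtualMemory has succeeded, and not removing the region when the section is unmapped), modelled as an added example in C. This is not Dr. Memory or DynamoRIO code: the region table, the simulated NtAllocateVirtualMemory, the arena layout and every function name here are assumptions for illustration only; the addresses, the 0xC0000018 status and the 0x5244 magic value are taken from the logs above.

```c
/* Added example, not Dr. Memory or DynamoRIO code: a small model of the two
 * bookkeeping bugs in the issue.  Region-table shape, function names and the
 * simulated syscall are assumptions for illustration; the addresses, the
 * NTSTATUS value and the arena magic 0x5244 come from the issue's logs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS               0x00000000u
#define STATUS_CONFLICTING_ADDRESSES 0xC0000018u   /* from the page */
#define ARENA_MAGIC                  0x5244u       /* seen in a healthy arena on the page */
#define MAX_REGIONS 16

typedef struct { uintptr_t start, end; bool used; } region_t;

/* mapped: what the OS has mapped (DLL images, sections).
 * heap:   the tool's heap-region table, the one that ended up with a stale entry. */
typedef struct { region_t mapped[MAX_REGIONS]; region_t heap[MAX_REGIONS]; } world_t;

static bool region_add(region_t *t, uintptr_t s, uintptr_t e) {
    for (int i = 0; i < MAX_REGIONS; i++)
        if (!t[i].used) { t[i].start = s; t[i].end = e; t[i].used = true; return true; }
    return false;
}
static bool region_remove(region_t *t, uintptr_t s) {
    for (int i = 0; i < MAX_REGIONS; i++)
        if (t[i].used && t[i].start == s) { t[i].used = false; return true; }
    return false;
}
static bool region_overlaps(const region_t *t, uintptr_t s, uintptr_t e) {
    for (int i = 0; i < MAX_REGIONS; i++)
        if (t[i].used && s < t[i].end && t[i].start < e) return true;
    return false;
}
static bool region_contains(const region_t *t, uintptr_t addr) {
    for (int i = 0; i < MAX_REGIONS; i++)
        if (t[i].used && t[i].start <= addr && addr < t[i].end) return true;
    return false;
}

/* Simulated NtAllocateVirtualMemory: a range that collides with an existing
 * mapping fails with STATUS_CONFLICTING_ADDRESSES, as in the log. */
static uint32_t sim_NtAllocateVirtualMemory(world_t *w, uintptr_t base, size_t size) {
    if (region_overlaps(w->mapped, base, base + size)) return STATUS_CONFLICTING_ADDRESSES;
    region_add(w->mapped, base, base + size);
    return STATUS_SUCCESS;
}

/* Bug 1, before: the region is recorded in the pre-syscall handler, before the
 * kernel has accepted the request, so a failed call leaves a stale entry. */
static uint32_t alloc_tracked_buggy(world_t *w, uintptr_t base, size_t size) {
    region_add(w->heap, base, base + size);                 /* pre-syscall */
    return sim_NtAllocateVirtualMemory(w, base, size);
}

/* Bug 1, after: record it in the post-syscall handler, and only on success. */
static uint32_t alloc_tracked_fixed(world_t *w, uintptr_t base, size_t size) {
    uint32_t res = sim_NtAllocateVirtualMemory(w, base, size);
    if (res == STATUS_SUCCESS) region_add(w->heap, base, base + size);  /* post-syscall */
    return res;
}

/* Bug 2: NtUnmapViewOfSection must drop the region from the heap table too,
 * otherwise the exit-time iteration walks an unmapped range. */
static void unmap_tracked(world_t *w, uintptr_t base) {
    region_remove(w->mapped, base);
    region_remove(w->heap, base);
}

/* Scenario from the log: msvcrt.dll occupies 0x00f10000-0x00fbc000 and
 * ConEmuHk.dll then asks for 0x00f10000-0x00f11000.  Returns true if a stale
 * heap region is left behind after the failed allocation. */
static bool stale_region_after_failed_alloc(bool use_fix) {
    world_t w; memset(&w, 0, sizeof w);
    region_add(w.mapped, 0x00f10000u, 0x00fbc000u);          /* msvcrt.dll image */
    uint32_t res = use_fix ? alloc_tracked_fixed(&w, 0x00f10000u, 0x1000)
                           : alloc_tracked_buggy(&w, 0x00f10000u, 0x1000);
    return res == STATUS_CONFLICTING_ADDRESSES && region_contains(w.heap, 0x00f10000u);
}

/* Scenario for bug 2: the section at 0x04bb0000-0x04fc0000 was recorded as a
 * heap region, then unmapped.  Returns true if the heap entry survives. */
static bool region_survives_unmap(void) {
    world_t w; memset(&w, 0, sizeof w);
    region_add(w.mapped, 0x04bb0000u, 0x04fc0000u);
    region_add(w.heap, 0x04bb0000u, 0x04fc0000u);
    unmap_tracked(&w, 0x04bb0000u);
    return region_contains(w.heap, 0x04bb0000u);
}

/* The symptom: the "arena" at 0x00f10000 is really the PE image ("MZ..."), so
 * its fields are garbage and dr_lock is NULL, which is what acquire_recursive_lock
 * dereferenced.  A cheap guard before touching an arena checks exactly those
 * fields.  The struct layout here is illustrative, not Dr. Memory's. */
typedef struct { uint32_t start_chunk, next_chunk, commit_end, reserve_end, free_list;
                 void *dr_lock, *lock; uint32_t flags, prev_free_sz, magic; } arena_header_t;
static bool arena_looks_valid(const arena_header_t *a) {
    return a->dr_lock != NULL && a->magic == ARENA_MAGIC;
}
/* Constructed input: the first bytes of a DOS header, as the crashed "arena" had. */
static bool pe_header_passes_arena_check(void) {
    static const unsigned char mz[sizeof(arena_header_t)] = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00 };
    arena_header_t a; memcpy(&a, mz, sizeof a);   /* start_chunk reads as 0x00905a4d */
    return arena_looks_valid(&a);
}
```

The pre-syscall/post-syscall split is the whole fix for the first bug: the kernel is the only party that knows whether the reservation succeeded, so the region table must not be updated until the result is in hand. The arena guard is a belt-and-braces check that would have turned this crash into a skipped entry at exit time rather than an access violation inside acquire_recursive_lock.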

@derekbruening
Contributor Author

After fixing the bugs we have 2 leaks reported in ConEmuHk.dll:

Error #1: LEAK 20 direct bytes 0x039d8908-0x039d891c + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [c:\src\drmemory\git\src\common\alloc_replace.c:3436]
# 1 ConEmuHk.dll!RequestLocalServer      +0x8c4a   (0x7e1356cb <ConEmuHk.dll+0x256cb>)
# 2 ConEmuHk.dll!SetFarHookMode          +0xe31f   (0x7e129d80 <ConEmuHk.dll+0x19d80>)
# 3 ConEmuHk.dll!SetFarHookMode          +0xe4cf   (0x7e129f30 <ConEmuHk.dll+0x19f30>)
# 4 ConEmuHk.dll!SetFarHookMode          +0x1c1    (0x7e11bc22 <ConEmuHk.dll+0xbc22>)
# 5 __crtExitProcess                      [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c:708]
# 6 doexit                                [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c:621]
# 7 exit                                  [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0dat.c:393]
# 8 __tmainCRTStartup                     [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c:282]
# 9 KERNEL32.dll!BaseThreadInitThunk

Error #2: LEAK 20 direct bytes 0x039d8940-0x039d8954 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [c:\src\drmemory\git\src\common\alloc_replace.c:3436]
# 1 ConEmuHk.dll!RequestLocalServer      +0x8c4a   (0x7e1356cb <ConEmuHk.dll+0x256cb>)
# 2 ConEmuHk.dll!SetFarHookMode          +0xe31f   (0x7e129d80 <ConEmuHk.dll+0x19d80>)
# 3 ConEmuHk.dll!SetFarHookMode          +0xe4cf   (0x7e129f30 <ConEmuHk.dll+0x19f30>)
# 4 ConEmuHk.dll!SetFarHookMode          +0xf3e7   (0x7e12ae48 <ConEmuHk.dll+0x1ae48>)
# 5 ConEmuHk.dll!SetFarHookMode          +0xf466   (0x7e12aec7 <ConEmuHk.dll+0x1aec7>)
# 6 ConEmuHk.dll!SetHookCallbacks        +0xf0ef   (0x7e149750 <ConEmuHk.dll+0x39750>)
# 7 ntdll.dll!LdrpCallInitRoutine
# 8 ntdll.dll!LdrShutdownProcess
# 9 ntdll.dll!RtlExitUserProcess
#10 KERNEL32.dll!ExitProcessStub
#11 ConEmuHk.dll!SetFarHookMode          +0x1f5    (0x7e11bc56 <ConEmuHk.dll+0xbc56>)
