AppVerifier failure after PageHeap enabled
Reported by petermb...@gmail.com, Oct 9 2016
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home/chromium-security/security-faq Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.
Access violation while writing using a NULL ptr

VERSION
Chrome Version: chrome.exe: 53.0.2785.143, ntdll.dll: 10.0.10586.0
Operating System: Windows 10 Home, Version 10.0.10586 Build 10586

REPRODUCTION CASE
Open Chrome with a debugger (in my case, I opened it using BugId (https://github.com/SkyLined/BugId), which uses cdb.exe) using this command: BugId.py --bSaveReport=true "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe". The crash will happen shortly after the application starts. (find crash info attached)

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
Oct 10 2016
.dmp attached. No, does not reproduce *only* when debugger is attached. Windbg is my post-mortem debugger and it kicks in by even just opening chrome.
Oct 13 2016
@elawrence Could you please look into this issue.
Oct 13 2016
I suspect the issue here is that when you ran BugId, it set Application Verifier flags on Chrome.exe using gflags, and one of those Verifier checks is now failing. See https://github.com/SkyLined/BugId/blob/cf688be6973c850cfc6bc4b34e9e01ff74f8e9c9/PageHeap-Chrome.cmd for where BugId does that. If you run gflags.exe and go to the Image File tab, put chrome.exe in the box at the top and tab out of it, do you find that the "Page Heap" box is checked? If so, uncheck it. I suspect the crash is occurring because you've got Page Heap enabled without the CHROME_ALLOCATOR set to winheap, an incompatible combination.
Oct 13 2016
CONTEXT: (.ecxr)
rax=0000000000000000 rbx=00007ffec4b065ee rcx=0000000000000000
rdx=0000000000000000 rsi=00007ffec4bf27e4 rdi=000000682abfef70
rip=00007ffec4b788ea rsp=000000682abfef50 rbp=000000000000001e
r8=00007ffe00001f80 r9=00007ffe9aba7a75 r10=00007ffe9aba6d8a
r11=00007ffe9aba712d r12=0000000000000000 r13=0000000000000001
r14=000000682abff0a0 r15=00000000000006b4
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000204
ntdll!KiRaiseUserExceptionDispatcher+0x3a:
00007ffe`c4b788ea 8b8424c0000000 mov eax,dword ptr [rsp+0C0h] ss:00000068`2abff010=c0000008
Resetting default scope

FAULTING_IP:
ntdll!KiRaiseUserExceptionDispatcher+3a
00007ffe`c4b788ea 8b8424c0000000 mov eax,dword ptr [rsp+0C0h]

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffec4b788ea (ntdll!KiRaiseUserExceptionDispatcher+0x000000000000003a)
ExceptionCode: c0000008 (Invalid handle)
ExceptionFlags: 00000000
NumberParameters: 0
Thread tried to close a handle that was invalid or illegal to close

PROCESS_NAME: chrome.exe
ERROR_CODE: (NTSTATUS) 0xc0000008 - An invalid HANDLE was specified.
EXCEPTION_CODE: (NTSTATUS) 0xc0000008 - An invalid HANDLE was specified.
EXCEPTION_CODE_STR: c0000008
WATSON_BKT_PROCSTAMP: 57e76668
WATSON_BKT_PROCVER: 53.0.2785.143
WATSON_BKT_MODULE: ntdll.dll
WATSON_BKT_MODSTAMP: 5632d193
WATSON_BKT_MODOFFSET: a88ea
WATSON_BKT_MODVER: 6.2.10586.0
MODULE_VER_PRODUCT: Microsoft® Windows® Operating System
MODLIST_WITH_TSCHKSUM_HASH: 441bb73872d66203bb7a25d1ea93148559898a1a
MODLIST_SHA1_HASH: 016ab86bc510d490f380212d0f5b375a2e669c73
DUMP_FLAGS: 0
DUMP_TYPE: 2
APPLICATION_VERIFIER_LOADED: 1
APP: chrome.exe
ANALYSIS_SESSION_HOST: ELAWRENCE0-W
ANALYSIS_SESSION_TIME: 10-13-2016 10:10:16.0107
ANALYSIS_VERSION: 10.0.10586.567 x86fre
THREAD_ATTRIBUTES:
PROBLEM_CLASSES:
Tid [0x0] Frame [0x00] String [STATUS_INVALID_HANDLE] Data Bucketing
AVRF Tid [0x998] Frame [0x00]: ntdll!KiRaiseUserExceptionDispatcher Failure Bucketing
BUGCHECK_STR: STATUS_INVALID_HANDLE_AVRF
DEFAULT_BUCKET_ID: STATUS_INVALID_HANDLE_AVRF
LAST_CONTROL_TRANSFER: from 00007ffec4a7cf28 to 00007ffec4b788ea

STACK_TEXT:
00000068`2abfef50 00007ffe`c4a7cf28 : 00000000`00000028 00000000`00000000 0000018e`1d9e0000 00000000`00000998 : ntdll!KiRaiseUserExceptionDispatcher+0x3a
00000068`2abff020 00007ffe`c127ee78 : 00000000`00000034 00000068`2abff320 0000018e`2475a618 00007ffe`c4a7e4cf : verifier!AVrfpNtSetInformationFile+0x58
00000068`2abff070 00000000`00000034 : 00000068`2abff320 0000018e`2475a618 00007ffe`c4a7e4cf 0000018e`0000001e : KERNELBASE+0x5ee78
00000068`2abff078 00000068`2abff320 : 0000018e`2475a618 00007ffe`c4a7e4cf 0000018e`0000001e 00007ffe`c4a849b2 : 0x34
00000068`2abff080 0000018e`2475a618 : 00007ffe`c4a7e4cf 0000018e`0000001e 00007ffe`c4a849b2 00000000`00000034 : 0x00000068`2abff320
00000068`2abff088 00007ffe`c4a7e4cf : 0000018e`0000001e 00007ffe`c4a849b2 00000000`00000034 0000018e`2475a618 : 0x0000018e`2475a618
00000068`2abff090 00007ffe`c4af21cb : 00000000`00000000 00007ffe`9abdb8b8 0000018e`2475a5f0 00000000`00000034 : verifier!AVrfpLeaveHeapCall+0x1f
00000068`2abff0c0 00000000`00000000 : 0000018e`1d9e0000 00007ffe`c4a61cec 0000018e`1da49fc0 00007ffe`009185e9 : ntdll!RtlpFreeHeap+0x9b

THREAD_SHA1_HASH_MOD_FUNC: 43e5de0d5b72fde8ce75239df07f7898d19f36b8
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ff1b8bbd6830080a970efdcbcf9df2cd70bea1ec
THREAD_SHA1_HASH_MOD: 20624d9f9b8e919578fc37502bc960a5e2f3a988

FOLLOWUP_IP:
verifier!AVrfpNtSetInformationFile+58
00007ffe`c4a7cf28 833d9dc0010000 cmp dword ptr [verifier!AVrfIoCheckEnabled (00007ffe`c4a98fcc)],0

FAULT_INSTR_CODE: c09d3d83
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: verifier!AVrfpNtSetInformationFile+58
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: verifier
IMAGE_NAME: verifier.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5632d84f
STACK_COMMAND: .ecxr ; kb
BUCKET_ID: STATUS_INVALID_HANDLE_AVRF_verifier!AVrfpNtSetInformationFile+58
PRIMARY_PROBLEM_CLASS: STATUS_INVALID_HANDLE_AVRF_verifier!AVrfpNtSetInformationFile+58
BUCKET_ID_OFFSET: 58
BUCKET_ID_MODULE_STR: verifier
BUCKET_ID_MODTIMEDATESTAMP: 5632d84f
BUCKET_ID_MODCHECKSUM: 5b53a
BUCKET_ID_MODVER_STR: 6.2.10586.0
BUCKET_ID_PREFIX_STR: STATUS_INVALID_HANDLE_AVRF_
FAILURE_PROBLEM_CLASS: STATUS_INVALID_HANDLE_AVRF
FAILURE_EXCEPTION_CODE: c0000008
FAILURE_IMAGE_NAME: verifier.dll
FAILURE_FUNCTION_NAME: AVrfpNtSetInformationFile
BUCKET_ID_FUNCTION_STR: AVrfpNtSetInformationFile
FAILURE_SYMBOL_NAME: verifier.dll!AVrfpNtSetInformationFile
FAILURE_BUCKET_ID: STATUS_INVALID_HANDLE_AVRF_c0000008_verifier.dll!AVrfpNtSetInformationFile
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/chrome.exe/53.0.2785.143/57e76668/ntdll.dll/6.2.10586.0/5632d193/c0000008/000a88ea.htm?Retriage=1
TARGET_TIME: 2016-10-10T17:19:44.000Z
OSBUILD: 9200
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 768
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 8
OSEDITION: Windows 8 WinNt SingleUserTS Personal
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2015-10-29 21:27:54
ANALYSIS_SESSION_ELAPSED_TIME: 17a29
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:status_invalid_handle_avrf_c0000008_verifier.dll!avrfpntsetinformationfile
FAILURE_ID_HASH: {eda9cc61-d261-3740-63ae-c01f9e7a839c}
Followup: MachineOwner
---------

0:003> ~*kp

   0 Id: 75c.ac4 Suspend: 1 Teb: 00000068`2a648000 Unfrozen
 # Child-SP RetAddr Call Site
00 00000068`2a5ae5a8 00007ffe`c4a80898 ntdll!NtWaitForSingleObject+0x14
01 00000068`2a5ae5b0 00007ffe`c123aadf verifier!AVrfpNtWaitForSingleObject+0x38
02 00000068`2a5ae5e0 00000000`000007e8 KERNELBASE+0x1aadf
03 00000068`2a5ae5e8 00000000`00000000 0x7e8

   1 Id: 75c.df4 Suspend: 1 Teb: 00000068`2a64a000 Unfrozen
 # Child-SP RetAddr Call Site
00 00000068`2a8ffb48 00007ffe`c4a7cae2 ntdll!NtRemoveIoCompletion+0x14
01 00000068`2a8ffb50 00007ffe`c1271782 verifier!AVrfpNtRemoveIoCompletion+0x62
02 00000068`2a8ffba0 00000068`2a8ffc38 KERNELBASE+0x51782
03 00000068`2a8ffba8 00000068`2a8ffd00 0x00000068`2a8ffc38
04 00000068`2a8ffbb0 00000000`00000000 0x00000068`2a8ffd00

   2 Id: 75c.458 Suspend: 1 Teb: 00000068`2a64e000 Unfrozen
 # Child-SP RetAddr Call Site
00 00000068`2aaff9e8 00007ffe`c4afb2e8 ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 00000068`2aaff9f0 00007ffe`c2328102 ntdll!TppWorkerThread+0x298
02 00000068`2aaffe00 00007ffe`c4b2c264 kernel32!BaseThreadInitThunk+0x22
03 00000068`2aaffe30 00000000`00000000 ntdll!RtlUserThreadStart+0x34

#  3 Id: 75c.998 Suspend: 1 Teb: 00000068`2a650000 Unfrozen
 # Child-SP RetAddr Call Site
00 00000068`2abfef50 00007ffe`c4a7cf28 ntdll!KiRaiseUserExceptionDispatcher+0x3a
01 00000068`2abff020 00007ffe`c127ee78 verifier!AVrfpNtSetInformationFile+0x58
02 00000068`2abff070 00000000`00000034 KERNELBASE+0x5ee78
03 00000068`2abff078 00000068`2abff320 0x34
04 00000068`2abff080 0000018e`2475a618 0x00000068`2abff320
05 00000068`2abff088 00007ffe`c4a7e4cf 0x0000018e`2475a618
06 00000068`2abff090 00007ffe`c4af21cb verifier!AVrfpLeaveHeapCall+0x1f
07 00000068`2abff0c0 00000000`00000000 ntdll!RtlpFreeHeap+0x9b

   4 Id: 75c.11ec Suspend: 1 Teb: 00000068`2a652000 Unfrozen
 # Child-SP RetAddr Call Site
00 00000068`2acff978 00000000`00000000 ntdll!RtlUserThreadStart

   5 Id: 75c.604 Suspend: 0 Teb: 00000068`2a654000 Unfrozen
 # Child-SP RetAddr Call Site
00 00000068`2adffc68 00000000`00000000 ntdll!RtlUserThreadStart
Oct 13 2016
"If you run gflags.exe and go to the Image File tab, put chrome.exe in the box at the top and tab out of it, do you find that the "Page Heap" box is checked? If so, uncheck it" --this was not the case. Page heap was not checked, however it was checked in the system registry. This issue can be closed. Thanks
Oct 13 2016
There are two gflags.exe builds, one looks at the 64bit registry and one looks at the 32bit registry. Looks like you got it cleaned up, either way.
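The check the two comments above describe, as an added example that is not from this thread or from BugId: gflags stores its per-image settings under the Image File Execution Options key, and on 64-bit Windows there is one copy of that key per registry view, so a "Page Heap" box that looks unchecked in one gflags.exe build can still be set in the view the other build reads. This script opens both views for chrome.exe, decodes the GlobalFlag bits (FLG_HEAP_PAGE_ALLOC is gflags' /hpa, FLG_APPLICATION_VERIFIER its /vrf), and warns about the Page Heap without CHROME_ALLOCATOR=winheap combination; it assumes the variable is visible in the shell's own environment, the same one Chrome would inherit when launched from it.

```powershell
# Added example (not code from the bug thread or from BugId): report Page Heap /
# Application Verifier settings for chrome.exe in BOTH registry views.
# Run from a 64-bit PowerShell; reading HKLM needs no elevation.
$Image    = 'chrome.exe'
$IfeoPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Image"

# GlobalFlag bits as documented for gflags.exe
$FLG_APPLICATION_VERIFIER = 0x00000100   # /vrf
$FLG_HEAP_PAGE_ALLOC      = 0x02000000   # /hpa (Page Heap)

function Get-ImageVerifierSettings {
    param([Microsoft.Win32.RegistryView]$View)

    # OpenBaseKey with an explicit view sidesteps WOW64 redirection, so Registry32
    # really reads the WOW6432Node copy that the 32-bit gflags.exe edits.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    $key = $base.OpenSubKey($IfeoPath)
    if ($null -eq $key) {
        return [pscustomobject]@{ View = $View; KeyPresent = $false; GlobalFlag = '0x00000000'
                                  PageHeap = $false; AppVerifier = $false; VerifierDlls = $null }
    }
    # gflags writes REG_DWORD; [int] also accepts an older REG_SZ such as "0x02000000".
    $globalFlag = [int]$key.GetValue('GlobalFlag', 0)
    [pscustomobject]@{
        View         = $View
        KeyPresent   = $true
        GlobalFlag   = ('0x{0:X8}' -f $globalFlag)
        PageHeap     = (($globalFlag -band $FLG_HEAP_PAGE_ALLOC) -ne 0)
        AppVerifier  = (($globalFlag -band $FLG_APPLICATION_VERIFIER) -ne 0)
        VerifierDlls = $key.GetValue('VerifierDlls')   # provider DLLs, present only when verifier is configured
    }
}

$results = foreach ($view in 'Registry64', 'Registry32') { Get-ImageVerifierSettings -View $view }
$results | Format-Table -AutoSize

# The combination the thread names as incompatible: Page Heap on, but Chrome not told to use the
# Windows heap (CHROME_ALLOCATOR=winheap), so the verifier's heap hooks see only part of the traffic.
$pageHeapOn = @($results | Where-Object { $_.PageHeap }).Count -gt 0
$allocator  = $env:CHROME_ALLOCATOR
if ($pageHeapOn -and $allocator -ne 'winheap') {
    Write-Warning ("Page Heap is enabled for {0} but CHROME_ALLOCATOR is '{1}' (expected 'winheap'); " +
                   "expect verifier stops such as STATUS_INVALID_HANDLE_AVRF.") -f $Image, $allocator
}
```

To clear a stale setting, use the gflags.exe build that matches the view where PageHeap shows True (gflags /p /disable chrome.exe), then re-run the script to confirm both views are clean.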
Comment 1 by elawrence@chromium.org, Oct 10 2016
Summary: Near-null AV when debugger attached (was: Security: Access violation while writing using a NULL ptr)