Closed
Bug 1334244
Opened 7 years ago
Closed 7 months ago
null pointer dereference in sandbox::InitHeap
Categories
(Core :: Security: Process Sandboxing, defect, P2)
Tracking
RESOLVED
FIXED
People
(Reporter: geeknik, Assigned: bobowen)
References
Details
(4 keywords, Whiteboard: [sg:dos], sb+, qa-not-actionable)
Attachments
(1 file)
21.26 KB,
image/png
While starting up Firefox Nightly (Build ID 20170126030209) with Application Verifier and a clean profile, this null pointer dereference was triggered.

Thu Jan 26 14:56:56.020 2017 (GMT-6): (2108.1180): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!RtlpWaitOnCriticalSection+0xb6:
00007ffd`d67cdd8e ff4024          inc     dword ptr [rax+24h] ds:00000000`00000024=????????

2:057> ~* kp

.  57  Id: 2108.1180 Suspend: 1 Teb: 00007ff7`9a1ce000 Unfrozen
Child-SP          RetAddr           Call Site
000000d1`3496e680 00007ffd`d67cb784 ntdll!RtlpWaitOnCriticalSection+0xb6
000000d1`3496e750 00007ffd`d67b0801 ntdll!RtlpEnterCriticalSectionContended+0xa4
000000d1`3496e790 00007ffd`d67afe26 ntdll!RtlpMoveHeapBetweenLists+0x69
000000d1`3496e7c0 00007ff7`9af40a68 ntdll!RtlCreateHeap+0x6c6
000000d1`3496e9b0 00007ff7`9af43dd1 firefox!sandbox::InitHeap(void)+0x2c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\sandbox_nt_util.cc @ 166]
000000d1`3496e9f0 00007ff7`9af38881 firefox!TargetNtMapViewOfSection(<function> * orig_MapViewOfSection = 0x00007ffd`d68c05d8, void * section = 0x00000000`00000000, void * process = 0x000000d1`3496ebe0, void ** base = 0x00007ff7`9af388ce, unsigned int64 zero_bits = 0, unsigned int64 commit_size = 0, union _LARGE_INTEGER * offset = 0x00000000`00000000, unsigned int64 * view_size = 0x000000d1`3496ebc8, unsigned long inherit = 1, unsigned long allocation_type = 0, unsigned long protect = 4)+0xbd [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\target_interceptions.cc @ 37]
000000d1`3496ea70 00007ffd`d685a32f firefox!TargetNtMapViewOfSection64(void * section = 0x00000000`00000001, void * process = 0x000000d1`3496ebe0, void ** base = 0x00000000`00000000, unsigned int64 zero_bits = 0, unsigned int64 commit_size = 0, union _LARGE_INTEGER * offset = 0x00000000`00000000, unsigned int64 * view_size = 0x000000d1`3496ebc8, unsigned long inherit = 1, unsigned long allocation_type = 0, unsigned long protect = 4)+0x65 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\interceptors_64.cc @ 34]
000000d1`3496eae0 00007ffd`d6858d16 ntdll!AvrfMiniLoadDll+0x35b
000000d1`3496ef90 00007ffd`d6851f7d ntdll!AVrfInitializeVerifier+0x396
000000d1`3496f020 00007ffd`d6852533 ntdll!LdrpInitializeApplicationVerifierPackage+0xf5
000000d1`3496f080 00007ffd`d68528f4 ntdll!LdrpInitializeExecutionOptions+0x49f
000000d1`3496f370 00007ffd`d683245e ntdll!LdrpInitializeProcess+0x250
000000d1`3496f690 00007ffd`d67a8c8e ntdll!_LdrpInitialize+0x8977e
000000d1`3496f700 00000000`00000000 ntdll!LdrInitializeThunk+0xe

2:057> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
ntdll!RtlpWaitOnCriticalSection+b6
00007ffd`d67cdd8e ff4024          inc     dword ptr [rax+24h]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffdd67cdd8e (ntdll!RtlpWaitOnCriticalSection+0x00000000000000b6)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000024
Attempt to write to address 0000000000000024

FAULTING_THREAD:  0000000000001180

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000000000000024

WRITE_ADDRESS:  0000000000000024

FOLLOWUP_IP:
firefox!sandbox::InitHeap+2c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\sandbox_nt_util.cc @ 166]
00007ff7`9af40a68 488bc8          mov     rcx,rax

NTGLOBALFLAG:  100

APPLICATION_VERIFIER_FLAGS:  80643027

BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_WRITE

PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 00007ffdd67cb784 to 00007ffdd67cdd8e

STACK_TEXT:
000000d1`3496e680 00007ffd`d67cb784 : 000000d1`34a202c0 00000000`0000007f 00007ffd`d68c0260 00007ffd`d67b0f44 : ntdll!RtlpWaitOnCriticalSection+0xb6
000000d1`3496e750 00007ffd`d67b0801 : 000000d1`34a20000 00000000`00000080 00000000`00000000 00000000`00000001 : ntdll!RtlpEnterCriticalSectionContended+0xa4
000000d1`3496e790 00007ffd`d67afe26 : 00000000`00000001 00000000`00000000 00000000`00000002 00000000`00000000 : ntdll!RtlpMoveHeapBetweenLists+0x69
000000d1`3496e7c0 00007ff7`9af40a68 : 00000000`00000000 00007ff7`9af33284 00000000`00000000 00000000`00000000 : ntdll!RtlCreateHeap+0x6c6
000000d1`3496e9b0 00007ff7`9af43dd1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : firefox!sandbox::InitHeap+0x2c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\sandbox_nt_util.cc @ 166]
000000d1`3496e9f0 00007ff7`9af38881 : 00007ffd`d68c05d8 00000000`00000000 000000d1`3496ebe0 00007ff7`9af388ce : firefox!TargetNtMapViewOfSection+0xbd [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\target_interceptions.cc @ 37]
000000d1`3496ea70 00007ffd`d685a32f : 00000000`00000001 000000d1`3496ebe0 00000000`00000000 00000000`00000000 : firefox!TargetNtMapViewOfSection64+0x65 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\interceptors_64.cc @ 34]
000000d1`3496eae0 00007ffd`d6858d16 : 00000000`00000048 00000000`00000000 00000000`00000048 00007ffd`d67fe522 : ntdll!AvrfMiniLoadDll+0x35b
000000d1`3496ef90 00007ffd`d6851f7d : 00007ff7`9a1cb000 000000d1`3496f440 00000000`00000000 00007ffd`d67fe672 : ntdll!AVrfInitializeVerifier+0x396
000000d1`3496f020 00007ffd`d6852533 : 00007ff7`9a1cb000 000000d1`3496f180 00000000`00000000 00000000`00000000 : ntdll!LdrpInitializeApplicationVerifierPackage+0xf5
000000d1`3496f080 00007ffd`d68528f4 : 00000000`00000001 00000000`f0770018 00000000`00000000 000000d1`3496f418 : ntdll!LdrpInitializeExecutionOptions+0x49f
000000d1`3496f370 00007ffd`d683245e : 00007ffd`d6790000 00000000`00000000 00007ff7`9a1cb000 00000000`00000000 : ntdll!LdrpInitializeProcess+0x250
000000d1`3496f690 00007ffd`d67a8c8e : 000000d1`3496f750 00000000`00000000 00007ff7`9a1cb000 00000000`00000000 : ntdll!_LdrpInitialize+0x8977e
000000d1`3496f700 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe

FAULTING_SOURCE_CODE:
   162:
   163: bool InitHeap() {
   164:   if (!g_heap) {
   165:     // Create a new heap using default values for everything.
>  166:     void* heap = g_nt.RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
   167:     if (!heap)
   168:       return false;
   169:
   170:     if (NULL != _InterlockedCompareExchangePointer(&g_heap, heap, NULL)) {
   171:       // Somebody beat us to the memory setup.

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  firefox!sandbox::InitHeap+2c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: firefox

IMAGE_NAME:  firefox.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5889e6e1

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~57s ; kb

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_firefox.exe!sandbox::InitHeap

BUCKET_ID:  X64_APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_WRITE_firefox!sandbox::InitHeap+2c

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/firefox_exe/54_0_0_6235/5889e6e1/ntdll_dll/6_3_9600_18438/57ae642e/c0000005/0003dd8e.htm?Retriage=1

Followup: MachineOwner
Updated•7 years ago
Updated•7 years ago
Flags: needinfo?(bobowencode)
Comment 1•7 years ago
Thanks for reporting this. It looks like it is failing in one of the sandbox interceptors during the Application Verifier DLL load. I think it is the one they use for preventing certain DLL injections. I'm working on updating the chromium sandbox code that we use, so I'll add a dependency on that bug, so we can retest once it has landed.
Depends on: 1337331
Flags: needinfo?(bobowencode)
Updated•7 years ago
Whiteboard: [sg:dos] → [sg:dos], sb+
Updated•6 years ago
Priority: -- → P2
Updated•2 years ago
Severity: critical → S2
Comment 2•7 months ago
I believe this was fixed when Bob Owen landed bug 1337331. If I'm wrong, please reopen.
Severity: S2 → S3
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Updated•7 months ago