Closed Bug 1334244 Opened 7 years ago Closed 7 months ago

null pointer dereference in sandbox::InitHeap

Categories

(Core :: Security: Process Sandboxing, defect, P2)

x86_64
Windows 8.1
defect

Tracking

RESOLVED FIXED
Tracking Status
firefox54 --- wontfix
firefox55 --- fixed

People

(Reporter: geeknik, Assigned: bobowen)

Details

(4 keywords, Whiteboard: [sg:dos], sb+, qa-not-actionable)

Attachments

(1 file)

While starting up Firefox Nightly (Build ID 20170126030209) with Application Verifier and a clean profile, this null pointer dereference was triggered.

Thu Jan 26 14:56:56.020 2017 (GMT-6): (2108.1180): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!RtlpWaitOnCriticalSection+0xb6:
00007ffd`d67cdd8e ff4024          inc     dword ptr [rax+24h] ds:00000000`00000024=????????
2:057> ~* kp

. 57  Id: 2108.1180 Suspend: 1 Teb: 00007ff7`9a1ce000 Unfrozen
Child-SP          RetAddr           Call Site
000000d1`3496e680 00007ffd`d67cb784 ntdll!RtlpWaitOnCriticalSection+0xb6
000000d1`3496e750 00007ffd`d67b0801 ntdll!RtlpEnterCriticalSectionContended+0xa4
000000d1`3496e790 00007ffd`d67afe26 ntdll!RtlpMoveHeapBetweenLists+0x69
000000d1`3496e7c0 00007ff7`9af40a68 ntdll!RtlCreateHeap+0x6c6
000000d1`3496e9b0 00007ff7`9af43dd1 firefox!sandbox::InitHeap(void)+0x2c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\sandbox_nt_util.cc @ 166]
000000d1`3496e9f0 00007ff7`9af38881 firefox!TargetNtMapViewOfSection(<function> * orig_MapViewOfSection = 0x00007ffd`d68c05d8, void * section = 0x00000000`00000000, void * process = 0x000000d1`3496ebe0, void ** base = 0x00007ff7`9af388ce, unsigned int64 zero_bits = 0, unsigned int64 commit_size = 0, union _LARGE_INTEGER * offset = 0x00000000`00000000, unsigned int64 * view_size = 0x000000d1`3496ebc8, unsigned long inherit = 1, unsigned long allocation_type = 0, unsigned long protect = 4)+0xbd [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\target_interceptions.cc @ 37]
000000d1`3496ea70 00007ffd`d685a32f firefox!TargetNtMapViewOfSection64(void * section = 0x00000000`00000001, void * process = 0x000000d1`3496ebe0, void ** base = 0x00000000`00000000, unsigned int64 zero_bits = 0, unsigned int64 commit_size = 0, union _LARGE_INTEGER * offset = 0x00000000`00000000, unsigned int64 * view_size = 0x000000d1`3496ebc8, unsigned long inherit = 1, unsigned long allocation_type = 0, unsigned long protect = 4)+0x65 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\interceptors_64.cc @ 34]
000000d1`3496eae0 00007ffd`d6858d16 ntdll!AvrfMiniLoadDll+0x35b
000000d1`3496ef90 00007ffd`d6851f7d ntdll!AVrfInitializeVerifier+0x396
000000d1`3496f020 00007ffd`d6852533 ntdll!LdrpInitializeApplicationVerifierPackage+0xf5
000000d1`3496f080 00007ffd`d68528f4 ntdll!LdrpInitializeExecutionOptions+0x49f
000000d1`3496f370 00007ffd`d683245e ntdll!LdrpInitializeProcess+0x250
000000d1`3496f690 00007ffd`d67a8c8e ntdll!_LdrpInitialize+0x8977e
000000d1`3496f700 00000000`00000000 ntdll!LdrInitializeThunk+0xe
2:057> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
ntdll!RtlpWaitOnCriticalSection+b6
00007ffd`d67cdd8e ff4024          inc     dword ptr [rax+24h]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffdd67cdd8e (ntdll!RtlpWaitOnCriticalSection+0x00000000000000b6)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000024
Attempt to write to address 0000000000000024

FAULTING_THREAD:  0000000000001180

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000000000000024

WRITE_ADDRESS:  0000000000000024 

FOLLOWUP_IP: 
firefox!sandbox::InitHeap+2c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\sandbox_nt_util.cc @ 166]
00007ff7`9af40a68 488bc8          mov     rcx,rax

NTGLOBALFLAG:  100

APPLICATION_VERIFIER_FLAGS:  80643027

BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_WRITE

PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 00007ffdd67cb784 to 00007ffdd67cdd8e

STACK_TEXT:  
000000d1`3496e680 00007ffd`d67cb784 : 000000d1`34a202c0 00000000`0000007f 00007ffd`d68c0260 00007ffd`d67b0f44 : ntdll!RtlpWaitOnCriticalSection+0xb6
000000d1`3496e750 00007ffd`d67b0801 : 000000d1`34a20000 00000000`00000080 00000000`00000000 00000000`00000001 : ntdll!RtlpEnterCriticalSectionContended+0xa4
000000d1`3496e790 00007ffd`d67afe26 : 00000000`00000001 00000000`00000000 00000000`00000002 00000000`00000000 : ntdll!RtlpMoveHeapBetweenLists+0x69
000000d1`3496e7c0 00007ff7`9af40a68 : 00000000`00000000 00007ff7`9af33284 00000000`00000000 00000000`00000000 : ntdll!RtlCreateHeap+0x6c6
000000d1`3496e9b0 00007ff7`9af43dd1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : firefox!sandbox::InitHeap+0x2c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\sandbox_nt_util.cc @ 166]
000000d1`3496e9f0 00007ff7`9af38881 : 00007ffd`d68c05d8 00000000`00000000 000000d1`3496ebe0 00007ff7`9af388ce : firefox!TargetNtMapViewOfSection+0xbd [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\target_interceptions.cc @ 37]
000000d1`3496ea70 00007ffd`d685a32f : 00000000`00000001 000000d1`3496ebe0 00000000`00000000 00000000`00000000 : firefox!TargetNtMapViewOfSection64+0x65 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\security\sandbox\chromium\sandbox\win\src\interceptors_64.cc @ 34]
000000d1`3496eae0 00007ffd`d6858d16 : 00000000`00000048 00000000`00000000 00000000`00000048 00007ffd`d67fe522 : ntdll!AvrfMiniLoadDll+0x35b
000000d1`3496ef90 00007ffd`d6851f7d : 00007ff7`9a1cb000 000000d1`3496f440 00000000`00000000 00007ffd`d67fe672 : ntdll!AVrfInitializeVerifier+0x396
000000d1`3496f020 00007ffd`d6852533 : 00007ff7`9a1cb000 000000d1`3496f180 00000000`00000000 00000000`00000000 : ntdll!LdrpInitializeApplicationVerifierPackage+0xf5
000000d1`3496f080 00007ffd`d68528f4 : 00000000`00000001 00000000`f0770018 00000000`00000000 000000d1`3496f418 : ntdll!LdrpInitializeExecutionOptions+0x49f
000000d1`3496f370 00007ffd`d683245e : 00007ffd`d6790000 00000000`00000000 00007ff7`9a1cb000 00000000`00000000 : ntdll!LdrpInitializeProcess+0x250
000000d1`3496f690 00007ffd`d67a8c8e : 000000d1`3496f750 00000000`00000000 00007ff7`9a1cb000 00000000`00000000 : ntdll!_LdrpInitialize+0x8977e
000000d1`3496f700 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe


FAULTING_SOURCE_CODE:  
   162: 
   163: bool InitHeap() {
   164:   if (!g_heap) {
   165:     // Create a new heap using default values for everything.
>  166:     void* heap = g_nt.RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
   167:     if (!heap)
   168:       return false;
   169: 
   170:     if (NULL != _InterlockedCompareExchangePointer(&g_heap, heap, NULL)) {
   171:       // Somebody beat us to the memory setup.


SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  firefox!sandbox::InitHeap+2c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: firefox

IMAGE_NAME:  firefox.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5889e6e1

STACK_COMMAND:  dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~57s ; kb

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_firefox.exe!sandbox::InitHeap

BUCKET_ID:  X64_APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_WRITE_firefox!sandbox::InitHeap+2c

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/firefox_exe/54_0_0_6235/5889e6e1/ntdll_dll/6_3_9600_18438/57ae642e/c0000005/0003dd8e.htm?Retriage=1

Followup: MachineOwner
Group: core-security
Whiteboard: [sg:dos]
Flags: needinfo?(bobowencode)
Thanks for reporting this.

It looks like it is failing in one of the sandbox interceptors during the Application Verifier DLL load.
I think it is the one they use for preventing certain DLL injections.

I'm working on updating the chromium sandbox code that we use, so I'll add a dependency on that bug, so we can retest once it has landed.
Depends on: 1337331
Flags: needinfo?(bobowencode)
Whiteboard: [sg:dos] → [sg:dos], sb+
Priority: -- → P2
Whiteboard: [sg:dos], sb+ → [sg:dos], sb+, qa-not-actionable
Severity: critical → S2

I believe this was fixed when Bob Owen landed bug 1337331. If I'm wrong, please reopen.

Severity: S2 → S3
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Assignee: nobody → bobowencode