AS3.02 (x64) crashes sometimes at start
Posted: 08 Jun 2014, 07:18
For me Salamander crashes on start. Here is what WinDbg tells me from the dmp:
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for TortoiseOverlays.dll -
*** ERROR: Module load completed but symbols could not be loaded for salamand.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for salrtl9.dll -
FAULTING_IP:
ntdll!RtlReportCriticalFailure+89
000007ff`aded9a65 eb00 jmp ntdll!RtlReportCriticalFailure+0x8b (000007ff`aded9a67)
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007ffaded9a65 (ntdll!RtlReportCriticalFailure+0x0000000000000089)
ExceptionCode: c0000374
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000007ffadf2dd20
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=000000000b290000 rbx=0000000000000000 rcx=000000000b290000
rdx=0000000000000000 rsi=0000000000000000 rdi=000000000a290000
rip=000007ffaddf2c2a rsp=000000000abcb2e8 rbp=000000000abcbe90
r8=0000000000000000 r9=0000000000000040 r10=0000000000000000
r11=0000000000000286 r12=0000000000000000 r13=0000000000000000
r14=000000000a290000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
ntdll!NtWaitForSingleObject+0xa:
000007ff`addf2c2a c3 ret
PROCESS_NAME: salamand.exe
ERROR_CODE: (NTSTATUS) 0xc0000374 - Ein Heap wurde beschädigt.
EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - Ein Heap wurde beschädigt.
EXCEPTION_PARAMETER1: 000007ffadf2dd20
NTGLOBALFLAG: 400
APPLICATION_VERIFIER_FLAGS: 0
APP: salamand.exe
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre
BUGCHECK_STR: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE
PRIMARY_PROBLEM_CLASS: ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE
DEFAULT_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE
STACK_TEXT:
000007ff`adf2dd88 000007ff`addf5911 ntdll!RtlpLowFragHeapAllocFromContext+0x35e
000007ff`adf2dd90 000007ff`addf564a ntdll!RtlAllocateHeap+0xfa
000007ff`adf2dd98 000007ff`9e0f6a57 msvcr120!malloc+0x5b
000007ff`adf2dda0 000007ff`9e0f6967 msvcr120!operator new+0x1f
000007ff`adf2dda8 00000000`7068236c tortoisegit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Copy+0x9c
000007ff`adf2ddb0 00000000`70682238 tortoisegit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::assign+0xb8
000007ff`adf2ddb8 00000000`7068f8c9 tortoisegit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::substr+0x29
000007ff`adf2ddc0 00000000`706b4628 tortoisegit!CRegStdBase::CRegStdBase+0xc8
000007ff`adf2ddc8 00000000`706b57d4 tortoisegit!CShellExt::CShellExt+0x1a4
000007ff`adf2ddd0 00000000`706b705a tortoisegit!CShellExtClassFactory::CreateInstance+0x6a
000007ff`adf2ddd8 00000000`707319d2 tortoiseoverlays+0x19d2
000007ff`adf2dde0 00000000`7073185b tortoiseoverlays+0x185b
000007ff`adf2dde8 00000000`707312fd tortoiseoverlays+0x12fd
000007ff`adf2ddf0 000007f7`8bca256c salamand+0x14256c
000007ff`adf2ddf8 000007f7`8bca25b6 salamand+0x1425b6
000007ff`adf2de00 000007f7`8bca2c59 salamand+0x142c59
000007ff`adf2de08 000007f7`8bbb7ca2 salamand+0x57ca2
000007ff`adf2de10 000007f7`8bbb9505 salamand+0x59505
000007ff`adf2de18 000007f7`8bbb956a salamand+0x5956a
000007ff`adf2de20 00000000`6fd02a6f salrtl9!endthreadex+0x3f
000007ff`adf2de28 00000000`6fd02b08 salrtl9!endthreadex+0xd8
000007ff`adf2de30 000007ff`adb91842 kernel32!BaseThreadInitThunk+0x1a
000007ff`adf2de38 000007ff`ade0a2b9 ntdll!RtlUserThreadStart+0x1d
FOLLOWUP_IP:
msvcr120!operator new+1f [f:\dd\vctools\crt\crtw32\heap\new.cpp @ 59]
000007ff`9e0f6967 4885c0 test rax,rax
FAULTING_SOURCE_LINE: f:\dd\vctools\crt\crtw32\heap\new.cpp
FAULTING_SOURCE_FILE: f:\dd\vctools\crt\crtw32\heap\new.cpp
FAULTING_SOURCE_LINE_NUMBER: 59
IMAGE_NAME: msvcr120.dll
STACK_COMMAND: dps 7ffadf2dd88 ; kb
FAILURE_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE_c0000374_msvcr120.dll!operator_new
BUCKET_ID: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE_msvcr120!operator_new+1f
FAILURE_ID_HASH_STRING: um:actionable_heap_corruption_heap_failure_lfh_bitmap_mismatch_exploitable_c0000374_msvcr120.dll!operator_new
0:010> dps 7ffadf2dd88 ; kb
000007ff`adf2dd88 000007ff`addf5911 ntdll!RtlpLowFragHeapAllocFromContext+0x35e
000007ff`adf2dd90 000007ff`addf564a ntdll!RtlAllocateHeap+0xfa
000007ff`adf2dd98 000007ff`9e0f6a57 msvcr120!malloc+0x5b
000007ff`adf2dda0 000007ff`9e0f6967 msvcr120!operator new+0x1f
000007ff`adf2dda8 00000000`7068236c TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Copy+0x9c
000007ff`adf2ddb0 00000000`70682238 TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::assign+0xb8
000007ff`adf2ddb8 00000000`7068f8c9 TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::substr+0x29
000007ff`adf2ddc0 00000000`706b4628 TortoiseGit!CRegStdBase::CRegStdBase+0xc8
000007ff`adf2ddc8 00000000`706b57d4 TortoiseGit!CShellExt::CShellExt+0x1a4
000007ff`adf2ddd0 00000000`706b705a TortoiseGit!CShellExtClassFactory::CreateInstance+0x6a
000007ff`adf2ddd8 00000000`707319d2 TortoiseOverlays+0x19d2
000007ff`adf2dde0 00000000`7073185b TortoiseOverlays+0x185b
000007ff`adf2dde8 00000000`707312fd TortoiseOverlays+0x12fd
000007ff`adf2ddf0 000007f7`8bca256c salamand+0x14256c
000007ff`adf2ddf8 000007f7`8bca25b6 salamand+0x1425b6
000007ff`adf2de00 000007f7`8bca2c59 salamand+0x142c59
# RetAddr : Args to Child : Call Site
00 000007ff`adeb0ee0 : 00000000`00000000 00000000`0abcb428 00000000`0abcb424 00000000`0abcb440 : ntdll!NtWaitForSingleObject+0xa
01 000007ff`adeb129b : 00000000`00000644 00000000`00000390 00000000`0abcc4f0 01ceb9c2`ebedf471 : ntdll!RtlReportExceptionEx+0x22c
02 000007ff`aded9ae2 : 000007ff`adf2018c 00000000`0abcc4a0 00000000`00000000 ffffffff`ee1e5d00 : ntdll!RtlReportException+0xbb
03 000007ff`ade0dcba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlReportCriticalFailure$filt$0+0x33
04 000007ff`adee7e82 : 000007ff`adf20190 00000000`0abcc4a0 00000000`0abcc4f0 00000000`0abcc4a0 : ntdll!_C_specific_handler+0x8e
05 000007ff`ade0d31d : 00000000`00000000 00000000`0abcb6b0 00000000`0abcc4a0 00000000`00000000 : ntdll!_GSHandlerCheck_SEH+0x76
06 000007ff`ade0e35c : 00000000`0abcc4f0 00000000`0abcbe90 00000000`00000002 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xd
07 000007ff`ade0e800 : 00000000`00000002 000007ff`9dd56b11 00000000`0abcc4f0 00000000`00000000 : ntdll!RtlDispatchException+0x392
08 000007ff`aded9a65 : 00000000`00000000 00000000`c0000374 00000000`00000000 000007ff`adf2dd20 : ntdll!RtlRaiseException+0x27e
09 000007ff`adede880 : 00000000`006f0000 00000000`00000400 00000000`006f0000 00000000`00000000 : ntdll!RtlReportCriticalFailure+0x89
0a 000007ff`addf5911 : 00000000`007bf1d0 00000000`007b6670 00000000`007be990 00000000`00000101 : ntdll!RtlpLogHeapFailure+0xa4
0b 000007ff`addf564a : 00000000`00000000 00000000`00000020 00000000`00000030 00000000`00000000 : ntdll!RtlpLowFragHeapAllocFromContext+0x35e
0c 000007ff`9e0f6a57 : 00000000`0abcdda0 00000000`00000000 00000000`00000040 00000000`00000000 : ntdll!RtlAllocateHeap+0xfa
0d (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : msvcr120!_heap_alloc+0x3e
0e 000007ff`9e0f6967 : 00000000`00000030 00000000`00000000 00000000`00000000 00000000`707100f0 : msvcr120!malloc+0x5b
0f 00000000`7068236c : 00007d5b`39f8fe22 00000000`0abcc880 00000000`0abcdda0 00000000`0abcdd9c : msvcr120!operator new+0x1f
10 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::_Allocate+0x23
11 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::allocator<wchar_t>::allocate+0x23
12 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::_Wrap_alloc<std::allocator<wchar_t> >::allocate+0x23
13 00000000`70682238 : 00000000`0abcc928 00000000`00000014 00000000`00000000 00000000`00000000 : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Copy+0x9c
14 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Grow+0x35
15 00000000`7068f8c9 : 00000000`0abcc928 00000000`0abcca30 00000000`0abd26a0 00000000`0000001e : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::assign+0xb8
16 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::{ctor}+0x1e
17 00000000`706b4628 : 00000000`0abd26b0 00000000`0abd26a0 00000000`0abd26d0 00000000`00000000 : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::substr+0x29
18 00000000`706b57d4 : 00000000`00000000 00000000`00000004 00000000`0abd26a0 00000000`0abcca19 : TortoiseGit!CRegStdBase::CRegStdBase+0xc8
19 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!CRegTypedBase<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,CRegStdBase>::{ctor}+0x13
1a (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!CRegStringCommon<CRegStdBase>::{ctor}+0x13
1b 00000000`706b705a : 00000000`7073b310 00000000`00000000 00000000`007a0010 00000000`707114e0 : TortoiseGit!CShellExt::CShellExt+0x1a4
1c 00000000`707319d2 : 00000000`70710000 00000000`0abcddb0 00000000`09f17680 00000000`0abd2380 : TortoiseGit!CShellExtClassFactory::CreateInstance+0x6a
1d 00000000`7073185b : 00000000`09f10000 000007ff`ade18475 00000000`09f177aa 00000000`00000000 : TortoiseOverlays+0x19d2
1e 00000000`707312fd : 00000000`00000000 00000000`7073d850 00000000`0abcdd9c 00000000`00000004 : TortoiseOverlays+0x185b
1f 000007f7`8bca256c : 00000000`00000000 00000000`00000000 00009cdc`f89d1ca9 00000000`000001f0 : TortoiseOverlays+0x12fd
20 000007f7`8bca25b6 : 00007994`3f161f6d 00000000`00000004 00000000`00000000 00000000`00000000 : salamand+0x14256c
21 000007f7`8bca2c59 : 00000000`00000000 00000000`0093eac0 00000000`0abcde40 00000000`00000000 : salamand+0x1425b6
22 000007f7`8bbb7ca2 : 00000000`0097af60 00000000`0097af60 00000000`00000000 00000000`00000000 : salamand+0x142c59
23 000007f7`8bbb9505 : 00000000`00000000 00000000`0097af60 00000000`00000000 00000000`00000000 : salamand+0x57ca2
24 000007f7`8bbb956a : 00000000`0abce8a0 00000000`0097af60 00000000`00000000 00000000`00000000 : salamand+0x59505
25 00000000`6fd02a6f : 00000000`6fd8cb90 00000000`00000000 00000000`00000000 00000000`00000000 : salamand+0x5956a
26 00000000`6fd02b08 : 00000000`6fd8c5c0 00000000`00983640 00000000`00000000 00000000`00000000 : salrtl9!endthreadex+0x3f
27 000007ff`adb91842 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : salrtl9!endthreadex+0xd8
28 000007ff`ade0a2b9 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x1a
29 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
0:010> lmvm TortoiseGit
Browse full module list
start end module name
00000000`70680000 00000000`7070b000 TortoiseGit (private pdb symbols) C:\ProgramData\dbg\sym\TortoiseGit.pdb\EFDE6FB66EEC4C64AD95C4B9A00B8CFC1\TortoiseGit.pdb
Image path: C:\Program Files\TortoiseGit\bin\TortoiseGit.dll
Image name: TortoiseGit.dll
Browse all global symbols functions data
Timestamp: Tue Apr 01 18:02:09 2014 (533AE301)
CheckSum: 0009481E
ImageSize: 0008B000
File version: 1.8.8.0
Product version: 1.8.8.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0400.04e4
CompanyName: http://tortoisegit.org/
ProductName: TortoiseGit
InternalName: TortoiseGit.dll
OriginalFilename: TortoiseGit.dll
ProductVersion: 1.8.8.0
FileVersion: 1.8.8.0
FileDescription: TortoiseGit shell extension client
LegalCopyright: Copyright (C) 2008-2014 - TortoiseGit and Copyright (C) 2003-2013 - TortoiseSVN
0:010> .load MSEC
0:010> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Heap Corruption starting at ntdll!RtlReportCriticalFailure+0x0000000000000089 called from msvcr120!malloc+0x000000000000005b (Hash=0x55961209.0x0e271ed6)
Heap Corruption has been detected. This is considered exploitable, and must be fixed.
Does the issue come from TGit or Salamander? I'm also worried about the potential security issue.