hashtable_remove_range updates prev_e to point to freed memory #608
Labels
Comments
|
From [email protected] on November 15, 2011 15:10:01 This issue was closed by revision r1149 . Status: Fixed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
From [email protected] on November 15, 2011 11:49:11
working on mspaint (drmem issue #500):
after redzone _dbg fix, mspaint crashes in post_call_lookup: use after free
10172340 8b11 mov edx,[ecx] ds:002b:cdcdcdcd=????????
0:000> kn
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
00 182a93c8 100d03b5 drmemorylib!hashtable_lookup+0x60 [c:\src\dr\git\src\ext\drcontainers\hashtable.c @ 262]
01 182a9428 100d016a drmemorylib!post_call_lookup+0x25 [c:\src\drmemory\git\src\common\alloc.c @ 1723]
02 182a9488 10023fea drmemorylib!alloc_instrument+0x2ca [c:\src\drmemory\git\src\common\alloc.c @ 5116]
03 182a9994 10009172 drmemorylib!instrument_bb+0xa0a [c:\src\drmemory\git\src\drmemory\readwrite.c @ 3491]
04 182a9a90 6d070a5d drmemorylib!event_basic_block+0x582 [c:\src\drmemory\git\src\drmemory\drmemory.c @ 479]
05 182a9b00 6d03c465 dynamorio!instrument_basic_block+0x2ad [c:\src\dr\git\src\core\x86\instrument.c @ 1300]
06 182a9ba4 6d033ada dynamorio!client_process_bb+0x65 [c:\src\dr\git\src\core\x86\interp.c @ 2392]
07 182a9dfc 6d03e7e8 dynamorio!build_bb_ilist+0x29ea [c:\src\dr\git\src\core\x86\interp.c @ 3295]
08 182a9f40 6cf2b4c3 dynamorio!build_basic_block_fragment+0x2e8 [c:\src\dr\git\src\core\x86\interp.c @ 4209]
09 182a9ff4 1825210e dynamorio!dispatch+0x7d3 [c:\src\dr\git\src\core\dispatch.c @ 189]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0a 0015e720 769cf61a 0x1825210e
0b 0015e73 769e275f msvcrt!_ismbblead+0x13
0c 0015e754 6d667244 msvcrt!_splitpath_s+0xdc
0d 0015e9a4 6d667a29 sti!WiaTrcLib::InitTraceSettings+0x97
0e 0015e9b0 6d66712b sti!WiaTrace_Init_Trace+0x2a
0f 0015e9b8 6d666a8a sti!InitializeWIATracingLibrary+0x19
10 0015e9cc 754eaec6 sti!DllGetClassObject+0x67
11 0015e9e8 754c91ed ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x30
12 0015ea00 754c8eb2 ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x1f
13 0015ea38 754d1d44 ole32!CClassCache::GetClassObject+0x49
0:000> dv
table = 0x102812ac
key = 0x769cf645
e = 0xcdcdcdcd
hindex = 0x645
res = 0x00000000
0:000> U 0x769cf645
msvcrt!__initmbctable+0x31:
769cf645 751f jnz msvcrt!__initmbctable+0x51 (769cf666)
0:000> ?? table->table[hindex]
struct _hash_entry_t * 0x1a9f9d68
0:000> ?? table->table[hindex]->next
struct _hash_entry_t * 0xcdcdcdcd
0:000> ?? *table->table[hindex]
struct _hash_entry_t
+0x000 key : 0x1a9fa178
+0x004 payload : 0xcdcdcdcd
+0x008 next : 0xcdcdcdcd
0:000> ?? heapmgt->vmheap
struct vm_heap_t
+0x000 start_addr : 0x18210000 ""
+0x004 end_addr : 0x20210000 ""
not removed from consistency check b/c no message in log file
so must be module unload. there's only one:
module unload event: "KERNEL32.dll" 0x03b30000-0x03c40000
kind of weird that kernel32 would really be unmapped early during shutdown?
alloc unload event calls:
hashtable_remove_range(&post_call_table, info->start, info->end);
=> bug in hashtable_remove_range where it updates prev_e when deleted e
Original issue: http://code.google.com/p/dynamorio/issues/detail?id=608
The text was updated successfully, but these errors were encountered: