This repository has been archived by the owner on Dec 27, 2023. It is now read-only.

Double-free in dwarf64

Reproduction steps:

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe" /v "GlobalFlag" /t REG_SZ /d "0x2000000" /f
windbgx -g "C:\Program Files\IDA Pro 7.5\ida64.exe" -B crash-EXCEPTION_ACCESS_VIOLATION_READ-7ff92a182656

Output from windbg:

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

APPLICATION_VERIFIER_HEAPS_DOUBLE_FREE (7)
Heap block already freed.
This situation happens if the block is freed twice. Freed blocks are marked in a
special way and are kept around for a while in a delayed free queue. If a buggy
program tries to free the block again this will be caught assuming the block was not
dequeued from delayed free queue and its memory reused for other allocations.
The depth of the delay free queue is in the order of thousands of blocks therefore
there are good chances that most double frees will be caught. 
Arguments:
Arg1: 000001b298471000, Heap handle for the heap owning the block. 
Arg2: 000001b2b49184e0, Heap block being freed again. 
Arg3: 0000000000000001, Size of the heap block. 
Arg4: 0000000000000000, Not used 

CONTEXT:  (.ecxr)
rax=0000009917ba1000 rbx=0000000000000007 rcx=0000009917ffb6c0
rdx=0000009917ffb760 rsi=000001b2b49184e0 rdi=000001b298471000
rip=00007fffc1626318 rsp=0000009917ffb690 rbp=0000009917ffb790
 r8=000000000000000f  r9=0000009917ffb6c0 r10=0000000000000000
r11=0000009917ffb680 r12=000001b2b49184e0 r13=0000000000000001
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000200
verifier!VerifierCaptureContextAndReportStop+0x100:
00007fff`c1626318 cc              int     3
Resetting default scope

STACK_TEXT:  
00000099`17ffb690 00007fff`c1626626     : 00000000`00000000 00000000`00000000 00000000`00000007 000001b2`98471000 : verifier!VerifierCaptureContextAndReportStop+0x100
00000099`17ffbc50 00007fff`c162501a     : 000001b2`b49184e0 00007fff`c1649340 000001b2`ba95a000 00007fff`c1649110 : verifier!VerifierStopMessage+0x2c6
00000099`17ffbd00 00007fff`c1622636     : 00000000`00000000 000001b2`98471000 000001b2`b49184e0 000001b2`b4298ff0 : verifier!AVrfpDphReportCorruptedBlock+0x1ce
00000099`17ffbdc0 00007fff`c16226dc     : 000001b2`98471000 000001b2`b4298ff0 000001b2`98471000 00000000`00001000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x6a
00000099`17ffbe20 00007fff`c16228ad     : 000001b2`b4298ff0 00000000`01000002 000001b2`98471000 000001b2`b6966a90 : verifier!AVrfpDphFindBusyMemory+0x20
00000099`17ffbe60 00007fff`c16242cd     : 000001b2`b4298ff0 000001b2`98470000 00000000`01000002 000001b2`98471000 : verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
00000099`17ffbe90 00007fff`f6d25204     : 000001b2`98470000 00000000`01000002 000001b2`98470000 00007fff`f6cd56b0 : verifier!AVrfDebugPageHeapFree+0x8d
00000099`17ffbef0 00007fff`f6cd56b0     : 000001b2`98470000 000001b2`a7ef1590 00000000`01000002 000001b2`a712cfa0 : ntdll!RtlDebugFreeHeap+0x3c
00000099`17ffbf50 00007fff`f6c60810     : 000001b2`98470000 000001b2`98470000 00000000`00000000 000001b2`b4298ff0 : ntdll!RtlpFreeHeap+0x73d50
00000099`17ffc0b0 00007fff`f6c5fc11     : 00000000`00000001 000001b2`98470000 00000000`00000000 00000000`00000000 : ntdll!RtlpFreeHeapInternal+0x790
00000099`17ffc160 00007fff`f3c714cb     : 00000099`17ffc2c0 00000000`00000000 ffffffff`fffffffe 00000000`ffffffef : ntdll!RtlFreeHeap+0x51
00000099`17ffc1a0 00007fff`c0a712c3     : 00000099`17ffc2c0 00000000`00000000 00007fff`c0ab9feb 00000000`00000000 : ucrtbase!_free_base+0x1b
00000099`17ffc1d0 00007fff`c0a9cce4     : 00007fff`c0ab9feb 000001b2`a706bfd0 00000000`00000001 00007fff`c0ab9feb : dwarf64+0x212c3
00000099`17ffc200 00000000`74cac809     : 00000000`73facf24 00000000`00000001 000001b2`b8562fb0 00000000`00000001 : dwarf64+0x4cce4
00000099`17ffcaa0 00000000`73fa7ea5     : 00000000`74e4c6c0 00000099`17ffcc40 000001b2`b0cbef50 00000000`00000012 : ida64!user2bin+0x69b9
00000099`17ffcb40 00000000`74cac809     : 00000000`00000000 000001b2`b7afefb0 00000000`00000000 00000000`00000000 : dbg64+0x7ea5
00000099`17ffd110 00007ff7`758feb90     : 00000000`00000000 00000000`74e4c6c0 000001b2`b7afefb0 00000000`00000000 : ida64!user2bin+0x69b9
00000099`17ffd1b0 00007ff7`7583ce41     : 00000000`00000000 00000000`00000000 00000099`17ffd320 000001b2`a63c1d70 : ida64_exe+0x18eb90
00000099`17ffd220 00007ff7`757c5729     : 00000000`00000000 00000000`00000001 00000000`00000000 00007fff`c1625388 : ida64_exe+0xcce41
00000099`17ffd420 00007fff`c0b6e27c     : 00000000`00000490 00000000`00000000 00000000`74e4c6c0 ffffffff`ffffffff : ida64_exe+0x55729
00000099`17ffd890 00007fff`c0b580de     : 00000099`17ffdfa0 000001b2`9d3cffe0 000001b2`bb51afd0 00000000`74e4c6c0 : elf64+0x2e27c
00000099`17ffdf70 00000000`74c123a4     : 00000000`74e4c6c0 00000000`74cde8b0 000001b2`9d43dfa0 000001b2`9d3cffe0 : elf64+0x180de
00000099`17ffe1d0 00000000`74c1229e     : 000001b2`0000002d 00000000`00000002 000001b2`9d0e8e78 00000099`17ffe220 : ida64!user2str+0x3314
00000099`17ffe210 00000000`74c127a4     : 000001b2`b3dc8fa0 00000000`00000000 00000000`74e4c6c0 000001b2`a510dfd8 : ida64!user2str+0x320e
00000099`17ffe4f0 00000000`74c16200     : 00000000`00000000 00000099`17ffe6b0 ff000000`0000000b 000001b2`b7bc6fa0 : ida64!user2str+0x3714
00000099`17ffe570 00007ff7`758e3f8d     : 00007ff7`75a045d8 00000000`00000000 00000000`00000085 000001b2`b3dc8fa0 : ida64!load_nonbinary_file+0x30
00000099`17ffe5b0 00007ff7`758e4563     : 00000099`17ffeb40 00000000`00000000 000001b2`b5dc4fd0 00000000`00000056 : ida64_exe+0x173f8d
00000099`17ffeab0 00007ff7`757c3a9b     : 00000099`17fff330 00000000`74e4c6c0 00000099`17fff108 00000000`00000085 : ida64_exe+0x174563
00000099`17ffec30 00000000`74b2130a     : 00000000`00000027 00000099`17fff330 000001b2`9d098c40 00000099`17fff108 : ida64_exe+0x53a9b
00000099`17fff0a0 00007ff7`758ea37f     : 00000000`00000002 00000000`00000004 000001b2`ab101fb0 00000000`00000002 : ida64!init_database+0xa9a
00000099`17fff4b0 00007ff7`758eb989     : 00007ff7`759b7500 00000000`74613766 00000000`00000001 00000099`17fff628 : ida64_exe+0x17a37f
00000099`17fff530 00007ff7`758eae1a     : 00007ff7`759b7500 00000099`17fff5e0 000001b2`9f386fe0 00000000`00000010 : ida64_exe+0x17b989
00000099`17fff570 00007ff7`758eaf52     : 00000000`00000001 000001b2`9f386fe0 00000099`17fff6d0 00000000`00000000 : ida64_exe+0x17ae1a
00000099`17fff620 00007ff7`758eaf7c     : 00000099`00000060 00007ff7`0000000f 00000001`00000003 00000099`17fff6d0 : ida64_exe+0x17af52
00000099`17fff660 00007ff7`758ebccd     : 00000099`17fff738 000001b2`b207cfb0 000001b2`9db6cff0 000001b2`aa93afd0 : ida64_exe+0x17af7c
00000099`17fff6a0 00007ff7`758ebe5f     : 00000000`00000003 00000000`00000018 000001b2`a1484fe0 000001b2`a1356fb0 : ida64_exe+0x17bccd
00000099`17fff940 00007ff7`759995e2     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : ida64_exe+0x17be5f
00000099`17fff990 00007fff`f5967bd4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ida64_exe+0x2295e2
00000099`17fff9d0 00007fff`f6c8ced1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
00000099`17fffa00 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21