Double free in libdwarf64!dwarf_loclist_n (the stack below attributes it to `libdwarf!dwarf_loclist_n+0x1162`; an offset that large from the nearest exported symbol usually means the frame is really in an unexported function that follows it, so treat the function name as approximate until checked against symbols)

Reproduction steps (run from an elevated shell, since the first command writes under HKLM; it enables full page heap for ida64.exe through Image File Execution Options, which is what makes the second free fault deterministically instead of silently corrupting the heap — without it the crash may not reproduce. The crash file path on the second line is relative to the current directory. Remove the IFEO entry afterwards with `reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe" /v GlobalFlag /f`, otherwise every later IDA launch runs under page heap):

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ida64.exe" /v "GlobalFlag" /t REG_SZ /d "0x2000000" /f
windbgx -g "C:\Program Files\IDA Pro 7.5\ida64.exe" -B crash-doublefree-32a7b19838d132dc4e1f3f2ba772e056

Output from windbg (`!analyze -v` at the verifier stop; Arg2 is the 0x70-byte block being freed a second time, and the frames from `libdwarf!dwarf_loclist_n` down to `dwarf64+0x35470` show the free is reached from IDA's dwarf64 loader plugin while loading the ELF input):

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

APPLICATION_VERIFIER_HEAPS_DOUBLE_FREE (7)
Heap block already freed.
This situation happens if the block is freed twice. Freed blocks are marked in a
special way and are kept around for a while in a delayed free queue. If a buggy
program tries to free the block again this will be caught assuming the block was not
dequeued from delayed free queue and its memory reused for other allocations.
The depth of the delay free queue is in the order of thousands of blocks therefore
there are good chances that most double frees will be caught. 
Arguments:
Arg1: 0000021235981000, Heap handle for the heap owning the block. 
Arg2: 00000212438fc888, Heap block being freed again. 
Arg3: 0000000000000070, Size of the heap block. 
Arg4: 0000000000000000, Not used 

CONTEXT:  (.ecxr)
rax=000000f367ac7000 rbx=0000000000000007 rcx=000000f367ff8870
rdx=000000f367ff8910 rsi=00000212438fc888 rdi=0000021235981000
rip=00007ffd6d1e6318 rsp=000000f367ff8840 rbp=000000f367ff8940
 r8=000000000000000f  r9=000000f367ff8870 r10=0000000000000000
r11=000000f367ff8830 r12=00000212438fc888 r13=0000000000000070
r14=0000000000000070 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000200
verifier!VerifierCaptureContextAndReportStop+0x100:
00007ffd`6d1e6318 cc              int     3
Resetting default scope

STACK_TEXT:  
000000f3`67ff8840 00007ffd`6d1e6626     : 00000000`00000000 00000000`00000000 00000000`00000007 00000212`35981000 : verifier!VerifierCaptureContextAndReportStop+0x100
000000f3`67ff8e00 00007ffd`6d1e501a     : 00000212`438fc888 00007ffd`6d209340 00000000`00000000 00007ffd`6d209110 : verifier!VerifierStopMessage+0x2c6
000000f3`67ff8eb0 00007ffd`6d1e2636     : 00000000`00000000 00000212`35981000 00000212`438fc888 00000212`4b301f90 : verifier!AVrfpDphReportCorruptedBlock+0x1ce
000000f3`67ff8f70 00007ffd`6d1e26dc     : 00000212`35981000 00000212`4b301f90 00000212`35981000 00000000`00001000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x6a
000000f3`67ff8fd0 00007ffd`6d1e28ad     : 00000212`4b301f90 00000000`01000002 00000212`35981000 00000212`4d93e958 : verifier!AVrfpDphFindBusyMemory+0x20
000000f3`67ff9010 00007ffd`6d1e42cd     : 00000212`4b301f90 00000212`35980000 00000000`01000002 00000212`35981000 : verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
000000f3`67ff9040 00007ffd`95285204     : 00000212`35980000 00000000`01000002 00000000`00000000 00007ffd`00000001 : verifier!AVrfDebugPageHeapFree+0x8d
000000f3`67ff90a0 00007ffd`952356b0     : 00000212`35980000 00000000`01000002 00000000`00000006 00000000`00000060 : ntdll!RtlDebugFreeHeap+0x3c
000000f3`67ff9100 00007ffd`951c0810     : 00000212`35980000 00000212`35980000 00000000`00000000 00000212`4b301f90 : ntdll!RtlpFreeHeap+0x73d50
000000f3`67ff9260 00007ffd`951bfc11     : 00000000`00000060 00000212`35980000 00000212`5a8dda40 00000000`00000000 : ntdll!RtlpFreeHeapInternal+0x790
000000f3`67ff9310 00007ffd`931414cb     : 00000212`41da4fe0 00000000`00000000 00000000`00000000 00000212`41da4fe0 : ntdll!RtlFreeHeap+0x51
000000f3`67ff9350 00007ffd`606a7922     : 00000000`00000001 00000000`00000000 00000000`0000012c 00000000`00000060 : ucrtbase!_free_base+0x1b
000000f3`67ff9380 00007ffd`606a77e6     : 00000000`00000000 000000f3`67ff9460 000000f3`67ff9478 000000f3`67ff94c0 : libdwarf!dwarf_loclist_n+0x1162
000000f3`67ff9430 00007ffd`606b76d7     : 00000000`00000000 00000212`5a8dda40 00000212`5a8dda78 00000000`00000000 : libdwarf!dwarf_loclist_n+0x1026
000000f3`67ff9460 00007ffd`60693743     : 00000212`506ccff4 00000212`5a8dda78 00000212`35981000 00007ffd`6d1e2e28 : libdwarf!dwarf_types_dealloc+0x1257
000000f3`67ff9490 00007ffd`60694a83     : 00000000`00000001 00000000`00000010 00000212`35980000 00007ffd`951bbabb : libdwarf!dwarf_get_cu_die_offset+0x873
000000f3`67ff96a0 00007ffd`68b25470     : 00000212`485d7890 00000000`00000000 00007ffd`68b5a0ab 00000212`3a8f17dd : libdwarf!dwarf_next_cu_header_c+0x83
000000f3`67ff9730 00007ffd`68b418a7     : 00000000`00000001 00000000`00000000 00000000`00000000 000000f3`67ff98b8 : dwarf64+0x35470
000000f3`67ff9860 00007ffd`68b2a14d     : 01d67fbf`db82330b 000000f3`67ff9a38 000000f3`67ff9a01 00007ffd`68afea7a : dwarf64+0x518a7
000000f3`67ff9920 00007ffd`68b0bab4     : 00000212`47e6d680 000000f3`67ffc5d0 00007ffd`68b5a0ab 00000212`47e6d680 : dwarf64+0x3a14d
000000f3`67ff9980 00007ffd`68b3d229     : 000000f3`67ffc590 00000212`00000000 00000000`0000004e 00007ffd`68b5a0ab : dwarf64+0x1bab4
000000f3`67ffc4d0 00000000`506dc809     : 00000000`5027cf24 00000000`00000001 00000212`408f2fb0 00000000`00000001 : dwarf64+0x4d229
000000f3`67ffcd70 00000000`50277ea5     : 00000000`5087c6c0 000000f3`67ffcf10 00000212`3c9faf50 00000000`00000012 : ida64!user2bin+0x69b9
000000f3`67ffce10 00000000`506dc809     : 00000000`00000000 00000212`47f07fb0 00000000`00000000 00000000`00000000 : dbg64+0x7ea5
000000f3`67ffd3e0 00007ff7`742aeb90     : 00000000`00000000 00000000`5087c6c0 00000212`47f07fb0 00000000`00000000 : ida64!user2bin+0x69b9
000000f3`67ffd480 00007ff7`741ece41     : 00000000`00000000 00000000`00000000 000000f3`67ffd5f0 000000f3`67ffd5b0 : ida64_exe+0x18eb90
000000f3`67ffd4f0 00007ff7`74175729     : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`50646200 : ida64_exe+0xcce41
000000f3`67ffd6f0 00007ffd`69a0e27c     : 000000f3`00000490 00000000`00000000 00000000`5087c6c0 ffffffff`ffffffff : ida64_exe+0x55729
000000f3`67ffdb60 00007ffd`699f80de     : 000000f3`67ffe270 00000212`3a8dbfe0 00000212`515a6fe0 00000000`5087c6c0 : elf64+0x2e27c
000000f3`67ffe240 00000000`506423a4     : 00000000`5087c6c0 00000000`5070e8b0 00000212`3a949fa0 00000212`3a8dbfe0 : elf64+0x180de
000000f3`67ffe4a0 00000000`5064229e     : 00000212`0000002d 00000000`00000002 00000212`3a5f4e78 000000f3`67ffe4f0 : ida64!user2str+0x3314
000000f3`67ffe4e0 00000000`506427a4     : 00000212`515befa0 00000000`00000000 00000000`5087c6c0 00000212`578e2fd8 : ida64!user2str+0x320e
000000f3`67ffe7c0 00000000`50646200     : 00000000`00000000 000000f3`67ffe980 ff000000`0000000b 00000212`553acfb0 : ida64!user2str+0x3714
000000f3`67ffe840 00007ff7`74293f8d     : 00007ff7`743b45d8 00000000`00000000 00000000`00000085 00000212`515befa0 : ida64!load_nonbinary_file+0x30
000000f3`67ffe880 00007ff7`74294563     : 000000f3`67ffee10 00000000`00000000 00000212`578cefd0 00000000`0000004f : ida64_exe+0x173f8d
000000f3`67ffed80 00007ff7`74173a9b     : 000000f3`67fff600 00000000`5087c6c0 000000f3`67fff3d8 00000000`00000085 : ida64_exe+0x174563
000000f3`67ffef00 00000000`5055130a     : 00000000`00000027 000000f3`67fff600 00000212`3a5a4c40 000000f3`67fff3d8 : ida64_exe+0x53a9b
000000f3`67fff370 00007ff7`7429a37f     : 00000000`00000002 00000000`00000004 00000212`501eafb0 00000000`00000002 : ida64!init_database+0xa9a
000000f3`67fff780 00007ff7`7429b989     : 00007ff7`74367500 00000000`775d3766 00000000`00000001 000000f3`67fff8f8 : ida64_exe+0x17a37f
000000f3`67fff800 00007ff7`7429ae1a     : 00007ff7`74367500 000000f3`67fff8b0 00000212`3c6acfe0 00000000`00000010 : ida64_exe+0x17b989
000000f3`67fff840 00007ff7`7429af52     : 00000000`00000001 00000212`3c6acfe0 000000f3`67fff9a0 00000000`00000000 : ida64_exe+0x17ae1a
000000f3`67fff8f0 00007ff7`7429af7c     : 000000f3`0000008f 00007ff7`0000000f 00000001`00000003 000000f3`67fff9a0 : ida64_exe+0x17af52
000000f3`67fff930 00007ff7`7429bccd     : 000000f3`67fffa08 00000212`4f5c0fb0 00000212`3b080ff0 00000212`47e8efd0 : ida64_exe+0x17af7c
000000f3`67fff970 00007ff7`7429be5f     : 00000000`00000003 00000000`00000018 00000212`3e990fe0 00000212`3e862fb0 : ida64_exe+0x17bccd
000000f3`67fffc10 00007ff7`743495e2     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : ida64_exe+0x17be5f
000000f3`67fffc60 00007ffd`947d7bd4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ida64_exe+0x2295e2
000000f3`67fffca0 00007ffd`951eced1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000f3`67fffcd0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21