Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#15521 closed defect (fixed)

ASLR Always On Crashes Pidgin

Reported by: Lloth Owned by: datallah
Milestone: 2.10.8 Component: winpidgin (gtk)
Version: 2.10.7 Keywords: aslr, emet, windows8
Cc:

Description

Pidgin Version: 2.10.7
OS version: Windows 8 x64

When opening pidgin: The application was unable to start correctly (0xC00000142), click Ok to Close the application

Crash error code in eventlog: Exception code: 0xc0000005 Fault offset: 0x97560000

Did a bit of debugging and I suspect it's related to the new patch introducing additional exploit hardening. I have EMET 3.5 (tech preview). Turning down ASLR from "Always on" to "Application opt in" resolves the issue, and allows pidgin to start.

Debugging a bit further in the code it looks like one of the addresses is statically linked:

The crash occurs in libssp-0

CPU Disasm
Address   Hex dump           Command                                    Comments
000211EC  |> \B8 00005697    MOV EAX,97560000                           ; It looks like jump location is set statically
000211F1  |. EB A7           JMP SHORT 0002119A

....

0002119A  |> /85C0           TEST EAX,EAX
0002119C  |. |74 11          JZ SHORT 000211AF
0002119E  |. |C74424 04 209  MOV DWORD PTR SS:[LOCAL.5],OFFSET 000290
000211A6  |. |C70424 808402  MOV DWORD PTR SS:[LOCAL.6],OFFSET 000284
000211AD  |. |FFD0           CALL EAX                                   ; EAX is 97560000 , which then jumps to invalid location

Because this crashes before the application fully loads, no crash dumps are created by pidgin itself.

Just want to say I commend you guys for putting in ASLR/DEP to the most recent build, it's moving in the right direction. There is a bit more that can be done however. Currently other libraries are not built with ASLR:

http://icebuddha.com/slopfinder.htm

Current libraries without ASLR/DEP

/Pidgin/libsilc-1-1-2.dll
/Pidgin/libsilcclient-1-1-3.dll
/Pidgin/libssp-0.dll ; I suspect it's crashing because libssp-0.dll is not compiled to use ASLR.
/Pidgin/libxml2-2.dll
/Pidgin/exchndl.dll
/Pidgin/libmeanwhile-1.dll
/Pidgin/spellcheck/libenchant.dll
/Pidgin/spellcheck/libgtkspell-0.dll
/Pidgin/Gtk/bin/libgio-2.0-0.dll
/Pidgin/Gtk/bin/freetype6.dll
/Pidgin/Gtk/bin/gspawn-win32-helper-console.exe
/Pidgin/Gtk/bin/gspawn-win32-helper.exe
/Pidgin/Gtk/bin/gtk-query-immodules-2.0.exe
/Pidgin/Gtk/bin/intl.dll
/Pidgin/Gtk/bin/libatk-1.0-0.dll
/Pidgin/Gtk/bin/libcairo-2.dll
/Pidgin/Gtk/bin/libexpat-1.dll
/Pidgin/Gtk/bin/libfontconfig-1.dll
/Pidgin/Gtk/bin/libgailutil-18.dll
/Pidgin/Gtk/bin/libgdk-win32-2.0-0.dll
/Pidgin/Gtk/bin/libgdk_pixbuf-2.0-0.dll
/Pidgin/Gtk/bin/gdk-pixbuf-query-loaders.exe
/Pidgin/Gtk/bin/libglib-2.0-0.dll
/Pidgin/Gtk/bin/libgmodule-2.0-0.dll
/Pidgin/Gtk/bin/libgobject-2.0-0.dll
/Pidgin/Gtk/bin/libgthread-2.0-0.dll
/Pidgin/Gtk/bin/libgtk-win32-2.0-0.dll
/Pidgin/Gtk/bin/libpango-1.0-0.dll
/Pidgin/Gtk/bin/libpangocairo-1.0-0.dll
/Pidgin/Gtk/bin/libpangoft2-1.0-0.dll
/Pidgin/Gtk/bin/libpangowin32-1.0-0.dll
/Pidgin/Gtk/bin/libpng14-14.dll
/Pidgin/Gtk/bin/pango-querymodules.exe
/Pidgin/Gtk/bin/zlib1.dll
/Pidgin/spellcheck/lib/enchant/libenchant_ispell.dll
/Pidgin/spellcheck/lib/enchant/libenchant_myspell.dll
/Pidgin/Gtk/lib/gtk-2.0/modules/libgail.dll
/Pidgin/Gtk/lib/gtk-2.0/2.10.0/engines/libpixmap.dll
/Pidgin/Gtk/lib/gtk-2.0/2.10.0/engines/libwimp.dll
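The per-binary ASLR/DEP opt-in that the list above is based on lives in the DllCharacteristics field of each PE file's optional header. The following is an added example, not part of this ticket or of Pidgin: it reads that field, walks an install tree for .dll/.exe files missing either flag, and uses a constructed minimal header as sample input since no real DLL is embedded here.

```python
import os
import struct

# DllCharacteristics bits from the PE optional header (winnt.h)
DYNAMIC_BASE = 0x0040  # image can be relocated at load time: ASLR opt-in
NX_COMPAT = 0x0100     # image declares itself DEP-compatible

def pe_mitigations(data: bytes) -> dict:
    """Read DllCharacteristics from a PE image and report its ASLR/DEP opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {"pe32plus": magic == 0x20B,
            "aslr": bool(dllchar & DYNAMIC_BASE),
            "dep": bool(dllchar & NX_COMPAT)}

def scan_tree(root: str) -> list:
    """List (path, info) for each .dll/.exe under root that lacks ASLR or DEP."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".dll", ".exe")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # both headers sit within the first page
            try:
                info = pe_mitigations(head)
            except (ValueError, struct.error):
                continue  # not a PE file, or a truncated header
            if not (info["aslr"] and info["dep"]):
                findings.append((path, info))
    return findings

def build_test_image(dllchar: int) -> bytes:
    """Constructed minimal PE32 header (not a real DLL): only the fields parsed above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)  # DllCharacteristics
    return bytes(dos) + coff + bytes(opt)
```

Running scan_tree over a Pidgin install directory reproduces the kind of list shown above; a hit for a DLL means the loader will not relocate it even under an "Always on" ASLR policy unless the policy forces it.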

Change History (6)

comment:1 Changed 4 years ago by Lloth

http://iweb.dl.sourceforge.net/project/mingw/MinGW/Base/gcc/Version4/gcc-4.7.2-1/libssp-4.7.2-1-mingw32-dll-0.tar.lzma

Updating to the most recent library and replacing that DLL allows for ASLR to be on Always allow in EMET as well as for pidgin to start. Still doesn't enable ASLR on the library itself though.

comment:2 Changed 4 years ago by datallah

  • Component changed from unclassified to winpidgin (gtk)
  • Owner changed from rekkanoryo to datallah

The libssp-0.dll (gcc stack smashing protection library) shipped with Pidgin 2.10.7 is the one from mingw gcc 4.4.0.

The Pidgin 2.10.7 windows binaries were compiled with gcc 4.7.2, so it makes sense we'd need to use the newer library.

It'd be best if libssp could be linked statically instead of having to ship a dll that we need to maintain the versions of - IIRC there were some issues doing that with gcc 4.4.0, but I'll need to do some testing with gcc 4.7.2 to see if it works now.

The list of dlls built without ASLR are all third party except exchndl.dll.

Last edited 4 years ago by datallah

comment:3 Changed 4 years ago by Daniel Atallah <datallah@…>

  • Milestone set to 2.10.8
  • Resolution set to fixed
  • Status changed from new to closed

(In [910bab8c9dac]):
win32: Use the libssp-0.dll from the gcc bin directory instead of based on a separate dependency.

comment:4 follow-up: Changed 4 years ago by dbeusee

I am using Windows 7 x64 and I have the same crash at startup in libssp-0.dll which is not fixed by downloading the latest libssp-0.dll. My only recourse seems to be reinstalling 2.10.6 which works fine, even with 2.10.7 gdk libs.

Here is the detailed event data:

Log Name:      Application
Source:        Application Error
Date:          3/5/2013 2:32:16 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XXXX
Description:
Faulting application name: pidgin.exe, version: 2.10.7.0, time stamp: 0x511b1a52
Faulting module name: libssp-0.dll, version: 0.0.0.0, time stamp: 0x4a404128
Exception code: 0xc000001d
Fault offset: 0x000012d5
Faulting process id: 0xbbb4
Faulting application start time: 0x01ce198cb48bbacd
Faulting application path: C:\Program Files (x86)\Pidgin\pidgin.exe
Faulting module path: C:\Program Files (x86)\Pidgin\libssp-0.dll
Report Id: f29daa2c-857f-11e2-9fc1-00059a3c7a00
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-05T10:32:16.000000000Z" />
    <EventRecordID>12268</EventRecordID>
    <Channel>Application</Channel>
    <Computer>XXXX</Computer>
    <Security />
  </System>
  <EventData>
    <Data>pidgin.exe</Data>
    <Data>2.10.7.0</Data>
    <Data>511b1a52</Data>
    <Data>libssp-0.dll</Data>
    <Data>0.0.0.0</Data>
    <Data>4a404128</Data>
    <Data>c000001d</Data>
    <Data>000012d5</Data>
    <Data>bbb4</Data>
    <Data>01ce198cb48bbacd</Data>
    <Data>C:\Program Files (x86)\Pidgin\pidgin.exe</Data>
    <Data>C:\Program Files (x86)\Pidgin\libssp-0.dll</Data>
    <Data>f29daa2c-857f-11e2-9fc1-00059a3c7a00</Data>
  </EventData>
</Event>

Please advise.

Last edited 4 years ago by dbeusee

comment:5 in reply to: ↑ 4 Changed 4 years ago by datallah

Replying to dbeusee:

I am using Windows 7 x64 and I have the same crash at startup in libssp-0.dll which is not fixed by downloading the latest libssp-0.dll. My only recourse seems to be reinstalling 2.10.6 which works fine, even with 2.10.7 gdk libs.

This is going to be a different issue. If #15520 isn't the problem, please get a crash report and file a separate ticket.

comment:6 Changed 4 years ago by datallah

Ticket #15587 has been marked as a duplicate of this ticket.
