Skip to content
GitLab
Closed
Issue created by Administrator@rootContributor

APP CRASH: x64 Windows & TLS under drcov

Created by: expend20

Hi! I've got a simple app which tries to extract thumbnail from image. The problem is it causes a crash being run under DR, and runs fine without DR. When I run it under DR, the post-mortem debugger attaches to the process and I'm able to see the cause of it, which seems related to TLS structure.

(2798.3964): Access violation - code c0000005 (!!! second chance !!!)
CompPkgSup!CacheCodecExtensions+0x33:
00007ffd`bcd07f2f 428b0401        mov     eax,dword ptr [rcx+r8] ds:00000000`00000004=????????
0:000> k
 # Child-SP          RetAddr           Call Site
00 000000b7`f28fc5d0 00007ffd`bcd0b602 CompPkgSup!CacheCodecExtensions+0x33
01 000000b7`f28fc690 00007ffd`bcd0c424 CompPkgSup!GetMediaComponentPackageInfoInternal+0x4fe
02 000000b7`f28fc7b0 00007ffd`bd486309 CompPkgSup!GetMediaComponentPackageInfo+0x64
03 000000b7`f28fc800 00007ffd`bd48362f MFPlat!EnumPackagedMFTs+0x141
04 000000b7`f28fc9f0 00007ffd`bdff1df6 MFPlat!MFTEnumEx+0x25f
05 000000b7`f28fcb30 00007ffd`bdff274c MSRAWImage!CreateWICComponent+0x2ee
06 000000b7`f28fccb0 00007ffd`c7df70b5 MSRAWImage!CWICRAWDecoderClassFactory::CreateInstance+0x4c
07 000000b7`f28fcd00 00007ffd`c7db4840 combase!CServerContextActivator::CreateInstance+0x1d5 [onecore\com\combase\objact\actvator.cxx @ 881] 
08 000000b7`f28fce80 00007ffd`c7df6c3c combase!ActivationPropertiesIn::DelegateCreateInstance+0x90 [onecore\com\combase\actprops\actprops.cxx @ 1983] 
09 000000b7`f28fcf10 00007ffd`c7e54228 combase!CApartmentActivator::CreateInstance+0x9c [onecore\com\combase\objact\actvator.cxx @ 2189] 
0a 000000b7`f28fcfc0 00007ffd`c7e58890 combase!CProcessActivator::CCICallback+0x58 [onecore\com\combase\objact\actvator.cxx @ 1640] 
0b 000000b7`f28fd010 00007ffd`c7e50971 combase!CProcessActivator::AttemptActivation+0x40 [onecore\com\combase\objact\actvator.cxx @ 1527] 
0c 000000b7`f28fd060 00007ffd`c7e54730 combase!CProcessActivator::ActivateByContext+0x91 [onecore\com\combase\objact\actvator.cxx @ 1371] 
0d 000000b7`f28fd0f0 00007ffd`c7db4840 combase!CProcessActivator::CreateInstance+0x80 [onecore\com\combase\objact\actvator.cxx @ 1271] 
0e 000000b7`f28fd140 00007ffd`c7e01cff combase!ActivationPropertiesIn::DelegateCreateInstance+0x90 [onecore\com\combase\actprops\actprops.cxx @ 1983] 
0f 000000b7`f28fd1d0 00007ffd`c7db4840 combase!CClientContextActivator::CreateInstance+0x17f [onecore\com\combase\objact\actvator.cxx @ 570] 
10 000000b7`f28fd480 00007ffd`c7de6047 combase!ActivationPropertiesIn::DelegateCreateInstance+0x90 [onecore\com\combase\actprops\actprops.cxx @ 1983] 
11 000000b7`f28fd510 00007ffd`c7de4b09 combase!ICoCreateInstanceEx+0x917 [onecore\com\combase\objact\objact.cxx @ 2028] 
12 000000b7`f28fe400 00007ffd`c7de494c combase!CComActivator::DoCreateInstance+0x169 [onecore\com\combase\objact\immact.hxx @ 386] 
13 (Inline Function) --------`-------- combase!CoCreateInstanceEx+0xd1 [onecore\com\combase\objact\actapi.cxx @ 177] 
14 000000b7`f28fe560 00007ffd`b9d46702 combase!CoCreateInstance+0x10c [onecore\com\combase\objact\actapi.cxx @ 121] 
15 000000b7`f28fe600 00007ffd`b9d1fa9c windowscodecs!CCodecInfo::CreateInstance+0xe2
16 000000b7`f28fe640 00007ffd`b9d21b6e windowscodecs!CCodecFactory::HrArbitrateDecoderList+0x5e4
17 000000b7`f28fe790 00007ffd`b9d47cb2 windowscodecs!CCodecFactory::HrCreateDecoderFromStreamInternalNew+0x30e
18 000000b7`f28fe870 00007ffd`a78a76f4 windowscodecs!CCodecFactory::CreateDecoderFromStream+0x72
19 000000b7`f28fe8d0 00007ffd`c56f65fe PhotoMetadataHandler!CPhotoThumbnailProvider::Initialize+0x104
1a 000000b7`f28fe960 00007ffd`c56f5e21 windows_storage!InitializeFileHandlerWithStream+0x16e
1b 000000b7`f28fea20 00007ffd`c5678e74 windows_storage!CFileSysItemString::HandlerCreateInstance+0x2e9
1c 000000b7`f28feb10 00007ffd`c56b1c3c windows_storage!CFileSysItemString::LoadHandler+0x1f4
1d 000000b7`f28fec60 00007ffd`c567a456 windows_storage!CFSFolder::s_GetThumbnailExtractor+0x18c
1e 000000b7`f28feff0 00007ffd`c574e4b2 windows_storage!CFSFolder::_BindHandler+0x5c6
1f 000000b7`f28ff380 00007ffd`c56c20a9 windows_storage!CFSFolder::GetThumbnailHandler+0x62
20 000000b7`f28ff400 00007ffd`c566e71d windows_storage!_CreateThumbnailHandler+0xa9
*** WARNING: Unable to verify checksum for z:\s\bb\ms\ms-thumbnail\vs-thumb-get\open\x64\Release\open.exe
21 000000b7`f28ff4c0 00007ff6`ec2d108f windows_storage!CShellItem::BindToHandler+0x69d
22 000000b7`f28ff820 00007ff6`ec2d120d open!fuzz+0x8f [z:\s\bb\ms\ms-thumbnail\vs-thumb-get\open\open\Source.cpp @ 36] 
23 000000b7`f28ff890 00007ff6`ec2d1474 open!main+0xfd [z:\s\bb\ms\ms-thumbnail\vs-thumb-get\open\open\Source.cpp @ 87] 
24 (Inline Function) --------`-------- open!invoke_main+0x22 [d:\agent\_work\4\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78] 
25 000000b7`f28ffaf0 00007ffd`c9706fd4 open!__scrt_common_main_seh+0x10c [d:\agent\_work\4\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
26 000000b7`f28ffb30 00007ffd`c9ca2c41 KERNEL32!BaseThreadInitThunk+0x14
27 000000b7`f28ffb60 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:000> ub
CompPkgSup!CacheCodecExtensions+0xc:
00007ffd`bcd07f08 4157            push    r15
00007ffd`bcd07f0a 488bec          mov     rbp,rsp
00007ffd`bcd07f0d 4881ec80000000  sub     rsp,80h
00007ffd`bcd07f14 65488b042558000000 mov   rax,qword ptr gs:[58h]
00007ffd`bcd07f1d 4c8be1          mov     r12,rcx
00007ffd`bcd07f20 8b1572630200    mov     edx,dword ptr [CompPkgSup!tls_index (00007ffd`bcd2e298)]
00007ffd`bcd07f26 b904000000      mov     ecx,4
00007ffd`bcd07f2b 4c8b04d0        mov     r8,qword ptr [rax+rdx*8]

To Reproduce Steps to reproduce the behavior:

  1. The binary takes path to the file as command line parameter. You should run it like this:
open.exe <path to attached bmp without extension> .bmp
  • open.exe
  • bmp The program just prints (via OutputDebugString) "-" in this sample.
  1. Running the same command under DR leads to aforementioned APP CRASH.
drrun.exe -t drcov -- open.exe bmp .bmp

Please also answer these questions:

  • What happens when you run without any client?
    • "-" is printed to dbgview.exe
  • What happens when you run with debug build ("-debug" flag to drrun/drconfig/drinject)?
    • I actually didn't find the way how I can feed "-debug" to drcov

Versions

  • What version of DynamoRIO are you using?
    • 7.91.18301.2
  • Does the latest build from https://github.com/DynamoRIO/dynamorio/wiki/Latest-Build solve the problem?
    • nope
  • What operating system version are you running on? ("Windows 10" is not sufficient: give the release number.)
    • Version 10.0.18363.657
  • Is your application 32-bit or 64-bit?
    • 64 bit

Additional context

Here is full crashdump