Microsoft Edge crash

c++ / delphi package - dll injection and api hooking
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Microsoft Edge crash

Post by EaSy »

Hi,
we are testing W10 support and we found a crash in Edge in the MCH function CreateMetroSd.


MicrosoftEdgeCP.exe(5).408.dmp
---------------------------------------------

FAULTING_IP:
iertutil!IEConfiguration_GetBool+318
00007fff`cec35bc8 488b04c8 mov rax,qword ptr [rax+rcx*8]

EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007fffcec35bc8 (iertutil!IEConfiguration_GetBool+0x0000000000000318)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

PROCESS_NAME: microsoftedgecp.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukce na adrese 0x%08lx odkazovala na adresu pam

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukce na adrese 0x%08lx odkazovala na adresu pam

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000008

READ_ADDRESS: 0000000000000008

FOLLOWUP_IP:
iertutil!IEConfiguration_GetBool+318
00007fff`cec35bc8 488b04c8 mov rax,qword ptr [rax+rcx*8]

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00000000000016a0

BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_ONE_BIT_INVALID_POINTER_READ

PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_DEREFERENCE_ONE_BIT

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_ONE_BIT

LAST_CONTROL_TRANSFER: from 00007fffd11076c9 to 00007fffcec35bc8

STACK_TEXT:
0000000a`85efd050 00007fff`d11076c9 : 0000000a`8601b780 00000000`00000001 00000000`00000090 00007fff`d76a341b : iertutil!IEConfiguration_GetBool+0x318
0000000a`85efd0b0 00007fff`d1107487 : 0000000a`8601b780 0000000a`8601b8e0 00000000`0000000e 0000000a`8600d690 : eshims!CShimBindings::_GetNeededShims+0x69
0000000a`85efd0e0 00007fff`d1107337 : 0000000a`8601b780 00000000`00000001 0000000a`85efd130 00007fff`00000000 : eshims!CShimBindings::_InitializeLoadedModules+0xbf
0000000a`85efd110 00007fff`d1106ee4 : 0000000a`00000004 0000000a`8601b780 00000000`00000090 00000000`00000001 : eshims!CShimBindings::ApplyShims+0x3b
0000000a`85efd140 00007fff`d1107043 : 0000000a`8601b780 00000000`00000001 00000000`00000000 00000000`00000001 : eshims!CShimBindings::DllMainHook+0x80
0000000a`85efd1b0 00007fff`da183d70 : 00000000`00000001 0000000a`85efd4d0 00000000`00000000 0000000a`8601b780 : eshims!CShimBindings::s_DllMainHook+0x73
0000000a`85efd200 00007fff`da1a6be6 : 0000000a`8602e7e0 00007fff`d5e60000 0000000a`00000001 0000000a`8601b780 : ntdll!LdrpCallInitRoutine+0x4c
0000000a`85efd260 00007fff`da1a6a0b : 0000000a`86050dc0 00007fff`da1a1200 0000000a`86050dc0 00007fff`d1106fd0 : ntdll!LdrpInitializeNode+0x182
0000000a`85efd390 00007fff`da1a009d : 00000000`00000000 00000000`00000000 0000000a`85efd420 0000000a`85efd4d0 : ntdll!LdrpInitializeGraphRecurse+0x73
0000000a`85efd3d0 00007fff`da18096c : 0000000a`85efd4d0 00000000`00000000 00000000`00000000 0000000a`85efd640 : ntdll!LdrpPrepareModuleForExecution+0xc5
0000000a`85efd410 00007fff`da1c5b9e : 0000000a`85efd640 0000000a`85efd7e0 0000000a`86008e40 0000000a`86008e40 : ntdll!LdrpLoadDllInternal+0x1a8
0000000a`85efd490 00007fff`da1c5a0d : 00007fff`d7d58bc0 0000000a`86008e40 00007fff`d7d8adf8 00000000`00000000 : ntdll!LdrpLoadForwardedDll+0x132
0000000a`85efd7a0 00007fff`da176b69 : 00007fff`001a0018 00007fff`d7d7a344 0000000a`00000000 00000000`00000000 : ntdll!LdrpGetDelayloadExportDll+0x85
0000000a`85efd890 00007fff`da176e58 : 00000000`00000000 0000000a`8604a6b0 00007fff`d7d7a344 00007fff`d7cf0000 : ntdll!LdrpHandleProtectedDelayload+0x65
0000000a`85efdd80 00007fff`d7d0868c : 0000000a`85efdf78 00000000`00000002 0000000a`85efe018 0000000a`8604aaa0 : ntdll!LdrResolveDelayLoadedAPI+0x88
0000000a`85efdde0 00007fff`d7d0f4ff : 0000000a`86034e00 00007fff`da18a963 0000000a`86052770 00007fff`c5466ce6 : advapi32!_delayLoadHelper2+0x2c
0000000a`85efde20 00007fff`d7d0d8a9 : 00000000`00000002 0000000a`85efdf90 00000000`00000000 0000000a`85efdf78 : advapi32!_tailMerge_api_ms_win_security_provider_l1_1_0_dll+0x3f
0000000a`85efde90 00007fff`c544365d : 00007fff`c54decc8 00007fff`d7d0d7f0 00000000`00000000 0000000a`85efdf78 : advapi32!SetEntriesInAclA+0xb9
0000000a`85efdf00 00007fff`c5443301 : 0000000a`85efe270 00000000`00000000 00000000`00000000 00000000`00000000 : Guard!CreateMetroSd+0x24d [common\libraries\madcodehook\sources\c++\objecttools.cpp @ 357]
0000000a`85efe040 00007fff`c54427ff : 0000000a`85efe238 0000000a`85efe270 00000000`00000001 0000000a`8604aaa0 : Guard!InitSecurityAttributes+0x4b1 [common\libraries\madcodehook\sources\c++\objecttools.cpp @ 440]
0000000a`85efe1f0 00007fff`c54429de : 0000000a`86054590 00007fff`00000008 00000000`00000000 0000000a`86054590 : Guard!InternalCreateFileMapping+0x3f [common\libraries\madcodehook\sources\c++\objecttools.cpp @ 118]
0000000a`85efe2d0 00007fff`c54529b6 : 0000000a`86054590 0000000a`00000008 ffffe001`00000001 00007fff`c5466ce6 : Guard!CreateLocalFileMapping+0x1e [common\libraries\madcodehook\sources\c++\objecttools.cpp @ 233]
0000000a`85efe300 00007fff`c5445e2a : 0000000a`86050be0 0000000a`85efe590 00007fff`d7d21a10 00007fff`d7d21a10 : Guard!CHookQueue::Initialize+0x46 [common\libraries\madcodehook\sources\c++\chookqueue.cpp @ 37]
0000000a`85efe360 00007fff`c54443ba : 0000000a`86046af0 0000000a`85efe540 0000000a`85efe590 00007fff`d7d21a10 : Guard!CCodeHook::InitializeQueue+0x48a [common\libraries\madcodehook\sources\c++\ccodehook.cpp @ 528]
0000000a`85efe4e0 00007fff`c5439d7b : 0000000a`86046af0 00007fff`d7cf0000 0000000a`85efede0 00007fff`d7d21a10 : Guard!CCodeHook::CCodeHook+0x3da [common\libraries\madcodehook\sources\c++\ccodehook.cpp @ 118]
0000000a`85efe7d0 00007fff`c54396f7 : 00007fff`c5290000 00007fff`d7cf0000 00007fff`c547a490 0000000a`85efede0 : Guard!HookCodeInternal+0x17b [common\libraries\madcodehook\sources\c++\hooking.cpp @ 336]
0000000a`85efed70 00007fff`c534c029 : 00007fff`c547a490 0000000a`85efede0 00007fff`c536eec0 00007fff`c54decc8 : Guard!HookAPI+0x127 [common\libraries\madcodehook\sources\c++\hooking.cpp @ 153]
0000000a`85efef00 00007fff`c534c162 : 0000000a`8604a620 0000000a`860504b0 0000000a`8604de90 00007fff`c54d7ae0 : Guard!CHooker::HookFunction+0x139 [client service\modules\hooking\hooker.cpp @ 278]
0000000a`85efef40 00007fff`c539382e : 00007fff`c54d7ae0 0000000a`8604aac4 00000000`00000009 0000000a`86034d58 : Guard!CHooker::HookAllToBeHookedFunctions+0x52 [client service\modules\hooking\hooker.cpp @ 359]
0000000a`85efef70 00007fff`c53930e3 : 00007fff`c54e7ee0 00000000`000016a0 0000000a`86038100 0000000a`86038100 : Guard!DCCInjectionDll::InitHookingEngine+0x72e [client service\modules\injectiondll\injectiondll.cpp @ 605]
0000000a`85eff0b0 00007fff`c5391a08 : 00007fff`c54e7ee0 0000000a`8603bc10 0000000a`8603ba00 0000000a`8608bbf0 : Guard!DCCInjectionDll::Init+0x11a3 [client service\modules\injectiondll\injectiondll.cpp @ 489]
0000000a`85eff190 00007fff`c5453afd : 00000000`00000001 00000000`00000001 0000000a`85eff534 00000000`00000601 : Guard!DllMain+0x208 [client service\modules\injectiondll\injectiondll.cpp @ 80]
0000000a`85eff220 00007fff`da183d70 : 00000000`00000001 00007fff`c5453a30 00007fff`c5290000 00007fff`da1a6cc8 : Guard!__DllMainCRTStartup+0x8d [f:\dd\vctools\crt\crtw32\dllstuff\crtdll.c @ 508]
0000000a`85eff260 00007fff`da1a6be6 : 0000000a`8602dca0 00007fff`c5290000 0000000a`00000001 0000000a`8602ea20 : ntdll!LdrpCallInitRoutine+0x4c
0000000a`85eff2c0 00007fff`da1a6a0b : 0000000a`86014e60 0000000a`86014e00 0000000a`85eff430 00007fff`c5453a30 : ntdll!LdrpInitializeNode+0x182
0000000a`85eff3f0 00007fff`da1a009d : 00000000`00000000 00000000`00000000 0000000a`85eff480 0000000a`85eff534 : ntdll!LdrpInitializeGraphRecurse+0x73
0000000a`85eff430 00007fff`da18096c : 0000000a`85eff534 00000000`00000000 00000000`00000000 0000000a`85eff540 : ntdll!LdrpPrepareModuleForExecution+0xc5
0000000a`85eff470 00007fff`da1805ca : 0000000a`85eff540 0000000a`85eff6d0 00000000`00000000 00000000`00000001 : ntdll!LdrpLoadDllInternal+0x1a8
0000000a`85eff4f0 00007fff`da17af86 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpLoadDll+0xf2
0000000a`85eff690 00007fff`fffd0322 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrLoadDll+0x96
0000000a`85eff790 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 0000000a`85eff7d0 : 0x7fff`fffd0322


STACK_COMMAND: ~1s; .ecxr ; kb

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: iertutil!IEConfiguration_GetBool+318

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: iertutil

IMAGE_NAME: iertutil.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 55a72874

FAILURE_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_ONE_BIT_c0000005_iertutil.dll!IEConfiguration_GetBool

BUCKET_ID: X64_APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_ONE_BIT_INVALID_POINTER_READ_iertutil!IEConfiguration_GetBool+318

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/microsoftedgecp_exe/11_0_10240_16384/559f3853/iertutil_dll/11_0_10240_16391/55a72874/c0000005/00045bc8.htm?Retriage=1

Followup: MachineOwner
--------- 
Thx.

Sincerely
PP
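The stack in the dump above reads bottom-up as a loader story: the injected Guard DLL is still inside its own DllMain (called from ntdll!LdrpCallInitRoutine) when HookAPI -> CreateMetroSd calls advapi32!SetEntriesInAclA, whose first use goes through advapi32's delay-load thunk, which makes ntdll load a further DLL and run yet another DLL initializer (eshims!CShimBindings::s_DllMainHook), and that initializer hits the null read in iertutil!IEConfiguration_GetBool. Pulling that out of a `!analyze -v` STACK_TEXT block is mechanical enough to script. The Python below is an added example, not code from this thread or from madCodeHook: it parses frames in WinDbg's STACK_TEXT layout and reports which DLL's DllMain is on the stack, how many nested LdrpCallInitRoutine callouts there are, and whether a delay-load thunk is present and which API's call triggered it. The sample input is a constructed subset of the frames posted above; the names `parse_stack_text`, `triage` and `describe` are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the STACK_TEXT frames from the dump posted above, in the
# "child-SP return-addr : arg1 arg2 arg3 arg4 : symbol [source @ line]" layout of !analyze -v.
SAMPLE_STACK_TEXT = r"""
0000000a`85efd050 00007fff`d11076c9 : 0000000a`8601b780 00000000`00000001 00000000`00000090 00007fff`d76a341b : iertutil!IEConfiguration_GetBool+0x318
0000000a`85efd0b0 00007fff`d1107487 : 0000000a`8601b780 0000000a`8601b8e0 00000000`0000000e 0000000a`8600d690 : eshims!CShimBindings::_GetNeededShims+0x69
0000000a`85efd1b0 00007fff`da183d70 : 00000000`00000001 0000000a`85efd4d0 00000000`00000000 0000000a`8601b780 : eshims!CShimBindings::s_DllMainHook+0x73
0000000a`85efd200 00007fff`da1a6be6 : 0000000a`8602e7e0 00007fff`d5e60000 0000000a`00000001 0000000a`8601b780 : ntdll!LdrpCallInitRoutine+0x4c
0000000a`85efd410 00007fff`da1c5b9e : 0000000a`85efd640 0000000a`85efd7e0 0000000a`86008e40 0000000a`86008e40 : ntdll!LdrpLoadDllInternal+0x1a8
0000000a`85efdd80 00007fff`d7d0868c : 0000000a`85efdf78 00000000`00000002 0000000a`85efe018 0000000a`8604aaa0 : ntdll!LdrResolveDelayLoadedAPI+0x88
0000000a`85efdde0 00007fff`d7d0f4ff : 0000000a`86034e00 00007fff`da18a963 0000000a`86052770 00007fff`c5466ce6 : advapi32!_delayLoadHelper2+0x2c
0000000a`85efde20 00007fff`d7d0d8a9 : 00000000`00000002 0000000a`85efdf90 00000000`00000000 0000000a`85efdf78 : advapi32!_tailMerge_api_ms_win_security_provider_l1_1_0_dll+0x3f
0000000a`85efde90 00007fff`c544365d : 00007fff`c54decc8 00007fff`d7d0d7f0 00000000`00000000 0000000a`85efdf78 : advapi32!SetEntriesInAclA+0xb9
0000000a`85efdf00 00007fff`c5443301 : 0000000a`85efe270 00000000`00000000 00000000`00000000 00000000`00000000 : Guard!CreateMetroSd+0x24d [common\libraries\madcodehook\sources\c++\objecttools.cpp @ 357]
0000000a`85efed70 00007fff`c534c029 : 00007fff`c547a490 0000000a`85efede0 00007fff`c536eec0 00007fff`c54decc8 : Guard!HookAPI+0x127 [common\libraries\madcodehook\sources\c++\hooking.cpp @ 153]
0000000a`85eff190 00007fff`c5453afd : 00000000`00000001 00000000`00000001 0000000a`85eff534 00000000`00000601 : Guard!DllMain+0x208 [client service\modules\injectiondll\injectiondll.cpp @ 80]
0000000a`85eff260 00007fff`da1a6be6 : 0000000a`8602dca0 00007fff`c5290000 0000000a`00000001 0000000a`8602ea20 : ntdll!LdrpCallInitRoutine+0x4c
0000000a`85eff690 00007fff`fffd0322 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrLoadDll+0x96
0000000a`85eff790 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 0000000a`85eff7d0 : 0x7fff`fffd0322
"""

# One STACK_TEXT frame: child SP, return address, four argument slots, then the symbol text.
FRAME_RE = re.compile(r"^(?P<sp>[0-9a-f`]+) (?P<ret>[0-9a-f`]+) : (?:[0-9a-f`]+ ){4}: (?P<sym>.+?)\s*$")
# "module!function+0xOFF [file @ line]"; the offset and source part are both optional.
SYMBOL_RE = re.compile(r"^(?P<module>[^!\s]+)!(?P<func>[^+\[]+?)(?:\+0x(?P<off>[0-9a-f]+))?(?:\s+\[(?P<src>.+)\])?$")

# Symbols that mean "this frame is the delay-load machinery", not application code.
DELAY_LOAD_MARKERS = ("_delayLoadHelper", "LdrResolveDelayLoadedAPI",
                      "LdrpHandleProtectedDelayload", "LdrpGetDelayloadExportDll")


@dataclass
class Frame:
    module: str             # "Guard", "ntdll", ... ("?" for a bare return address)
    func: str               # symbol without module and offset
    offset: int
    source: Optional[str]   # "file.cpp @ 357" when private symbols were available
    raw: str


def parse_stack_text(text: str) -> List[Frame]:
    """Parse a STACK_TEXT block (innermost frame first); non-frame lines are ignored."""
    frames: List[Frame] = []
    for line in text.splitlines():
        line = line.strip()
        m = FRAME_RE.match(line)
        if not m:
            continue
        s = SYMBOL_RE.match(m.group("sym"))
        if s:
            frames.append(Frame(s.group("module"), s.group("func").strip(),
                                int(s.group("off") or "0", 16), s.group("src"), line))
        else:
            frames.append(Frame("?", m.group("sym"), 0, None, line))
    return frames


def triage(frames: List[Frame]) -> Dict[str, object]:
    """Extract the loader-related facts a reviewer wants from a crash of this shape."""
    result: Dict[str, object] = {
        "faulting_frame": f"{frames[0].module}!{frames[0].func}" if frames else None,
        "dllmain_modules": [],        # DLLs whose DllMain is on the stack (innermost first)
        "nested_loader_callouts": 0,  # ntdll!LdrpCallInitRoutine frames; >1 = init inside init
        "delay_load": False,
        "delay_loaded_dll": None,     # name as mangled into the _tailMerge_ thunk symbol
        "delay_load_trigger": None,   # the API whose call resolved the delay-loaded import
        "dllmain_load_hazard": False, # a DLL load happened while a DllMain was executing
    }
    for i, f in enumerate(frames):
        if f.func == "DllMain":
            result["dllmain_modules"].append(f.module)
        if f.module == "ntdll" and f.func == "LdrpCallInitRoutine":
            result["nested_loader_callouts"] += 1
        if f.func.startswith("_tailMerge_"):
            result["delay_loaded_dll"] = f.func[len("_tailMerge_"):]
        if any(f.func.startswith(mk) for mk in DELAY_LOAD_MARKERS):
            result["delay_load"] = True
            if result["delay_load_trigger"] is None:
                # First caller below the delay-load thunks is the API that was being resolved.
                for g in frames[i + 1:]:
                    if g.module == "ntdll" or g.func.startswith(("_delayLoadHelper", "_tailMerge_")):
                        continue
                    result["delay_load_trigger"] = f"{g.module}!{g.func}"
                    break
    result["dllmain_load_hazard"] = bool(result["dllmain_modules"]) and bool(result["delay_load"])
    return result


def describe(result: Dict[str, object]) -> str:
    """One-line reading of the triage result, suitable for a bug report."""
    parts = [f"fault in {result['faulting_frame']}"]
    if result["dllmain_modules"]:
        parts.append("reached from DllMain of " + ", ".join(result["dllmain_modules"]))
    if result["delay_load"]:
        parts.append(f"while {result['delay_load_trigger']} resolved its delay-loaded import "
                     f"({result['delay_loaded_dll']})")
    if result["nested_loader_callouts"] > 1:
        parts.append(f"{result['nested_loader_callouts']} nested loader init callouts "
                     "(a DLL initializer ran inside another DLL's initializer)")
    return "; ".join(parts)


if __name__ == "__main__":
    print(describe(triage(parse_stack_text(SAMPLE_STACK_TEXT))))
```

On the sample it reports the fault in iertutil!IEConfiguration_GetBool, reached from Guard's DllMain while advapi32!SetEntriesInAclA resolved its delay-loaded api-ms-win-security-provider import, with two nested loader callouts. That last pair of facts is the hazard the DllMain documentation warns about (a DllMain must not cause further DLLs to load, and a delay-loaded import does exactly that on first use), so when a crash stack shows `_delayLoadHelper2` sandwiched between two `LdrpCallInitRoutine` frames, the thing to look at is the process-attach path, not the faulting function at the top.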
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge crash

Post by madshi »

Hmmmm... After a quick check I didn't find any obvious errors in my code. Is there an easy way to reproduce this problem? Running my demos in Windows 10 seems to work fine.
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Microsoft Edge crash

Post by EaSy »

Hi,
we will try to reproduce it with your demo.

PP