[Pidgin] #15521: ASLR Always On Crashes Pidgin

Pidgin trac at pidgin.im
Sun Feb 17 12:46:18 EST 2013


#15521: ASLR Always On Crashes Pidgin
--------------------+---------------------------------
 Reporter:  Lloth   |      Owner:  rekkanoryo
     Type:  defect  |     Status:  new
Milestone:          |  Component:  unclassified
  Version:  2.10.7  |   Keywords:  aslr, emet,windows8
--------------------+---------------------------------
 Pidgin Version: 2.10.7
 OS version: Windows 8 x64

 When opening pidgin:
 The application was unable to start correctly (0xC00000142), click Ok to
 Close the application

 Crash error code in eventlog:
 Exception code: 0xc0000005
 Fault offset: 0x97560000

 Did a bit of debugging and I suspect it's related to the new patch
 introducing additional exploit hardening.
 I have EMET 3.5 (tech preview). Turning down ASLR from "Always on" to
 "Application opt in" resolves the issue, and allows pidgin to start.

 Debugging a bit further in the code it looks like one of the addresses is
 statically linked:

 The crash occurs in libssp-0

 CPU Disasm
 Address   Hex dump          Command                              Comments
 000211EC  |> \B8 00005697   MOV EAX,97560000                     ; It looks like jump location is set statically
 000211F1  |. EB A7         JMP SHORT 0002119A

 ....

 0002119A  |> /85C0          TEST EAX,EAX
 0002119C  |. |74 11         JZ SHORT 000211AF
 0002119E  |. |C74424 04 209 MOV DWORD PTR SS:[LOCAL.5],OFFSET 000290
 000211A6  |. |C70424 808402 MOV DWORD PTR SS:[LOCAL.6],OFFSET 000284
 000211AD  |. |FFD0          CALL EAX
 ; EAX is 97560000 , which then jumps to invalid location

 Because this crashes before the application fully loads, no crash dumps
 are created by pidgin itself.

 Just want to say I commend you guys for putting in ASLR/DEP to the most
 recent build, it's moving in the right direction.  There is a bit more
 that can be done however.  Currently other libraries are not built with
 ASLR:

 http://icebuddha.com/slopfinder.htm

 Current libraries without ASLR/DEP

 /Pidgin/libsilc-1-1-2.dll
 /Pidgin/libsilcclient-1-1-3.dll
 /Pidgin/libssp-0.dll  ; I suspect it's crashing because libssp-0.dll is
 not compiled to use ASLR.
 /Pidgin/libxml2-2.dll
 /Pidgin/exchndl.dll
 /Pidgin/libmeanwhile-1.dll
 /Pidgin/spellcheck/libenchant.dll
 /Pidgin/spellcheck/libgtkspell-0.dll
 /Pidgin/Gtk/bin/libgio-2.0-0.dll
 /Pidgin/Gtk/bin/freetype6.dll
 /Pidgin/Gtk/bin/gspawn-win32-helper-console.exe
 /Pidgin/Gtk/bin/gspawn-win32-helper.exe
 /Pidgin/Gtk/bin/gtk-query-immodules-2.0.exe
 /Pidgin/Gtk/bin/intl.dll
 /Pidgin/Gtk/bin/libatk-1.0-0.dll
 /Pidgin/Gtk/bin/libcairo-2.dll
 /Pidgin/Gtk/bin/libexpat-1.dll
 /Pidgin/Gtk/bin/libfontconfig-1.dll
 /Pidgin/Gtk/bin/libgailutil-18.dll
 /Pidgin/Gtk/bin/libgdk-win32-2.0-0.dll
 /Pidgin/Gtk/bin/libgdk_pixbuf-2.0-0.dll
 /Pidgin/Gtk/bin/gdk-pixbuf-query-loaders.exe
 /Pidgin/Gtk/bin/libglib-2.0-0.dll
 /Pidgin/Gtk/bin/libgmodule-2.0-0.dll
 /Pidgin/Gtk/bin/libgobject-2.0-0.dll
 /Pidgin/Gtk/bin/libgthread-2.0-0.dll
 /Pidgin/Gtk/bin/libgtk-win32-2.0-0.dll
 /Pidgin/Gtk/bin/libpango-1.0-0.dll
 /Pidgin/Gtk/bin/libpangocairo-1.0-0.dll
 /Pidgin/Gtk/bin/libpangoft2-1.0-0.dll
 /Pidgin/Gtk/bin/libpangowin32-1.0-0.dll
 /Pidgin/Gtk/bin/libpng14-14.dll
 /Pidgin/Gtk/bin/pango-querymodules.exe
 /Pidgin/Gtk/bin/zlib1.dll
 /Pidgin/spellcheck/lib/enchant/libenchant_ispell.dll
 /Pidgin/spellcheck/lib/enchant/libenchant_myspell.dll
 /Pidgin/Gtk/lib/gtk-2.0/modules/libgail.dll
 /Pidgin/Gtk/lib/gtk-2.0/2.10.0/engines/libpixmap.dll
 /Pidgin/Gtk/lib/gtk-2.0/2.10.0/engines/libwimp.dll

-- 
Ticket URL: <https://developer.pidgin.im/ticket/15521>
Pidgin <http://pidgin.im>
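
As an added example (not part of the ticket or of Pidgin's own code), the following Python script performs the same check the slopfinder page does: it reads each image's PE header and reports whether DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) are set, plus whether relocations were stripped, which is what makes an image unable to move under a forced-ASLR policy. The `make_test_image` helper and the install path in the docstring are constructed for illustration.

```python
"""Report PE images that lack ASLR (DYNAMIC_BASE) or DEP (NX_COMPAT).
Added example, not Pidgin project code; stdlib only, parses headers directly."""
import struct
import sys
from pathlib import Path

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no .reloc, image cannot be rebased
DYNAMIC_BASE = 0x0040                # DllCharacteristics: ASLR opt-in
NX_COMPAT = 0x0100                   # DllCharacteristics: DEP opt-in


def pe_mitigations(data: bytes) -> dict:
    """Return the mitigation flags of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _, _, _, _, _opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes, optional header follows
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 (0x10b) and PE32+ (0x20b)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        # without relocations a forced-ASLR policy (EMET "Always on") cannot move the image
        "relocatable": not (characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def make_test_image(dll_chars: int, characteristics: int = 0x2102) -> bytes:
    """Constructed minimal PE32 header (headers only, not a loadable DLL) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, characteristics)
    opt = bytearray(96)  # PE32 optional header without data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def scan(root: str) -> list:
    """Walk an install tree (e.g. a hypothetical C:\\Program Files\\Pidgin) and list weak images."""
    weak = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() not in (".dll", ".exe"):
            continue
        try:
            m = pe_mitigations(p.read_bytes())
        except (ValueError, OSError):
            continue
        if not (m["aslr"] and m["dep"]):
            weak.append((str(p), m["aslr"], m["dep"], m["relocatable"]))
    return weak


if __name__ == "__main__":
    for path, aslr, dep, reloc in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: ASLR={aslr} DEP={dep} relocatable={reloc}")
```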