[Pidgin] #15521: ASLR Always On Crashes Pidgin

Pidgin trac at pidgin.im
Sun Feb 17 12:46:18 EST 2013

#15521: ASLR Always On Crashes Pidgin
 Reporter:  Lloth   |      Owner:  rekkanoryo
     Type:  defect  |     Status:  new
Milestone:          |  Component:  unclassified
  Version:  2.10.7  |   Keywords:  aslr, emet,windows8
 Pidgin Version: 2.10.7
 OS version: Windows 8 x64

 When opening pidgin:
 The application was unable to start correctly (0xC00000142), click Ok to
 Close the application

 Crash error code in eventlog:
 Exception code: 0xc0000005
 Fault offset: 0x97560000

 Did a bit of debugging and I suspect it's related to the new patch
 introducing additional exploit hardening.
 I have EMET 3.5 (tech preview). Turning down ASLR from "Always on" to
 "Application opt in" resolves the issue, and allows pidgin to start.

 Debugging a bit further in the code it looks like one of the addresses is
 statically linked:

 The crash occurs in libssp-0

 CPU Disasm
 Address   Hex dump          Command
 000211EC  |> \B8 00005697   MOV EAX,97560000                     ; It looks like jump location is set statically
 000211F1  |. EB A7         JMP SHORT 0002119A


 0002119A  |> /85C0          TEST EAX,EAX
 0002119C  |. |74 11         JZ SHORT 000211AF
 0002119E  |. |C74424 04 209 MOV DWORD PTR SS:[LOCAL.5],OFFSET 000290
 000211A6  |. |C70424 808402 MOV DWORD PTR SS:[LOCAL.6],OFFSET 000284
 000211AD  |. |FFD0          CALL EAX
 ; EAX is 97560000 , which then jumps to invalid location

 Because this crashes before the application fully loads, no crash dumps
 are created by pidgin itself.

 Just want to say I commend you guys for putting in ASLR/DEP to the most
 recent build, it's moving in the right direction.  There is a bit more
 that can be done however.  Currently other libraries are not built with


 Current libraries without ASLR/DEP

 /Pidgin/libssp-0.dll  ; I suspect it's crashing because libssp-0.dll is
 not compiled to use ASLR.

Ticket URL: <https://developer.pidgin.im/ticket/15521>
Pidgin <http://pidgin.im>
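Added example, not from the ticket or from the Pidgin project: a small header checker for the PE flags the reporter is talking about (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP, and whether the image still carries relocations, which a mandatory-ASLR policy like EMET's "Always on" depends on). The two images it inspects are constructed header-only stubs, not the real libssp-0.dll; point `pe_hardening_report` at the bytes of an actual DLL to audit a build.

```python
import struct

# Header bits from the PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in

def pe_hardening_report(data: bytes) -> dict:
    """Read ASLR/DEP related flags from a PE image; only the headers are parsed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    *_, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    if opt_size < 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # A mandatory-ASLR policy rebases every image at load, so a module
        # with no relocation data is the first suspect when the process dies early.
        "relocatable": not relocs_stripped,
    }

def build_sample_pe(dll_chars: int, file_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE stub for exercising the parser; not a real DLL."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed stand-ins: a DLL with neither flag, like the ticket describes for
# libssp-0.dll, next to one linked with both.
UNHARDENED = build_sample_pe(0, IMAGE_FILE_DLL | IMAGE_FILE_RELOCS_STRIPPED)
HARDENED = build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_FILE_DLL, pe32plus=True)
```

A DLL can still be rebased without DYNAMIC_BASE as long as its relocations are present; as the disassembly above shows, an absolute address baked into the code defeats rebasing either way, so the flags are a necessary check, not a sufficient one.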
