0 Votes
VRonnie-8719 asked (edited by VRonnie-8719)

Crash in mswsock!SockAsyncThread while releasing loader lock from FreeLibraryAndExitThread

Crash occurred while unloading mswsock.dll. Only Microsoft code is present in the call stack. Is there a hotfix available for the below call stack?

0:009> kb
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ffa`8dd49ac8     : 00007ffa`8de7a568 00000000`00000000 000001ee`4d72b940 00000000`00000000 : ntdll!RtlpWakeByAddress+0x79
01 00007ffa`8dd5d2c0     : 00000000`00000000 000001ee`4d72b940 00007ffa`8de803f0 00000000`00000000 : ntdll!RtlLeaveCriticalSection+0x78
02 00007ffa`8dd45cc0     : 000000c9`ea4b4000 000001ee`4d72b940 00000000`00000000 00007ffa`8dd62324 : ntdll!LdrpReleaseLoaderLock+0x20
03 00007ffa`8dd8241e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : ntdll!LdrShutdownThread+0x1e0
04 00007ffa`8a42b9c3     : 00007ffa`88fb0000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlExitUserThread+0x3e
05 00007ffa`88fbfc90     : 000001ee`46c88e60 00007ffa`88fb0000 00007ffa`88fb0000 00000000`00000000 : KERNELBASE!FreeLibraryAndExitThread+0x43
06 00007ffa`5e07d684     : 00007ffa`88fb2c70 00000000`00000000 00000000`00000000 00000000`00000000 : mswsock!SockAsyncThread+0xd0
07 00007ffa`8cde84d4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : verifier!AVrfpStandardThreadFunction+0x44
08 00007ffa`8dd81821     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
09 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

Is this a known issue in mswsock?

Update:

0:009> .exr -1
ExceptionAddress: 00007ffa8dd96039 (ntdll!RtlpWakeByAddress+0x0000000000000079)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000c9eb3ff720
Attempt to read from address 000000c9eb3ff720


0:009> .ecxr
rax=000000c9eb3ff700 rbx=00007ffa8de7a568 rcx=00007ffa8de7a570
rdx=000000c9eb3ff702 rsi=000000c9ea49b000 rdi=000000000000002b
rip=00007ffa8dd96039 rsp=000000c9eb2ff970 rbp=0000000000000000
r8=000000c9eb3ff700 r9=000000c9eb3ff700 r10=0000000000000000
r11=000000c9eb2ffa00 r12=0000000000000000 r13=000000c9ea49b000
r14=00007ffa8de7a570 r15=00007ffa8de80300
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010204
ntdll!RtlpWakeByAddress+0x79:
00007ffa`8dd96039 4983792000 cmp qword ptr [r9+20h],0 ds:000000c9`eb3ff720=????????????????


Memory status of the address 000000c9`eb3ff720 that caused the access violation:
0:009> !address 000000c9`eb3ff720
Usage: Free
Base Address: 000000c9`eb300000
End Address: 000000c9`eb500000
Region Size: 00000000`00200000 ( 2.000 MB)
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS
Type: <info not present at the target>


Details of the DLLs in the call stack:

0:009> lmvm ntdll
Browse full module list
start end module name
00007ffa`8dd30000 00007ffa`8deff000 ntdll (pdb symbols) c:\mssymbols\ntdll.pdb\EB5133649C474E7E870B35471E9298B31\ntdll.pdb
Loaded symbol image file: ntdll.dll
Image path: C:\Windows\System32\ntdll.dll
Image name: ntdll.dll
Browse all global symbols functions data
Timestamp: Thu Mar 4 10:24:02 2021 (604067EA)
CheckSum: 001D1714
ImageSize: 001CF000
File version: 6.2.14393.4283
Product version: 10.0.14393.4283
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0


0:009> lmvm mswsock
Browse full module list
start end module name
00007ffa`88fb0000 00007ffa`8900d000 mswsock (pdb symbols) c:\mssymbols\mswsock.pdb\DAA810367BC04CDD8EBFE12DA2EB501C1\mswsock.pdb
Loaded symbol image file: mswsock.dll
Image path: C:\Windows\System32\mswsock.dll
Image name: mswsock.dll
Browse all global symbols functions data
Timestamp: Sat Apr 11 09:35:50 2020 (5E91421E)
CheckSum: 000580C1
ImageSize: 0005D000
File version: 6.2.14393.3659
Product version: 10.0.14393.3659
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0


0:009> lmvm KERNELBASE
Browse full module list
start end module name
00007ffa`8a3c0000 00007ffa`8a5de000 KERNELBASE (pdb symbols) c:\mssymbols\kernelbase.pdb\5DE48160519A40E8A1BBB3F53C004C431\kernelbase.pdb
Loaded symbol image file: KERNELBASE.dll
Image path: C:\Windows\System32\KERNELBASE.dll
Image name: KERNELBASE.dll
Browse all global symbols functions data
Timestamp: Sat Oct 3 09:56:03 2020 (5F77FD5B)
CheckSum: 00224E00
ImageSize: 0021E000
File version: 6.2.14393.3986
Product version: 10.0.14393.3986
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0


0:009> lmvm kernel32
Browse full module list
start end module name
00007ffa`8cde0000 00007ffa`8ce8c000 kernel32 (pdb symbols) c:\mssymbols\kernel32.pdb\AAA77DC9E6BB45109138907C1E3415F71\kernel32.pdb
Loaded symbol image file: kernel32.dll
Image path: C:\Windows\System32\kernel32.dll
Image name: kernel32.dll
Browse all global symbols functions data
Timestamp: Wed Apr 8 09:04:43 2020 (5E8D4653)
CheckSum: 000B8F0F
ImageSize: 000AC000
File version: 6.2.14393.3630
Product version: 10.0.14393.3630
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0


0:009> lmvm verifier
Browse full module list
start end module name
00007ffa`5e060000 00007ffa`5e0ce000 verifier (pdb symbols) c:\mssymbols\verifier.pdb\DCFC37DA2F6E4567B06FC84BCF9BEDAF1\verifier.pdb
Loaded symbol image file: verifier.dll
Image path: C:\Windows\System32\verifier.dll
Image name: verifier.dll
Browse all global symbols functions data
Timestamp: Sat Jul 16 07:51:03 2016 (57899A0F)
CheckSum: 00062029
ImageSize: 0006E000
File version: 6.2.14393.0
Product version: 10.0.14393.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0


0:009> !avrf
Application verifier settings (00008000):

  • fast fill heap (a.k.a light page heap)

    No verifier stop active.


Tags: windows-api, windows-platform-network
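As an added example, not part of the question and not Microsoft's code: a small Python script that takes the `.exr -1`, `.ecxr` and `!address` output pasted above (embedded here as constructed input copied from the post), re-derives the faulting address from the `[r9+20h]` operand and the register context, and checks it against the region `!address` reported. It confirms that the operand resolves to the reported address, that the address lies inside the 2 MB MEM_FREE region, and that it sits about 1 MB (0xffdb0 bytes) above the faulting thread's own rsp. All parsing is keyed on the WinDbg text formats shown in the post; the helper names are this example's own.

```python
"""Cross-check a WinDbg access violation against the register context and
the !address region. Input text below is copied from the question's output."""
import re

# --- constructed input: WinDbg output as pasted in the question -------------
EXR_TEXT = """ExceptionAddress: 00007ffa8dd96039 (ntdll!RtlpWakeByAddress+0x0000000000000079)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000c9eb3ff720
Attempt to read from address 000000c9eb3ff720"""

ECXR_TEXT = """rax=000000c9eb3ff700 rbx=00007ffa8de7a568 rcx=00007ffa8de7a570
rdx=000000c9eb3ff702 rsi=000000c9ea49b000 rdi=000000000000002b
rip=00007ffa8dd96039 rsp=000000c9eb2ff970 rbp=0000000000000000
r8=000000c9eb3ff700 r9=000000c9eb3ff700 r10=0000000000000000
r11=000000c9eb2ffa00 r12=0000000000000000 r13=000000c9ea49b000
r14=00007ffa8de7a570 r15=00007ffa8de80300
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010204
ntdll!RtlpWakeByAddress+0x79:
00007ffa`8dd96039 4983792000 cmp qword ptr [r9+20h],0 ds:000000c9`eb3ff720=????????????????"""

ADDRESS_TEXT = """Usage: Free
Base Address: 000000c9`eb300000
End Address: 000000c9`eb500000
Region Size: 00000000`00200000 ( 2.000 MB)
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS
Type: <info not present at the target>"""

MASK64 = 0xFFFFFFFFFFFFFFFF


def hexval(s):
    """Parse a WinDbg hex number, tolerating the 64-bit backtick separator."""
    return int(s.replace("`", ""), 16)


def parse_exception(text):
    """Return exception code and parameters from '.exr' output."""
    code = int(re.search(r"ExceptionCode:\s*([0-9a-fA-F]+)", text).group(1), 16)
    params = [hexval(p) for p in re.findall(r"Parameter\[\d\]:\s*([0-9a-fA-F`]+)", text)]
    return {"code": code, "params": params}


def parse_registers(text):
    """Collect the 64-bit general-purpose registers from '.ecxr' output."""
    return {name: hexval(v)
            for name, v in re.findall(r"\b([a-z0-9]{2,3})=([0-9a-fA-F]{16})\b", text)}


def effective_address(disasm, regs):
    """Resolve a '[reg+disp]' / '[reg-disp]' / '[reg]' memory operand."""
    m = re.search(r"\[(r[a-z0-9]{1,2})(?:([+-])([0-9a-fA-F]+)h?)?\]", disasm)
    addr = regs[m.group(1)]
    if m.group(2):
        disp = int(m.group(3), 16)
        addr = addr + disp if m.group(2) == "+" else addr - disp
    return addr & MASK64


def parse_address(text):
    """Extract base, end, usage and state from '!address <addr>' output."""
    def field(name):
        return hexval(re.search(name + r":\s*([0-9a-fA-F`]+)", text).group(1))
    state = re.search(r"State:\s*[0-9a-fA-F]+\s+(\w+)", text).group(1)
    usage = re.search(r"Usage:\s*(\w+)", text).group(1)
    return {"base": field("Base Address"), "end": field("End Address"),
            "state": state, "usage": usage}


def analyze(exr_text, ecxr_text, address_text):
    """Cross-check the reported fault address against registers and region."""
    exc = parse_exception(exr_text)
    regs = parse_registers(ecxr_text)
    disasm = ecxr_text.strip().splitlines()[-1]  # last line is the faulting insn
    region = parse_address(address_text)
    fault = exc["params"][1]                      # Parameter[1] = faulting address
    return {
        "is_access_violation": exc["code"] == 0xC0000005,
        "is_read": exc["params"][0] == 0,        # Parameter[0] = 0 means read
        "fault_address": fault,
        "operand_matches_fault": effective_address(disasm, regs) == fault,
        "in_reported_region": region["base"] <= fault < region["end"],
        "region_free": region["state"] == "MEM_FREE",
        "distance_from_rsp": (fault - regs["rsp"]) & MASK64,
    }


if __name__ == "__main__":
    for key, value in analyze(EXR_TEXT, ECXR_TEXT, ADDRESS_TEXT).items():
        print(f"{key:>24}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>24}: {value}")
```

The useful outcome is the combination of flags: a read fault whose operand address agrees with the exception record, landing in a region the debugger reports as free, is a dangling pointer into released memory rather than a symbol or stack-walk artefact, which is the minimum a bug report on this call stack should establish before asking what used to live at that address.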

I'm sorry, I can't reproduce the problem by describing it. Maybe you can use WinDbg to check the cause of the error, or provide a minimal, reproducible sample without private information to help us reproduce the problem.

1 Vote

I have added all DLL versions to the question. Also, Application Verifier with light page heap was enabled. This is not a reproducible issue. If you can help me understand why/what it was trying to access at the free address, it may help me create a sample. Please let me know if you need any more info from the dump.
This issue looks similar to https://stackoverflow.com/questions/39635817/windows-10-specific-crash-on-call-leavecriticalsection

0 Votes

0 Answers