Use the same ida instance, open two different executable files, trigger a crash for the second time

Question

Use the same ida instance, open two different executable files, trigger a crash for the second time

x64bugreport opened this issue 4 years ago · comments

ida version 7.5 sp2 in win10

Use the same ida instance, open two different executable files, and trigger a crash when the second program loads. The dump shows that the crash location is in ida.dll, which may be a memory corruption. Hope this bug will be repaired soon.

x64bugreport · Answer 1 · Sun Oct 11 2020 09:42:04 GMT+0800 (China Standard Time)

When the executable file was loaded for the second time, the same ida instance triggered a null pointer exception. It has been determined that this is caused by the plug-in. Deleting other plug-ins and leaving only the HexRaysCodeXplorer plug-in can still reproduce the crash problem. The crash problem disappeared after deleting the HexRaysCodeXplorer plugin.

x64bugreport · Answer 2 · Sun Oct 11 2020 09:46:05 GMT+0800 (China Standard Time)

Crash stack traceback

Crash stack traceback

Alex Matrosov · Answer 3 · Thu Oct 15 2020 05:36:55 GMT+0800 (China Standard Time)

Thanks for reporting, I will check this issue.

x64bugreport · Answer 4 · Sat Oct 31 2020 21:49:49 GMT+0800 (China Standard Time)

@matrosov (ida version 7.5 sp2 in win10)
This problem disappeared after modifying the plug-in initialization flags, the reason is not very clear.
use this method PLUGIN_HIDE | PLUGIN_MULTI no crash.
crash from g_replace_id = register_place_class(&replace_template, /*flag == 0???/* PCF_EA_CAPABLE | PCF_MAKEPLACE_ALLOCATES/*0| PCF_EA_CAPABLE*/, &PLUGIN);
After testing, if there is no PLUGIN_MULTI in the initialization flag, a crash will occur when the executable file F5 plug-in register_place_class is loaded for the second time. But the first load will not crash.

I got the reference code from the following link.
https://engineering.avast.io/magic-probably-behind-hex-rays/
https://github.com/avast/hexrays-demo

Although the crash problem disappeared after the modification, I still don't know the cause of the crash. I have little experience in developing ida plugins. If you know the cause of the crash, hope to reply and inform, thank you!

Alex Barney · Answer 5 · Fri Dec 18 2020 13:17:43 GMT+0800 (China Standard Time)

PLUGIN_MULTI doesn't fix the problem here.
And register_place_class isn't called a second time when opening a new database as the previous comment suggests.

pr701 · Answer 6 · Thu Jul 08 2021 07:16:31 GMT+0800 (China Standard Time)

After I checked the available versions of the app, the problem with IDA 7.5 was resolved.

The crash was related to the register_place_class fucntion.

On plugin unload, when closing its database, IDA should auntomatically unregister the element (place_t) as mentioned in documentaton: In addition, the place_t will be automatically unregistered when the owner plugin is unloaded from memory.
However, this fails. From what has been noticed, the corresponding function in ida64.dll is malformed (this is partially disassembled code).

The condition fails due to the comparison against pointers to different elements.

After the plugin is unloaded, pointer values will not be deleted, so register_place_class called from any extension will initiate a search through pointers (place_t) in memory. Once it will try to dereferencing the pointer values, a call for the name() function will throw an access violation exception.

The solution is to update the plugin with PLUGIN_MULTI, as noted in kernwin.hpp:
/// Deprecated, please update your plugins to use PLUGIN_MULTI.