[tor-bugs] #4956 [Tor Client]: TBB for Windows plus Kaspersky 2012 equals BSOD

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu May 24 16:01:21 UTC 2012 

#4956: TBB for Windows plus Kaspersky 2012 equals BSOD
---------------------------+------------------------------------------------
    Reporter:  runa        |       Owner:  sebastian         
        Type:  defect      |      Status:  reopened          
    Priority:  major       |   Milestone:  Tor: 0.2.2.x-final
   Component:  Tor Client  |     Version:                    
  Resolution:              |    Keywords:                    
      Parent:              |      Points:                    
Actualpoints:              |  
---------------------------+------------------------------------------------

Comment(by marshray):

 I got someone who knows a lot more about kernel debugging than I do to
 help me look at the crash dump from
 http://bayfiles.com/file/a3cf/07Lr8P/myMEMORY3.zip . Here are the
 findings, they may be useful to Kaspersky:

 * The address 4c0748 is in the tor.exe process and is the address of the
 next instruction for Tor.exe to run. This code has been paged out. When
 the OS goes to execute the instruction it causes a page fault, which is
 normal. But when the OS tries to load it from the pagefile the kernel
 encounters a corrupted PTE (page table entry). This creates a double-fault
 situation which results in a bluescreen.

 * The PTE for address 4c0748 is damaged. It should have a prototype PTE
 one of its Base Pte/Pts In Subsect ranges, but it doesn't. This looks like
 a good article on these structures
 http://www.codemachine.com/article_protopte.html

 * Tor has no drivers or any other code in the kernel.

 * There is nothing Tor.exe is doing wrong with mapped files that could
 this. The 'mapping' that triggers the crash is the tor.exe image itself.
 The PTEs were corrupted at some point before that.

 * There is no reason to think that changing Tor to not use a mapped file
 would be a real fix for the problem, although it may mask it for a while.

 * The problem is most likely Kaspersky's kernel code.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4956#comment:45>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list