Re: "Attempt to execute non-executable address" on Server 2008 when Terminal Services installed




Is the function being called in a DLL or in the EXE? Does the call's target
address contain a fixup jump or actual code? Are the Cygwin DLLs loaded on
the preferred address under TS?

"Corinna Vinschen" <corinna@xxxxxxxxxxxxxxxx> wrote in message
news:gea613$3a1$1@xxxxxxxxxxxxxxxxxx
roger.orr@xxxxxxxxx wrote:
Sorry the suggestion didn't help.

No worries.

Just a thought -- if you run this inside windbg what does !vadump
report for the segment containing the faulting address?

Thanks, that was very helpful!

I just did that and the single page which contains the function is not
executable when the crash happens. This looks like an OS problem,
but read further.

For my private test application (an augmented bash built in debug mode),
the .text segment is at 0x401000 up to 46b000. `objdump -h' prints

bash-g.exe:     file format pei-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00069510  00401000  00401000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, CODE
  1 .data         00002380  0046b000  0046b000  00069600  2**5
                  CONTENTS, ALLOC, LOAD, DATA
[...]

The start address of the crashing function is 0x419d97. The printout of
!vadump for the pages in the .text segment looks like this when the crash
occurs:

BaseAddress: 00401000
RegionSize: 0000c000
State: 00001000 MEM_COMMIT
Protect: 00000080 PAGE_EXECUTE_WRITECOPY
Type: 01000000 MEM_IMAGE

BaseAddress: 0040d000
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000040 PAGE_EXECUTE_READWRITE
Type: 01000000 MEM_IMAGE

[...]

BaseAddress: 00419000
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000008 PAGE_WRITECOPY !!!!!
Type: 01000000 MEM_IMAGE

BaseAddress: 0041a000
RegionSize: 00002000
State: 00001000 MEM_COMMIT
Protect: 00000080 PAGE_EXECUTE_WRITECOPY
Type: 01000000 MEM_IMAGE

[...]

!vprot 0x419000 prints additionally

AllocationBase 00400000
AllocationProtect 00000080 PAGE_EXECUTE_WRITECOPY

So *something* has actually changed the protection. Not only on this
page but also on some other arbitrary pages in the .text segment.

When debugging the same on a non-TS Server 2008 machine, all pages in
the .text segment are still either PAGE_EXECUTE_WRITECOPY or
PAGE_EXECUTE_READWRITE when setting a breakpoint to the instruction
which crashes on the TS machine.

I debugged this further with WinDbg and the change of protection already
occurs before any Cygwin code ran. I set a breakpoint at the start of
the DLL entry routine and at the time it's called from the Windows
loader for the DLL_PROCESS_ATTACH rat race, the protection is already
PAGE_WRITECOPY. The test application loads three other Cygwin specific
DLLs, but as far as I can see, all these libs are loaded *after* the
Cygwin DLL. So, if I didn't miss anything, the protection of this page
has actually changed before any application code has been called.

What now? I'm not overly fluent in WinDbg since I'm using GDB all the
time. Is there a way in WinDbg to break on a page protection change?
The `ba' command can't be used before the application has been started
and I don't know if it would be triggered by a protection change anyway.
I also tried to set a breakpoint to VirtualProtect, but it's not hit
at load time.

Does that description qualify for a re-evaluation of the support case at
Microsoft Professional Support, maybe?


Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
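
Added example, not part of the original thread: the manual comparison described above (the `.text` range from `objdump -h` against the `Protect` values in the `!vadump` listing) done as a script over saved debugger output. The names `parse_vadump` and `non_exec_regions` are hypothetical, and the sample text is constructed from two of the regions quoted in the post.

```python
import re

# Base protection values (winnt.h) that grant execute rights:
# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}
MEM_IMAGE = 0x01000000

# Constructed sample in !vadump layout, using two regions quoted in the post.
SAMPLE_VADUMP = """\
BaseAddress: 00401000
RegionSize: 0000c000
State: 00001000 MEM_COMMIT
Protect: 00000080 PAGE_EXECUTE_WRITECOPY
Type: 01000000 MEM_IMAGE

BaseAddress: 00419000
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000008 PAGE_WRITECOPY
Type: 01000000 MEM_IMAGE
"""

def parse_vadump(text):
    """Return one dict per region: field name -> (int value, symbolic name or None)."""
    regions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for m in re.finditer(r"^[ \t]*(\w+):[ \t]+([0-9a-fA-F]+)(?:[ \t]+(\S+))?", block, re.M):
            fields[m.group(1)] = (int(m.group(2), 16), m.group(3))
        if "BaseAddress" in fields and "RegionSize" in fields:
            regions.append(fields)
    return regions

def non_exec_regions(regions, start, size):
    """Image regions overlapping [start, start+size) whose protection lacks execute."""
    end, hits = start + size, []
    for r in regions:
        base, length = r["BaseAddress"][0], r["RegionSize"][0]
        prot = r.get("Protect", (0, None))
        # Mask off modifier bits (PAGE_GUARD, PAGE_NOCACHE, ...) before comparing.
        if (base < end and base + length > start and prot[0] & 0xFF not in EXEC_PROTECT
                and r.get("Type", (0, None))[0] == MEM_IMAGE):
            hits.append((base, length, prot[1]))
    return hits

if __name__ == "__main__":
    # .text VMA and size from the objdump -h output; 0x419d97 is the crashing function.
    hits = non_exec_regions(parse_vadump(SAMPLE_VADUMP), 0x401000, 0x69510)
    for base, length, name in hits:
        print(f"{base:08x}-{base + length:08x} {name}")
    print("fault address covered:", any(b <= 0x419d97 < b + n for b, n, _ in hits))
```
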

