TBB for Windows plus Kaspersky 2012 equals BSOD

I've heard about this issue from three different users; running TBB for Windows (version 2.2.35-4) on a machine with Kaspersky 2012 installed will result in a bluescreen. Will see if I can debug more.

changed milestone to %Tor: 0.2.2.x-final

added component::core tor/tor milestone::Tor: 0.2.2.x-final owner::sebastian priority::high resolution::fixed status::closed tor-client type::defect labels

Trac:
Cc: N/A to g.koppen@jondos.de

One user is running the "Internet Security 2012" version.

Windows 7, 64-bit, TBB version 2.2.35-4, Kaspersky Internet Security v.12.0.0.374; I can run TBB successfully the first time, the second time the system freezes up when Vidalia is starting the Tor software.

Have you tried contacting Kaspersky?

Also, does it happen if you just launch tor, or does it have to be Vidalia that's launching Tor?

Replying to Sebastian:

Have you tried contacting Kaspersky?

Only via Twitter, so I guess that doesn't count. It's on my list of things to do.

Trac:
Status: new to assigned
Owner: erinn to runa

Thank you for contacting Kaspersky Lab Technical Support!. I'll update this ticket when I hear back.

Do you have an update?

Replying to runa:

Thank you for contacting Kaspersky Lab Technical Support!. I'll update this ticket when I hear back.''

Trac:
Username: elian

Kaspersky had a look and came back with the following:

Dear customer,

Dear Runa, I have just heard back from our escalation team.
This is what they have found.

I was able to reproduce bsod and the newly created dump was analyzed by our developers.

There is a bsod while system makes call from tor driver:
Call Site
ntMiResolvePageFileFault
nt! ?? ::FNODOBFM::`string'
ntMiDispatchFault
ntMmAccessFault
ntKiPageFault
tor

This info should be analyzed by Tor developers for further investigation.

They also uploaded dump to mentioned above ftp folder (Lisa\myMEMORY3.zip)

So it would seem the issue needs to be passed back to Tor for further testing

The myMEMORY3.zip dump file can be found on http://bayfiles.com/file/a3cf/07Lr8P/myMEMORY3.zip

Trac:
Owner: runa to sebastian

Maybe Nick knows what to do with that, I certainly don't. I wonder if someone can reproduce the bsod with just tor and kaspersky?

There is no Tor driver -- it seems that whoever wrote that thinks Tor runs some drivers, rather than just a program called Tor.

rransom suggests that it could be the fact that Tor uses mmap to interact with its cached descriptor file. That's a plausible guess. Runa, can you ask your contact if an ordinary program using mmap might produce the behavior he saw? And if so, if he still thinks it's a bug in the ordinary program?

Replying to Sebastian:

Maybe Nick knows what to do with that, I certainly don't. I wonder if someone can reproduce the bsod with just tor and kaspersky?

I can give it a try tomorrow.

Replying to arma:

There is no Tor driver -- it seems that whoever wrote that thinks Tor runs some drivers, rather than just a program called Tor.

rransom suggests that it could be the fact that Tor uses mmap to interact with its cached descriptor file. That's a plausible guess. Runa, can you ask your contact if an ordinary program using mmap might produce the behavior he saw? And if so, if he still thinks it's a bug in the ordinary program?

I can test it tomorrow if you can name "an ordinary program using mmap"?

The "ordinary program using mmap" is called Tor.

If a) Kaspersky can't solve it (e.g. it's a Windows bug), and b) it is in fact mmap-related, then a next step is to investigate a torrc option to opt not to use mmap.

Trac:
Cc: g.koppen@jondos.de to g.koppen@jondos.de, nextgens

Our unnamed friend on irc points out http://www.auslogics.com/en/software/disk-defrag/history/ which has a changelog entry of "fixed BSOD for computers that have Kaspersky Internet Security installed".

Seems very likely that our mmap, or a race with disk access, is the issue here.

I have no idea what to do with that file; yeesh. Also, I have no idea what the "tor driver" is. Does that computer have some weird driver claiming to be tor?

To experiment with a windows tor with no mmap, just change the "#elif defined(_WIN32)" on compat.c line 216 to something like #elif 0, so that it uses the fallback implementation. If that makes the problem go away, it looks like it's time to implement "kaspersky mode".

Trac:
Component: Tor bundles/installation to Tor Client
Milestone: N/A to Tor: 0.2.2.x-final

(If you're tweaking the Tor 0.2.2.x code, the case to disable is the "#elif defined(MS_WINDOWS)" around line 171 of compat.c)

In case the mmap theory turns out to be right, let's get a head start on that with a torrc option; the branch enable_mmap_option in my public repository would be the seed of a fix there. It's a branch on 0.2.2. It needs documentation; it might be b0rken.

Hello! While i tested this case from our side (tried to find problem component in KIS), i got several dumps, one of that is linked above by runa. Another dump leads to problem with disk access as arma sad:

ntfsNtfsPagingFileIo_04BAD9A0

ntKeBugCheckEx+0x0
ntfsNtfsPagingFileIo+0x155
ntfs! ?? ::FNODOBFM::`string'+0x8a29
fltmgrFltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fltmgrFltpDispatch+0xcf
ntIoPageRead+0x252
ntMiIssueHardFault+0x255
ntMmAccessFault+0x14bb
ntKiPageFault+0x16e
0x75733b05

As additional, sometimes system was OK, but i get next error (leaded to Vidalia):

Hope it will help you. Regards.

Trac:
Username: VenZe

I downloaded TBB 2.2.35-12 and got a BSOD on the third run.

I downloaded and installed the Expert Bundle, but was not been able to trigger a BSOD in the 30-or-so times I used it.

I installed the Vidalia Bundle with just Tor and Vidalia; I got a BSOD the second time I allowed Tor to start via the Vidalia interface.

Hey BSODers! Report your processor and graphics controller.

#4179 (closed) related.

Replying to cypherpunks:

Hey BSODers! Report your processor and graphics controller.

I'm running Kaspersky 2012 and did have blue screen two times after installation. However, since two weeks ago I haven't had any issues. I cannot say for sure my BSOD was from Kasperskay and TBB issue. This is the first I have read about this issue with Tor.

That said, when the BSODs happened, I had this on-board graphics card and processor:

Intel i5-2300 2.3 GHz Intel HD graphics (is that what you requested?)

After I upgraded my graphics card (to an EVGA GeForce GTX 560Ti) I haven't seen any BSODs, however: Post hoc ergo propter hoc ;-)

(Windows 7 Home Premium 64bit SP1)

Replying to cypherpunks:

I'm running Kaspersky 2012 and did have blue screen two times after installation. However, since two weeks ago I haven't had any issues. I cannot say for sure my BSOD was from Kasperskay and TBB issue. This is the first I have read about this issue with Tor.

That said, when the BSODs happened

When your BSODs happened? Are you writing about instant BSOD during TBB start or random crashes during surf?

Folks, why you need this task if you can't report what processor type used?

NOBODY CARE

Trac:
Status: assigned to closed
Resolution: N/A to wontfix

Don't do that.

Trac:
Status: closed to reopened
Resolution: wontfix to N/A

Runa, when you managed to reproduce the bsod, what processor(s) did you have? How long did it take, what version of windows, what version of KIS, etc?

For me, the BSOD occurs during TBB start, I never get to see the browser.

Some system specs: Intel Core 2 Duo Radeon 5770 Windows 7 64 bit KIS 2012

Trac:
Username: elian

Clarification: I never get to see the browser when a BSOD occurs. It's not that I always get a BSOD.

Replying to elian:

For me, the BSOD occurs during TBB start, I never get to see the browser.

Some system specs: Intel Core 2 Duo Radeon 5770 Windows 7 64 bit KIS 2012

Trac:
Username: elian

I can reproduce the bug too (win7 x64 with KIS2012)

• disabling mmap fixes it
• 'pausing' KIS fixes it

processor/graphic controller is irrelevant, I've reproduced it with a minimal installation in a VM.

I didn't manage to get a mem-dump where KIS appears on the stack-trace, but then again, it doesn't prove anything...

10:01 < armadev> next step i guess is we need to decide if we can just disable mmap preemptively for windows users, simply because a few of them want to run a buggy program

Replying to nextgens:

processor/graphic controller is irrelevant, I've reproduced it with a minimal installation in a VM.

Double BullShit. Processor is relevant. VM is not emulator.

Replying to nextgens:

• disabling mmap fixes it

10:01 < armadev> next step i guess is we need to decide if we can just disable mmap preemptively for windows users, simply because a few of them want to run a buggy program

Or better to fix way that tor mmaping files?

How can mmap trigger bsod only for case of vidalia running tor? It's problem with vidalia that runs tor so it never can use mmap safely.

Replying to nickm:

Runa, when you managed to reproduce the bsod, what processor(s) did you have? How long did it take, what version of windows, what version of KIS, etc?

I can't check processor info at the moment, but I can say that I have managed to reproduce the bsod on two different laptops and one virtual machine. All have Windows 7 64-bit and Kaspersky Internet Security v.12.0.0.374.

With TBB version 2.2.35-4; I can run TBB successfully the first time, the second time the system freezes up when Vidalia is starting the Tor software.

With TBB version 2.2.35-12; I don't always get a bsod the second time I run TBB, but it usually happens three or four times when you run TBB ten times in total.

My system is Core i5 750 + Radeon HD4500 series. Test environment was VM-Win7x64 + TBB 2.2.35-12+KIS2012. 2Runa: Could you try to reproduce problem with disabled Web-AV in KIS settings?

Trac:
Username: VenZe

I've been using the latest TBB (2.2.35-12) since it was released but I've only suffered this issue for past two days. There has only been one instance when I've started TBB in the past two days that the computer didn't freeze. The only change to the computer in the past two days has been from updating KAV database.

---

Specs

CPU: Intel Core 2 Q6600 GFX: EVGA GTX 460

OS : Windows 7 Pro x64 KAS: KAV 2012 TOR: TBB 2.2.35-12

I don't get a dump because the computer only freezes and requires a hard reboot, but the Windows Application Event Log has an entry for the issue from TBB.

Faulting application name: tor.exe, version: 0.0.0.0, time stamp: 0x4fad69a1
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x77b89c12
Faulting process id: 0x12e4
Faulting application start time: 0x01cd38a3371570d2
Faulting application path: C:\Program Files (x86)\TBB\App\tor.exe
Faulting module path: unknown
Report Id: 76b59e20-a496-11e1-8f3f-0018f336c734

Trac:
Username: dumbnewbie

Intel Core i7 740 AMD Radeon HD6500M VM with: Windows 7 Ultimate 64-bit TBB 2.2.35-12 KIS 2012

I've noticed different forms of crashing. The most common one is a freeze as mentioned in comment 3. Sometimes it's a full-blown blue screen.

Trac:
Cc: g.koppen@jondos.de, nextgens to g.koppen@jondos.de, nextgens, Shondoit

Sounds like we should patch Tor to not use mmap on Windows, and then we will have some breathing room to solve the problem in peace (or not bother to) without making our Windows users think we suck.

Trac:
Priority: normal to major

Replying to VenZe:

2Runa: Could you try to reproduce problem with disabled Web-AV in KIS settings?

Yes, I am able to reproduce with Web-AV disabled.

Tor runs fine after I disable the Kaspersky network filter (obviously not a good idea to recommend people do this).

Replying to arma:

Sounds like we should patch Tor to not use mmap on Windows, and then we will have some breathing room to solve the problem in peace (or not bother to) without making our Windows users think we suck.

Will this actually help? Tor itself is not the problem, Vidalia is. Unless there is a difference in the way Tor starts up when it's standalone-Tor vs TBB-Tor.

I got someone who knows a lot more about kernel debugging than I do to help me look at the crash dump from http://bayfiles.com/file/a3cf/07Lr8P/myMEMORY3.zip . Here are the findings, they may be useful to Kaspersky:

• The address 4c0748 is in the tor.exe process and is the address of the next instruction for Tor.exe to run. This code has been paged out. When the OS goes to execute the instruction it causes a page fault, which is normal. But when the OS tries to load it from the pagefile the kernel encounters a corrupted PTE (page table entry). This creates a double-fault situation which results in a bluescreen.

• The PTE for address 4c0748 is damaged. It should have a prototype PTE one of its Base Pte/Pts In Subsect ranges, but it doesn't. This looks like a good article on these structures http://www.codemachine.com/article_protopte.html

• Tor has no drivers or any other code in the kernel.

• There is nothing Tor.exe is doing wrong with mapped files that could this. The 'mapping' that triggers the crash is the tor.exe image itself. The PTEs were corrupted at some point before that.

• There is no reason to think that changing Tor to not use a mapped file would be a real fix for the problem, although it may mask it for a while.

• The problem is most likely Kaspersky's kernel code.

Trac:
Username: marshray

Replying to nextgens:

• disabling mmap fixes it It doesn't for me. 3 runs, 2 bsods.

Replying to cypherpunks:

How can mmap trigger bsod only for case of vidalia running tor? Apparently it doesn't. It's one big red herring.

I'll send marshray's message to our developers. Thx

Trac:
Username: VenZe

Please, try to update KIS from ftp://dnl-test.kaspersky-labs.com/test/ids (uncheck Kaspersky Lab update servers) and tell me if it helps or not? I am not able to reproduce this issue on my VM machine anymore.

Trac:
Username: VenZe