Another kernel memory leak with SBIE 5.x

Please post your problem description here

Moderator: Barb@Invincea

Post Reply
DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Another kernel memory leak with SBIE 5.x

Post by DR_LaRRY_PEpPeR » Mon Jun 12, 2017 12:52 pm

Hi all!

I'm back again, with another one of these threads. ;) This is another "system-wide performance killed" thing... After that previous problem was fixed in v4.14, I noticed this leak over a year ago, but didn't really try to look into it until yesterday -- argh, it turned out to be pretty simple to narrow down!

I first really realized it when starting to boot XP with the /3GB switch, which reduces the available pool sizes. It's been a nightmare having the same slowdowns, all over again, after 2-3 weeks of uptime. Nothing short of restarting will fix it.

Using Poolmon, look at the Paged Strg tag.

On my main system, during normal operation, there are more than 36,000 leaks per day (for reference, if there are no leaks, the system starts with 104 net allocs and remains steady); or ~2.5MB/day. The other system doesn't seem to have any leaks during normal operation...

BUT there is a way to trigger the leaks (on any system, I assume), en masse, with a "stress test," by simply running Process Hacker! (Not sandboxed or anything; I've never tried that.) I had it running for an extended period when I first noticed the leak.

Reverting back to Sandboxie 4.20 (which I didn't try last year!) makes everything OK. (There's lots of Strg activity, but allocs are matched by frees.) 5.04, the oldest 5.x I have, does leak... Stopping the Sandboxie service has no effect. Only having it Disabled at startup prevents the leak. It seems that once the driver is started, the leaks will happen.


I think that's it... I'm just glad it turned out to be a simple and obvious leak that should be easily reproduced by running Process Hacker, and I didn't have to try messing with a kernel debugger or such to do more work for you guys to figure out what was happening. I'll leave that to you! :P

Looking forward to also having this one fixed soon, hopefully? Thanks!
XP Home-as-Pro SP3 (Admin) w/ continued updates (Embedded/POSReady 2009)
> Permissions + "2-level" SRP, latest Sandboxie (Pro/registered), EMET 4, no anti-anything (ever)
Did I make tzuk crazed... in his last days? :o

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 2476
Joined: Mon Nov 07, 2016 3:10 pm

Re: Another kernel memory leak with SBIE 5.x

Post by Barb@Invincea » Mon Jun 12, 2017 2:01 pm

Hello DR_LaRRY_PEpPeR,

Could you please provide the exact steps to test the behavior?
Once I get that, I'll reach out to the devs.

Regards,
Barb.-

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Re: Another kernel memory leak with SBIE 5.x

Post by DR_LaRRY_PEpPeR » Mon Jun 12, 2017 2:34 pm

Barb, Curt or others should be VERY familiar with the stuff (and me, haha) from 3 years ago. :shock: :oops: (BTW, why don't I have a badge?!? :mrgreen:)

But, using Windows XP (haven't checked newer Windows myself): install any SBIE 5.x, enable pool tagging, run Poolmon, and run Process Hacker. Observe [in Poolmon] continuously-increasing Strg allocations! That's it; don't need to ever run anything in a sandbox. Just as long as the service is not disabled at startup, SBIE 5's mere presence will cause leaks...

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 2476
Joined: Mon Nov 07, 2016 3:10 pm

Re: Another kernel memory leak with SBIE 5.x

Post by Barb@Invincea » Mon Jun 12, 2017 3:02 pm

Hello DR_LaRRY_PEpPeR,

Thanks for the steps. I'll let the devs know.

We'll update this thread once new information becomes available.

Regards,
Barb.-

Mr.X
Posts: 583
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: Another kernel memory leak with SBIE 5.x

Post by Mr.X » Tue Jun 13, 2017 11:18 am

I'm very concerned about this issue. Will keep an eye on this thread. Thank you.

PS: I wonder whether this issue affects Win 8.1 as well.
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

Mr.X
Posts: 583
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: Another kernel memory leak with SBIE 5.x

Post by Mr.X » Sat Jun 17, 2017 11:57 am

Any news on this?
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 2476
Joined: Mon Nov 07, 2016 3:10 pm

Re: Another kernel memory leak with SBIE 5.x

Post by Barb@Invincea » Mon Jun 19, 2017 1:22 pm

Hello Mr. X,

I made the devs aware last week.
We'll post an update when new info becomes available.

Regards,
Barb.-

Mr.X
Posts: 583
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: Another kernel memory leak with SBIE 5.x

Post by Mr.X » Mon Jun 19, 2017 1:32 pm

Thank you.
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Re: Another kernel memory leak with SBIE 5.x

Post by DR_LaRRY_PEpPeR » Wed Jul 26, 2017 5:40 pm

Had been waiting for the next beta, thinking that after 6 weeks now it might be fixed, but nope. Still leaking away! :(

I wanted to ask before as a follow-up, but was waiting... HAS this been reproduced by the devs (< 5 mins), or Barb even?? If it takes longer to find/fix it, fine, but I'd like to know that it's been observed!

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Another kernel memory leak with SBIE 5.x

Post by Syrinx » Wed Jul 26, 2017 6:49 pm

I don't normally use Process Hacker but I was able to reproduce this issue in both Windows XP x86 SP3 and Windows 7 x64 SP1 quite easily ~so long as Process Hacker was running~. Out of curiosity I also tried Process Explorer, which I normally use, and didn't encounter the same leak thankfully. As it turns out, in my tests at least...the leak only begins when the sandboxie plugin that comes in some builds is enabled (remember to restart Process Hacker to see the different behaviors). I recall reading something, maybe on wilders¿, where they removed that particular sandboxie plugin on newer builds, I wonder if the leak has anything to do with why? /shrug

https://github.com/processhacker2/plugi ... bieSupport

Keeping in mind that I'm not a programmer (but I AM drunk if that helps) I noticed that the addon makes use of official Sandboxie API's from the sbiedll.dll

SbieApi_QueryBoxPath
SbieApi_EnumBoxes
SbieApi_EnumProcessEx
SbieDll_KillAll

[Pure speculation] Could it be something as simple as those APIs were never written to be called from 'outside' the sandbox and don't clean up after themselves if so or maybe only if nothing is even running inside for it to find?
I think having some SBIE devs simply checking that plugins source code might make it rather easy to figure out as they'll also have access to the involved source code w SBIE.

ok, that was fun. Back to drinking!
Last edited by Syrinx on Wed Jul 26, 2017 7:16 pm, edited 1 time in total.
Goo.gl/p8qFCf

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Re: Another kernel memory leak with SBIE 5.x

Post by DR_LaRRY_PEpPeR » Wed Jul 26, 2017 7:15 pm

Thanks for posting Syrinx, as well as confirming that it's not just on XP. :) (I haven't felt like trying anything else myself, yet, as I feel like I've done enough previously debugging Sandboxie issues, haha.)

I had never thought of disabling the Sandboxie plugin part of PH. (And I quit using Explorer because of bugs I found in it that Mark doesn't seem to want to fix!) But I had assumed that that integration was the responsible part (but not a PH bug, AFAICT). And thanks for their code link... (I know the latest version doesn't work on XP anyway, or so it says, so I didn't realize it had been removed.)


I had seen that the Strg pool tag is related to "String translations" or such, so I guess a certain (code) path in Sandboxie triggers that. Process Hacker happens to really exercise it! As well as something else, slightly, on my main system otherwise (but can't isolate anything). While the other system has no leaks at all, for months, unless running Hacker...

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Re: Another kernel memory leak with SBIE 5.x

Post by Syrinx » Wed Jul 26, 2017 7:20 pm

Hey sorry, missed your new post while editing the previous one. No problem as it was easy to check out & reproduce!
As for the rest, well, I'll just smile nod and pretend I understand what you just said :P
Goo.gl/p8qFCf

Mr.X
Posts: 583
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: Another kernel memory leak with SBIE 5.x

Post by Mr.X » Wed Jul 26, 2017 7:31 pm

Syrinx wrote:
Wed Jul 26, 2017 6:49 pm
(but I AM drunk if that helps)

Back to drinking!
:lol: :lol: Priceless!

I love you my friend, as in friendship. /for-the-record
:mrgreen:
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 2476
Joined: Mon Nov 07, 2016 3:10 pm

Re: Another kernel memory leak with SBIE 5.x

Post by Barb@Invincea » Thu Jul 27, 2017 9:46 am

All,

We tried reproducing this issue when it was posted, but other problems came up that required immediate attention.
We were able to see the behavior once, but then...never again. We are still testing.
The devs are aware and we'll provide a response/ask further questions as needed.

Thanks for your patience, and..please, let's keep the comments on-topic :) , use PMs for anything else.

Regards,
Barb.-

Post Reply

Who is online

Users browsing this forum: No registered users and 10 guests