Sandboxie leaks paged pool when Sandman is running #444

Closed
hg421 opened this issue Jan 27, 2021 · 7 comments
Labels: Bug (Something isn't working), fixed in next build (Fixed in the next Sandboxie version)

Comments

@hg421
Contributor

hg421 commented Jan 27, 2021

The sandboxie driver appears to leak paged pool memory continuously whenever Sandman is running.
I've noticed this after letting Sandman run in the background for some longer time and then seeing a ridiculously large paged pool size (>20GB).
The rate of leaking seems to be proportional to the number of boxes.
This behavior can also be reproduced in a clean virtual machine, as follows:

  1. Install Sandboxie Plus 0.6.0 into a clean system
  2. (optional) Create lots of sandboxes to make the leak faster (example ini with 50 boxes)
  3. Start Sandman.exe
  4. Observe the system pool usage with poolmon.exe -e -b -p -p

The offending tag is Strg, which is apparently the default tag used by several Rtl* family functions dealing with strings that dynamically allocate memory.
To filter the output for Strg tag only, use poolmon.exe -e -b -p -p -iStrg.
In the case of 50 boxes, the Diff value (difference between allocs and frees) will rise at a rate of 400/sec (slower if you have fewer boxes).
The leak stops as soon as Sandman.exe is terminated, and does not occur with SbieCtrl.
It seems that the only way to free the memory is to reboot the system; unloading the driver does not help.

Unfortunately this issue makes it pretty much impossible to leave Sandman constantly running in the background, especially when you have lots of boxes, so I really hope this can be fixed!

@hg421
Contributor Author

hg421 commented Jan 27, 2021

Further observation shows that the unmatched allocs occur in 4 batches per second, each time amounting to 2*(number of boxes) allocations, and a size of 96 Bytes/allocation.
In the case of 50 Boxes this works out to 50*8*96 = 38400 Bytes/second, or about 132 MB/hour.
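
The figures in the comment above can be turned into a check over periodic readings of a pool tag's Allocs and Frees counters, shown here as an added example that is not part of the original thread or the Sandboxie code base. The readings are constructed, and `Sample`, `predicted_rate` and `analyse` are hypothetical names.

```python
from dataclasses import dataclass

# Figures taken from the report above.
BATCHES_PER_SEC = 4     # unmatched allocs arrive in 4 batches per second
ALLOCS_PER_BOX = 2      # each batch is 2 * (number of boxes) allocations
BYTES_PER_ALLOC = 96    # each allocation is 96 bytes


@dataclass
class Sample:
    t: float      # seconds since the first reading
    allocs: int   # cumulative allocations for the tag
    frees: int    # cumulative frees for the tag


def predicted_rate(boxes):
    """Unmatched allocations per second predicted by the report's figures."""
    return BATCHES_PER_SEC * ALLOCS_PER_BOX * boxes


def analyse(samples, min_rate=1.0):
    """Fit a least-squares slope to Diff (allocs - frees) over time.

    A leak is flagged only when Diff never drops between readings and the
    slope is at least min_rate, so a busy but balanced tag is not reported.
    """
    ts = [s.t for s in samples]
    diffs = [s.allocs - s.frees for s in samples]
    mt, md = sum(ts) / len(ts), sum(diffs) / len(diffs)
    slope = (sum((t - mt) * (d - md) for t, d in zip(ts, diffs))
             / sum((t - mt) ** 2 for t in ts))
    monotonic = all(b >= a for a, b in zip(diffs, diffs[1:]))
    bytes_per_sec = slope * BYTES_PER_ALLOC
    return {
        "leak": monotonic and slope >= min_rate,
        "allocs_per_sec": slope,
        "bytes_per_sec": bytes_per_sec,
        "mib_per_hour": bytes_per_sec * 3600 / 2 ** 20,
        "implied_boxes": slope / (BATCHES_PER_SEC * ALLOCS_PER_BOX),
    }


# Constructed readings, 10 s apart: 1000 allocs/sec are freed again, while
# a further 400/sec (the 50-box case) are never freed.
LEAKY = [Sample(t, 10_000 + 1400 * t, 9_000 + 1000 * t) for t in range(0, 60, 10)]
# Constructed readings for a busy tag whose Diff only wobbles around 1000.
HEALTHY = [Sample(t, 10_000 + 1400 * t, 9_000 + 1400 * t + (50 if t % 20 else -50))
           for t in range(0, 60, 10)]
```
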

DavidXanatos added the Bug and under investigation labels Jan 27, 2021
@DavidXanatos
Member

Thanks for the excellent bug report, looking into it right now.

@DavidXanatos
Member

Sooo... the issue is as follows, SandMan.exe when updating boxes is querying all box paths, in case they changed, so far so good, unfortunately the driver seems to have a memory leak in that routine. The issue does not affect SbieCtrl.exe as that one is only querying paths when it wants to use one of them.

The issue seems to be present since the Sophos days and it's actually worse than anticipated, whenever an application is started on the system, some memory is leaked.

@bastik-1001
Contributor

Does that mean Sandboxie Plus 0.5.5 has the same issue? (I am asking as I did not update to the latest version, yet. As I saw the issue.)

@hg421
Contributor Author

hg421 commented Jan 27, 2021

> Does that mean Sandboxie Plus 0.5.5 has the same issue? (I am asking as I did not update to the latest version, yet. As I saw the issue.)

Yes, pretty sure it is. In fact I discovered this using version 0.5.4b, then tested with the latest version to make sure the issue is still there. As David wrote, the problem has existed for quite some time now...

@bastik-1001
Contributor

Alright, thank you @hg421

It could have been that only a recent change triggered the issue, but if an earlier version shows that issue I can update without having to worry.

@DavidXanatos
Member

OK, I have found a fix for the problem, the next build of the driver will be working correctly.

DavidXanatos added the fixed in next build label and removed the under investigation label Jan 27, 2021