[Bug 54609] New: 32-bit LDAP Administrator crashes in internal Wine function proxy_manager_destroy
https://bugs.winehq.org/show_bug.cgi?id=54609

            Bug ID: 54609
           Summary: 32-bit LDAP Administrator crashes in internal Wine
                    function proxy_manager_destroy
           Product: Wine
           Version: 8.2
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: rpc
          Assignee: wine-bugs(a)winehq.org
          Reporter: alexhenrie24(a)gmail.com
      Distribution: ---

Created attachment 74138
  --> https://bugs.winehq.org/attachment.cgi?id=74138
WINEDEBUG=+ole

If I am reading the OLE trace correctly, the application:

1. Creates a proxy interface:
0110:trace:ole:proxy_manager_construct 01505048 created for OXID 2000000100, OID 3e

2. Sends the pointer to that interface to another thread:
0110:trace:ole:NdrBaseTypeMarshall value: 1505048

3. Releases and frees the interface:
0110:trace:ole:NdrInterfacePointerFree (04D4F594,01505048,1025B69C)

4. Receives the interface pointer on the other thread:
0100:trace:ole:NdrBaseTypeUnmarshall value: 1505048

5. Uses the interface on the other thread, despite it being freed:
0100:trace:ole:ClientIdentity_AddRef 01505048 - before 0

6. Releases and frees the interface again, which crashes:
0100:trace:ole:ClientIdentity_Release 01505048 - after 0

I don't understand how this works without crashing on Windows.

Here are all the traces that mention that interface pointer:

0110:trace:ole:proxy_manager_construct 01505048 created for OXID 2000000100, OID 3e
0110:trace:ole:ClientIdentity_AddRef 01505048 - before 1
0110:trace:ole:ClientIdentity_Release 01505048 - after 1
0110:trace:ole:std_unmarshal_interface Successfully created proxy 01505048
0110:trace:ole:NdrBaseTypeMarshall value: 1505048
0110:trace:ole:NdrInterfacePointerFree (04D4F594,01505048,1025B69C)
0110:trace:ole:ClientIdentity_Release 01505048 - after 0
0100:trace:ole:NdrBaseTypeUnmarshall value: 1505048
0100:trace:ole:ClientIdentity_AddRef 01505048 - before 0
0100:trace:ole:ClientIdentity_Release 01505048 - after 0

The 64-bit version also crashes, but in a different way, see Bug 54606.

$ sha256sum ldapadmin-4.21.24429.0-x86-eng.msi
9d3e062b9c30d4bd73630b969414f65f969f0eafc5a3835f1ebb246c5c657d2a

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

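The lifecycle check that the report performs by hand, as an added example (not part of the original report and not Wine code): a Python sketch that replays the +ole trace lines quoted above, tracks each proxy from proxy_manager_construct to the Release that reaches 0, and flags later AddRef/Release calls as well as any known proxy address marshalled as a plain integer. The function name audit and the finding labels are assumptions made for this example.

```python
import re

# Trace lines copied from the bug report above (WINEDEBUG=+ole output).
TRACE = """\
0110:trace:ole:proxy_manager_construct 01505048 created for OXID 2000000100, OID 3e
0110:trace:ole:ClientIdentity_AddRef 01505048 - before 1
0110:trace:ole:ClientIdentity_Release 01505048 - after 1
0110:trace:ole:std_unmarshal_interface Successfully created proxy 01505048
0110:trace:ole:NdrBaseTypeMarshall value: 1505048
0110:trace:ole:NdrInterfacePointerFree (04D4F594,01505048,1025B69C)
0110:trace:ole:ClientIdentity_Release 01505048 - after 0
0100:trace:ole:NdrBaseTypeUnmarshall value: 1505048
0100:trace:ole:ClientIdentity_AddRef 01505048 - before 0
0100:trace:ole:ClientIdentity_Release 01505048 - after 0
"""

LINE = re.compile(r"^([0-9a-f]{4}):trace:ole:(\w+) (.*)$")
REF = re.compile(r"^([0-9A-Fa-f]+) - (?:before|after) (\d+)$")
RAW = re.compile(r"^value: ([0-9A-Fa-f]+)$")

def audit(trace):
    """Return (line_no, thread_id, finding, proxy_address) tuples."""
    state = {}       # proxy address -> "live" or "freed"
    findings = []
    for no, line in enumerate(trace.splitlines(), 1):
        m = LINE.match(line.strip())
        if not m:
            continue
        tid, func, rest = m.groups()
        if func == "proxy_manager_construct":
            # A new proxy (possibly at a reused address) starts live.
            state[int(rest.split()[0], 16)] = "live"
        elif func in ("ClientIdentity_AddRef", "ClientIdentity_Release"):
            r = REF.match(rest)
            if not r:
                continue
            addr = int(r.group(1), 16)
            if state.get(addr) == "freed":
                findings.append((no, tid, "use-after-free", addr))
            elif func.endswith("Release") and r.group(2) == "0":
                state[addr] = "freed"   # refcount reached 0
        elif func in ("NdrBaseTypeMarshall", "NdrBaseTypeUnmarshall"):
            # Heuristic: an integer equal to a known proxy address means the
            # pointer crossed the RPC boundary without being marshalled.
            r = RAW.match(rest)
            if r and int(r.group(1), 16) in state:
                findings.append((no, tid, "raw-pointer-as-integer", int(r.group(1), 16)))
    return findings

if __name__ == "__main__":
    for no, tid, what, addr in audit(TRACE):
        print(f"line {no} thread {tid}: {what} {addr:08x}")
```

The integer match is a heuristic: an unrelated value can coincide with a proxy address, so treat those findings as leads to confirm against the surrounding trace.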
https://bugs.winehq.org/show_bug.cgi?id=54609

Zeb Figura <z.figura12(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
            Summary|32-bit LDAP Administrator   |32-bit Softerra LDAP
                   |crashes in internal Wine    |Administrator crashes due
                   |function                    |to proxy use-after-free
                   |proxy_manager_destroy       |
                 CC|                            |z.figura12(a)gmail.com
                URL|                            |https://softerra-downloads.
                   |                            |com/ldapadmin/ldapadmin-4.2
                   |                            |1.24429.0-x86-eng.msi

--- Comment #1 from Zeb Figura <z.figura12(a)gmail.com> ---
As far as I can tell the remoted method is doing something like the following:

    HRESULT remote_Method(IScpMTAMarshaller *this, [in] IUnknown *unk, [out] int64 *ptr)
    {
        *ptr = (int64)unk;
        return S_OK;
    }

Which, yes, can't possibly work.

There are a few possibilities that occur to me:

* the IUnknown isn't actually supposed to be proxied (i.e. it's supposed to be
  passed directly). Seems unlikely though given that 0100 (the calling thread)
  is an STA. Though it's odd that 0110 (the stub thread) never has COM
  initialized, and I'm not sure why it's hosting objects in the first place?

* Windows zeroes the vtbl or something after destroying a proxy, and then the
  resulting exception is caught by the COM RPC exception handler.

https://bugs.winehq.org/show_bug.cgi?id=54609

Alex Henrie <alexhenrie24(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.winehq.org/sho
                   |                            |w_bug.cgi?id=54606

https://bugs.winehq.org/show_bug.cgi?id=54609

Alex Henrie <alexhenrie24(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
      Fixed by SHA1|                            |a42f5f197093f0942d1c1ee60f1
                   |                            |cf0d8a7b610cd

--- Comment #2 from Alex Henrie <alexhenrie24(a)gmail.com> ---
Fixed by
https://gitlab.winehq.org/wine/wine/-/commit/a42f5f197093f0942d1c1ee60f1cf0d...

https://bugs.winehq.org/show_bug.cgi?id=54609

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 8.13.

https://bugs.winehq.org/show_bug.cgi?id=54609

Michael Stefaniuc <mstefani(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |8.0.x

http://bugs.winehq.org/show_bug.cgi?id=54609

Michael Stefaniuc <mstefani(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|8.0.x                       |---