[Bug 46205] New: Multiple kernel drivers need implementation of 'ntoskrnl.ObReferenceObjectByHandle' for 'PsThreadType' (PETHREAD)

https://bugs.winehq.org/show_bug.cgi?id=46205

            Bug ID: 46205
           Summary: Multiple kernel drivers need implementation of
                    'ntoskrnl.ObReferenceObjectByHandle' for 'PsThreadType'
                    (PETHREAD)
           Product: Wine
           Version: 3.21
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs(a)winehq.org
          Reporter: focht(a)gmx.net
      Distribution: ---

Hello folks,

continuation of bug 44588 (and partially bug 44910)

--- snip ---
$ WINEDEBUG=+seh,+loaddll,+process,+service,+ntoskrnl wineboot >>log.txt 2>&1
...
000f:trace:service:scmdatabase_load_services Loading service L"bizVSerial"
000f:trace:service:load_service_config Image path = L"System32\\drivers\\bizVSerialNT.sys"
000f:trace:service:load_service_config Group = (null)
000f:trace:service:load_service_config Service account name = L"LocalSystem"
000f:trace:service:load_service_config Display name = L"Franson VSerial"
000f:trace:service:load_service_config Service dependencies : (none)
000f:trace:service:load_service_config Group dependencies : (none)
...
0017:trace:service:service_thread 0x10d60
0017:trace:service:SERV_OpenSCManagerW ((null),(null),0x00000001)
0015:trace:service:svcctl_OpenSCManagerW ((null), (null), 1)
0017:trace:service:SERV_OpenSCManagerW returning 0x11920
0017:trace:service:RegisterServiceCtrlHandlerExW L"winedevice" 0x7f47d7011ab0 0x11800
0017:trace:service:SetServiceStatus 0x110c0 30 4 5 0 0 0 0
...
000f:trace:service:process_send_start_message 0x143b0 L"bizVSerial" (nil) 0
0016:trace:service:service_handle_control L"winedevice" control 2147483648 data 0x11bb2 data_size 22
0016:trace:ntoskrnl:ZwLoadDriver (L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\bizVSerial")
...
0016:trace:service:QueryServiceConfigW Image path = L"System32\\drivers\\bizVSerialNT.sys"
0016:trace:service:QueryServiceConfigW Group = L""
0016:trace:service:QueryServiceConfigW Dependencies = L""
0016:trace:service:QueryServiceConfigW Service account name = L"LocalSystem"
0016:trace:service:QueryServiceConfigW Display name = L"Franson VSerial"
0016:trace:ntoskrnl:open_driver opened service for driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\bizVSerial"
0016:trace:service:SetServiceStatus 0x12e50 30 2 0 0 0 0 2710
0014:trace:service:svcctl_SetServiceStatus (0x15e80, 0x15754)
0016:trace:ntoskrnl:IoCreateDriver (L"\\Driver\\bizVSerial", 0x7f47c8c949c0)
0016:trace:ntoskrnl:load_driver loading driver L"System32\\drivers\\bizVSerialNT.sys"
0016:trace:loaddll:load_native_dll Loaded L"C:\\windows\\System32\\drivers\\bizVSerialNT.sys" at 0x460000: native
0016:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x468034 ip=468034 tid=0016
0016:trace:seh:NtRaiseException info[0]=0000000000000000
0016:trace:seh:NtRaiseException info[1]=fffff78000000320
0016:trace:seh:NtRaiseException rax=fffff78000000320 rbx=0000000000013178 rcx=0000000000013010 rdx=0000000000013178
0016:trace:seh:NtRaiseException rsi=00007f47d73b84b1 rdi=00007f47c8cd1c71 rbp=000000000033f8a0 rsp=000000000033f788
0016:trace:seh:NtRaiseException r8=0000000000466100 r9=00002b992ddfa232 r10=000000000000a000 r11=0000000000012ee0
0016:trace:seh:NtRaiseException r12=0000000000013010 r13=0000000000000000 r14=0000000000011b18 r15=0000000000468008
0016:trace:seh:call_vectored_handlers calling handler at 0x7f47c8c93260 code=c0000005 flags=0
0016:trace:seh:call_vectored_handlers handler at 0x7f47c8c93260 returned ffffffff
0016:trace:ntoskrnl:IoCreateDevice (0x13010, 496, L"\\Device\\bizvSerialMgr", 34, 0, 0, 0x33f790)
0016:trace:ntoskrnl:IoCreateSymbolicLink L"\\DosDevices\\bizSerialMgr" -> L"\\Device\\bizvSerialMgr"
0016:trace:ntoskrnl:KeInitializeEvent event 0x136e8, type 0, state 0.
0016:trace:ntoskrnl:KeInitializeEvent event 0x136c8, type 0, state 0.
0016:fixme:ntoskrnl:ObReferenceObjectByHandle stub: 0x3c 1fffff (nil) 0 0x136e0 (nil)
0016:trace:ntoskrnl:init_driver init done for L"bizVSerial" obj 0x13010
0016:trace:ntoskrnl:init_driver - DriverInit = 0x468008
0016:trace:ntoskrnl:init_driver - DriverStartIo = (nil)
0016:trace:ntoskrnl:init_driver - DriverUnload = 0x4613c0
0016:trace:ntoskrnl:init_driver - MajorFunction[0] = 0x461180
0016:trace:ntoskrnl:init_driver - MajorFunction[1] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[2] = 0x461228
0016:trace:ntoskrnl:init_driver - MajorFunction[3] = 0x46133c
0016:trace:ntoskrnl:init_driver - MajorFunction[4] = 0x461304
0016:trace:ntoskrnl:init_driver - MajorFunction[5] = 0x461398
0018:trace:ntoskrnl:KeWaitForMultipleObjects count 2, objs 0x56fd80, wait_type 1, reason 0, mode 0, alertable 0, timeout (nil), wait_blocks 0x56fd90.
0016:trace:ntoskrnl:init_driver - MajorFunction[6] = 0x461398
0016:trace:ntoskrnl:init_driver - MajorFunction[7] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[8] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[9] = 0x461398
0016:trace:ntoskrnl:init_driver - MajorFunction[10] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[11] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[12] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[13] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[14] = 0x4612e0
0016:trace:ntoskrnl:init_driver - MajorFunction[15] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[16] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[17] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[18] = 0x461374
0016:trace:ntoskrnl:init_driver - MajorFunction[19] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[20] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[21] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[22] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[23] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[24] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[25] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[26] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[27] = 0x7f47c8c997b0
0016:trace:service:SetServiceStatus 0x12e50 30 4 5 0 0 0 0
0015:trace:service:svcctl_SetServiceStatus (0x15e80, 0x15cf4)
...
0017:trace:ntoskrnl:unload_driver L"\\Driver\\bizVSerial"
0017:trace:service:SetServiceStatus 0x12e50 30 3 0 0 0 0 0
...
0017:trace:ntoskrnl:KeSetEvent event 0x136c8, increment 0, wait 0.
0017:trace:ntoskrnl:KeWaitForMultipleObjects count 1, objs 0x44f900, wait_type 1, reason 6, mode 0, alertable 0, timeout (nil), wait_blocks (nil).
0018:trace:ntoskrnl:KeResetEvent event 0x136c8.
0017:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x7f47c8ca3183 ip=7f47c8ca3183 tid=0017
0017:trace:seh:NtRaiseException info[0]=0000000000000001
0017:trace:seh:NtRaiseException info[1]=00000000deadbeb7
0017:trace:seh:NtRaiseException rax=00000000deadbeaf rbx=000000000044f900 rcx=00007f47d6aed879 rdx=0000000000000000
0017:trace:seh:NtRaiseException rsi=000000000044f5c0 rdi=0000000000000000 rbp=000000000044f8a0 rsp=000000000044f580
0017:trace:seh:NtRaiseException r8=0000000000000000 r9=0000000000000000 r10=000000000044f340 r11=0000000000000246
0017:trace:seh:NtRaiseException r12=0000000000013010 r13=0000000000000001 r14=000000000044f908 r15=000000000044f900
0017:trace:seh:call_vectored_handlers calling handler at 0x7f47c8c93260 code=c0000005 flags=0
...
wine: Unhandled page fault on write access to 0xdeadbeb7 at address 0x7f47c8ca3183 (thread 0017), starting debugger...
0017:trace:seh:start_debugger Starting debugger "winedbg --auto 17 60"
0017:trace:process:CreateProcessInternalW app (null) cmdline L"winedbg --auto 17 60"
0017:trace:process:find_exe_file looking for L"winedbg"
0017:trace:process:find_exe_file Trying native exe L"C:\\windows\\system32\\winedbg.exe"
0017:trace:process:CreateProcessInternalW starting L"C:\\windows\\system32\\winedbg.exe" as Win64 binary (10000000-10018000, x86_64)
0017:err:seh:start_debugger Couldn't start debugger ("winedbg --auto 17 60") (1115)
--- snip ---

The kernel driver creates a secondary thread via 'PsCreateSystemThread' and waits in driver unload routine for the thread to exit.
Wine's 'ObReferenceObjectByHandle' is currently a stub, returning a fake (invalid) handle. This causes 'KeWaitForSingleObject' to dereference an invalid handle later.

The sequence is pretty standard for Windows kernel drivers.

One of the many driver examples on Github:

https://github.com/Microsoft/Windows-driver-samples/blob/master/general/canc...

--- snip ---
...
NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    ...
    //
    // Start the polling thread.
    //
    devExtension->ThreadShouldStop = FALSE;

    status = PsCreateSystemThread(&threadHandle,
                                  (ACCESS_MASK)0,
                                  NULL,
                                  (HANDLE) 0,
                                  NULL,
                                  CsampPollingThread,
                                  deviceObject );
    if ( !NT_SUCCESS( status )) {
        IoDeleteSymbolicLink( &unicodeDosDeviceName );
        IoDeleteDevice( deviceObject );
        return status;
    }

    //
    // Convert the Thread object handle into a pointer to the Thread object
    // itself. Then close the handle.
    //
    ObReferenceObjectByHandle(threadHandle,
                              THREAD_ALL_ACCESS,
                              NULL,
                              KernelMode,
                              &devExtension->ThreadObject,
                              NULL );
    ZwClose(threadHandle);
}
...
VOID
CsampPollingThread( _In_ PVOID Context)
{
    ...
    //
    // Now enter the main IRP-processing loop
    //
    for(;;) {
        ...
        //
        // See if thread was awakened because driver is unloading itself...
        //
        if ( DevExtension->ThreadShouldStop ) {
            PsTerminateSystemThread( STATUS_SUCCESS );
        }
        ...
    }
    ...
}
...
VOID
CsampUnload( _In_ PDRIVER_OBJECT DriverObject)
{
    ...
    //
    // Set the Stop flag
    //
    devExtension->ThreadShouldStop = TRUE;
    ...
    //
    // Wait for the thread to terminate
    //
    KeWaitForSingleObject(devExtension->ThreadObject,
                          Executive,
                          KernelMode,
                          FALSE,
                          NULL );
    ObDereferenceObject(devExtension->ThreadObject);
    ...
}
--- snip ---

Microsoft docs:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf...

Wine source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl...

--- snip ---
/***********************************************************************
 *           ObReferenceObjectByHandle   (NTOSKRNL.EXE.@)
 */
NTSTATUS WINAPI ObReferenceObjectByHandle( HANDLE obj, ACCESS_MASK access,
                                           POBJECT_TYPE type,
                                           KPROCESSOR_MODE mode, PVOID* ptr,
                                           POBJECT_HANDLE_INFORMATION info)
{
    FIXME( "stub: %p %x %p %d %p %p\n", obj, access, type, mode, ptr, info);

    if(ptr)
        *ptr = UlongToHandle(0xdeadbeaf);

    return STATUS_SUCCESS;
}
--- snip ---

$ sha1sum GpsGateClient.exe
bd5ac140199054a7b4502994439fcc78009fee35  GpsGateClient.exe

$ du -sh GpsGateClient.exe
2.5M    GpsGateClient.exe

$ wine --version
wine-3.21-87-g65677e2b2f

Regards

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
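The lifecycle the report describes (PsCreateSystemThread, ObReferenceObjectByHandle, ZwClose in DriverEntry; KeWaitForSingleObject and ObDereferenceObject in the unload routine) rests on one contract: referencing an object by handle must return a pointer to the real object and take a reference on it, so that the object outlives ZwClose. The following C program is an added illustration and is not part of the bug report, of Wine, or of Microsoft's sample. It models a tiny object manager (a handle table plus reference counts), runs the driver's sequence once against a correct reference call and once against a copy of the Wine 3.21 stub, and records what each leaves behind. Every name in it (ob_create, run_driver_lifecycle, the object struct, the hypothetical ob_is_live check) is constructed here; only the NTSTATUS values are the real Windows constants. The model's wait validates the pointer and returns an error instead of touching memory, which is exactly where the real path faults: the write to 0xdeadbeb7 in the log is 8 bytes past the stub's 0xdeadbeaf, consistent with the wait writing into what it takes to be the object.

```c
/* Added example, not Wine or Microsoft code: a user-mode model of the object-manager semantics the
 * report relies on. Handle table, object layout and the "thread" are constructed; NTSTATUS values are real. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_TIMEOUT              ((NTSTATUS)0x00000102)
#define STATUS_INVALID_HANDLE       ((NTSTATUS)0xC0000008)
#define STATUS_OBJECT_TYPE_MISMATCH ((NTSTATUS)0xC0000024)
#define NT_SUCCESS(s) ((s) >= 0)
#define MAX_OBJECTS 16
typedef enum { TYPE_THREAD = 1, TYPE_EVENT = 2 } object_type;
typedef struct {
    object_type type;
    int  refcount;                 /* open handles + pointer references */
    bool should_stop, signaled;    /* the driver's stop flag; set when the thread exits */
} object;
static object *live[MAX_OBJECTS];          /* every allocated object, for validation */
static object *handle_table[MAX_OBJECTS];  /* handle value = index; 0 is the NULL handle */
static object *ob_create(object_type type)
{
    for (int i = 0; i < MAX_OBJECTS; i++)
        if (!live[i] && (live[i] = calloc(1, sizeof(object)))) { live[i]->type = type; return live[i]; }
    return NULL;
}
/* Pointer-equality scan that never dereferences, so a bogus pointer is safe to check. */
static bool ob_is_live(const object *o)
{ for (int i = 0; i < MAX_OBJECTS; i++) if (live[i] == o) return true; return false; }
static void ob_dereference_object(object *o)
{
    if (--o->refcount > 0) return;
    for (int i = 0; i < MAX_OBJECTS; i++) if (live[i] == o) live[i] = NULL;
    free(o);
}
static int ob_open_handle(object *o)        /* returns a handle, 0 on failure */
{
    for (int h = 1; h < MAX_OBJECTS; h++)
        if (!handle_table[h]) { handle_table[h] = o; o->refcount++; return h; }
    return 0;
}
static NTSTATUS zw_close(int h)
{
    if (h <= 0 || h >= MAX_OBJECTS || !handle_table[h]) return STATUS_INVALID_HANDLE;
    object *o = handle_table[h]; handle_table[h] = NULL;
    ob_dereference_object(o);               /* closing a handle drops the handle's reference */
    return STATUS_SUCCESS;
}
/* The real contract: validate handle and type, add a pointer reference, return the object. */
static NTSTATUS ob_reference_object_by_handle(int h, object_type type, object **out)
{
    if (h <= 0 || h >= MAX_OBJECTS || !handle_table[h]) return STATUS_INVALID_HANDLE;
    if (handle_table[h]->type != type) return STATUS_OBJECT_TYPE_MISMATCH;
    handle_table[h]->refcount++;
    *out = handle_table[h];
    return STATUS_SUCCESS;
}
/* What the Wine 3.21 stub quoted in the report does: claim success, hand back a fake pointer. */
static NTSTATUS ob_reference_object_by_handle_stub(int h, object_type type, object **out)
{
    (void)h; (void)type;
    *out = (object *)(uintptr_t)0xdeadbeaf;
    return STATUS_SUCCESS;
}
/* One pass of the driver's polling loop; PsTerminateSystemThread signals the thread object. */
static void polling_thread_iteration(object *self) { if (self->should_stop) self->signaled = true; }
/* A real KeWaitForSingleObject writes into the object and faults on a fake pointer; this
 * non-blocking model validates the pointer first so the defect is reported instead. */
static NTSTATUS ke_wait_for_single_object(object *o)
{ return !ob_is_live(o) ? STATUS_INVALID_HANDLE : o->signaled ? STATUS_SUCCESS : STATUS_TIMEOUT; }
typedef struct { NTSTATUS ref_status, wait_status; int refs_after_reference, refs_after_close;
                 bool pointer_valid, live_after_unload; } lifecycle_result;
/* The DriverEntry / unload sequence from the report, with the real or the stubbed call.
 * refs_after_close is -1 when the pointer the driver holds is not a live object. */
static lifecycle_result run_driver_lifecycle(bool use_stub)
{
    lifecycle_result r = {0}; object *thread_obj = NULL;
    object *created = ob_create(TYPE_THREAD);  /* PsCreateSystemThread creates the object ... */
    int handle = ob_open_handle(created);      /* ... and returns a handle to it: refcount 1 */
    r.ref_status = use_stub ? ob_reference_object_by_handle_stub(handle, TYPE_THREAD, &thread_obj)
                            : ob_reference_object_by_handle(handle, TYPE_THREAD, &thread_obj);
    r.refs_after_reference = created->refcount;   /* 2 if a reference was taken, else still 1 */
    zw_close(handle);                             /* with the stub this frees the thread object */
    r.pointer_valid = ob_is_live(thread_obj);
    r.refs_after_close = r.pointer_valid ? thread_obj->refcount : -1;
    if (r.pointer_valid) { thread_obj->should_stop = true; polling_thread_iteration(thread_obj); }
    r.wait_status = ke_wait_for_single_object(thread_obj);            /* CsampUnload's wait */
    if (NT_SUCCESS(r.wait_status)) ob_dereference_object(thread_obj);  /* 1 -> 0: object freed */
    r.live_after_unload = ob_is_live(thread_obj);
    return r;
}
int main(void)
{
    lifecycle_result ok = run_driver_lifecycle(false), bad = run_driver_lifecycle(true);
    printf("real: refs %d -> %d, freed after unload %d\nstub: refs %d, pointer valid %d, wait 0x%08x\n",
           ok.refs_after_reference, ok.refs_after_close, (int)!ok.live_after_unload,
           bad.refs_after_reference, (int)bad.pointer_valid, (unsigned)bad.wait_status);
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall model.c`). With the real call the thread object goes from two references (handle plus pointer) to one after ZwClose, the unload wait succeeds, and the final dereference frees it. With the stub the reference count never rises, so ZwClose frees the thread object while the driver keeps the fake pointer; the model's wait reports STATUS_INVALID_HANDLE where the real one, as the log shows, writes through the fake pointer and faults. The type check in ob_reference_object_by_handle is the part of the contract the bug title names: passing a thread handle with any other expected type must fail rather than hand out a pointer.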
https://bugs.winehq.org/show_bug.cgi?id=46205

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, hardware,
                   |                            |obfuscation
                URL|                            |http://update.gpsgate.com/install/GpsGateClient.exe
https://bugs.winehq.org/show_bug.cgi?id=46205

mirh <mirh(a)protonmail.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mirh(a)protonmail.ch
https://bugs.winehq.org/show_bug.cgi?id=46205

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://update.gpsgate.com/install/GpsGateClient.exe |https://web.archive.org/web/20170608071455/http://update.gpsgate.com/install/GpsGateClient.exe
         Resolution|---                         |FIXED
      Fixed by SHA1|                            |b0b89cb569823da908bd75dfff64f44ebeceefd9
             Status|NEW                         |RESOLVED

--- Comment #1 from Anastasius Focht <focht(a)gmx.net> ---
Hello folks,

this is fixed by commits:

* https://source.winehq.org/git/wine.git/commitdiff/4c0e81728f6db575d9cbd8feb8... ("server: Allow creating thread kernel objects.")
* https://source.winehq.org/git/wine.git/commitdiff/b0b89cb569823da908bd75dfff... ("ntoskrnl.exe: Implement thread object constructor.")

Thanks Jacek

--- snip ---
...
0016:trace:ntoskrnl:open_driver opened service for driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\bizVSerial"
0016:trace:service:SetServiceStatus 0x136f0 30 2 0 0 0 0 2710
0014:trace:service:svcctl_SetServiceStatus (0x16700, 0x15d04)
0016:trace:ntoskrnl:IoCreateDriver (L"\\Driver\\bizVSerial", 0x7ff1e800d930)
0016:trace:ntoskrnl:load_driver loading driver L"System32\\drivers\\bizVSerialNT.sys"
0016:trace:loaddll:load_native_dll Loaded L"C:\\windows\\System32\\drivers\\bizVSerialNT.sys" at 0x450000: native
...
0016:trace:ntoskrnl:KeInitializeEvent event 0x14008, type 0, state 0.
0016:trace:ntoskrnl:KeInitializeEvent event 0x13fe8, type 0, state 0.
0016:trace:ntoskrnl:ObReferenceObjectByHandle 0x38 1fffff (nil) 0 0x14000 (nil)
0018:trace:ntoskrnl:KeWaitForMultipleObjects count 2, objs 0x55fd60, wait_type 1, reason 0, mode 0, alertable 0, timeout (nil), wait_blocks 0x55fd70.
0016:trace:ntoskrnl:ObReferenceObject (0x13820) ref=1
0016:trace:ntoskrnl:init_driver init done for L"bizVSerial" obj 0x138a0
...
0017:trace:ntoskrnl:unload_driver L"\\Driver\\bizVSerial"
...
0017:trace:ntoskrnl:KeSetEvent event 0x13fe8, increment 0, wait 0.
0017:trace:ntoskrnl:KeWaitForMultipleObjects count 1, objs 0x43f790, wait_type 1, reason 6, mode 0, alertable 0, timeout (nil), wait_blocks (nil).
0018:trace:ntoskrnl:KeResetEvent event 0x13fe8.
0017:trace:ntoskrnl:ObDereferenceObject (0x13820) ref=0
0017:trace:ntoskrnl:IoDeleteDevice 0x13d00
0017:trace:ntoskrnl:ObDereferenceObject (0x13d00) ref=0
0017:trace:loaddll:free_modref Unloaded module L"C:\\windows\\System32\\drivers\\bizVSerialNT.sys" : native
0017:trace:ntoskrnl:IoDeleteDriver (0x138a0)
0017:trace:ntoskrnl:ObDereferenceObject (0x138a0) ref=0
0017:trace:service:SetServiceStatus 0x136f0 30 1 0 0 0 0 0
...
--- snip ---

$ wine --version
wine-4.5-271-g18883a7676

Regards
https://bugs.winehq.org/show_bug.cgi?id=46205

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 4.6.