http://bugs.winehq.org/show_bug.cgi?id=21542 Summary: SOFTPUB_LoadCatalogMessage should use catalog members instead of file ones for retrieving msg data Product: Wine Version: 1.1.37 Platform: x86 OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: wintrust AssignedTo: wine-bugs(a)winehq.org ReportedBy: focht(a)gmx.net Hello, recent wintrust refactoring patch series broke PowerShell 1.x/2.x installers by revealing a previously hidden bug... --- snip --- 0036:Call wintrust.SoftpubInitialize(001e86f8) ret=7974e691 0036:trace:wintrust:SoftpubInitialize (0x1e86f8) 0036:trace:wintrust:SoftpubInitialize returning 00000000 0036:Ret wintrust.SoftpubInitialize() retval=00000000 ret=7974e691 0036:Call wintrust.SoftpubLoadMessage(001e86f8) ret=7974e691 0036:trace:wintrust:SoftpubLoadMessage (0x1e86f8) 0036:Call KERNEL32.CreateFileW(0033b53c L"C:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\KB968930xp.cat",80000000,00000001,00000000,00000003,00000080,00000000) ret=7974bf32 0036:Ret KERNEL32.CreateFileW() retval=0000007c ret=7974bf32 0036:Call crypt32.CryptSIPRetrieveSubjectGuid(0033b53c L"C:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\KB968930xp.cat",0000007c,001640dc) ret=7974bf70 ... 0036:Call KERNEL32.GetFileSize(0000007c,00000000) ret=686fa459 0036:Ret KERNEL32.GetFileSize() retval=0000e8d2 ret=686fa459 ... 0036:Ret crypt32.CryptSIPRetrieveSubjectGuid() retval=00000001 ret=7974bf70 ... 0036:Call crypt32.CryptSIPLoad(001640dc,00000000,001ed4c0) ret=7974b4f9 ... 0036:Ret crypt32.CryptSIPLoad() retval=00000001 ret=7974b4f9 0036:trace:wintrust:SOFTPUB_GetSIP returning 0 ... 0036:Call wintrust.CryptSIPGetSignedDataMsg(001e8780,001e8730,00000000,0033b188,00000000) ret=686fb39a 0036:trace:wintrust:CryptSIPGetSignedDataMsg (0x1e8780 0x1e8730 0 0x33b188 (nil)) 0036:trace:wintrust:WINTRUST_GetSignedMsgFromCatFile (0x1e8780 0x1e8730 0 0x33b188 (nil)) 0036:Call KERNEL32.GetFileSize(0033b53c,00000000) ret=7974418b 0036:Ret KERNEL32.GetFileSize() retval=ffffffff ret=7974418b 0036:trace:wintrust:CryptSIPGetSignedDataMsg returning 1 0036:Ret wintrust.CryptSIPGetSignedDataMsg() retval=00000001 ret=686fb39a 0036:Call KERNEL32.GetProcessHeap() ret=7974e07e 0036:Ret KERNEL32.GetProcessHeap() retval=00110000 ret=7974e07e 0036:Call ntdll.RtlAllocateHeap(00110000,00000008,ffffffff) ret=7974e095 0036:Ret ntdll.RtlAllocateHeap() retval=00000000 ret=7974e095 0036:Call KERNEL32.CloseHandle(0000007c) ret=7974bfff 0036:Ret KERNEL32.CloseHandle() retval=00000001 ret=7974bfff 0036:trace:wintrust:SoftpubLoadMessage returning 1 (0000000e) 0036:Ret wintrust.SoftpubLoadMessage() retval=00000001 ret=7974e691 0036:trace:wintrust:WINTRUST_DefaultVerify returning 0000000e 0036:trace:wintrust:WINTRUST_DefaultClose ((nil), {00aac56b-cd44-11d0-8cc2-00c04fc295ee}, 0x33b4e8) 0036:Call wintrust.SoftpubCleanup(001e86f8) ret=7974eb81 ... --- snip --- SoftpubLoadMessage -> (WTD_CHOICE_CATALOG) SOFTPUB_LoadCatalogMessage -> SOFTPUB_GetMessageFromFile WINTRUST_GetSignedMsgFromCatFile -> GetFileSize() gets passed invalid file handle (stack garbage) -> following alloc fails and error is propagated to top ... --- snip dlls/wintrust/softpub.c --- static DWORD SOFTPUB_LoadCatalogMessage(CRYPT_PROVIDER_DATA *data) { DWORD err; HANDLE catalog = INVALID_HANDLE_VALUE; if (!data->pWintrustData->u.pCatalog) { SetLastError(ERROR_INVALID_PARAMETER); return FALSE; } catalog = CreateFileW(data->pWintrustData->u.pCatalog->pcwszCatalogFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (catalog == INVALID_HANDLE_VALUE) return GetLastError(); if (!CryptSIPRetrieveSubjectGuid( data->pWintrustData->u.pCatalog->pcwszCatalogFilePath, catalog, &data->u.pPDSip->gSubject)) { err = GetLastError(); goto error; } err = SOFTPUB_GetSIP(data); if (err) goto error; err = SOFTPUB_GetMessageFromFile(data, data->pWintrustData->u.pFile->hFile, data->pWintrustData->u.pFile->pcwszFilePath); if (err) goto error; ... } --- snip dlls/wintrust/softpub.c --- This is a catalog type file hence the pFile members can't be used for SOFTPUB_GetMessageFromFile(), e.g. "data->pWintrustData->u.pFile->hFile" and "data->pWintrustData->u.pFile->pcwszFilePath" will be invalid upon entry. You must use "catalog" file handle and "data->pWintrustData->u.pCatalog->pcwszCatalogFilePath" just like you do with CryptSIPRetrieveSubjectGuid() for SOFTPUB_GetMessageFromFile(). Regards -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.