[Bug 20896] New: Use-after-free in DdeClientTransaction in user32 dde tests
http://bugs.winehq.org/show_bug.cgi?id=20896

           Summary: Use-after-free in DdeClientTransaction in user32 dde tests
           Product: Wine
           Version: 1.1.33
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Keywords: download, source, testcase
          Severity: normal
          Priority: P2
         Component: user32
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: dank(a)kegel.com

http://kegel.com/wine/valgrind/logs/2009-11-30-19.16/vg-user32_dde.txt
says

Invalid read of size 2
   at GlobalFree (heap.c:767)
   by WDML_FreeTransaction (dde_misc.c:2439)
   by DdeClientTransaction (dde_client.c:1228)
   by test_ddeml_client (dde.c:392)
   by func_dde (dde.c:2357)
   by run_test (test.h:535)
   by main (test.h:585)
 Address 0x7f075e80 is not stack'd, malloc'd or (recently) free'd

It's a little hard to see what's going on, but it appears that the memory in
question was indeed recently freed, judging by the attached log, which was
generated by the command

WINEDEBUG=+relay,+heap valgrind --trace-children=yes wine user32_test.exe.so dde.c

and edited to show just the area of interest.

--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
http://bugs.winehq.org/show_bug.cgi?id=20896

--- Comment #1 from Dan Kegel <dank(a)kegel.com> 2009-12-01 20:36:21 ---
Created an attachment (id=25042)
 --> (http://bugs.winehq.org/attachment.cgi?id=25042)
Section of log showing what happens during DdeClientTransaction

The log shows the memory getting allocated early in DdeClientTransaction,
freed towards the end, and then freed again.
http://bugs.winehq.org/show_bug.cgi?id=20896

--- Comment #2 from Austin English <austinenglish(a)gmail.com> 2011-02-09 19:47:26 CST ---
Still present:
http://austinenglish.com/logs/valgrind/2011-02-08-15.53/vg-user32_dde.txt
http://bugs.winehq.org/show_bug.cgi?id=20896

--- Comment #3 from Dan Kegel <dank(a)kegel.com> 2011-10-15 16:42:43 CDT ---
Still present. Log seems more informative now:

Invalid read of size 2
   at GlobalFree (heap.c:758)
   by WDML_FreeTransaction (dde_misc.c:2444)
   by DdeClientTransaction (dde_client.c:1228)
   by func_dde (dde.c:406)
   by run_test (test.h:556)
   by main (test.h:624)
 Address 0x7f033e68 is 0 bytes inside a block of size 8 free'd
   at notify_free (heap.c:262)
   by RtlFreeHeap (heap.c:1748)
   by HeapFree (heap.c:272)
   by GlobalFree (heap.c:770)
   by WDML_HandleReply (dde_client.c:781)
   by WDML_SyncWaitTransactionReply (dde_client.c:1053)
   by WDML_ClientHandle (dde_client.c:1126)
   by DdeClientTransaction (dde_client.c:1224)
   by func_dde (dde.c:406)
   by run_test (test.h:556)
   by main (test.h:624)
http://bugs.winehq.org/show_bug.cgi?id=20896

--- Comment #4 from Dan Kegel <dank(a)kegel.com> 2011-10-19 20:38:15 CDT ---
Here's a slightly less inlined stack:

Invalid read of size 2
   at GlobalFree (heap.c:758)
   by WDML_FreeTransaction (dde_misc.c:2444)
   by DdeClientTransaction (dde_client.c:1228)
   by test_ddeml_client (dde.c:406, 416)
   by func_dde (dde.c:2702)
 Address 0x7f032ab8 is 0 bytes inside a block of size 8 free'd
   at notify_free (heap.c:262)
   by RtlFreeHeap (heap.c:1748)
   by HeapFree (heap.c:272)
   by GlobalFree (heap.c:770)
   by WDML_HandlePokeReply (dde_client.c:781)
   by WDML_HandleReply (dde_client.c:946)
   by WDML_SyncWaitTransactionReply (dde_client.c:1053)
   by WDML_ClientHandle (dde_client.c:1126)
   by DdeClientTransaction (dde_client.c:1224)
   by test_ddeml_client (dde.c:406)
   by func_dde (dde.c:2702)
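A small triage helper for the valgrind reports quoted in this thread, added here as an example and not part of the bug report or of Wine: it parses the "Invalid read" stack and the "free'd" stack, skips the allocator's own heap.c frames, and names the reading caller, the freeing caller and the nearest frame the two stacks share (here both sit under one DdeClientTransaction call, which is what marks this as the transaction block being released twice rather than a stray pointer). The sample input is constructed from the stacks in this comment; the `==pid==` prefix and `0xADDR:` form from the later comments are accepted too.

```python
import re
from dataclasses import dataclass, field

PID = re.compile(r"^==\d+==\s?")   # "==21199== " prefix as in the later comments
FRAME = re.compile(r"^\s*(?:at|by)\s+(?:0x[0-9A-Fa-f]+:\s+)?(\S+)\s+\(([^:]+):(\d+)\)")
BLOCK = re.compile(r"block of size \d+ (free'd|alloc'd)\s*$")
@dataclass
class Report:
    error: str                                   # e.g. "Invalid read of size 2"
    frames: list = field(default_factory=list)   # (func, file, line), leaf first
    block: str = ""                              # "free'd", "alloc'd" or "" (unknown)
    block_frames: list = field(default_factory=list)
def parse_valgrind(text):
    reports, cur, target = [], None, None
    for raw in text.splitlines():
        line = PID.sub("", raw).rstrip()
        if line.startswith("Invalid "):
            cur = Report(line.strip()); reports.append(cur); target = cur.frames
        elif cur and line.lstrip().startswith("Address"):
            m = BLOCK.search(line)   # "not stack'd, malloc'd or (recently) free'd" -> ""
            cur.block, target = (m.group(1) if m else ""), cur.block_frames
        elif (m := FRAME.match(line)) and target is not None:
            target.append((m.group(1), m.group(2), int(m.group(3))))
    return reports
def first_caller(frames):   # first frame outside the allocator (heap.c): the bug's owner
    return next((f for f, src, _ in frames if src != "heap.c"), None)
def diagnose(report):
    """Read of free'd memory -> (reading caller, freeing caller, nearest shared frame)."""
    if report.block != "free'd":
        return None
    freed_by = {f for f, _, _ in report.block_frames}
    shared = next((f for f, src, _ in report.frames
                   if src != "heap.c" and f in freed_by), None)
    return first_caller(report.frames), first_caller(report.block_frames), shared

# Constructed sample: the two stacks from this comment in valgrind's own line layout.
SAMPLE = """\
Invalid read of size 2
   at GlobalFree (heap.c:758)
   by WDML_FreeTransaction (dde_misc.c:2444)
   by DdeClientTransaction (dde_client.c:1228)
 Address 0x7f032ab8 is 0 bytes inside a block of size 8 free'd
   at notify_free (heap.c:262)
   by RtlFreeHeap (heap.c:1748)
   by HeapFree (heap.c:272)
   by GlobalFree (heap.c:770)
   by WDML_HandlePokeReply (dde_client.c:781)
   by DdeClientTransaction (dde_client.c:1224)
"""
```

`diagnose(parse_valgrind(SAMPLE)[0])` yields `('WDML_FreeTransaction', 'WDML_HandlePokeReply', 'DdeClientTransaction')`; a report whose address is "not stack'd, malloc'd or (recently) free'd", as in the first comment, yields `None` because there is no free'd stack to pair with.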
http://bugs.winehq.org/show_bug.cgi?id=20896

--- Comment #5 from Austin English <austinenglish(a)gmail.com> ---
Still in wine-1.7.11-206-g82b3813

==21199== Invalid read of size 2
==21199==    at 0x7B84490C: GlobalFree (heap.c:758)
==21199==    by 0x534B100: WDML_FreeTransaction (dde_misc.c:1985)
==21199==    by 0x5347579: DdeClientTransaction (dde_client.c:1226)
==21199==    by 0x4EEBDEF: test_ddeml_client (dde.c:403)
==21199==    by 0x4EF2D8A: func_dde (dde.c:2697)
==21199==    by 0x4EC9EEB: main (test.h:584)
http://bugs.winehq.org/show_bug.cgi?id=20896

--- Comment #6 from Austin English <austinenglish(a)gmail.com> ---
Created attachment 47388
  --> http://bugs.winehq.org/attachment.cgi?id=47388
valgrind log
https://bugs.winehq.org/show_bug.cgi?id=20896

Austin English <austinenglish(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |valgrind
https://bugs.winehq.org/show_bug.cgi?id=20896

Thomas Faller <tfaller1(a)gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tfaller1(a)gmx.de

--- Comment #7 from Thomas Faller <tfaller1(a)gmx.de> ---
I can't reproduce this bug with wine 1.9.0. Can someone confirm this please?
https://bugs.winehq.org/show_bug.cgi?id=20896

--- Comment #8 from Nikolay Sivov <bunglehead(a)gmail.com> ---
Yes, I can reproduce invalid read on current Wine + valgrind-svn:

---
==13031== Invalid read of size 2
==13031==    at 0x7B843878: GlobalFree (heap.c:762)
==13031==    by 0x4F5F4F1: WDML_FreeTransaction (dde_misc.c:1985)
==13031==    by 0x4F5BF33: DdeClientTransaction (dde_client.c:1226)
==13031==    by 0x4D06233: test_ddeml_client (dde.c:403)
==13031==    by 0x4D0BBD8: func_dde (dde.c:2696)
==13031==    by 0x4CE9003: main (test.h:584)
==13031==  Address 0x495f8f0 is 16 bytes after a recently re-allocated block of size 48 alloc'd
==13031==    at 0x7BC507E9: RtlAllocateHeap (heap.c:254)
==13031==    by 0x4F5F3C8: WDML_AllocTransaction (dde_misc.c:1919)
==13031==    by 0x4F5BBEE: DdeClientTransaction (dde_client.c:721)
==13031==    by 0x4D06233: test_ddeml_client (dde.c:403)
==13031==    by 0x4D0BBD8: func_dde (dde.c:2696)
==13031==    by 0x4CE9003: main (test.h:584)
---
https://bugs.winehq.org/show_bug.cgi?id=20896

Jactry Zeng <jactry92(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jactry92(a)gmail.com
https://bugs.winehq.org/show_bug.cgi?id=20896

Thomas Faller <tfaller1(a)gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |4e7a7d01ffd1bbbb07acfe08ebf
                   |                            |74046ad1f9d9a
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Thomas Faller <tfaller1(a)gmx.de> ---
Fixed by 4e7a7d01ffd1bbbb07acfe08ebf74046ad1f9d9a.
https://bugs.winehq.org/show_bug.cgi?id=20896

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #10 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 1.9.2.
https://bugs.winehq.org/show_bug.cgi?id=20896

Michael Stefaniuc <mstefani(a)redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |1.8.x
                 CC|                            |mstefani(a)redhat.com
https://bugs.winehq.org/show_bug.cgi?id=20896

Michael Stefaniuc <mstefani(a)redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|1.8.x                       |---

--- Comment #11 from Michael Stefaniuc <mstefani(a)redhat.com> ---
Removing 1.8.x milestone from bugs included in 1.8.5.