[Bug 10249] New: Battlefield2/SafeDisc 4.x and Punkbuster services cause lockup: child processes debugging misconception
http://bugs.winehq.org/show_bug.cgi?id=10249

           Summary: Battlefield2/SafeDisc 4.x and Punkbuster services cause lockup: child processes debugging misconception
           Product: Wine
           Version: CVS/GIT
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: P2
         Component: wine-kernel
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: focht(a)gmx.net

Created an attachment (id=8876)
 --> (http://bugs.winehq.org/attachment.cgi?id=8876)
WINEDEBUG=-all,+server,+tid,+loaddll,+seh wine ./BF2.exe +fullscreen 0 +szx 800 +szy 600 &>/tmp/debug_pipe

Hello,

while testing some PunkBuster stuff on popular games, I came across Battlefield 2 which employs SafeDisc 4.x

It seems there is a problem with debuggers in chained child processes.

Consider the following scenario:

--- snip process list ---
 pid        threads  parent    executable (all id:s are in hex)
 0000001b   1        00000008  'PnkBstrA.exe'
 0000000c   2        00000008  'explorer.exe'
 0000000a   2        00000008  '~e5.0001'
 00000008   4        00000000  'BF2.exe'
--- snip process list ---

--- snip thread list ---
process  tid      prio (all id:s are in hex)
0000001b
         0000001c    0
0000000c
         00000010    0
         0000000d    0
0000000a
         00000012    0
         0000000b    0
00000008
         0000001a    1
         00000014   15
         00000013    0
         00000009    0
--- snip thread list ---

"BF2.exe" = parent (game)
"~e5.0001" = 1st child = SafeDisc 4.x process = "debugger"
"PnkBstrA.exe" = 2nd child = PunkBuster Update Service

The 1st child acts as debugger for the parent "BF2.exe" and receives all debug events (process, thread creation, dll load/unload...)
There are lots of breakpoint events triggered from parent.
This is part of SafeDisc 4.x and used for on-the-fly decryption of code sections (child decrypts code of father).

When PunkBuster is initialized (loading of pbcl = client, pbag = agent), the following services should get started: PnkBstrA.exe, PnkBstrB.exe and finally the kmode driver PnkBstrK.exe

The service process "PnkBstrA.exe" is started from main process "BF2.exe" (which is a debuggee itself).
No debug flags (DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS) are specified in process creation flags.
The debugger (child of parent, receives the process creation event) does not make debugger_attach() to the newly created child process.

The child process seems to inherit the state of being a "debuggee":

wine server -> new_process -> set_process_debugger( process, parent->debugger );

The parent got its process->debugger from debugger_attach().

This leads to a problem in child process startup code: "dlls/kernel32/process.c:start_process()" checks the PEB->BeingDebugged field and if set, a system breakpoint is encountered before the entry code is called.
This breakpoint results in a debug event - seen by debugger.
Unfortunately this event is _not_ expected by debugger because it didn't expect another debuggee (child) to be created.

Ok, long story short solution:

If you debug a process by attaching to an already created process, you _must_ treat default debugging flags as if the process has been created with DEBUG_ONLY_THIS_PROCESS, meaning that all children created by debuggee will NOT automagically become debuggees.

Short and (hopefully) acceptable patch snippet:

--- snip --- diff --git a/server/debugger.c b/server/debugger.c index a64a17a..c59f3a0 100644 --- a/server/debugger.c +++ b/server/debugger.c @@ -444,6 +444,7 @@ static int debugger_attach( struct process *process, struct thread *debugger ) resume_process( process ); return 0; } + process->create_flags |= DEBUG_ONLY_THIS_PROCESS; return 1; error: --- snip ---

And yes, the patch (snippet) works as intended (tm) ;-)

Attached for sake of completeness is relevant server trace.
Search for "001c:trace:seh:raise_exception code=80000003 flags=0 addr=0x7b870ed8 " to the point where the entry system breakpoint is triggered.

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
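Review bot: the added `process->create_flags |= DEBUG_ONLY_THIS_PROCESS;` just before `return 1;` in debugger_attach() carries no comment, and it rewrites a field whose name says it records creation-time flags. A one-line comment stating that children of an attached-to process must not inherit the debugger would make the intent clear to the next reader. The bit is only OR-ed in here and nothing in this hunk clears it again, so it is worth checking whether the detach path needs to reset it.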
http://bugs.winehq.org/show_bug.cgi?id=10249

killertux <killertux(a)suomi24.fi> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
http://bugs.winehq.org/show_bug.cgi?id=10249

--- Comment #1 from Austin English <austinenglish(a)gmail.com> 2008-10-23 15:13:32 ---
Is this still an issue in current (1.1.6 or newer) wine?
http://bugs.winehq.org/show_bug.cgi?id=10249

Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #8876|text/plain                  |application/x-bzip2
          mime type|                            |
http://bugs.winehq.org/show_bug.cgi?id=10249

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Battlefield2/SafeDisc 4.x   |childs must not inherit
                   |and Punkbuster services     |debuggee state when created
                   |cause lockup: child         |by attach-to-process
                   |processes debugging         |"debuggee"
                   |misconception               |

--- Comment #2 from Anastasius Focht <focht(a)gmx.net> 2008-12-17 09:27:09 ---
Hello,

--- quote ---
Is this still an issue in current (1.1.6 or newer) wine?
--- quote ---

It doesn't apply to Battlefield2/SafeDisc 4.x and Punkbuster services anymore but it's still a valid bug.
I changed the summary accordingly.

There were architectural changes in early 2008 which changed the way services are spawned/managed (services.exe).
Spawned services don't suffer from this problem unless services.exe itself is being debugged.

Of course you can reproduce this issue anytime.
Attach to some process and spawn processes from the debuggee with standard process create flags.
Intelligent debuggers will usually complain about seeing (unexpected) debug events from different process ids (children).

Regards
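The inheritance rule from the original report and the attach-then-spawn reproduction in comment #2, as a small model. This is an added example, not Wine's server code: `struct proc`, `spawn`, `attach` and `service_debugger` are hypothetical names, and the pids are the ones from the report's process list.

```c
#include <stdio.h>

/* Win32 process creation flags (real values from winbase.h). */
#define DEBUG_PROCESS           0x00000001u
#define DEBUG_ONLY_THIS_PROCESS 0x00000002u

/* Hypothetical, simplified stand-in for the server's per-process state. */
struct proc {
    unsigned int pid;
    unsigned int debugger;      /* pid that receives debug events, 0 = none */
    unsigned int create_flags;
};

/* Process creation: explicit debug flags make the creator the debugger;
 * otherwise the parent's debugger is inherited unless the parent is
 * marked DEBUG_ONLY_THIS_PROCESS. */
static struct proc spawn(const struct proc *parent, unsigned int pid, unsigned int flags)
{
    struct proc child = { pid, 0, flags };
    if (flags & (DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS))
        child.debugger = parent->pid;
    else if (parent->debugger && !(parent->create_flags & DEBUG_ONLY_THIS_PROCESS))
        child.debugger = parent->debugger;
    return child;
}

/* Attach to a running process. only_this != 0 applies the rule the report
 * proposes: treat an attached process as DEBUG_ONLY_THIS_PROCESS. */
static void attach(struct proc *target, unsigned int debugger_pid, int only_this)
{
    target->debugger = debugger_pid;
    if (only_this) target->create_flags |= DEBUG_ONLY_THIS_PROCESS;
}

/* Replays the report's scenario with its pids and returns the pid of the
 * debugger that would see PnkBstrA.exe's startup breakpoint (0 = nobody). */
static unsigned int service_debugger(int only_this)
{
    struct proc game = { 0x08, 0, 0 };          /* BF2.exe */
    attach(&game, 0x0a, only_this);             /* ~e5.0001 attaches to it */
    struct proc svc = spawn(&game, 0x1b, 0);    /* PnkBstrA.exe, no debug flags */
    return svc.debugger;
}

int main(void)
{
    printf("attach as-is:            debugger of 0x1b = 0x%02x\n", service_debugger(0));
    printf("attach + ONLY_THIS flag: debugger of 0x1b = 0x%02x\n", service_debugger(1));
    return 0;
}
```

With the flag left untouched on attach, the service inherits debugger 0x0a and its startup breakpoint reaches a debugger that never asked for it; with the flag set, the service starts undebugged.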
http://bugs.winehq.org/show_bug.cgi?id=10249

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|obfuscation                 |
            Version|CVS/GIT                     |0.9.48.

--- Comment #3 from Anastasius Focht <focht(a)gmx.net> 2009-01-17 05:35:05 ---
Hello,

corrected version tag.
Also removed "obfuscation" keyword because it's about standard debugging behaviour and not limited to copy protection, anti-debugging techniques.

Regards
http://bugs.winehq.org/show_bug.cgi?id=10249

Dmitry Timoshkov <dmitry(a)codeweavers.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|childs must not inherit     |children must not inherit
                   |debuggee state when created |debuggee state when created
                   |by attach-to-process        |by attach-to-process
                   |"debuggee"                  |"debuggee"
http://bugs.winehq.org/show_bug.cgi?id=10249

--- Comment #4 from Austin English <austinenglish(a)gmail.com> 2009-07-21 13:47:19 ---
Is this still an issue in current (1.1.26 or newer) wine?
http://bugs.winehq.org/show_bug.cgi?id=10249

EA Durbin <ead1234(a)hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ead1234(a)hotmail.com

--- Comment #5 from EA Durbin <ead1234(a)hotmail.com> 2009-08-12 13:13:40 ---
(In reply to comment #4)
> Is this still an issue in current (1.1.26 or newer) wine?

The function debugger_attach in server/debugger.c hasn't been modified since Dec. 28th of 2008, so it probably hasn't been addressed yet.
http://bugs.winehq.org/show_bug.cgi?id=10249

--- Comment #6 from Austin English <austinenglish(a)gmail.com> 2010-04-29 18:14:00 ---
A couple related commits:
http://source.winehq.org/git/wine.git/?a=commitdiff;h=6c0ecd0955bc85c51802ef...
http://source.winehq.org/git/wine.git/?a=commitdiff;h=1970fb35d40240448a311c...

still an issue?
http://bugs.winehq.org/show_bug.cgi?id=10249

Richard <shiningarcanine(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1

--- Comment #7 from Richard <shiningarcanine(a)gmail.com> 2010-05-26 18:16:40 ---
*** This bug has been confirmed by popular vote. ***
http://bugs.winehq.org/show_bug.cgi?id=10249

--- Comment #8 from Anastasius Focht <focht(a)gmx.net> 2010-05-27 03:14:52 ---
Hello,

--- quote ---
A couple related commits: ...
still an issue?
--- quote ---

sure, bug still present, analysis still applies ;-)

Regards
http://bugs.winehq.org/show_bug.cgi?id=10249

Richard <shiningarcanine(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |shiningarcanine(a)gmail.com

--- Comment #9 from Richard <shiningarcanine(a)gmail.com> 2010-05-27 08:50:22 ---
(In reply to comment #7)
> *** This bug has been confirmed by popular vote. ***

I know this is off-topic, but I do not recall posting this comment. Why did it appear?
http://bugs.winehq.org/show_bug.cgi?id=10249

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|major                       |normal

--- Comment #10 from Anastasius Focht <focht(a)gmx.net> 2011-04-27 03:51:12 CDT ---
Hello,

still present.
Revising severity.

Can be reproduced by using debuggers that verify process id of debug events (like ollydbg).

Attach to an application that spawns other win32 processes on request, for example "Total Commander" (my favorite file manager).
Start a child process from the debuggee, e.g. "notepad" (click toolbar button).

Debugger will complain/spam in log:

--- snip ---
Message = Event 00000001 from different process (ID 00000029)
--- snip ---

$ wine --version
wine-1.3.18-233-gcff8753

Regards
http://bugs.winehq.org/show_bug.cgi?id=10249

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |e7ec00d22cfcaedbccad499f503
                   |                            |c50efc8125117
             Status|NEW                         |RESOLVED
                URL|                            |http://www.ollydbg.de/odbg1
                   |                            |10.zip
          Component|kernel32                    |wineserver
         Resolution|                            |FIXED
            Summary|children must not inherit   |ollydbg complains about
                   |debuggee state when created |unexpected debug events
                   |by attach-to-process        |from child processes after
                   |"debuggee"                  |attaching to the debuggee

--- Comment #11 from Anastasius Focht <focht(a)gmx.net> 2011-10-10 14:15:32 CDT ---
Hello,

fixed by commit e7ec00d22cfcaedbccad499f503c50efc8125117

Thanks Bernhard.

Regards
http://bugs.winehq.org/show_bug.cgi?id=10249

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #12 from Alexandre Julliard <julliard(a)winehq.org> 2011-10-21 13:49:21 CDT ---
Closing bugs fixed in 1.3.31.
http://bugs.winehq.org/show_bug.cgi?id=10249

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
https://bugs.winehq.org/show_bug.cgi?id=10249

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://www.ollydbg.de/odbg1 |https://web.archive.org/web
                   |10.zip                      |/20060127002930/http://www.
                   |                            |ollydbg.de/odbg110.zip
            Summary|ollydbg complains about     |OllyDbg 1.x complains about
                   |unexpected debug events     |unexpected debug events
                   |from child processes after  |from child processes after
                   |attaching to the debuggee   |attaching to the debuggee