http://bugs.winehq.org/show_bug.cgi?id=59834

Bug ID: 59834
Summary: WoW64: int 2Eh instruction in 32-bit code causes #GP that isn't forwarded to 32-bit exception handler
Product: Wine
Version: 11.10
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@list.winehq.org
Reporter: vonvontabang@gmail.com
Distribution: ---

Created attachment 81114
  --> http://bugs.winehq.org/attachment.cgi?id=81114
Full crash log with WoW64 int 2Eh SEH chain, register dumps, backtrace, and analysis across 6 Proton/Wine builds

Summary: WoW64: int 2Eh instruction from 32-bit shellcode causes #GP that isn't forwarded to 32-bit exception handler

Description:
Under Wine's WoW64 (x86_64 guest i386), a 32-bit process executing raw syscalls via int 2Eh (bytes CD 2E) raises a #GP that is delivered as SIGSEGV. While Wine correctly converts this to EXCEPTION_ACCESS_VIOLATION and dispatches through the SEH chain, the underlying issue is that WoW64 has no handler for privileged instructions executed from 32-bit compat mode (CS=0023).

Crash signature (consistent across all WoW64 builds):
  EXCEPTION_ACCESS_VIOLATION (0xc0000005)
  EAX = <shellcode RWX base> (e.g. 008D0000)
  EDX = 0x8 (syscall number)
  ECX = 0xE9000001 (syscall argument)
  CS = 0023 (32-bit compat mode under WoW64)
  EIP = <base>+0x6/0x7/0xF (offset into shellcode)

Affected builds: Proton Experimental, Proton-EM, DW-Proton, Proton-CachyOS, GE-Proton10-34, system Wine 11.10 — all WoW64.

The same shellcode also crashes intermittently on native Windows (server switches, elevated apps, PC lock), confirming a latent bug in the xtrap/AegisAC anti-cheat shellcode exposed 100% of the time under Wine WoW64.

Root cause: Wine's WoW64 layer needs to either route int 2Eh syscalls to the 64-bit ntdll (as Windows WoW64 does), or at minimum provide a graceful error instead of crashing.

Attachment: Fatal error report at upstream_bug_report.txt with full SEH chain logs.
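A triage check for the crash signature in the report above, added here as an example and not taken from the report or from Wine: it flags a fault record whose exception code, CS and bytes at EIP match the listed signature. The `fault_record` layout, the function names and the sample dump are assumptions, and it relies on x86 faults such as #GP reporting the address of the faulting instruction as EIP.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXCEPTION_ACCESS_VIOLATION 0xC0000005u /* code from the report */
#define COMPAT_CS 0x0023u                      /* CS from the report */

/* Hypothetical record a triage script fills from one crash log entry. */
struct fault_record {
    uint32_t code;        /* exception code */
    uint16_t cs;          /* code segment selector at the fault */
    uint32_t eip;         /* faulting instruction pointer */
    uint32_t region_base; /* base address of the dumped region */
    const uint8_t *bytes; /* dumped bytes of that region */
    size_t len;
};
enum verdict { BAD_RECORD = -1, NO_MATCH = 0, MATCH_INT2E = 1 };

/* Match the report's signature: access violation, CS=0023, CD 2E at EIP. */
enum verdict classify_fault(const struct fault_record *r)
{
    if (!r || !r->bytes || r->eip < r->region_base)
        return BAD_RECORD;
    size_t off = (size_t)(r->eip - r->region_base);
    if (off >= r->len || r->len - off < 2) /* need both opcode bytes */
        return BAD_RECORD;
    if (r->code != EXCEPTION_ACCESS_VIOLATION || r->cs != COMPAT_CS)
        return NO_MATCH;
    return (r->bytes[off] == 0xCD && r->bytes[off + 1] == 0x2E) ? MATCH_INT2E : NO_MATCH;
}

/* Constructed sample: NOP padding, then CD 2E at offset 6, then RET. */
static const uint8_t sample_dump[] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xCD, 0x2E, 0xC3 };

/* Build a record over the sample; 0x008D0000 is the report's example base. */
struct fault_record sample_record(uint32_t eip_offset, uint16_t cs)
{
    struct fault_record r = { EXCEPTION_ACCESS_VIOLATION, cs,
                              0x008D0000u + eip_offset, 0x008D0000u,
                              sample_dump, sizeof sample_dump };
    return r;
}

int main(void)
{
    struct fault_record r = sample_record(6, COMPAT_CS);
    printf("verdict at +0x6: %d\n", classify_fault(&r));
    return 0;
}
```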