https://bugs.winehq.org/show_bug.cgi?id=48417
Bug ID: 48417
Summary: Wine 32-bit builtins in PE format occupy low address space range, preventing non-relocatable native executables from being loaded
Product: Wine
Version: 5.0-rc4
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
As it says. Encountered with some Microsoft installers, for example the .NET Framework 2.0 SDK. Wine was built with the llvm-mingw toolchain.
Failure of installer with PE builtins:
--- snip ---
$ WINEDEBUG=+seh,+relay,+server,+loaddll,+virtual,+module wine ./setup.exe > log.txt 2>&1
...
0009:trace:module:load_dll looking for L"kernelbase.dll" in L"Z:\home\focht\.cache\winetricks\dotnet20sdk;C:\windows\system32;C:\windows\system;C:\windows;.;C:\windows\system32;C:\windows;C:\windows\system32\wbem;C:\windows\system32\WindowsPowershell\v1.0"
0009: create_file( access=80100000, sharing=00000005, create=1, options=00000060, attrs=00000000, objattr={rootdir=0000,attributes=00000040,sd={},name=L""}, filename="/home/focht/.wine/dosdevices/c:/windows/system32/kernelbase.dll" )
0009: create_file() = 0 { handle=0014 }
0009: get_handle_fd( handle=0014 )
0009: *fd* 0014 -> 24
0009: get_handle_fd() = 0 { type=1, cacheable=1, access=00120089, options=00000060 }
0009: create_mapping( access=000f000d, flags=01000000, file_access=00000001, size=00000000, file_handle=0014, objattr={} )
0009: create_mapping() = 0 { handle=0018 }
0009: close_handle( handle=0014 )
0009: close_handle() = 0
0009: get_mapping_info( handle=0018, access=0000000c )
0009: get_mapping_info() = 0 { size=001c1000, flags=01800000, shared_file=0000, image={base=10000000,entry_point=10020850,map_size=001c1000,stack_size=00100000,stack_commit=00001000,zerobits=00000000,subsystem=00000002,subsystem_low=0000,subsystem_high=0006,gp=00000000,image_charact=2102,dll_charact=0100,machine=014c,contains_code=1,image_flags=40,loader_flags=00000000,header_size=00000400,file_size=001b8000,checksum=00000000,cpu=x86} }
0009: get_handle_fd( handle=0018 )
0009: *fd* 0018 -> 25
0009: get_handle_fd() = 0 { type=1, cacheable=1, access=000f000d, options=00000020 }
0009:trace:module:map_image mapped PE file at 0x10000000-0x101c1000
0009:trace:module:map_image mapping section .text at 0x10001000 off 400 size 46800 virt 466b8 flags 60000020
0009:trace:module:map_image clearing 0x10047800 - 0x10048000
0009:trace:module:map_image mapping section .rdata at 0x10048000 off 46c00 size 37800 virt 377ca flags 40000040
0009:trace:module:map_image clearing 0x1007f800 - 0x10080000
0009:trace:module:map_image mapping section .buildid at 0x10080000 off 7e400 size 200 virt 81 flags 40000040
0009:trace:module:map_image clearing 0x10080200 - 0x10081000
0009:trace:module:map_image mapping section .data at 0x10081000 off 7e600 size 200 virt 1c30 flags c0000040
0009:trace:module:map_image clearing 0x10081200 - 0x10082000
0009:trace:module:map_image mapping section .rodata at 0x10083000 off 7e800 size 1e00 virt 1d04 flags c0000040
0009:trace:module:map_image clearing 0x10084e00 - 0x10085000
0009:trace:module:map_image mapping section .reloc at 0x10085000 off 80600 size 4200 virt 4158 flags 42000040
0009:trace:module:map_image clearing 0x10089200 - 0x1008a000
0009:trace:module:map_image mapping section /4 at 0x1008a000 off 84800 size 4600 virt 45c4 flags 42000040
0009:trace:module:map_image clearing 0x1008e600 - 0x1008f000
0009:trace:module:map_image mapping section /18 at 0x1008f000 off 88e00 size 8000 virt 7f08 flags 42000040
0009:trace:module:map_image mapping section /31 at 0x10097000 off 90e00 size 92600 virt 9243c flags 42000040
0009:trace:module:map_image clearing 0x10129600 - 0x1012a000
0009:trace:module:map_image mapping section /43 at 0x1012a000 off 123400 size 1aa00 virt 1a936 flags 42000040
0009:trace:module:map_image clearing 0x10144a00 - 0x10145000
0009:trace:module:map_image mapping section /55 at 0x10145000 off 13de00 size 34400 virt 3432e flags 42000040
0009:trace:module:map_image clearing 0x10179400 - 0x1017a000
0009:trace:module:map_image mapping section /66 at 0x1017a000 off 172200 size 4600 virt 4488 flags 42000040
0009:trace:module:map_image clearing 0x1017e600 - 0x1017f000
0009:trace:module:map_image mapping section /80 at 0x1017f000 off 176800 size 41600 virt 41417 flags 42000040
0009:trace:module:map_image clearing 0x101c0600 - 0x101c1000
0009: map_view( mapping=0018, access=0000000c, base=10000000, size=001c1000, start=00000000 )
0009: map_view() = 0
0009:trace:virtual:VIRTUAL_DumpView View: 0x10000000 - 0x101c0fff (image)
0009:trace:virtual:VIRTUAL_DumpView 0x10000000 - 0x10000fff c-r--
0009:trace:virtual:VIRTUAL_DumpView 0x10001000 - 0x10047fff c-r-x
0009:trace:virtual:VIRTUAL_DumpView 0x10048000 - 0x10080fff c-r--
0009:trace:virtual:VIRTUAL_DumpView 0x10081000 - 0x10084fff c-rW-
0009:trace:virtual:VIRTUAL_DumpView 0x10085000 - 0x101c0fff c-r--
...
0009:trace:loaddll:load_native_dll Loaded L"C:\windows\system32\kernelbase.dll" at 0x10000000: PE builtin
0009:trace:module:load_dll Loaded module L"\??\C:\windows\system32\kernelbase.dll" at 0x10000000
...
0009:trace:loaddll:load_so_dll Loaded L"C:\windows\system32\kernel32.dll" at 0x7b420000: builtin
0009:trace:module:load_dll looking for L"Z:\home\focht\.cache\winetricks\dotnet20sdk\setup.exe" in L"Z:\home\focht\.cache\winetricks\dotnet20sdk;C:\windows\system32;C:\windows\system;C:\windows;.;C:\windows\system32;C:\windows;C:\windows\system32\wbem;C:\windows\system32\WindowsPowershell\v1.0"
0009: create_file( access=80100000, sharing=00000005, create=1, options=00000060, attrs=00000000, objattr={rootdir=0000,attributes=00000040,sd={},name=L""}, filename="/home/focht/.wine/dosdevices/z:/home/focht/.cache/winetricks/dotnet20sdk/setup.exe" )
0009: create_file() = 0 { handle=0014 }
0009: get_handle_fd( handle=0014 )
0009: *fd* 0014 -> 24
0009: get_handle_fd() = 0 { type=1, cacheable=1, access=00120089, options=00000060 }
0009: create_mapping( access=000f000d, flags=01000000, file_access=00000001, size=00000000, file_handle=0014, objattr={} )
0009: create_mapping() = 0 { handle=0018 }
0009: close_handle( handle=0014 )
0009: close_handle() = 0
0009: get_mapping_info( handle=0018, access=0000000c )
0009: get_mapping_info() = 0 { size=1620a000, flags=01800000, shared_file=0000, image={base=01000000,entry_point=0100645c,map_size=1620a000,stack_size=00040000,stack_commit=00001000,zerobits=00000000,subsystem=00000002,subsystem_low=0000,subsystem_high=0004,gp=00000000,image_charact=010f,dll_charact=8400,machine=014c,contains_code=1,image_flags=00,loader_flags=00000000,header_size=00000400,file_size=162088b8,checksum=16210119,cpu=x86} }
0009: get_handle_fd( handle=0018 )
0009: *fd* 0018 -> 25
0009: get_handle_fd() = 0 { type=1, cacheable=1, access=000f000d, options=00000020 }
0009:trace:virtual:map_view got mem in reserved area 0x101d0000-0x263da000
0009:trace:module:map_image mapped PE file at 0x101d0000-0x263da000
0009:trace:module:map_image mapping section .text at 0x101d1000 off 400 size 9a00 virt 992c flags 60000020
0009:trace:module:map_image clearing 0x101daa00 - 0x101db000
0009:trace:module:map_image mapping section .data at 0x101db000 off 9e00 size 400 virt 1be4 flags c0000040
0009:trace:module:map_image clearing 0x101db400 - 0x101dc000
0009:trace:module:map_image mapping section .rsrc at 0x101dd000 off a200 size 161fcc00 virt 161fca34 flags 40000040
0009:trace:module:map_image clearing 0x263d9c00 - 0x263da000
0009: map_view( mapping=0018, access=0000000c, base=101d0000, size=1620a000, start=00000000 )
0009: map_view() = 0
0009:trace:virtual:VIRTUAL_DumpView View: 0x101d0000 - 0x263d9fff (image)
0009:trace:virtual:VIRTUAL_DumpView 0x101d0000 - 0x101d0fff c-r--
0009:trace:virtual:VIRTUAL_DumpView 0x101d1000 - 0x101dafff c-r-x
0009:trace:virtual:VIRTUAL_DumpView 0x101db000 - 0x101dcfff c-rW-
0009:trace:virtual:VIRTUAL_DumpView 0x101dd000 - 0x263d9fff c-r--
0009: close_handle( handle=0018 )
0009: close_handle() = 0
0009:trace:module:get_load_order looking for L"Z:\home\focht\.cache\winetricks\dotnet20sdk\setup.exe"
0009:trace:module:get_load_order got main exe default n,b for L"Z:\home\focht\.cache\winetricks\dotnet20sdk\setup.exe"
0009:trace:module:load_native_dll Trying native dll L"\??\Z:\home\focht\.cache\winetricks\dotnet20sdk\setup.exe"
0009:warn:module:perform_relocations Need to relocate module from 0x1000000 to 0x101d0000, but there are no relocation records
0009: unmap_view( base=101d0000 )
0009: unmap_view() = 0
0009:warn:module:load_dll Failed to load module L"Z:\home\focht\.cache\winetricks\dotnet20sdk\setup.exe"; status=c0000018
...
--- snip ---
Because 'kernelbase.dll' is already mapped at 0x10000000 (seven zeros), the native 'setup.exe' cannot be mapped at 0x1000000 (six zeros). The mappable image size is 0x1620a000 (see 'get_mapping_info'), which overlaps into 0x10000000. The installer executable is non-relocatable.
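As an added illustration (not part of the report or of Wine's code), the following Python reproduces the loader's decision from the trace above: it reads the image={...} record that get_mapping_info returned for setup.exe, checks the relocation-related header bits it carries (IMAGE_FILE_RELOCS_STRIPPED in image_charact, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in dll_charact), and tests the preferred range against the module layout from the winedbg listing. The module list is my own transcription of that listing.

```python
import re

# PE header bits the loader consults (values from the PE/COFF specification).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # FileHeader.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # OptionalHeader.DllCharacteristics

# The get_mapping_info record for setup.exe, copied from the trace in the report.
SETUP_EXE_TRACE = (
    "0009: get_mapping_info() = 0 { size=1620a000, flags=01800000, shared_file=0000, "
    "image={base=01000000,entry_point=0100645c,map_size=1620a000,stack_size=00040000,"
    "stack_commit=00001000,zerobits=00000000,subsystem=00000002,subsystem_low=0000,"
    "subsystem_high=0004,gp=00000000,image_charact=010f,dll_charact=8400,machine=014c,"
    "contains_code=1,image_flags=00,loader_flags=00000000,header_size=00000400,"
    "file_size=162088b8,checksum=16210119,cpu=x86} }"
)

# (name, start, end) ranges transcribed from the PE-builtin 'info share' listing.
PE_BUILTIN_LAYOUT = [
    ("notepad", 0x00400000, 0x00458000),
    ("kernelbase", 0x10000000, 0x101c1000),
    ("kernel32", 0x7b420000, 0x7b670000),
]

def parse_image_record(trace_line):
    """Return the image={...} fields as a dict; hex values become ints, others stay strings."""
    body = re.search(r"image=\{([^}]*)\}", trace_line).group(1)
    fields = {}
    for key, value in (kv.split("=", 1) for kv in body.split(",")):
        try:
            fields[key] = int(value, 16)
        except ValueError:          # non-hex field such as cpu=x86
            fields[key] = value
    return fields

def overlapping_modules(start, end, modules):
    """Modules whose mapping intersects the half-open range [start, end)."""
    return [name for name, mstart, mend in modules if mstart < end and mend > start]

def diagnose(trace_line, modules):
    """Decide whether the image fits at its preferred base and, if not, whether it can move."""
    img = parse_image_record(trace_line)
    start, end = img["base"], img["base"] + img["map_size"]
    has_relocs = not (img["image_charact"] & IMAGE_FILE_RELOCS_STRIPPED)
    aslr_opt_in = bool(img["dll_charact"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    conflicts = overlapping_modules(start, end, modules)
    if not conflicts:
        verdict = "fits at preferred base"
    elif has_relocs:
        verdict = "overlaps %s; loader can relocate it" % ", ".join(conflicts)
    else:
        verdict = "overlaps %s and relocations are stripped; load fails" % ", ".join(conflicts)
    return {"start": start, "end": end, "has_relocs": has_relocs,
            "aslr_opt_in": aslr_opt_in, "conflicts": conflicts, "verdict": verdict}
```

Running `diagnose(SETUP_EXE_TRACE, PE_BUILTIN_LAYOUT)` reports the preferred range 0x01000000-0x1720a000 colliding with kernelbase, with both relocation bits indicating a fixed-address image, which is exactly the STATUS_CONFLICTING_ADDRESSES (c0000018) failure in the log.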
Address space layout with 32-bit PE builtins using notepad:
--- snip ---
$ winedbg notepad
WineDbg starting on pid 003d
0x7bcb0201 DbgBreakPoint+0x1 in ntdll: ret
Wine-dbg>info share
Module  Address               Debug info  Name (98 modules)
PE        330000-  3c0000    Deferred    shlwapi
PE        3c0000-  3d3000    Deferred    version
PE        3e0000-  3ec000    Deferred    api-ms-win-crt-runtime-l1-1-0
PE        400000-  458000    Deferred    notepad
PE        460000-  5d2000    Deferred    comdlg32
PE        5e0000-  609000    Deferred    shcore
PE        610000-  95e000    Deferred    ole32
PE        960000-  ab1000    Deferred    rpcrt4
PE        ac0000-  d7c000    Deferred    comctl32
PE        d80000-  e0b000    Deferred    usp10
PE        e10000-  e3f000    Deferred    imm32
PE       1060000- 1149000    Deferred    setupapi
PE       1160000- 11b3000    Deferred    uxtheme
PE      10000000-101c1000    Deferred    kernelbase
ELF     7b400000-7b670000    Dwarf       kernel32<elf>
  \-PE  7b420000-7b670000    \           kernel32
ELF     7bc00000-7beb1000    Dwarf       ntdll<elf>
  \-PE  7bc30000-7beb1000    \           ntdll
ELF     7c000000-7c004000    Deferred    <wine-loader>
...
--- snip ---
Without PE builtins:
--- snip ---
$ winedbg notepad.exe
WineDbg starting on pid 0048
0x7bcb0851 DbgBreakPoint+0x1 in ntdll: ret
Wine-dbg>info share
Module  Address               Debug info  Name (108 modules)
ELF     7b400000-7b670000    Dwarf       kernel32<elf>
  \-PE  7b420000-7b670000    \           kernel32
ELF     7bc00000-7beb2000    Dwarf       ntdll<elf>
  \-PE  7bc30000-7beb2000    \           ntdll
ELF     7bec2000-7bf1e000    Deferred    libblkid.so.1
ELF     7bf1e000-7c000000    Deferred    libgcrypt.so.20
ELF     7c000000-7c004000    Deferred    <wine-loader>
...
ELF     7e908000-7e953000    Deferred    notepad<elf>
  \-PE  7e910000-7e953000    \           notepad
ELF     7e953000-7ea2f000    Deferred    kernelbase<elf>
  \-PE  7e970000-7ea2f000    \           kernelbase
...
--- snip ---
In the case of 32-bit processes, the loader should not map Wine PE builtins into low address space regions, to avoid these issues. I'm not sure what the "hard" lower limit is though, when the address space is congested with a lot of dlls (top down?).
Tidbit: Starting with Windows Vista+, even core dlls are subject to address space randomization (if ASLR is enabled), but they are still located within the 0x7xxxxxxx range on 32-bit.
$ sha1sum setup.exe
4e4b1072b5e65e855358e2028403f2dc52a62ab4  setup.exe

$ du -sh setup.exe
355M    setup.exe

$ wine --version
wine-5.0-rc4
Regards