[Bug 38329] 64-bit Double Commander 0.6.x hangs on startup due to incorrect vectored handler struct layout

https://bugs.winehq.org/show_bug.cgi?id=38329

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW CC| |focht@gmx.net Component|-unknown |ntdll Keywords| |download Ever confirmed|0 |1 URL|https://sourceforge.net/pro |https://web.archive.org/web |jects/doublecmd/files/DC%20 |/20211029121233/https://mas |for%20Windows%2064%20bit/ |ter.dl.sourceforge.net/proj | |ect/doublecmd/DC%20for%20Wi | |ndows%2064%20bit/Double%20C | |ommander%200.6.6%20beta/dou | |blecmd-0.6.6.x86_64-win64.e | |xe?viasf=1 Summary|64-bit Double Commander |64-bit Double Commander |hangs |0.6.x hangs on startup due | |to incorrect vectored | |handler struct layout

--- Comment #5 from Anastasius Focht focht@gmx.net --- Hello folks,

confirming, still present.

Stable download link via Internet Archive:

https://web.archive.org/web/20211029121233/https://master.dl.sourceforge.net...

Trace log:

--- snip --- $ pwd /home/focht/.wine/drive_c/Program Files/Double Commander

$ WINEDEBUG=+seh,+relay,+server,+loaddll wine ./doublecmd.exe >>log.txt 2>&1 ... 0104:Starting thread proc 00000001000176D0 (arg=0000000067FF0000) 0104:Call KERNEL32.BaseThreadInitThunk(00000000,1000176d0,67ff0000) ret=7bc57752 0104:Call ntdll.RtlAddVectoredExceptionHandler(00000001,100017470) ret=1000176c5 0104:Ret ntdll.RtlAddVectoredExceptionHandler() retval=010a71b0 ret=1000176c5 ... 0104:Call ntdll.RtlAddVectoredExceptionHandler(00000001,100017f80) ret=10001806e 0104:Ret ntdll.RtlAddVectoredExceptionHandler() retval=010adcb0 ret=10001806e <hangs> --- snip ---

Debugging reveals the reason:

--- snip --- 010001803E | add byte ptr ds:[rax],al | 0100018040 | sub rsp,38 | 0100018044 | mov qword ptr ss:[rsp+20],rbx | 0100018049 | mov qword ptr ss:[rsp+28],rsi | 010001804E | lea rcx,qword ptr ds:[100017470] | 0100018055 | call <JMP.&RtlEncodePointer> | 010001805A | mov rbx,rax | 010001805D | lea rdx,qword ptr ds:[100017F80] | handler 0100018064 | mov ecx,1 | First = true 0100018069 | call <JMP.&RtlAddVectoredExceptionHandler> | 010001806E | mov qword ptr ds:[1005C1350],rax | 0100018075 | mov rax,qword ptr ds:[1005C1350] | 010001807C | mov rsi,qword ptr ds:[rax] | entry.next 010001807F | nop | loop: 0100018080 | mov rax,qword ptr ds:[rsi+18] | handler->func 0100018084 | cmp rax,rbx | found the handler? 0100018087 | jne doublecmd.100018093 | 0100018089 | mov rcx,rsi | 010001808C | call <JMP.&RtlRemoveVectoredExceptionHandler> | 0100018091 | jmp doublecmd.10001809E | 0100018093 | mov rsi,qword ptr ds:[rsi] | entry.next 0100018096 | mov rax,rsi | 0100018099 | test rax,rax | no more entry? (bug) 010001809C | jne doublecmd.100018080 | 010001809E | mov rbx,qword ptr ss:[rsp+20] | 01000180A3 | mov rsi,qword ptr ss:[rsp+28] | 01000180A8 | add rsp,38 | 01000180AC | ret ... 01000180E0 | sub rsp,28 | 01000180E4 | call doublecmd.100018040 | 01000180E9 | add rsp,28 | 01000180ED | ret | --- snip ---

--- snip --- $ ==> 0000000001066B80 00000000010666F0 ; entry.next $+8 0000000001066B88 000000007BC81288 ; entry.prev $+10 0000000001066B90 F83852926C3391AB ; handler->func ; = RtlEncodePointer( func ) $+18 0000000001066B98 0033006500000001 ; handler->count --- snip ---

--- snip --- ntdll.vectored_exception_handlers: 000000007BC81288 0000000001066B80 000000007BC81290 00000000010666F0 ; &vectored_exception_handlers --- snip ---

The code wants to find a specific vectored handler which already has been installed in early startup phase. It can't find it because Wine's VECTORED_HANDLER structure layout isn't correct. Due to an exit condition bug (list entry/node = nil) in app code, it loops forever.

Wine source:

https://source.winehq.org/git/wine.git/blob/e5f7a73c83a2b50db27c084b7b913a37...

--- snip --- 42 typedef struct 43 { 44 struct list entry; 45 PVECTORED_EXCEPTION_HANDLER func; 46 ULONG count; 47 } VECTORED_HANDLER; --- snip ---

If you swap func and count members it will work.

App source code just for reference. I didn't use it for analysis to not spoil fun.

https://github.com/doublecmd/doublecmd/blob/master/src/platform/win/uexcepti...

--- snip --- type PVectoredExceptionNode = ^TVectoredExceptionNode; TVectoredExceptionNode = record m_pNextNode: PVectoredExceptionNode; m_pPreviousNode: PVectoredExceptionNode; m_Unknown: Pointer; m_pfnVectoredHandler: Pointer; end; --- snip ---

https://github.com/doublecmd/doublecmd/blob/master/src/platform/win/uexcepti...

--- snip --- procedure InstallExceptionHandler; var HandlerAddress: Pointer; Node: PVectoredExceptionNode; begin // Get Free Pascal exception handler encoded address HandlerAddress := RtlEncodePointer(@syswin64_x86_64_exception_handler); VectoredExceptionHandler := AddVectoredExceptionHandler(1, @ProcessException); // Find Free Pascal exception handler and remove it Node:= VectoredExceptionHandler^.m_pNextNode; repeat if (Node^.m_pfnVectoredHandler = HandlerAddress) then begin RemoveVectoredExceptionHandler(Node); Break; end; Node := Node^.m_pNextNode; until (Node = nil); end; --- snip ---

ProtectionID scan:

--- snip --- -=[ ProtectionID v0.6.9.0 DECEMBER]=- (c) 2003-2017 CDKiLLER & TippeX Build 24/12/17-21:05:42 Ready... Scanning -> C:\Program Files\Double Commander\doublecmd.exe File Type : 64-Bit Exe (Subsystem : Win GUI / 2), Size : 9986579 (0986213h) Byte(s) | Machine: 0x8664 (AMD64) Compilation TimeStamp : 0x00000000 -> Thu 01st Jan 1970 00:00:00 (GMT) -> File has 19 (013h) bytes of appended data starting at offset 0986200h [LoadConfig] CodeIntegrity -> Flags 0xAA60 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46AB40 [LoadConfig] GuardAddressTakenIatEntryTable 0x46AC88:02000011 | Count 0x46AE9C02000011 (463222033554449) [LoadConfig] GuardLongJumpTargetTable 0x46AF38:08000011 | Count 0x46AFE008000011 (4632544134217745) [LoadConfig] HybridMetadataPointer 0x46A66C:08000011 | DynamicValueRelocTable 0x8000011:0046B0A8 [LoadConfig] FailFastIndirectProc 0x8000011:0046B264 | FailFastPointer 0x8000011:0046B2FC [LoadConfig] UnknownZero1 0x8000011 46B448 [File Heuristics] -> Flag #1 : 00000000000001011100000000010100 (0x0005C014) [Entrypoint Section Entropy] : 5.72 (section #0) ".text " | Size : 0x5BCDB0 (6016432) byte(s) [DllCharacteristics] -> Flag : (0x0000) -> NONE [SectionCount] 7 (0x7) | ImageSize 0x998000 (10059776) byte(s) [VersionInfo] Product Name : Double Commander [VersionInfo] File Description : Double Commander is a cross platform open source file manager with two panels side by side [VersionInfo] File Version : 0.6.6.0 [VersionInfo] Internal Name : DOUBLECMD [VersionInfo] Legal Copyrights : Copyright (C) 2006-2015 Alexander Koblov [ModuleReport] [IAT] Modules -> advapi32.dll | comctl32.dll | comdlg32.dll | gdi32.dll | imm32.dll | kernel32.dll | mpr.dll | msimg32.dll | netapi32.dll | ntdll.dll | ole32.dll | oleaut32.dll | shell32.dll | shlwapi.dll | user32.dll | version.dll | winmm.dll [!] File appears to have no protection or is using an unknown protection - Scan Took : 1.76 Second(s) [000000784h (1924) tick(s)] [234 of 580 scan(s) done] --- snip ---

$ sha1sum doublecmd-0.6.6.x86_64-win64.exe 31b85211f1fd737b8773be35e102788e357273ce doublecmd-0.6.6.x86_64-win64.exe

$ du -sh doublecmd-0.6.6.x86_64-win64.exe 9.2M doublecmd-0.6.6.x86_64-win64.exe

$ wine --version wine-6.20-195-ge5f7a73c83a

Regards