http://bugs.winehq.org/show_bug.cgi?id=27991
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |dotnet, download
                URL|                            |http://www.datafilehost.com/download-04329f6d.html
                 CC|                            |focht@gmx.net
            Summary|LsaLookupNames2             |LsaLookupNames2 separate
                   |implementation leads to     |allocations break .NET 4.0
                   |leak of returned buffer     |System.Security subsystem
                   |data                        |and leak returned buffer
                   |                            |data
           Severity|minor                       |normal

--- Comment #1 from Anastasius Focht focht@gmx.net 2012-01-22 11:11:55 CST ---

Hello,
hijacking this bug because I think the root cause might be the separate allocations mentioned here. This breaks the .NET 4.0 System.Security subsystem.
Some .NET 4.0 apps that make use of unmanaged LsaLookupNames2() crash with managed backtrace:
--- snip ---
...
fixme:advapi:LsaOpenPolicy ((null),0x32f074,0x00000800,0x32f04c) stub
fixme:advapi:LsaClose (0xcafe) stub
fixme:advapi:LsaOpenPolicy ((null),0x32efc4,0x00000800,0x32ef9c) stub
fixme:advapi:RegisterTraceGuidsW (0x12145d2, (nil), {8e9f5090-2d75-4d03-8a81-e5afbf85daf1}, 1, 0x32d95c, (null), (null), 0x1565dcc,): stub

Unhandled Exception: System.ArgumentOutOfRangeException: The number of bytes cannot exceed the virtual address space on a 32 bit machine.
Parameter name: numBytes
   at System.Runtime.InteropServices.SafeBuffer.Initialize(UInt64 numBytes)
   at System.Security.Principal.Win32.InitializeReferencedDomainsPointer(SafeLsaMemoryHandle referencedDomains)
   at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
   at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
   at System.Security.AccessControl.EventWaitHandleSecurity.AddAccessRule(EventWaitHandleAccessRule rule)
   at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[] commandLine)
   at HAL7600.My.MyApplication.Main(String[] Args)
--- snip ---
Trace log:
--- snip ---
002a:Call advapi32.LsaLookupNames2(0000cafe,00000000,00000001,0016d890,0032ef98,0032ef8c) ret=04a4f6f2
002a:trace:advapi:LsaLookupNames2 (0xcafe,0x00000000,0x00000001,0x16d890,0x32ef98,0x32ef8c)
002a:trace:advapi:GetTokenInformation (0x17c, TokenUser, 0x32ec9c, 80, 0x32ec98):
002a:trace:advapi:LsaLookupNames2 mapped 1 out of 1
002a:trace:advapi:GetTokenInformation (0x17c, TokenUser, 0x32ec9c, 80, 0x32ec98):
002a:Ret  advapi32.LsaLookupNames2() retval=00000000 ret=04a4f6f2
...
002a:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0032eea0) ret=791cac08
002a:trace:seh:raise_exception code=e0434352 flags=1 addr=0x7b838ccb ip=7b838ccb tid=002a
002a:trace:seh:raise_exception  info[0]=80131502
002a:trace:seh:raise_exception  info[1]=00000000
002a:trace:seh:raise_exception  info[2]=00000000
002a:trace:seh:raise_exception  info[3]=00000000
002a:trace:seh:raise_exception  info[4]=79140000
--- snip ---
Interestingly some of these apps don't crash every time.
Pretty nasty to step through pure IL code _oO_ At one point before a crash I got lucky and found the following values in locals:
--- snip ---
[t#:0] mdbg> p
local_0=Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST
local_1=1
local_2=Microsoft.Win32.Win32Native+LSA_TRUST_INFORMATION
local_3=0
referencedDomains=Microsoft.Win32.SafeHandles.SafeLsaMemoryHandle
...
[t#:0] mdbg> p local_0
local_0=Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST <Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST>
        Entries=1
        Domains=1638600
...
[t#:0] mdbg> p referencedDomains
referencedDomains=Microsoft.Win32.SafeHandles.SafeLsaMemoryHandle
        Uninitialized=4294967295
        _numBytes=8
        handle=1673144
        _state=8
        _ownsHandle=True
        _fullyInitialized=True
...
[t#:0] mdbg> p
local_0=Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST
local_1=1
local_2=Microsoft.Win32.Win32Native+LSA_TRUST_INFORMATION
local_3=-34532
referencedDomains=Microsoft.Win32.SafeHandles.SafeLsaMemoryHandle
--- snip ---

The negative value is the result of a pointer subtraction which seems to come from the LSA_TRUST_INFORMATION pointer and the domain list pointer. This leads to the sanity check failing, hence the exception.
Bug 27447 contains a small .NET 4.0 example app that quickly dies from this issue.
TurboTax 2011 (bug 29666) also suffers from this, though doesn't crash every time.
Needs .NET 4.0 Framework prerequisite which can be installed using appdb recipe (http://appdb.winehq.org/objectManager.php?sClass=version&iId=17886). A 'winetricks dotnet40' recipe might be available in the near future.

$ sha1sum HAL7600.exe
a4e96b4b93c70da172f0bee1e2a6f181e79a6f9e  HAL7600.exe

$ wine --version
wine-1.3.37-254-g14b790a
Regards
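
Added example, not part of the comment above and not Wine or .NET code: the pointer arithmetic behind the negative local, replayed with the addresses from the debugger output. It assumes the caller derives the buffer size as the distance from the start of the returned list to the end of the Domains array, and models the 32-bit structure sizes (8-byte list header, 12-byte trust entry) with hypothetical struct names.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit layout mirrors (hypothetical names); pointers are held as uint32_t
 * so the arithmetic is identical on any host. */
typedef struct { uint16_t Length, MaximumLength; uint32_t Buffer; } USTR32;
typedef struct { USTR32 Name; uint32_t Sid; } TRUST_INFO32;           /* 12 bytes */
typedef struct { uint32_t Entries; uint32_t Domains; } DOMAIN_LIST32; /*  8 bytes */

/* Signed distance from the start of the returned buffer to the end of the
 * Domains array (assumed size derivation, see lead-in). */
static int64_t derived_size(uint32_t list_addr, uint32_t domains_addr, uint32_t entries)
{
    int64_t end = (int64_t)domains_addr + (int64_t)entries * (int64_t)sizeof(TRUST_INFO32);
    return end - (int64_t)list_addr;
}

/* The same value once it is handed over as an unsigned 64-bit byte count. */
static uint64_t as_num_bytes(int64_t size) { return (uint64_t)size; }

/* Sanity check: a byte count must fit in a 32-bit address space. */
static int fits_32bit(uint64_t num_bytes) { return num_bytes <= UINT32_MAX; }

/* One-block layout: the Domains array directly follows the list header. */
static uint32_t single_block_domains(uint32_t list_addr)
{
    return list_addr + (uint32_t)sizeof(DOMAIN_LIST32);
}

int main(void)
{
    /* handle, Domains and Entries as shown in the mdbg output above. */
    uint32_t list = 1673144, domains = 1638600, entries = 1;

    int64_t separate = derived_size(list, domains, entries);
    int64_t single = derived_size(list, single_block_domains(list), entries);

    printf("separate allocations: %lld fits=%d\n", (long long)separate,
           fits_32bit(as_num_bytes(separate)));
    printf("single allocation:    %lld fits=%d\n", (long long)single,
           fits_32bit(as_num_bytes(single)));
    return 0;
}
```

With a single allocation the derived size is small and positive whatever address the heap returns; with separate allocations it depends on the relative placement of the two blocks, which fits the observation that the crash does not happen on every run.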