http://bugs.winehq.org/show_bug.cgi?id=21917
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            URL    |                            |http://www.sc2win.com/starcraft-2-downloads/lazy-launcher-v2-0-download/
             CC    |                            |focht@gmx.net
      Component    |-unknown                    |ntdll
        Summary    |LazyLaunch raises unable to |LazyLaunch raises unable to
                   |dispatch exception          |dispatch exception (TLS
                   |                            |callbacks can taint EBP,
                   |                            |needs assembly wrapper)
--- Comment #8 from Anastasius Focht focht@gmx.net 2012-05-12 17:59:42 CDT ---

Hello,
confirming.
--- quote ---
...
Unhandled exception: page fault on read access to 0x00000004, invalid program stack in 32-bit code (0x7bc4de3d).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc4de3d ESP:0033fcd0 EBP:0033fcb0 EFLAGS:00010202(  R- --  I   - - - )
 EAX:00000004 EBX:7bcbf544 ECX:cc56933b EDX:00504152
 ESI:ffd46df4 EDI:00000000
Stack dump:
0x0033fcd0:  0033fbd8 00400000 7bc4dcf3 0033fda0
0x0033fce0:  ffffffff 7bcbf544 0033fe58 7e9d56aa
0x0033fcf0:  ffffffff 7bc91c4a 00000003 7bcbf544
0x0033fd00:  ffd46df4 00000000 0033fdc8 2215b5cc
0x0033fd10:  cc56933b 00000000 00000001 7bc91c4a
0x0033fd20:  00000000 7bcbf544 ffd46df4 00000001
000c: sel=0067 base=00000000 limit=00000000 32-bit --x
Backtrace:
=>0 0x7bc4de3d call_tls_callbacks+0x240(module=0x5d3d25, reason=0x7bc4dcf3) [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:964] in ntdll (0x0033fcb0)
  1 0x00000246 (0x5184a24a)
0x7bc4de3d call_tls_callbacks+0x240 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:964] in ntdll: movl 0x0(%eax),%eax
964     for (callback = (const PIMAGE_TLS_CALLBACK *)dir->AddressOfCallBacks; *callback; callback++)
...
--- quote ---
Unfortunately it's currently not possible without patching Wine to set a breakpoint on a TLS callback, which makes this inconvenient to analyse.
Side note: Some debuggers advertise a feature to break on TLS callbacks (before app entry). I have to figure out what mechanism is used so Wine can support this too.
Using a patched version we can actually see what happens...
Immediately before calling the first TLS callback:
--- snip ---
Wine-dbg>
0x7bc4e123 call_tls_callbacks+0x102 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:974] in ntdll: call *%edx
974         (*callback)( module, reason, NULL );

Wine-dbg>info reg
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc4e123 ESP:0032fcd0 EBP:0032fdc8 EFLAGS:00000246(   - --  I  Z- -P- )
 EAX:00400000 EBX:7bcc09a4 ECX:2f8b8eaf EDX:00504152
 ESI:fffd2a94 EDI:00000000
--- snip ---
After TLS callback:
--- snip ---
Wine-dbg>info reg
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc4e125 ESP:0032fcdc EBP:0032fcb0 EFLAGS:00000246(   - --  I  Z- -P- )
 EAX:00400000 EBX:7bcc09a4 ECX:2f8b8eaf EDX:00504152
 ESI:fffd2a94 EDI:00000000

Wine-dbg>si
0x7bc4e128 call_tls_callbacks+0x107 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:976] in ntdll: leal 0xffffff28(%ebp),%eax
976     __EXCEPT_ALL
...
0x7bc4e12e call_tls_callbacks+0x10d [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:976] in ntdll: movl %eax,0x0(%esp)
0x7bc4e131 call_tls_callbacks+0x110 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:976] in ntdll: call 0x7bc4becd __wine_pop_frame [/home/focht/projects/wine/wine-git/include/wine/exception.h:222] in ntdll
--- snip ---
EBP has been tainted within the callback and Wine actually *relies* on EBP being preserved. For testing I added a small assembly wrapper to call the TLS callback and it helped.
Source: http://source.winehq.org/git/wine.git/blob/33236819c839f6ac053d724e0930c95bb...
--- snip ---
955 static void call_tls_callbacks( HMODULE module, UINT reason )
956 {
957     const IMAGE_TLS_DIRECTORY *dir;
958     const PIMAGE_TLS_CALLBACK *callback;
959     ULONG dirsize;
960
961     dir = RtlImageDirectoryEntryToData( module, TRUE, IMAGE_DIRECTORY_ENTRY_TLS, &dirsize );
962     if (!dir || !dir->AddressOfCallBacks) return;
963
964     for (callback = (const PIMAGE_TLS_CALLBACK *)dir->AddressOfCallBacks; *callback; callback++)
965     {
...
969         __TRY
970         {
971             (*callback)( module, reason, NULL );
972         }
973         __EXCEPT_ALL
974         {
...
978             return;
979         }
980         __ENDTRY
...
984     }
985 }
--- snip ---
$ du -sh lazylaunch2.exe
900K    lazylaunch2.exe

$ sha1sum lazylaunch2.exe
9ecd89dece306f5e227081295e0b7c73c6bd5057  lazylaunch2.exe
Regards
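An added example, not part of this bug report and not Wine's code, of the same NULL-terminated walk that loader.c line 964 performs, done from the analysis side: a small Python parser that pulls the TLS callback table out of an already-mapped PE32 image so the callbacks can be located and inspected before the loader ever runs them. The constructed sample image, IMAGE_BASE and the helper names are assumptions of this example.

```python
import struct

IMAGE_BASE = 0x00400000   # assumed preferred base of the constructed sample image
TLS_DIR_INDEX = 9         # IMAGE_DIRECTORY_ENTRY_TLS

def build_sample_image(with_tls=True):
    """Constructed minimal PE32 image, laid out as if already mapped (RVA == offset)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine i386, 1 section, SizeOfOptionalHeader 0xE0
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 0x1C, IMAGE_BASE)          # ImageBase
    struct.pack_into("<I", img, opt + 0x5C, 16)                  # NumberOfRvaAndSizes
    if with_tls:
        # data directory entry 9 (TLS) -> IMAGE_TLS_DIRECTORY32 at RVA 0x200
        struct.pack_into("<II", img, opt + 0x60 + 8 * TLS_DIR_INDEX, 0x200, 0x18)
        # Start/EndAddressOfRawData, AddressOfIndex, AddressOfCallBacks (a VA), ZeroFill, Characteristics
        struct.pack_into("<IIIIII", img, 0x200, 0, 0, IMAGE_BASE + 0x230, IMAGE_BASE + 0x240, 0, 0)
        # NULL-terminated callback table: two callbacks, then the terminator the loop stops at
        struct.pack_into("<III", img, 0x240, IMAGE_BASE + 0x1000, IMAGE_BASE + 0x1080, 0)
    return bytes(img)

def tls_callbacks(image):
    """Walk the TLS callback table like the loader loop; returns callback VAs in call order."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                          # signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    image_base, = struct.unpack_from("<I", image, opt + 0x1C)
    if struct.unpack_from("<I", image, opt + 0x5C)[0] <= TLS_DIR_INDEX:
        return []                                                # no TLS directory slot at all
    tls_rva, tls_size = struct.unpack_from("<II", image, opt + 0x60 + 8 * TLS_DIR_INDEX)
    if not tls_rva or tls_size < 24:
        return []
    # AddressOfCallBacks is an absolute VA; map it back to an offset via ImageBase (no relocation assumed)
    cb_va, = struct.unpack_from("<I", image, tls_rva + 12)
    callbacks, off = [], cb_va - image_base
    while cb_va and 0 <= off and off + 4 <= len(image):
        va, = struct.unpack_from("<I", image, off)
        if not va:                                               # NULL terminator, like *callback == 0
            break
        callbacks.append(va)
        off += 4
    return callbacks
```

On a real binary, feed the mapped image (or a file whose sections were laid out at their virtual addresses) and set a breakpoint on each returned VA to catch the callback before the entry point.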