https://bugs.winehq.org/show_bug.cgi?id=57613
Bug ID: 57613
Summary: Calling 'iphlpapi.GetIpNetTable' with a large number of network interfaces present crashes Wine builtin NSI proxy service
Product: Wine
Version: 10.0-rc3
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: iphlpapi
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Created attachment 77732
--> https://bugs.winehq.org/attachment.cgi?id=77732
crash reproducer, calling 'iphlpapi.GetIpNetTable'
Hello folks,
Observed while looking at bug 8133 (game demo part), completely unrelated to the original problem though.
The game (demo sw protection/wrapper) calls 'inetmib1.SnmpExtensionInit', which in turn calls all mib2XXX init funcs (mib2IpNetInit, ...), which delay-load 'iphlpapi' and call 'iphlpapi.GetIpNetTable'. With quite a number of (virtual) network interfaces present on the host machine, the Wine NSI proxy service crashes.
--- snip ---
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
 00000070 4        'explorer.exe'
 00000038 11       'services.exe'
 000000f4 7        _ 'rpcss.exe'
 000000a4 10       _ 'winedevice.exe'
 00000088 3        _ 'svchost.exe'
 00000068 6        _ 'plugplay.exe'
 00000044 8        _ 'winedevice.exe'
 00000020 1        'start.exe'
 00000124 1        _ 'winedbg.exe'
=00000134 1        _ 'winedbg.exe'
 0000013c 1        _ 'CLUE Classic.exe'
 0000012c 1        _ 'CLUE Classic.exe'
 000000fc 2        _ 'conhost.exe'
Wine-dbg>info threads
process  tid      prio name (all IDs are in hex)
00000020 start.exe
    00000024    0
00000038 services.exe
    0000003c    0
    00000040    0 wine_rpcrt4_server
    0000004c    0 wine_rpcrt4_io
    00000078    0 wine_rpcrt4_io
    00000090    0 wine_rpcrt4_io
    000000ac    0 wine_rpcrt4_io
    000000e0    0
    000000f0    0 wine_rpcrt4_io
    00000104    0 wine_rpcrt4_io
00000044 winedevice.exe
    00000048    0
    00000054    0
    00000058    0 wine_sechost_service
    0000005c    0
    00000060    0
    00000064    0
    0000009c    0
    000000a0    0
00000068 plugplay.exe
    0000006c    0
    0000007c    0
    00000080    0 wine_sechost_service
    00000084    0 wine_rpcrt4_server
    000000d0    0 wine_rpcrt4_io
00000070 explorer.exe
    00000074    0
    000000e4    0
    000000e8    0 wine_explorer_display_settings_restorer
    000000ec    0 wine_rpcrt4_server
00000088 svchost.exe
    0000008c    0
    00000094    0
    00000098    0 wine_sechost_service
000000a4 winedevice.exe
    000000a8    0
    000000b0    0
    000000b4    0 wine_sechost_service
    000000b8    0
    000000bc    0
    000000c0    0
    000000c4    0
    000000cc    0
    000000d8    0
    000000dc    0
000000f4 rpcss.exe
    000000f8    0
    0000010c    0
    00000110    0 wine_sechost_service
    00000114    0 wine_rpcrt4_server
    00000118    0 wine_rpcrt4_server
    0000011c    0 wine_rpcrt4_io
000000fc conhost.exe
    00000100    0
    00000144    0
00000124 winedbg.exe
    00000128    0
0000012c CLUE Classic.exe
    00000130    0
0000013c (D) C:\Program Files (x86)\CLUE Classic\CLUE Classic.exe
    00000140    0 <==
Wine-dbg>c
wine: Unhandled page fault on read access to 00007FFEFFFFFFFF at address 00006FFFFFF66270 (thread 0058), starting debugger...
--- snip ---
Another run, now attached to NSI service before crash:
--- snip ---
Register dump:
 rip:00006ffffff66270 rsp:00007ffffebff8d0 rbp:0000000000000002 eflags:00010206 (  R- --  I  - -P- )
 rax:00007ffffec2d8e8 rbx:00007ffffe220000 rcx:00007ffffe220108 rdx:0000000000000000
 rsi:0000000000000002 rdi:0000000000001d44  r8:0000000000000002  r9:0000000000001d00 r10:0000000000000008
 r11:0000000000000246 r12:00007ffffe220000 r13:00007ffffe220000 r14:0000000000001d50 r15:00007fff00000000
Stack dump:
0x007ffffebff8d0:  00007ffffec2b6d0 0000000000000004
0x007ffffebff8e0:  0000000000000038 00006ffffe741933
0x007ffffebff8f0:  0000000000000001 00007ffffec2b6d0
0x007ffffebff900:  00007ffffec2b6c8 00006ffffff650f4
0x007ffffebff910:  00007ffffe7c1f90 00001002fe8101b7
0x007ffffebff920:  00007ffffec2b6c8 0000000000001d44
0x007ffffebff930:  0000000000000002 0000000000000000
0x007ffffebff940:  0000000000000000 00007ffffe220000
0x007ffffebff950:  00007ffffe220000 00007ffffe2200d0
0x007ffffebff960:  0000000000001d50 00006ffffff65c5a
0x007ffffebff970:  0000000000000000 00007ffffe220000
0x007ffffebff980:  0000000000000000 00006ffffff654da
Backtrace:
=>0 0x006ffffff66270 block_get_flags(block=<internal error>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/heap.c:344] in ntdll (0x00000000000002)
  1 0x006ffffff66270 find_free_block+0x90(heap=<internal error>, flags=<internal error>, block_size=<internal error>, size=<internal error>, ret=<internal error>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/heap.c:1121] in ntdll (0x00000000000002)
  2 0x006ffffff66270 heap_allocate_block+0x90(heap=<internal error>, flags=<internal error>, block_size=<internal error>, size=<internal error>, ret=<internal error>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/heap.c:1703] in ntdll (0x00000000000002)
  3 0x006ffffff65c5a RtlAllocateHeap+0x57a(handle=<internal error>, flags=<internal error>, size=<internal error>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/heap.c:2053] in ntdll (0x00000000000002)
  4 0x006ffffe818d40 dispatch_ioctl+0x190(context=<internal error>) [/home/focht/projects/wine/mainline-src/dlls/ntoskrnl.exe/ntoskrnl.c:757] in ntoskrnl (0x007ffffec2a440)
  5 0x006ffffe80f72f wine_ntoskrnl_main_loop+0x3bf(stop_event=<internal error>) [/home/focht/projects/wine/mainline-src/dlls/ntoskrnl.exe/ntoskrnl.c:1029] in ntoskrnl (0000000000000000)
  6 0x00000140001160 ServiceMain+0x120(argc=<internal error>, argv=<internal error>) [/home/focht/projects/wine/mainline-src/programs/winedevice/device.c:145] in winedevice (0x00000000000002)
  7 0x006fffffbba831 service_thread+0x1d1(arg=<internal error>) [/home/focht/projects/wine/mainline-src/dlls/sechost/service.c:1630] in sechost (0x00000000000002)
  8 0x006fffffef5d09 BaseThreadInitThunk+0x9(unknown=<internal error>, entry=<internal error>, arg=<internal error>) [/home/focht/projects/wine/mainline-src/dlls/kernel32/thread.c:60] in kernel32 (0000000000000000)
  9 0x006ffffff91da7 in ntdll (+0x51da7) (0000000000000000)
0x006ffffff66270 heap_allocate_block+0x90 [/home/focht/projects/wine/mainline-src/dlls/ntdll/heap.c:1703] in ntdll: movzbl -1(%r15), %r8d
1703    {
Wine-dbg>
--- snip ---
Heap corruption/pointer truncation likely.
Doesn't happen with a 32-bit WINEPREFIX. Doesn't happen with Wine 8.16 and older, regardless of whether the prefix is 32-bit or 64-bit.
Commit a81c53504ae327 ("ntdll: Release the low address space reservation for 64-bit apps."), part of Wine 8.17, revealed a number of app and Wine bugs. This one as well.
https://bugs.winehq.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NE...
I've attached a simple C reproducer which just calls 'iphlpapi.GetIpNetTable'.
I run several Docker containers with default networking -> bridged mode. Hence the unusual number of (virtual) network interfaces on my machine (30+). Although I think it's nothing special nowadays.
--- snip ---
$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 40:16:7e:14:b3:5d brd ff:ff:ff:ff:ff:ff
3: wlp4s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 5a:37:3d:e5:d2:53 brd ff:ff:ff:ff:ff:ff permaddr ac:7b:a1:8a:72:4e
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:68:10:bf:af brd ff:ff:ff:ff:ff:ff
5: br-794b0e0580cf: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:e1:13:e3:eb brd ff:ff:ff:ff:ff:ff
189: vethf8de8d8@if188: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-794b0e0580cf state UP mode DEFAULT group default
    link/ether aa:bf:60:8c:f3:b4 brd ff:ff:ff:ff:ff:ff link-netnsid 1
193: vethc3d9863@if192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-794b0e0580cf state UP mode DEFAULT group default
    link/ether 4e:36:a2:e3:0a:fe brd ff:ff:ff:ff:ff:ff link-netnsid 15
195: veth6b62a93@if194: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-794b0e0580cf state UP mode DEFAULT group default
    link/ether fe:41:b9:57:a3:8e brd ff:ff:ff:ff:ff:ff link-netnsid 8
197: veth2bfd596@if196: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-794b0e0580cf state UP mode DEFAULT group default
    link/ether ae:d6:5f:84:18:6b brd ff:ff:ff:ff:ff:ff link-netnsid 0
...
261: veth8cfbac0@if260: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-794b0e0580cf state UP mode DEFAULT group default
    link/ether ee:af:59:5e:3e:26 brd ff:ff:ff:ff:ff:ff link-netnsid 19
263: vethe4fccf2@if262: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-794b0e0580cf state UP mode DEFAULT group default
    link/ether ce:c5:8f:c0:11:11 brd ff:ff:ff:ff:ff:ff link-netnsid 22
--- snip ---
$ wine --version
wine-10.0-rc3-9-g872f5c59d4b
Regards
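The reproducer attached to the report is not reproduced on this page. The program below is an added example written for this edit, not the attachment and not Wine code: it calls 'iphlpapi.GetIpNetTable' the standard way, probing the required size first, allocating exactly that, and re-probing if the table grew between the two calls. When built for Windows (or run under Wine) it uses the real export; built anywhere else it runs against a constructed fake host (the names host_query, query_ipnet_table, count_interfaces, fake_entries and fake_growth, the 34-row table and the 10.0.0.x addresses are all assumptions made here) that answers the same ERROR_INSUFFICIENT_BUFFER protocol, so the size-negotiation loop can be exercised without a Windows toolchain.

```c
/* Added example, not the reproducer attached to this report: a GetIpNetTable caller
 * with the probe-then-fill size negotiation.  On Windows (and Wine) it calls the real
 * iphlpapi export; elsewhere it runs against a constructed fake host answering the
 * same protocol, so the loop can be exercised without a Windows build. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <iphlpapi.h>
#else
/* Stand-ins for the Windows types and constants used here; the row layout mirrors
 * the 24-byte MIB_IPNETROW but is only ever filled by the fake host below. */
typedef unsigned int DWORD, ULONG;
typedef int BOOL;
#define NO_ERROR 0
#define ERROR_INSUFFICIENT_BUFFER 122
#define ERROR_NO_DATA 232
typedef struct { DWORD dwIndex, dwPhysAddrLen; unsigned char bPhysAddr[8]; DWORD dwAddr, dwType; } MIB_IPNETROW;
typedef struct { DWORD dwNumEntries; MIB_IPNETROW table[1]; } MIB_IPNETTABLE;
#endif

/* Same shape as GetIpNetTable(table, &size, order). */
typedef DWORD (*ipnet_query_fn)(MIB_IPNETTABLE *table, ULONG *size, BOOL order);

#ifdef _WIN32
static DWORD host_query(MIB_IPNETTABLE *table, ULONG *size, BOOL order)
{
    return GetIpNetTable(table, size, order);          /* the real export */
}
#else
DWORD fake_entries = 34;  /* constructed: 34 ARP rows, as on a host with many veth/bridge interfaces */
DWORD fake_growth  = 0;   /* rows that appear between the probe call and the fill call */

static DWORD host_query(MIB_IPNETTABLE *table, ULONG *size, BOOL order)
{
    ULONG needed = (ULONG)(sizeof(MIB_IPNETTABLE) + (fake_entries ? fake_entries - 1 : 0) * sizeof(MIB_IPNETROW));
    DWORD i;
    (void)order;
    if (!size) return ERROR_NO_DATA;
    if (fake_entries == 0) return ERROR_NO_DATA;
    if (!table || *size < needed) {
        *size = needed;                                /* tell the caller what to allocate */
        fake_entries += fake_growth; fake_growth = 0;  /* the table grows once, after the probe */
        return ERROR_INSUFFICIENT_BUFFER;
    }
    table->dwNumEntries = fake_entries;
    for (i = 0; i < fake_entries; i++) {
        MIB_IPNETROW *row = &table->table[i];
        memset(row, 0, sizeof(*row));
        row->dwIndex = 4 + i / 2;                      /* two neighbours per interface */
        row->dwPhysAddrLen = 6;
        row->dwAddr = 0x0100000aU + (i << 24);         /* 10.0.0.(1+i) in network byte order */
        row->dwType = 3;                               /* MIB_IPNET_TYPE_DYNAMIC */
    }
    return NO_ERROR;
}
#endif

/* Probe-then-fill loop around any ipnet_query_fn.  Returns the row count, 0 when there
 * are no ARP entries, -1 on error; *out receives a buffer the caller frees.  Re-probes
 * when the table grew between the probe and the fill instead of trusting the first size. */
static long query_ipnet_table(ipnet_query_fn query, MIB_IPNETTABLE **out)
{
    MIB_IPNETTABLE *table = NULL;
    ULONG size = 0;
    int attempts;
    *out = NULL;
    for (attempts = 0; attempts < 5; attempts++) {
        DWORD rc = query(table, &size, 1 /* sort by IP address */);
        if (rc == NO_ERROR && table) { *out = table; return (long)table->dwNumEntries; }
        if (rc == NO_ERROR || rc == ERROR_NO_DATA) { free(table); return 0; }
        if (rc != ERROR_INSUFFICIENT_BUFFER || size == 0) break;
        free(table);
        table = calloc(1, size);                       /* exactly what the host asked for */
        if (!table) return -1;
    }
    free(table);
    return -1;
}

/* Distinct dwIndex values, i.e. how many interfaces currently have ARP neighbours. */
static long count_interfaces(const MIB_IPNETTABLE *table)
{
    long distinct = 0;
    DWORD i, j;
    if (!table) return 0;
    for (i = 0; i < table->dwNumEntries; i++) {
        for (j = 0; j < i && table->table[j].dwIndex != table->table[i].dwIndex; j++) ;
        if (j == i) distinct++;
    }
    return distinct;
}

int main(void)
{
    MIB_IPNETTABLE *table;
    long rows = query_ipnet_table(host_query, &table);
    if (rows < 0) { fprintf(stderr, "GetIpNetTable failed\n"); return 1; }
    printf("%ld ARP rows across %ld interfaces\n", rows, count_interfaces(table));
    free(table);
    return 0;
}
```

For the Windows build, link against iphlpapi (with mingw: `x86_64-w64-mingw32-gcc repro.c -liphlpapi`); a plain `cc repro.c` elsewhere runs the fake path. Note that in the report the fault is in winedevice.exe (the NSI proxy service, thread 0058 above), not in the calling process, so when reproducing under a 64-bit WINEPREFIX the thing to watch is the service process dying rather than the client's return code.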