http://bugs.winehq.org/show_bug.cgi?id=28795
Bug #: 28795
Summary: ExeInfoPE: PE protection schemes that abuse %gs won't run (breaks glibc TLS selector)
Product: Wine
Version: 1.3.30
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Classification: Unclassified
Hello,
Newer versions of "ExeInfoPE" (>0.0.2.3), which coin their own PE protection scheme, don't run anymore. Bug 26701 is still present, though the app now crashes earlier.
With tracing enabled:
--- snip ---
...
0024:Call KERNEL32.VirtualProtect(00400000,00001000,00000004,0032fe40) ret=05bd0336
0024:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=05bd0336
0024:Call KERNEL32.VirtualProtect(00400000,00001000,00000002,0032fe40) ret=05bd034b
0024:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=05bd034b
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0xb74a916a ip=b74a916a tid=0024
0024:trace:seh:raise_exception  info[0]=00000000
0024:trace:seh:raise_exception  info[1]=ffffffff
0024:trace:seh:raise_exception  eax=7bc9d7a7 ebx=b75e0ff4 ecx=0032fdcc edx=7bc9d7a7 esi=0032fc74 edi=ffffffc8
0024:trace:seh:raise_exception  ebp=0032fc48 esp=0032f6bc cs=0073 ds=007b es=007b fs=0033 gs=0002 flags=00010246
0024:trace:seh:call_vectored_handlers calling handler at 0x7e16e0bd code=c0000005 flags=0
0024:trace:seh:call_vectored_handlers handler at 0x7e16e0bd returned 0
0024:trace:seh:call_stack_handlers calling handler at 0x7bc90f61 code=c0000005 flags=0
0024:Call KERNEL32.UnhandledExceptionFilter(0032f194) ret=7bc90f9b
wine: Unhandled page fault on read access to 0xffffffff at address 0xb74a916a (thread 0024), starting debugger...
0024:trace:seh:start_debugger Starting debugger "winedbg --auto 35 52"
0024:Ret  KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc90f9b
0024:trace:seh:call_stack_handlers handler at 0x7bc90f61 returned 1
Unhandled exception: page fault on read access to 0xffffffff in 32-bit code (0xb74a916a).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:0002
 EIP:b74a916a ESP:0032f6bc EBP:0032fc48 EFLAGS:00010246(  R- --  I  Z- -P- )
 EAX:7bc9d7a7 EBX:b75e0ff4 ECX:0032fdcc EDX:7bc9d7a7
 ESI:0032fc74 EDI:ffffffc8
Stack dump:
0x0032f6bc:  0032fc7c 7bc9d82e 0032fc58 b74a992c
0x0032f6cc:  0032fc7c 7bc9d82d 00000001 00000000
0x0032f6dc:  0032fc8c 7bc9d82d 00000001 00000001
0x0032f6ec:  7bc9d82d 00000000 00000000 00000001
0x0032f6fc:  7bc9d82d 00000000 00000000 00000000
0x0032f70c:  00000000 00000000 00000000 00000000
Backtrace:
=>0 0xb74a916a _IO_vfprintf+0x3a() in libc.so.6 (0x0032fc48)
  1 0xb74cbdbb vsnprintf+0xca() in libc.so.6 (0x0032fc74)
  2 0x7bc350f9 NTDLL_dbg_vprintf+0x56() in ntdll (0x0032fd90)
  3 0xb761ab63 wine_dbg_printf+0x2e() in libwine.so.1 (0x0032fdc0)
  4 0x7bc640e5 relay_call+0x113() in ntdll (0x0032fe10)
  5 0x7b8224ad in kernel32 (+0x124ac) (0x0032fe60)
  6 0x004075cd in exeinfope (+0x75cc) (0x0032fe60)
  7 0x7b85de44 call_process_entry+0xb() in kernel32 (0x0032fe78)
  8 0x7b85df8a start_process+0x143() in kernel32 (0x0032fec8)
  9 0x7bc7a244 call_thread_func+0xb() in ntdll (0x0032fed8)
  10 0x7bc7a282 call_thread_entry_point+0x33() in ntdll (0x0032ffb8)
  11 0x7bc51ebc start_process+0x25() in ntdll (0x0032ffe8)
  12 0xb761edb5 wine_call_on_stack+0x1c() in libwine.so.1 (0x00000000)
0xb74a916a _IO_vfprintf+0x3a in libc.so.6: movl %gs:0x00000000,%ecx
--- snip ---
The protection scheme fiddles with the %gs selector value, which breaks TLS pointer access through %gs:0 (Wine uses %fs) or the stack-protector scheme that userland libs and Wine are built with (glibc-provided __stack_chk_guard at %gs:0x14).
My gcc 4.6.1 x86 host toolchain has -fstack-protector enabled by default, hence Wine gets the stack canary code in its binaries. The glibc here (Xubuntu 11.10) has stack smashing protection enabled by default.
Even if Wine were built with "-fno-stack-protector", the app would still break glibc's %gs TLS code.
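The two TCB slots the report names (the TLS self-pointer at %gs:0 and glibc's __stack_chk_guard at %gs:0x14 on i386) can be inspected directly from a native process. The program below is an added example written for this page, not code from the bug report or from Wine; it assumes glibc's x86 TCB layout (i386: %gs, canary at 0x14; x86_64: the same layout behind %fs, canary at 0x28) and reports any other architecture as unsupported. It shows why a clobbered segment selector is fatal: every function compiled with -fstack-protector performs exactly these segment-relative loads in its prologue and epilogue, so once the selector points at the wrong descriptor (gs=0002 in the register dump) the very first canary read or TLS access faults, long before any code could notice and restore it.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/*
 * glibc ABI facts assumed here: on i386 the thread control block (TCB) is
 * addressed through %gs, with the TCB self-pointer at %gs:0 and the
 * stack-protector canary (__stack_chk_guard) at %gs:0x14; on x86_64 the same
 * layout is addressed through %fs, with the canary at %fs:0x28. Any other
 * architecture is reported as unsupported (-1).
 */

/* 16-bit selector currently loaded in %fs. Under Wine on i386 this is the
 * TEB selector (fs=0033 in the register dump above). */
unsigned short read_fs_selector(void)
{
    unsigned short sel = 0;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("mov %%fs, %0" : "=r"(sel));
#endif
    return sel;
}

/* 16-bit selector currently loaded in %gs, the one glibc's TLS code on i386
 * depends on. */
unsigned short read_gs_selector(void)
{
    unsigned short sel = 0;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("mov %%gs, %0" : "=r"(sel));
#endif
    return sel;
}

/* Word at offset 0 of the TLS segment: the TCB's pointer to itself. This is
 * the load the faulting instruction (movl %gs:0,%ecx) was performing. */
static uintptr_t read_tcb_self(void)
{
    uintptr_t v = 0;
#if defined(__i386__)
    __asm__ volatile("movl %%gs:0, %0" : "=r"(v));
#elif defined(__x86_64__)
    __asm__ volatile("movq %%fs:0, %0" : "=r"(v));
#endif
    return v;
}

/* __stack_chk_guard as stored in the TCB; function prologues copy it to the
 * stack and epilogues compare against it. */
static uintptr_t read_stack_canary(void)
{
    uintptr_t v = 0;
#if defined(__i386__)
    __asm__ volatile("movl %%gs:0x14, %0" : "=r"(v));
#elif defined(__x86_64__)
    __asm__ volatile("movq %%fs:0x28, %0" : "=r"(v));
#endif
    return v;
}

/* 1 if the segment-relative self pointer is the address pthread_self()
 * reports (the TLS base is intact), 0 if they disagree, -1 if unsupported. */
int tcb_self_matches_pthread_self(void)
{
#if defined(__i386__) || defined(__x86_64__)
    return read_tcb_self() == (uintptr_t)pthread_self();
#else
    return -1;
#endif
}

/* 1 if glibc installed a canary in the TCB slot, 0 if the slot reads as
 * zero, -1 if unsupported. glibc fills it from AT_RANDOM at startup whether
 * or not the binary itself was built with -fstack-protector. */
int stack_canary_is_set(void)
{
#if defined(__i386__) || defined(__x86_64__)
    return read_stack_canary() != 0;
#else
    return -1;
#endif
}

/* 1 if this translation unit was compiled with any -fstack-protector
 * variant, i.e. its own functions contain the canary loads described above. */
int built_with_stack_protector(void)
{
#if defined(__SSP__) || defined(__SSP_STRONG__) || defined(__SSP_ALL__)
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    printf("fs=%04x gs=%04x\n", read_fs_selector(), read_gs_selector());
    printf("TCB self pointer matches pthread_self(): %d\n",
           tcb_self_matches_pthread_self());
    printf("stack canary installed in TCB: %d\n", stack_canary_is_set());
    printf("this unit built with -fstack-protector: %d\n",
           built_with_stack_protector());
    return 0;
}
```

Compile it twice, once with -fstack-protector and once with -fno-stack-protector, and compare the disassembly of main: only the first build contains the segment-relative canary loads, which is the difference the report draws between Wine's own binaries and glibc. The selector check explains why rebuilding Wine without the stack protector is not enough: glibc's TLS accesses go through the same register regardless of how Wine was built.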
This is just a "collector" bug for apps that run into this issue. WONTFIX obviously; there is no reliable way to know when to repair/restore the %gs value (and restart the faulting instruction).
Regards