https://bugs.winehq.org/show_bug.cgi?id=50791
Bug ID: 50791 Summary: NtQueryObject( ..., ObjectBasicInformation, NULL, 0, &retLen) returns incorrect NTSTATUS error code when querying for buffer size Product: Wine Version: 6.3 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntdll Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---
Hello folks,
Found while testing the 'EditSection' tool from Google's sandbox-attacksurface-analysis-tools v1.1.x: listing sections fails. This is a follow-up to bug 45132.
--- snip --- $ WINEDEBUG=+seh,+relay,+ntdll,+server wine ./EditSection.exe >>log.txt 2>&1 ... 0024:Call ntdll.NtQuerySystemInformation(00000005,001fb320,00002228,0033eae4) ret=05a0be37 0024:trace:ntdll:NtQuerySystemInformation (0x00000005,0x1fb320,0x00002228,0x33eae4) 0024: list_processes( ) 0024: list_processes() = 0 { info_size=2024, process_count=9, data={{start_time=1d7165dcc491236 (-5.4284020),thread_count=3,priority=2,pid=0020,parent_pid=0000,handle_count=256,unix_pid=293760,name=L"\??\Z:\home\focht\Downloads\commonobj\EditSection.exe",threads={{start_time=1d7165dcbd1a2be (-6.2111340),tid=0024,base_priority=0,current_priority=0,unix_tid=293760},{start_time=1d7165dcc64cd1e (-5.2466700),tid=00fc,base_priority=0,current_priority=0,unix_tid=293825},{start_time=1d7165dcc65c214 (-5.2403990),tid=0100,base_priority=2,current_priority=2,unix_tid=293826}}},{start_time=1d7165dcbdadb18 (-6.1507090),thread_count=9,priority=2,pid=0038,parent_pid=0028,handle_count=128,unix_pid=293768,name=L"\??\C:\windows\system32\services.exe",threads={{start_time=1d7165dcbd96030 (-6.1604090),tid=003c,base_priority=0,current_priority=0,unix_tid=293768}, ... {start_time=1d7165dcc4b8b06 (-5.4122020),thread_count=1,priority=2,pid=00f4,parent_pid=0020,handle_count=32,unix_pid=293824,name=L"\??\C:\windows\system32\conhost.exe",threads={{start_time=1d7165dcc4a8198 (-5.4189970),tid=00f8,base_priority=0,current_priority=0,unix_tid=293824}}}} } 0024:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=05a0be37 ... 0024:Call ntdll.NtOpenProcess(0033eccc,00001040,0033ec60,01e2d450) ret=05a0cc71 0024: open_process( pid=0020, access=00001040, attributes=00000000 ) 0024: open_process() = 0 { handle=01cc } 0024:Ret ntdll.NtOpenProcess() retval=00000000 ret=05a0cc71 ... 
0024:Call ntdll.NtQueryObject(000001cc,00000000,00000000,00000000,0033ebc4) ret=05a00b58 0024:Ret ntdll.NtQueryObject() retval=c0000206 ret=05a00b58 0024:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0033eaa0) ret=013b48c7 0024:Call ntdll.memcpy(0033e9b8,0033eaa0,00000014) ret=7b0101c8 0024:Ret ntdll.memcpy() retval=0033e9b8 ret=7b0101c8 0024:trace:seh:dispatch_exception code=e0434352 flags=1 addr=7B0101D8 ip=7b0101d8 tid=0024 0024:trace:seh:dispatch_exception info[0]=80131600 0024:trace:seh:dispatch_exception info[1]=00000000 0024:trace:seh:dispatch_exception info[2]=00000000 0024:trace:seh:dispatch_exception info[3]=00000000 0024:trace:seh:dispatch_exception info[4]=01290000 0024:warn:seh:dispatch_exception unknown exception (code=e0434352) raised 0024:trace:seh:dispatch_exception eax=0033e9a4 ebx=00000005 ecx=0033eaa0 edx=00000014 esi=00000005 edi=0033ea10 0024:trace:seh:dispatch_exception ebp=0033e9f8 esp=0033e9a4 cs=7bc50023 ds=33002b es=7bc3002b fs=330063 gs=006b flags=00000212 0024:trace:seh:call_vectored_handlers calling handler at 01431BEA code=e0434352 flags=1 --- snip ---
The NTSTATUS code 0xc0000206 = STATUS_INVALID_BUFFER_SIZE is unexpected for the app: its size probe (source below) only treats STATUS_BUFFER_TOO_SMALL and STATUS_INFO_LENGTH_MISMATCH as the "buffer too small, retry with the returned length" signals, so any other status is surfaced as an error, which is the managed exception (code 0xe0434352) seen in the trace right after the NtQueryObject call.
App source code:
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/bl...
/// <summary>
/// Queries <paramref name="handle"/> for the information class
/// <paramref name="object_info"/> using the usual two-call pattern: a probe with
/// a null buffer of length 0 to learn the required size, then the real query
/// with a buffer of that size.
/// </summary>
/// <remarks>
/// Only STATUS_BUFFER_TOO_SMALL and STATUS_INFO_LENGTH_MISMATCH from the probe
/// are treated as "allocate and retry"; any other status is returned (or thrown,
/// depending on <paramref name="throw_on_error"/>) as an error. A probe that
/// reports a length of 0 falls back to the default-sized buffer for
/// <typeparamref name="T"/>. The buffer is released whenever the final status is
/// not a success, including when the second call throws.
/// </remarks>
private static NtResult<SafeStructureInOutBuffer<T>> QueryObject<T>(SafeKernelObjectHandle handle, ObjectInformationClass object_info, bool throw_on_error) where T : new()
{
    SafeStructureInOutBuffer<T> buffer = null;
    // Start from a non-success status so the finally block frees the buffer if
    // the second NtQueryObject call throws before status is reassigned.
    NtStatus status = NtStatus.STATUS_BUFFER_TOO_SMALL;
    try
    {
        int required_length;
        status = NtSystemCalls.NtQueryObject(handle, object_info, SafeHGlobalBuffer.Null, 0, out required_length);

        bool needs_buffer = status == NtStatus.STATUS_BUFFER_TOO_SMALL
                         || status == NtStatus.STATUS_INFO_LENGTH_MISMATCH;
        if (!needs_buffer)
        {
            // Anything else from the probe is a real failure, not a sizing hint.
            return status.CreateResultFromError<SafeStructureInOutBuffer<T>>(throw_on_error);
        }

        buffer = required_length == 0
            ? new SafeStructureInOutBuffer<T>()
            : new SafeStructureInOutBuffer<T>(required_length, false);

        status = NtSystemCalls.NtQueryObject(handle, object_info, buffer, buffer.Length, out required_length);
        return status.CreateResult(throw_on_error, () => buffer);
    }
    finally
    {
        if (buffer != null && !status.IsSuccess())
        {
            buffer.Close();
            buffer = null;
        }
    }
}
Wine source:
https://source.winehq.org/git/wine.git/blob/580413032c61bc142078d08efb1d1167...
--- snip --- 6581 /************************************************************************** 6582 * NtQueryObject (NTDLL.@) 6583 */ 6584 NTSTATUS WINAPI NtQueryObject( HANDLE handle, OBJECT_INFORMATION_CLASS info_class, 6585 void *ptr, ULONG len, ULONG *used_len ) 6586 { 6587 NTSTATUS status; 6588 6589 TRACE("(%p,0x%08x,%p,0x%08x,%p)\n", handle, info_class, ptr, len, used_len); 6590 6591 if (used_len) *used_len = 0; 6592 6593 switch (info_class) 6594 { 6595 case ObjectBasicInformation: 6596 { 6597 OBJECT_BASIC_INFORMATION *p = ptr; 6598 6599 if (len < sizeof(*p)) return STATUS_INVALID_BUFFER_SIZE; 6600 6601 SERVER_START_REQ( get_object_info ) 6602 { 6603 req->handle = wine_server_obj_handle( handle ); 6604 status = wine_server_call( req ); 6605 if (status == STATUS_SUCCESS) 6606 { 6607 memset( p, 0, sizeof(*p) ); 6608 p->GrantedAccess = reply->access; 6609 p->PointerCount = reply->ref_count; 6610 p->HandleCount = reply->handle_count; 6611 if (used_len) *used_len = sizeof(*p); 6612 } 6613 } 6614 SERVER_END_REQ; 6615 break; 6616 } ... --- snip ---
The incorrect NTSTATUS error code has been there since the function was introduced with https://source.winehq.org/git/wine.git/commitdiff/bae75024a430dd4486e4f5d786... ("server/ntdll: Simplistic implementation of NtQueryObject(ObjectBasicInformation)."): the `len < sizeof(*p)` check returns STATUS_INVALID_BUFFER_SIZE, whereas the caller above expects STATUS_INFO_LENGTH_MISMATCH (or STATUS_BUFFER_TOO_SMALL) for a too-small buffer.
$ sha1sum Release-v1.1.14.7z 8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a Release-v1.1.14.7z
$ du -sh Release-v1.1.14.7z 384K Release-v1.1.14.7z
$ wine --version wine-6.3-295-g580413032c6
Regards