https://bugs.winehq.org/show_bug.cgi?id=39127
Bug ID: 39127 Summary: Multiple applications wrapped with XenoCode Postbuild 2009 application sandboxing crash with stack overflow ('NtWaitForSingleObject' must not call 'NtWaitForMultipleObjects') Product: Wine Version: 1.7.49 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntdll Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---
Hello folks,
as the summary says.
Continuation of bug 30399
The app crashes very quickly:
--- snip --- $ wine ./Stylizer.exe fixme:ole:RemUnknown_QueryInterface No interface for iid {00000019-0000-0000-c000-000000000046} wine: Unhandled stack overflow at address 0x377db8 (thread 0009), starting debugger... err:seh:setup_exception_record stack overflow 816 bytes in thread 0009 eip 00377d91 esp 00241000 stack 0x240000-0x241000-0x340000 --- snip ---
--- snip --- -=[ ProtectionID v0.6.6.7 DECEMBER]=- (c) 2003-2015 CDKiLLER & TippeX Build 24/12/14-22:48:13 Ready... Scanning -> Z:\home\focht\Downloads\Stylizer.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 15854203 (0F1EA7Bh) Byte(s) Compilation TimeStamp : 0x50B3AB61 -> Mon 26th Nov 2012 17:48:17 (GMT) [TimeStamp] 0x50B3AB61 -> Mon 26th Nov 2012 17:48:17 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | - -> File has 15719035 (0EFDA7Bh) bytes of appended data starting at offset 021000h [File Heuristics] -> Flag #1 : 00000000000001001000000000000100 (0x00048004) [Entrypoint Section Entropy] : 6.37 (section #0) ".text " | Size : 0x3ABE (15038) byte(s) [DllCharacteristics] -> Flag : (0x8000) -> TSA [SectionCount] 6 (0x6) | ImageSize 0x30B000 (3190784) byte(s) [!] XenoCode Postbuild 2009 detected ! [CdKeySerial] found "Invalid code" @ VA: 0x00001E60 / Offset: 0x00001260 - Scan Took : 0.332 Second(s) [00000014Ch (332) tick(s)] [558 of 573 scan(s) done] --- snip ---
Relay tracing interferes with the way the native API sandboxing scheme works and use of dedicated trace channels doesn't reveal much.
Debugging reveals the culprit.
'NtWaitForSingleObject':
--- snip --- 7BC99B3E E9 2A057284 JMP 003BA06D ; trampoline 7BC99B43 E4 F0 IN AL,0F0 7BC99B45 FF71 FC PUSH DWORD PTR DS:[ECX-4] 7BC99B48 55 PUSH EBP 7BC99B49 89E5 MOV EBP,ESP 7BC99B4B 51 PUSH ECX 7BC99B4C 83EC 24 SUB ESP,24 7BC99B4F 89C8 MOV EAX,ECX 7BC99B51 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4] 7BC99B54 8855 F4 MOV BYTE PTR SS:[EBP-0C],DL 7BC99B57 0FB655 F4 MOVZX EDX,BYTE PTR SS:[EBP-0C] 7BC99B5B 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8] 7BC99B5E 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX 7BC99B62 895424 0C MOV DWORD PTR SS:[ESP+0C],EDX 7BC99B66 C74424 08 00000 MOV DWORD PTR SS:[ESP+8],0 7BC99B6E 894424 04 MOV DWORD PTR SS:[ESP+4],EAX 7BC99B72 C70424 01000000 MOV DWORD PTR SS:[ESP],1 7BC99B79 E8 E7FEFFFF CALL NtWaitForMultipleObjects 7BC99B7E 83EC 14 SUB ESP,14 7BC99B81 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 7BC99B84 C9 LEAVE 7BC99B85 8D61 FC LEA ESP,[ECX-4] 7BC99B88 C2 0C00 RETN 0C ... 00A3004E 8D4C24 04 LEA ECX,[ESP+4] ; saved prolog chunk 00A30052 83E4 F0 AND ESP,FFFFFFF0 00A30055 E9 EB9A267B JMP 7BC99B45 --- snip ---
NtWaitForMultipleObjects:
--- snip --- 7BC99A65 E9 81067284 JMP 003BA0EB ; trampoline 7BC99A6A F0:81EC 3001000 LOCK SUB ESP,130 7BC99A71 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10] 7BC99A74 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14] 7BC99A77 885424 1C MOV BYTE PTR SS:[ESP+1C],DL 7BC99A7B 884424 18 MOV BYTE PTR SS:[ESP+18],AL 7BC99A7F C78424 28010000 MOV DWORD PTR SS:[ESP+128],2 7BC99A8A 837D 08 00 CMP DWORD PTR SS:[EBP+8],0 7BC99A8E 74 06 JE SHORT 7BC99A96 ... --- snip ---
The trampoline/hook state tracking code gets confused due to 'NtWaitForSingleObject' calling 'NtWaitForMultipleObjects' which causes a recursion in the continuation code.
Native NT API doesn't do this by design since each function has an own syscall.
If you use a static/inline helper which is shared/called by both, the app starts fine.
NOTE: Although the app bundles .NET on its own, you will need 'winetricks -q dotnet20' to work around bug 38956
$ sha1sum Stylizer5Setup.exe fa99802266f80441ac4f091e90b20691e170f12d Stylizer5Setup.exe
$ du -sh Stylizer5Setup.exe 16M Stylizer5Setup.exe
$ wine --version wine-1.7.49-184-g5021e91
Regards