https://bugs.winehq.org/show_bug.cgi?id=46954
Bug ID: 46954
Summary: Relay trace causes crash in wine_dbgstr_wn helper due to invalid string pointer access
Product: Wine
Version: 4.5
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
found while checking a patch for bug 46903
Relay tracing crashes the app:
--- snip ---
$ WINEDEBUG=+seh,+loaddll,+relay,+ntdll wine ./ADHOCSIGNER.EXE ./TouchInputPC.exe >>log.txt 2>&1
...
00ac:Call user32.SetPropA(00060044,7cd7c748 "__wine_x11_whole_window",05400001) ret=7cd53e2e
...
00ac:Ret user32.SetPropA() retval=00000001 ret=7cd53e2e
....
00ac:Call user32.EnumPropsW(00060044,004018cb) ret=00401b3e
...
00ac:Call KERNEL32.GlobalGetAtomNameW(0000c06a,0033f91c,00000100) ret=7e7a26a7
00ac:Call ntdll.NtQueryInformationAtom(0000c06a,00000000,0033f67e,00000206,00000000) ret=7b42fe3f
00ac:Ret ntdll.NtQueryInformationAtom() retval=00000000 ret=7b42fe3f
00ac:Ret KERNEL32.GlobalGetAtomNameW() retval=00000017 ret=7e7a26a7
00ac:Call user32.RemovePropW(00060044,0033f91c L"__wine_x11_whole_window") ret=004018e5
00ac:Ret user32.RemovePropW() retval=05400001 ret=004018e5
00ac:Call oleaut32.SysFreeString(code=c0000005 flags=0 addr=0x7bc7c011 ip=7bc7c011 tid=00ac
00ac:trace:seh:raise_exception info[0]=00000000
00ac:trace:seh:raise_exception info[1]=05400001
00ac:trace:seh:raise_exception eax=7bd0d000 ebx=7bd0d000 ecx=00000000 edx=05400001 esi=0033f880 edi=0033fb88
00ac:trace:seh:raise_exception ebp=0033f778 esp=0033f630 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
00ac:trace:seh:call_stack_handlers calling handler at 0x7b4980f1 code=c0000005 flags=0
...
wine: Unhandled page fault on read access to 0x05400001 at address 0x7bc7c011 (thread 00ac), starting debugger...
...
Unhandled exception: page fault on read access to 0x05400001 in 32-bit code (0x7bc7c011).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc7c011 ESP:0033f630 EBP:0033f778 EFLAGS:00010202( R- -- I - - - )
 EAX:7bd0d000 EBX:7bd0d000 ECX:00000000 EDX:05400001
 ESI:0033f880 EDI:0033fb88
Stack dump:
0x0033f630: 00000000 00000000 0033f6fc f7d9c2e2
0x0033f640: f7d88680 00000000 00000000 7bc42361
0x0033f650: 7bd0d000 ffffffff 0033f888 7bc42b08
0x0033f660: 7bd18922 0033f6c8 00000017 7bc42a86
0x0033f670: 0033f91c 00000017 7bd18600 0000031a
0x0033f680: f7d88680 00000000 0033f6a8 0033f6b0
Backtrace:
=>0 0x7bc7c011 wine_dbgstr_wn+0x74() [/home/focht/projects/wine/mainline-src/include/wine/debug.h:277] in ntdll (0x0033f778)
  1 0x7bc7c2b3 debugstr_w+0x1c() [/home/focht/projects/wine/mainline-src/include/wine/debug.h:515] in ntdll (0x0033f798)
  2 0x7bc7cc57 trace_string_w+0x4e() [/home/focht/projects/wine/mainline-src/dlls/ntdll/relay.c:321] in ntdll (0x0033f7c8)
  3 0x7bc7cf02 relay_trace_entry+0x237() [/home/focht/projects/wine/mainline-src/dlls/ntdll/relay.c:357] in ntdll (0x0033f868)
  4 0x7bc7d2eb relay_call+0x16() in ntdll (0x0033f8a0)
  5 0x7d6d6276 __wine_stub_OleLoadPictureFileEx+0xed() in oleaut32 (0x0033f8b8)
  6 0x004018fe EntryPoint+0xffffffff() in adhocsigner (0x0033f8b8)
  7 0x7e7a205a EnumPropsW_relay+0x32() [/home/focht/projects/wine/mainline-src/dlls/user32/property.c:92] in user32 (0x0033f8e8)
  8 0x7e7a26d4 EnumPropsExW+0xa2() [/home/focht/projects/wine/mainline-src/dlls/user32/property.c:248] in user32 (0x0033fb38)
  9 0x7e7a20da EnumPropsW+0x31() [/home/focht/projects/wine/mainline-src/dlls/user32/property.c:110] in user32 (0x0033fb68)
--- snip ---
The app-provided callback for user32.EnumPropsW() tries to remove Wine-internal window properties. User32.RemovePropW() returns 0x05400001, which in turn gets passed to oleaut32.SysFreeString(). This should obviously fail due to the invalid parameter.
Unfortunately, the relay debug print functionality no longer catches invalid string pointer access. A quick inspection of Wine changes hints at this:
https://source.winehq.org/git/wine.git/commitdiff/9f75f7189935aeec55df79a5ab... ("include: Make wine_dbgstr_an()/wine_dbgstr_wn() into inline functions.")
_NTSYSTEM_ is always defined for ntdll (relay), which leaves the pointer test/access without SEH protection.
https://source.winehq.org/git/wine.git/blob/HEAD:/include/wine/debug.h#l267
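The failure mode described above, as an added C example that is not Wine's code: a wine_dbgstr_wn()-style formatter that reads the traced argument unguarded, beside a wrapper that recovers from the page fault with sigsetjmp/siglongjmp, the POSIX stand-in for the SEH protection the report says the inline helper lost. WCHAR, sample_prop_name, guarded_dbgstr_wn and unmapped_pointer are names chosen for this example, and the PROT_NONE page stands in for the bogus 0x05400001 pointer from the log.

```c
#define _GNU_SOURCE            /* exposes MAP_ANONYMOUS and sigaction() under strict -std modes */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

typedef uint16_t WCHAR;        /* Wine's WCHAR is a 16-bit code unit */
static sigjmp_buf fault_env;

/* Constructed sample argument, modelled on the property name seen in the relay log. */
const WCHAR sample_prop_name[] = { '_', '_', 'w', 'i', 'n', 'e', 0 };

static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Unguarded formatter, like the inline _NTSYSTEM_ path: str[i] is the faulting read. */
static void format_wstr(const WCHAR *str, int n, char *out, size_t cap)
{
    size_t pos = 0;
    if (!str) { snprintf(out, cap, "(null)"); return; }
    out[pos++] = 'L'; out[pos++] = '"';
    for (int i = 0; i < n && str[i] && pos + 2 < cap; i++)
        out[pos++] = (str[i] >= 0x20 && str[i] < 0x7f) ? (char)str[i] : '?';
    out[pos++] = '"'; out[pos] = '\0';
}

/* Guarded wrapper: a bad pointer yields a placeholder instead of taking the tracer down.
 * Returns 1 when the string was read, 0 when the access faulted. */
int guarded_dbgstr_wn(const WCHAR *str, int n, char *out, size_t cap)
{
    struct sigaction sa = { .sa_handler = on_fault }, old;
    volatile int ok = 0;                    /* volatile: survives the siglongjmp */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);          /* install the fault catcher for this read only */
    if (sigsetjmp(fault_env, 1) == 0) {
        format_wstr(str, n, out, cap);      /* faults here jump to the else branch */
        ok = 1;
    } else {
        snprintf(out, cap, "(invalid string pointer %p)", (const void *)str);
    }
    sigaction(SIGSEGV, &old, NULL);         /* restore whatever handler was there before */
    return ok;
}

const WCHAR *unmapped_pointer(void)
{   /* PROT_NONE page: guaranteed to fault on read, like the 0x05400001 HANDLE in the log */
    void *p = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (const WCHAR *)p;
}
```

Calling format_wstr() directly on unmapped_pointer() reproduces the crash from the backtrace; the guarded wrapper returns 0 and keeps the process alive.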
$ wine --version
wine-4.5-138-g8268c47462
Regards