https://bugs.winehq.org/show_bug.cgi?id=37356
Anastasius Focht focht@gmx.net changed:
What          |Removed                                        |Added
--------------+-----------------------------------------------+---------------------------------------------------
Status        |NEW                                            |RESOLVED
Resolution    |---                                            |DUPLICATE
Fixed by SHA1 |                                               |68f23a1138ed697257c348011d77ec8519b44294
Summary       |Multiple software protection/DRM schemes need  |Multiple software protection/DRM schemes crash due
              |ntoskrnl 'MmMapLockedPagesSpecifyCache'        |to 'ntoskrnl.MmMapLockedPagesSpecifyCache'
              |implementation (Tages v5.x, ProtectDISC 6.x)   |returning NULL (Tages v5.x, ProtectDISC 6.x)
--- Comment #5 from Anastasius Focht focht@gmx.net ---

Hello folks,
yes, I've noticed it now too.
It's a dupe of bug 37355 ("Multiple software protection schemes need ntoskrnl 'MmMapLockedPagesSpecifyCache' implementation (Tages Protection v5.x, BattleEye's 'bedaisy.sys')")
--- snip ---
...
0034:Call ntdll.RtlInitUnicodeString(0054fb50,0054fb58 L"\Device\atksgt") ret=7bc7f49b
0034:Ret ntdll.RtlInitUnicodeString() retval=0054fb50 ret=7bc7f49b
0034:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0054fb50 ret=00780387
0034:Call ntoskrnl.exe.IoGetDeviceObjectPointer(0054fb50,00020000,0054fb4c,0054fb48) ret=007803a1
0034:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\Device\atksgt" 20000 0x54fb4c 0x54fb48
0034:Ret ntoskrnl.exe.IoGetDeviceObjectPointer() retval=00000000 ret=007803a1
0034:trace:ntoskrnl:ObDereferenceObject ((nil)): stub
0034:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7803c1 ip=007803c1 tid=0034
0034:trace:seh:raise_exception info[0]=00000001
0034:trace:seh:raise_exception info[1]=00000000
0034:trace:seh:raise_exception eax=00000000 ebx=0054fc70 ecx=0054fb44 edx=00552f44 esi=0011cd18 edi=0054fe14
0034:trace:seh:raise_exception ebp=00000000 esp=0054fb48 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010216
0034:trace:seh:call_vectored_handlers calling handler at 0x7ec112b1 code=c0000005 flags=0
0034:trace:seh:call_vectored_handlers handler at 0x7ec112b1 returned 0
0034:trace:seh:call_stack_handlers calling handler at 0x7bcb1a8e code=c0000005 flags=0
0034:Call KERNEL32.UnhandledExceptionFilter(0054f644) ret=7bcb1ac9
wine: Unhandled page fault on write access to 0x00000000 at address 0x7803c1 (thread 0034), starting debugger...
--- snip ---
The current stub:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl...
--- snip ---
NTSTATUS WINAPI IoGetDeviceObjectPointer( UNICODE_STRING *name, ACCESS_MASK access,
                                         PFILE_OBJECT *file, PDEVICE_OBJECT *device )
{
    static DEVICE_OBJECT stub_device;
    static DRIVER_OBJECT stub_driver;

    FIXME( "stub: %s %x %p %p\n", debugstr_us(name), access, file, device );

    stub_device.StackSize = 0x80; /* minimum value to appease SecuROM 5.x */
    stub_device.DriverObject = &stub_driver;

    *file = NULL;
    *device = &stub_device;

    return STATUS_SUCCESS;
}
--- snip ---
'ObDereferenceObject(NULL)' in the trace log is the result of 'IoGetDeviceObjectPointer()' returning a NULL file object. This is expected; the driver doesn't need the file object.
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/attaching-the-... ("Attaching the Filter Device Object to the Target Device Object")
Driver disassembly:
--- snip ---
00780300 SUB ESP,30
00780303 XOR EAX,EAX
00780305 MOV ECX,65
0078030A MOV WORD PTR SS:[ESP+14],CX
0078030F MOV WORD PTR SS:[ESP+1C],CX
...
00780381 CALL DWORD PTR DS:[<&ntoskrnl.RtlInitUnicodeString>]
00780387 LEA EDX,DWORD PTR SS:[ESP]
0078038B PUSH EDX
0078038C LEA EAX,DWORD PTR SS:[ESP+8]
00780390 PUSH EAX
00780391 PUSH 20000
00780396 LEA ECX,DWORD PTR SS:[ESP+14]
0078039A PUSH ECX
0078039B CALL DWORD PTR DS:[<&ntoskrnl.IoGetDeviceObjectPointer>]
007803A1 TEST EAX,EAX
007803A3 JL SHORT lirsgt.007803BD
007803A5 MOV EDX,DWORD PTR SS:[ESP]        ; stub_device
007803A9 MOV EAX,DWORD PTR DS:[EDX+28]     ; _DEVICE_OBJECT.Timer
007803AC MOV ECX,DWORD PTR SS:[ESP+34]     ; arg1
007803B0 MOV DWORD PTR DS:[ECX+30],EAX
007803B3 MOV ECX,DWORD PTR SS:[ESP+4]
007803B7 CALL DWORD PTR DS:[<&ntoskrnl.ObfDereferenceObject>]
007803BD MOV EAX,DWORD PTR SS:[ESP+38]
007803C1 MOV WORD PTR DS:[EAX],5           ; arg2 == NULL *boom*
007803C6 MOV WORD PTR DS:[EAX+2],5
007803CC MOV BYTE PTR DS:[EAX+4],2
007803D0 ADD ESP,30
007803D3 RETN 8
--- snip ---
The problem here is the caller supplying a NULL arg2 (ptr) to this function. Looking at the caller:
--- snip ---
...
007829B3 PUSH 20                           ; Priority
007829B5 PUSH 0                            ; BugCheckOnFailure
007829B7 PUSH 0                            ; BaseAddress
007829B9 PUSH 1                            ; CacheType
007829BB PUSH 0                            ; AccessMode
007829BD PUSH EAX                          ; MemoryDescriptorList
007829BE CALL DWORD PTR DS:[<&ntoskrnl.MmMapLockedPagesSpecifyCache>]
007829C4 PUSH EAX                          ; arg2 -> address of mapped pages
007829C5 PUSH ESI                          ; arg1
007829C6 CALL lirsgt.00780300              ; see above snippet
007829CB JMP lirsgt.00783F5E
...
--- snip ---
arg2 == NULL -> bug 37355 ("Multiple software protection schemes need ntoskrnl 'MmMapLockedPagesSpecifyCache' implementation (Tages Protection v5.x, BattleEye's 'bedaisy.sys')")
$ wine --version
wine-3.5-91-g3263d51a1f
Regards
*** This bug has been marked as a duplicate of bug 37355 ***
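To make the crash path in the comment above easier to follow, here is an added user-space model of it; it is not code from Wine or from the lirsgt driver. The routine at 0x00780300 and its caller at 0x007829B3 are reconstructed from the disassembly quoted in the comment, the NT kernel APIs are replaced by minimal stand-ins that mirror the Wine stub behaviour shown there (IoGetDeviceObjectPointer succeeding with a NULL file object, MmMapLockedPagesSpecifyCache returning NULL), and the struct layouts, the DRIVER_CTX/MAPPED_HDR/MDL_MODEL names and the `check` flag on the caller are assumptions made for this model.

```c
/* Added example: user-space model of the lirsgt crash path from bug 37356.
 * Not Wine's or the driver's code; struct layouts and type names are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS 0L
#define NT_SUCCESS(s) ((s) >= 0)

typedef struct { const char *buffer; } UNICODE_STRING;                 /* narrow-string stand-in */
typedef struct { uint8_t pad[0x28]; void *Timer; } DEVICE_OBJECT;      /* Timer at +0x28, as the driver reads it */
typedef struct { int unused; } FILE_OBJECT;
typedef struct { uint16_t w0; uint16_t w2; uint8_t b4; } MAPPED_HDR;   /* arg2: WORD +0, WORD +2, BYTE +4 */
typedef struct { uint8_t pad[0x30]; void *timer; } DRIVER_CTX;         /* arg1: only the field at +0x30 is touched */
typedef struct { MAPPED_HDR *mapped_va; } MDL_MODEL;                   /* assumed: the pages an MDL describes */

/* Stand-in for the Wine IoGetDeviceObjectPointer stub quoted in the comment:
 * STATUS_SUCCESS, a static device object, and a NULL file object. */
static NTSTATUS IoGetDeviceObjectPointer(UNICODE_STRING *name, uint32_t access,
                                         FILE_OBJECT **file, DEVICE_OBJECT **device)
{
    static DEVICE_OBJECT stub_device;
    (void)name; (void)access;
    *file = NULL;
    *device = &stub_device;
    return STATUS_SUCCESS;
}
static void ObfDereferenceObject(void *obj) { (void)obj; }            /* Wine stub: trace only */
static void RtlInitUnicodeString(UNICODE_STRING *s, const char *src) { s->buffer = src; }

/* 1 models the old Wine stub, which returned NULL (bug 37355); 0 models a working mapping. */
int g_map_returns_null = 1;

static void *MmMapLockedPagesSpecifyCache(MDL_MODEL *mdl, int access_mode, int cache_type,
                                          void *base, int bugcheck_on_failure, int priority)
{
    (void)access_mode; (void)cache_type; (void)base; (void)bugcheck_on_failure; (void)priority;
    return g_map_returns_null ? NULL : (void *)mdl->mapped_va;  /* NULL: pages could not be mapped */
}

/* Reconstruction of sub_00780300: open \Device\atksgt, cache device->Timer at
 * ctx+0x30, drop the file reference, then write the header through arg2
 * with no NULL check. */
static void driver_init_mapping(DRIVER_CTX *ctx, MAPPED_HDR *hdr)
{
    UNICODE_STRING name; FILE_OBJECT *file; DEVICE_OBJECT *device;
    RtlInitUnicodeString(&name, "\\Device\\atksgt");
    if (NT_SUCCESS(IoGetDeviceObjectPointer(&name, 0x20000, &file, &device))) {
        ctx->timer = device->Timer;
        ObfDereferenceObject(file);   /* file == NULL: the ObDereferenceObject((nil)) line in the trace */
    }
    hdr->w0 = 5;                      /* 007803C1 MOV WORD PTR [EAX],5: write to address 0 when hdr == NULL */
    hdr->w2 = 5;
    hdr->b4 = 2;
}

/* Reconstruction of the caller at 0x007829B3. `check` is not in the driver;
 * with check != 0 a NULL mapping is reported as -1 instead of being passed on. */
static int driver_map_and_init(DRIVER_CTX *ctx, MDL_MODEL *mdl, int check)
{
    void *pages = MmMapLockedPagesSpecifyCache(mdl, 0 /* AccessMode */, 1 /* CacheType */,
                                               NULL, 0 /* BugCheckOnFailure */, 0x20 /* Priority */);
    if (check && pages == NULL)
        return -1;
    driver_init_mapping(ctx, (MAPPED_HDR *)pages);
    return 0;
}

/* Drives one scenario. Returns -1 when the checked caller refused a NULL
 * mapping, 1 when the header was written as 5/5/2, 0 otherwise. Calling it
 * with (1, 0) reproduces the unchecked NULL write and faults, as in the log. */
int run_scenario(int map_returns_null, int check)
{
    static MAPPED_HDR backing;
    MDL_MODEL mdl = { &backing };
    DRIVER_CTX ctx = {{0}, NULL};
    backing.w0 = 0; backing.w2 = 0; backing.b4 = 0;
    g_map_returns_null = map_returns_null;
    if (driver_map_and_init(&ctx, &mdl, check) < 0)
        return -1;
    return (backing.w0 == 5 && backing.w2 == 5 && backing.b4 == 2) ? 1 : 0;
}

int main(void)
{
    printf("stub mapping, checked caller:    %d\n", run_scenario(1, 1));  /* -1 */
    printf("working mapping, checked caller: %d\n", run_scenario(0, 1));  /* 1 */
    printf("working mapping, driver as-is:   %d\n", run_scenario(0, 0));  /* 1 */
    return 0;
}
```

The model shows why the fix belongs on the Wine side: the driver never tests the value MmMapLockedPagesSpecifyCache hands back, so once that call stops returning NULL (the fix referenced above for bug 37355) the header write at 0x007803C1 lands in the mapped pages instead of at address 0, and the ObDereferenceObject((nil)) line is harmless noise from the file object the driver does not use.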