[Bug 46135] New: Microsoft ODBC tool 'odbcconf.exe' ( part of MDAC 2.x install) crashes during configuration (some 'advapi32.dll ' API entries are not hotpatchable due to PIC/GOT code at entry)

https://bugs.winehq.org/show_bug.cgi?id=46135

Bug ID: 46135 Summary: Microsoft ODBC tool 'odbcconf.exe' (part of MDAC 2.x install) crashes during configuration (some 'advapi32.dll' API entries are not hotpatchable due to PIC/GOT code at entry) Product: Wine Version: 3.20 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: advapi32 Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---

Hello folks,

found during investigation of other MDAC 2.x installer related issues.

Another manifestation of bug 45199 ("Many applications and games fail to start/crash after compiling wine with gcc 8.1.0 and -O2 (GOT/PIC register load code now emitted at function entry, missing hotpatch signatures)")

--- snip --- $ WINEDEBUG=+seh,+relay wine ./MDAC_TYP.EXE /q /C:"setup /qnt" >>log.txt 2>&1 ... Unhandled exception: page fault on read access to 0x0104f463 in 32-bit code (0x7e9ea2a7). Register dump: CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b EIP:7e9ea2a7 ESP:0033d080 EBP:0033d0d8 EFLAGS:00010202( R- -- I - - - ) EAX:00000057 EBX:80000002 ECX:00000000 EDX:0104952f ESI:00000000 EDI:00000000 ... Backtrace: =>0 0x7e9ea2a7 RegCreateKeyExW+0x67() in advapi32 (0x0033d0d8) 1 0x010062d3 in odbcconf (+0x62d2) (0x0033d8e8) 2 0x7e9ea58b RegCreateKeyW+0x3a() [/home/focht/projects/wine/mainline-src/dlls/advapi32/registry.c:471] in advapi32 (0x0033d928) 3 0x7e0c2cd1 write_registry_values+0x40(regkey="ODBC Translators", driver="Software\ODBC\ODBCINST.INI", path_in=0x0(nil)) [/home/focht/projects/wine/mainline-src/dlls/odbccp32/odbccp32.c:830] in odbccp32 (0x0033e1a8) 4 0x7e0c5d5d SQLInstallTranslatorExW+0x7c(lpszTranslator=<couldn't compute location>, lpszPathIn=<couldn't compute location>, lpszPathOut=<couldn't compute location>, cbPathOutMax=<couldn't compute location>, pcbPathOut=<couldn't compute location>, fRequest=<couldn't compute location>, lpdwUsageCount=<couldn't compute location>) [/home/focht/projects/wine/mainline-src/dlls/odbccp32/odbccp32.c:1176] in odbccp32 (0x0033e408) 5 0x7e0c5fb9 SQLInstallTranslatorEx+0x148(lpszTranslator=<couldn't compute location>, lpszPathIn=<couldn't compute location>, lpszPathOut=<couldn't compute location>, cbPathOutMax=<couldn't compute location>, pcbPathOut=<couldn't compute location>, fRequest=<couldn't compute location>, lpdwUsageCount=<couldn't compute location>) [/home/focht/projects/wine/mainline-src/dlls/odbccp32/odbccp32.c:1212] in odbccp32 (0x0033e698) 6 0x005573b2 in odbcconf (+0x73b1) (0x0033f0e4) 7 0x005593a9 in odbcconf (+0x93a8) (0x0033f0fc) 8 0x01006b63 in odbcconf (+0x6b62) (0x0033f19c) 0x7e9ea2a7 RegCreateKeyExW+0x67 in advapi32: movl 0x5f2c(%edx,%ebx,4),%eax Module Address Debug info Name (42 modules) PE 550000- 572000 Export odbcconf PE 1000000- 1013000 Export odbcconf ELF 7b400000-7b7ee000 Deferred kernel32<elf> -PE 7b420000-7b7ee000 \ kernel32 ELF 7bc00000-7bd02000 Deferred ntdll<elf> -PE 7bc10000-7bd02000 \ ntdll ELF 7c000000-7c004000 Deferred <wine-loader> ELF 7e0b0000-7e0cd000 Dwarf odbccp32<elf> -PE 7e0c0000-7e0cd000 \ odbccp32 ... Threads: process tid prio (all id:s are in hex) 00000008 MDAC_TYP.EXE 00000009 0 0000000e services.exe ... 0000002b setup.exe 0000002c 0 0000002d dasetup.exe 0000002f 0 0000002e 0 00000032 (D) C:\windows\system32\odbcconf.exe 00000033 0 <== --- snip ---

There is a module (dll) of same name 'odbcconf' mapped which does hooking of several registry APIs.

Example original API entry 'RegCreateKeyExW' with GOT/PIC register load code emitted at function entry, missing hotpatch signatures:

--- snip --- 7E9EA240 E8 C494FEFF CALL 7E9D3709 ; PIC 7E9EA245 81C2 BB3D0400 ADD EDX,43DBB 7E9EA24B 8D4C24 04 LEA ECX,[ESP+4] 7E9EA24F 83E4 F0 AND ESP,FFFFFFF0 ; align 16-bytes ... 7E9D3709 8B1424 MOV EDX,DWORD PTR SS:[ARG.RETADDR] 7E9D370C C3 RETN --- snip ---

Patched by app:

--- snip --- 7E9EA240 E9 59C06182 JMP 0100629E 7E9EA245 81C2 BB3D0400 ADD EDX,43DBB 7E9EA24B 8D4C24 04 LEA ECX,[ESP+4] 7E9EA24F 83E4 F0 AND ESP,FFFFFFF0 7E9EA252 FF71 FC PUSH DWORD PTR DS:[ECX-4] 7E9EA255 55 PUSH EBP 7E9EA256 89E5 MOV EBP,ESP 7E9EA258 57 PUSH EDI 7E9EA259 56 PUSH ESI 7E9EA25A 53 PUSH EBX 7E9EA25B 51 PUSH ECX 7E9EA25C 83EC 48 SUB ESP,48 7E9EA25F 8B41 04 MOV EAX,DWORD PTR DS:[ECX+4] --- snip ---

--- snip --- 0100576F E8 95DF9C7D CALL 7E9D3709 ; can't work, PC (EIP) not in org module 01005774 E9 CC4A9E7D JMP 7E9EA245 ; back to org API 01005779 90 NOP ... 0100629E 55 PUSH EBP 0100629F 8BEC MOV EBP,ESP 010062A1 81EC D4070000 SUB ESP,7D4 010062A7 53 PUSH EBX 010062A8 56 PUSH ESI 010062A9 57 PUSH EDI 010062AA FF75 28 PUSH DWORD PTR SS:[ARG.9] 010062AD 8B7D 0C MOV EDI,DWORD PTR SS:[ARG.2] 010062B0 FF75 24 PUSH DWORD PTR SS:[ARG.8] 010062B3 A1 58F00001 MOV EAX,DWORD PTR DS:[100F058] 010062B8 FF75 20 PUSH DWORD PTR SS:[ARG.7] 010062BB 8945 FC MOV DWORD PTR SS:[LOCAL.1],EAX 010062BE FF75 1C PUSH DWORD PTR SS:[ARG.6] 010062C1 FF75 18 PUSH DWORD PTR SS:[ARG.5] 010062C4 FF75 14 PUSH DWORD PTR SS:[ARG.4] 010062C7 FF75 10 PUSH DWORD PTR SS:[ARG.3] 010062CA 57 PUSH EDI 010062CB FF75 08 PUSH DWORD PTR SS:[ARG.1] 010062CE E8 9CF4FFFF CALL 0100576F 010062D3 85FF TEST EDI,EDI ... 010063A6 CALL 01006C39 010063AB POP EDI 010063AC POP ESI 010063AD POP EBX 010063AE LEAVE 010063AF RETN 24 --- snip ---

Using 'search all for all intermodular calls in advapi32' in debugger:

--- snip --- Address = 7E9EE482 Command = CALL RegOpenKeyExA Dest = 01005E18 Dest name = odbcconf.01005E18

Address = 7EA00A43 Command = CALL RegOpenKeyExW Dest = 01005EF1 Dest name = odbcconf.01005EF1

Address = 7E9EE436 Command = CALL RegQueryValueExA Dest = 01006074 Dest name = odbcconf.01006074

Address = 7EA00A7F Command = CALL RegQueryValueExW Dest = 010060FF Dest name = odbcconf.010060FF

Address = 7E9EA5D6 Command = CALL RegCreateKeyExA Dest = 010061C0 Dest name = odbcconf.010061C0

Address = 7E9D8AA6 Command = CALL RegCreateKeyExW Dest = 0100629E Dest name = odbcconf.0100629E

Address = 7E9EC2A1 Command = CALL RegSetValueExA Dest = 010063B2 Dest name = odbcconf.010063B2

Address = 7E9D8A75 Command = CALL RegSetValueExW Dest = 01006436 Dest name = odbcconf.01006436

Address = 7E9ECD8F Command = CALL RegCloseKey Dest = 010064F0 Dest name = odbcconf.010064F0 --- snip ---

* RegOpenKeyExA -> DECLSPEC_HOTPATCH = ok * RegOpenKeyExW -> no hotpatch (!) * RegQueryValueExA -> DECLSPEC_HOTPATCH = ok * RegQueryValueExW -> no hotpatch (!) * RegCreateKeyExA -> no hotpatch (!) * RegCreateKeyExW -> no hotpatch (!) * RegSetValueExA -> no hotpatch (!) * RegSetValueExW -> no hotpatch (!) * RegCloseKey -> DECLSPEC_HOTPATCH = ok

Example of one that is already ok -> 'RegOpenKeyExA':

Org:

--- snip --- 7E9EA920 8BFF MOV EDI,EDI 7E9EA922 55 PUSH EBP 7E9EA923 8BEC MOV EBP,ESP 7E9EA925 E8 5816FFFF CALL 7E9DBF82 7E9EA92A 05 D6360400 ADD EAX,436D6 7E9EA92F 5D POP EBP 7E9EA930 8D4C24 04 LEA ECX,[ESP+4] 7E9EA934 83E4 F0 AND ESP,FFFFFFF0 --- snip ---

Patched (ok):

--- snip --- 7E9EA920 E9 F3B46182 JMP 01005E18 7E9EA925 E8 5816FFFF CALL 7E9DBF82 7E9EA92A 05 D6360400 ADD EAX,436D6 7E9EA92F 5D POP EBP 7E9EA930 8D4C24 04 LEA ECX,[ESP+4] 7E9EA934 83E4 F0 AND ESP,FFFFFFF0 7E9EA937 FF71 FC PUSH DWORD PTR DS:[ECX-4] 7E9EA93A 55 PUSH EBP --- snip ---

$ sha1sum MDAC_TYP.EXE 4fbc272c79da59e38818924d8575accb0af776fb MDAC_TYP.EXE

$ du -sh MDAC_TYP.EXE 5.9M MDAC_TYP.EXE

$ wine --version wine-3.20

Regards