http://bugs.winehq.org/show_bug.cgi?id=27033
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |Installer
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht@gmx.net
          Component|-unknown                    |setupapi
     Ever Confirmed|0                           |1

--- Comment #2 from Anastasius Focht focht@gmx.net 2011-05-14 14:20:48 CDT ---
Hello,
the installer creates and tries to start "ftusbsrvc" service which crashes. To reproduce without messing the whole WINEPREFIX, set the "Start" DWORD value of the service from "2" to "3" (manual start).
HKLM\System\CurrentControlSet\Services\ftusbsrvc
WINEDEBUG=+tid,+seh,+loaddll,+process,+setupapi wine net start ftusbsrvc
--- snip ---
...
The USB over Network (Client) service service is starting.
0015:trace:process:create_process_impl app (null) cmdline L"C:\windows\system32\ftusbsrvc.exe"
...
0015:trace:process:create_process_impl starting L"C:\windows\system32\ftusbsrvc.exe" as Win32 binary (0x400000-0x590000)
...
0015:trace:process:create_process_impl started process pid 0021 tid 0022
...
0022:trace:setupapi:SetupDiGetClassDevsExW {a93d7ea5-df4c-4f5b-91cf-4ded03ca862d} (null) (nil) 0x00000012 (nil) (null) (nil)
0022:warn:setupapi:SetupDiGetClassDevsExW unsupported flags 00000002
0022:trace:setupapi:SetupDiCreateDeviceInfoListExW {a93d7ea5-df4c-4f5b-91cf-4ded03ca862d} (nil) (null) (nil)
0022:trace:setupapi:SETUPDI_EnumerateInterfaces 0x12f628, {a93d7ea5-df4c-4f5b-91cf-4ded03ca862d}, (null), 00000012
0022:trace:setupapi:SetupDiEnumDeviceInterfaces 0x12f628, (nil), {a93d7ea5-df4c-4f5b-91cf-4ded03ca862d}, 0, 0x33f724
0022:trace:setupapi:SetupDiGetDeviceInterfaceDetailW (0x12f628, 0x33f724, (nil), 0, 0x33f710, (nil))
0022:trace:seh:raise_exception code=c0000005 flags=0 addr=0x687cbcb1 ip=687cbcb1 tid=0022
0022:trace:seh:raise_exception info[0]=00000000
0022:trace:seh:raise_exception info[1]=45455246
0022:trace:seh:raise_exception eax=45455246 ebx=68802ff4 ecx=00000000 edx=7bcc35a8 esi=0012f628 edi=0033f774
0022:trace:seh:raise_exception ebp=0033f66c esp=0033f65c cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00210206
...
wine: Unhandled page fault on read access to 0x45455246 at address 0x687cbcb1 (thread 0022), starting debugger...
...
Backtrace:
=>0 0x687cbcb1 lstrlenW+0x15(str=*** invalid address 0x45455246 ***) [/opt/projects/wine/wine-git/include/winbase.h:2268] in setupapi (0x0033f66c)
  1 0x687d2b80 SetupDiGetDeviceInterfaceDetailW+0x179(DeviceInfoSet=0x12f628, DeviceInterfaceData=0x33f724, DeviceInterfaceDetailData=(nil), DeviceInterfaceDetailDataSize=0, RequiredSize=0x33f710, DeviceInfoData=(nil)) [/opt/projects/wine/wine-git/dlls/setupapi/devinst.c:3039] in setupapi (0x0033f6dc)
  2 0x0040afa8 in ftusbsrvc (+0xafa7) (0x687d2621)
0x687cbcb1 lstrlenW+0x15 [/opt/projects/wine/wine-git/include/winbase.h:2268] in setupapi: movzwl 0x0(%eax),%eax
2268        while (*s) s++;
--- snip ---
The problem arises due to bad application code.
Maybe the app developers need to drink more beer to improve code quality (see bug 27162 for possible fix).
The following app code illustrates the problem (I added comments for better understanding):
--- snip ---
...
mov     edx, [edi+44h]
lea     ecx, [esp+28h]
push    ecx             ; PSP_DEVICE_INTERFACE_DATA
push    0
push    ebx
push    0
push    esi
mov     dword ptr [esp+3Ch], 1Ch ; sizeof(SP_DEVICE_INTERFACE_DATA)
call    edx             ; setupapi.SetupDiEnumDeviceInterfaces()
test    eax, eax
jnz     short label1
call    ds:GetLastError ; lack of alcohol caused this
label1:
mov     edx, [edi+48h]
push    0               ; PSP_DEVINFO_DATA DeviceInfoData
lea     eax, [esp+18h]
push    eax             ; PDWORD RequiredSize
push    0
push    0               ; PSP_DEVICE_INTERFACE_DETAIL_DATA_W DeviceInterfaceDetailData
lea     ecx, [esp+38h]
push    ecx             ; PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData
push    esi             ; HDEVINFO DeviceInfoSet
call    edx             ; setupapi.SetupDiGetDeviceInterfaceDetailW()
test    eax, eax
jz      short label2
...
--- snip ---
The app simply ignores any setupapi.SetupDiEnumDeviceInterfaces() error condition and proceeds with setupapi.SetupDiGetDeviceInterfaceDetailW().
Wine accesses the "DeviceInterfaceData->Reserved" member which just points to an uninitialized (stack) area, leading to a crash.
--- snip dlls/setupapi/devinst.c ---
BOOL WINAPI SetupDiGetDeviceInterfaceDetailW(
        HDEVINFO DeviceInfoSet,
        PSP_DEVICE_INTERFACE_DATA DeviceInterfaceData,
        PSP_DEVICE_INTERFACE_DETAIL_DATA_W DeviceInterfaceDetailData,
        DWORD DeviceInterfaceDetailDataSize,
        PDWORD RequiredSize,
        PSP_DEVINFO_DATA DeviceInfoData)
{
    ...
    info = (struct InterfaceInfo *)DeviceInterfaceData->Reserved;
    if (info->symbolicLink)
        bytesNeeded += sizeof(WCHAR)*lstrlenW(info->symbolicLink);
    ...
--- snip dlls/setupapi/devinst.c ---
Because most applications will call SetupDiEnumDeviceInterfaces() (in a loop) before SetupDiGetDeviceInterfaceDetail() I suggest you zero/reset the "DeviceInterfaceData->Reserved" field member if no enumerated interface was found to work around stupid application code like this. I already tested this and it prevents the service crash. Though the installer still fails due to another (msi) bug.
$ sha1sum usb-over-network-client.msi
a580cee5660348a80892ed008954345dddb4e3cb  usb-over-network-client.msi

$ wine --version
wine-1.3.20
Regards
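
A model of the failure and of the suggested reset, as an added example that is not part of the original comment and is not Wine's code. The types "iface_info", "iface_data" and "dev_set" and the three functions are simplified, hypothetical stand-ins for the setupapi structures and calls, and the zero-"Reserved" check in the detail function is an assumption of this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the setupapi types (constructed for this example). */
struct iface_info { const char *symbolic_link; };
struct iface_data { uint32_t cbSize; uintptr_t Reserved; /* -> iface_info */ };
struct dev_set { struct iface_info *ifaces; size_t count; };

/* Enumeration: a failed lookup resets Reserved so no stale value survives. */
int enum_interface(const struct dev_set *set, size_t index, struct iface_data *out)
{
    if (!set || !out || out->cbSize != sizeof(*out))
        return 0;
    if (index >= set->count) {
        out->Reserved = 0;   /* the reset the bug comment suggests */
        return 0;            /* no more items */
    }
    out->Reserved = (uintptr_t)&set->ifaces[index];
    return 1;
}

/* Detail query: a zero Reserved is rejected instead of dereferenced (assumed). */
int get_interface_detail(const struct iface_data *data, size_t *required)
{
    const struct iface_info *info;
    if (!data || !required || data->cbSize != sizeof(*data) || !data->Reserved)
        return 0;
    info = (const struct iface_info *)data->Reserved;
    *required = info->symbolic_link ? strlen(info->symbolic_link) + 1 : 1;
    return 1;
}

/* The application's call pattern: the enumeration result is ignored. */
int careless_caller(const struct dev_set *set, size_t index, size_t *required)
{
    struct iface_data data;
    memset(&data, 0x46, sizeof(data));        /* simulate stale stack contents */
    data.cbSize = sizeof(data);
    (void)enum_interface(set, index, &data);  /* error ignored, as in the app */
    return get_interface_detail(&data, required);
}

int main(void)
{
    struct iface_info infos[] = { { "demo-link" } };  /* constructed sample */
    struct dev_set set = { infos, 1 };
    size_t need = 0;
    return careless_caller(&set, 1, &need);  /* 0: bad index rejected, no fault */
}
```

Without the reset in "enum_interface", the 0x46 fill would reach the detail function as a non-zero "Reserved" and be dereferenced, which is the crash pattern in the backtrace.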