http://bugs.winehq.org/show_bug.cgi?id=21542
Summary: SOFTPUB_LoadCatalogMessage should use catalog members instead of file ones for retrieving msg data
Product: Wine
Version: 1.1.37
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wintrust
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Hello,
The recent wintrust refactoring patch series broke PowerShell 1.x/2.x installers by revealing a previously hidden bug...
--- snip ---
0036:Call wintrust.SoftpubInitialize(001e86f8) ret=7974e691
0036:trace:wintrust:SoftpubInitialize (0x1e86f8)
0036:trace:wintrust:SoftpubInitialize returning 00000000
0036:Ret wintrust.SoftpubInitialize() retval=00000000 ret=7974e691
0036:Call wintrust.SoftpubLoadMessage(001e86f8) ret=7974e691
0036:trace:wintrust:SoftpubLoadMessage (0x1e86f8)
0036:Call KERNEL32.CreateFileW(0033b53c L"C:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\KB968930xp.cat",80000000,00000001,00000000,00000003,00000080,00000000) ret=7974bf32
0036:Ret KERNEL32.CreateFileW() retval=0000007c ret=7974bf32
0036:Call crypt32.CryptSIPRetrieveSubjectGuid(0033b53c L"C:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\KB968930xp.cat",0000007c,001640dc) ret=7974bf70
...
0036:Call KERNEL32.GetFileSize(0000007c,00000000) ret=686fa459
0036:Ret KERNEL32.GetFileSize() retval=0000e8d2 ret=686fa459
...
0036:Ret crypt32.CryptSIPRetrieveSubjectGuid() retval=00000001 ret=7974bf70
...
0036:Call crypt32.CryptSIPLoad(001640dc,00000000,001ed4c0) ret=7974b4f9
...
0036:Ret crypt32.CryptSIPLoad() retval=00000001 ret=7974b4f9
0036:trace:wintrust:SOFTPUB_GetSIP returning 0
...
0036:Call wintrust.CryptSIPGetSignedDataMsg(001e8780,001e8730,00000000,0033b188,00000000) ret=686fb39a
0036:trace:wintrust:CryptSIPGetSignedDataMsg (0x1e8780 0x1e8730 0 0x33b188 (nil))
0036:trace:wintrust:WINTRUST_GetSignedMsgFromCatFile (0x1e8780 0x1e8730 0 0x33b188 (nil))
0036:Call KERNEL32.GetFileSize(0033b53c,00000000) ret=7974418b
0036:Ret KERNEL32.GetFileSize() retval=ffffffff ret=7974418b
0036:trace:wintrust:CryptSIPGetSignedDataMsg returning 1
0036:Ret wintrust.CryptSIPGetSignedDataMsg() retval=00000001 ret=686fb39a
0036:Call KERNEL32.GetProcessHeap() ret=7974e07e
0036:Ret KERNEL32.GetProcessHeap() retval=00110000 ret=7974e07e
0036:Call ntdll.RtlAllocateHeap(00110000,00000008,ffffffff) ret=7974e095
0036:Ret ntdll.RtlAllocateHeap() retval=00000000 ret=7974e095
0036:Call KERNEL32.CloseHandle(0000007c) ret=7974bfff
0036:Ret KERNEL32.CloseHandle() retval=00000001 ret=7974bfff
0036:trace:wintrust:SoftpubLoadMessage returning 1 (0000000e)
0036:Ret wintrust.SoftpubLoadMessage() retval=00000001 ret=7974e691
0036:trace:wintrust:WINTRUST_DefaultVerify returning 0000000e
0036:trace:wintrust:WINTRUST_DefaultClose ((nil), {00aac56b-cd44-11d0-8cc2-00c04fc295ee}, 0x33b4e8)
0036:Call wintrust.SoftpubCleanup(001e86f8) ret=7974eb81
...
--- snip ---
SoftpubLoadMessage -> (WTD_CHOICE_CATALOG) SOFTPUB_LoadCatalogMessage -> SOFTPUB_GetMessageFromFile
WINTRUST_GetSignedMsgFromCatFile -> GetFileSize() gets passed invalid file handle (stack garbage) -> following alloc fails and error is propagated to top ...
--- snip dlls/wintrust/softpub.c ---
static DWORD SOFTPUB_LoadCatalogMessage(CRYPT_PROVIDER_DATA *data)
{
    DWORD err;
    HANDLE catalog = INVALID_HANDLE_VALUE;

    if (!data->pWintrustData->u.pCatalog)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    catalog = CreateFileW(data->pWintrustData->u.pCatalog->pcwszCatalogFilePath,
     GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,
     NULL);
    if (catalog == INVALID_HANDLE_VALUE)
        return GetLastError();
    if (!CryptSIPRetrieveSubjectGuid(
     data->pWintrustData->u.pCatalog->pcwszCatalogFilePath, catalog,
     &data->u.pPDSip->gSubject))
    {
        err = GetLastError();
        goto error;
    }
    err = SOFTPUB_GetSIP(data);
    if (err)
        goto error;
    /* bug: reads the pFile union member although u.pCatalog is the live one */
    err = SOFTPUB_GetMessageFromFile(data, data->pWintrustData->u.pFile->hFile,
     data->pWintrustData->u.pFile->pcwszFilePath);
    if (err)
        goto error;
    ...
}
--- snip dlls/wintrust/softpub.c ---
This is a catalog-type file, hence the pFile members can't be used for SOFTPUB_GetMessageFromFile(); e.g.
"data->pWintrustData->u.pFile->hFile" and "data->pWintrustData->u.pFile->pcwszFilePath"
will be invalid upon entry.
You must use the "catalog" file handle and "data->pWintrustData->u.pCatalog->pcwszCatalogFilePath" for SOFTPUB_GetMessageFromFile(), just like you do with CryptSIPRetrieveSubjectGuid().
Regards
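Added example, not Wine code: a cut-down model in C of the union dispatch the fix needs, so the catalog case hands SOFTPUB_GetMessageFromFile the handle the caller opened plus the path from u.pCatalog, and the file case keeps using u.pFile. The struct layouts, the HANDLE typedef and select_message_source() are constructed for this example (a subset of the SDK fields), not the real headers.

```c
#include <stddef.h>
#include <wchar.h>

/* Simplified model of the Win32 WINTRUST_DATA union, constructed for this
   example (only the fields the bug involves are kept). */
#define WTD_CHOICE_FILE    1
#define WTD_CHOICE_CATALOG 2
typedef void *HANDLE;
#define INVALID_HANDLE_VALUE ((HANDLE)(size_t)-1)

typedef struct {
    unsigned long cbStruct; const wchar_t *pcwszFilePath; HANDLE hFile;
} WINTRUST_FILE_INFO;
typedef struct {
    unsigned long cbStruct, dwCatalogVersion;
    const wchar_t *pcwszCatalogFilePath, *pcwszMemberTag;
} WINTRUST_CATALOG_INFO;
typedef struct {
    unsigned long dwUnionChoice;                 /* which member is live */
    union { WINTRUST_FILE_INFO *pFile; WINTRUST_CATALOG_INFO *pCatalog; } u;
} WINTRUST_DATA;

/* The handle/path pair SOFTPUB_GetMessageFromFile needs. */
typedef struct { HANDLE hFile; const wchar_t *path; } MSG_SOURCE;

/* Take handle and path from the member dwUnionChoice marks as live. In the
   catalog case the handle is the one the caller opened on
   pcwszCatalogFilePath (the "catalog" local in SOFTPUB_LoadCatalogMessage);
   reading u.pFile->hFile instead pulls catalog-struct memory, which is how
   the trace ends up passing the path string pointer to GetFileSize. */
int select_message_source(const WINTRUST_DATA *data, HANDLE catalog,
                          MSG_SOURCE *out)
{
    switch (data->dwUnionChoice) {
    case WTD_CHOICE_FILE:
        if (!data->u.pFile || data->u.pFile->hFile == INVALID_HANDLE_VALUE)
            return 0;
        out->hFile = data->u.pFile->hFile;
        out->path  = data->u.pFile->pcwszFilePath;
        return 1;
    case WTD_CHOICE_CATALOG:
        if (!data->u.pCatalog || catalog == INVALID_HANDLE_VALUE)
            return 0;
        out->hFile = catalog;
        out->path  = data->u.pCatalog->pcwszCatalogFilePath;
        return 1;
    default:
        return 0;                    /* unknown choice: refuse, don't guess */
    }
}
```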