https://bugs.winehq.org/show_bug.cgi?id=38659
Bug ID: 38659 Summary: Windows Sysinternals Process Explorer v16.05 crashes on startup (registry SID profile data in 'ProfileList' must contain 'Flags' and 'ProfileImagePath' values) Product: Wine Version: 1.7.44 Hardware: x86 OS: Linux Status: NEW Severity: normal Priority: P2 Component: -unknown Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---
Hello folks,
I received a 'garbage' rated test report for Process Explorer 16.x appdb entry. The app worked in earlier versions (<16.x).
--- snip --- $ WINEDEBUG=+tid,+seh,+relay wine ./procexp.exe >>log.txt 2>&1 ... 0029:Call oleaut32.SysAllocString(004b0940 L"Software\Microsoft\Command Processor") ret=004060ea 0029:Ret oleaut32.SysAllocString() retval=0021de1c ret=004060ea 0029:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=0048fb78 0029:Ret ntdll.RtlAllocateHeap() retval=00217e40 ret=0048fb78 0029:Call oleaut32.SysAllocString(004afa48 L"\") ret=004036e8 0029:Ret oleaut32.SysAllocString() retval=00201c6c ret=004036e8 0029:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=0048fb78 0029:Ret ntdll.RtlAllocateHeap() retval=00217e58 ret=0048fb78 0029:Call oleaut32.SysAllocString(00000008) ret=004036e8 0029:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7dfcd8b5 ip=7dfcd8b5 tid=0029 0029:trace:seh:raise_exception info[0]=00000000 0029:trace:seh:raise_exception info[1]=00000008 0029:trace:seh:raise_exception eax=00000008 ebx=0078e7b0 ecx=0078e7b0 edx=00000004 esi=0078e7e0 edi=0078e7b4 0029:trace:seh:raise_exception ebp=0078e778 esp=0078e768 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210202 ... Unhandled exception: page fault on read access to 0x00000008 in 32-bit code (0x7dfcd8b5). ... Backtrace: =>0 0x7dfcd8b5 lstrlenW+0x15(str=*** invalid address 0x8 ***) [/home/focht/projects/wine/wine.repo/src/include/winbase.h:2597] in oleaut32 (0x0078e778) 1 0x7dfcdb81 SysAllocString+0x29(str=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/oleaut32/oleaut.c:232] in oleaut32 (0x0078e798) 2 0x7bc7bdce relay_call+0x39() in ntdll (0x0078e7c4) 3 0x7dfc86e1 in oleaut32 (+0x86e0) (0x0078e7fc) 4 0x004036e8 in procexp (+0x36e7) (0x0078e7fc) 5 0x004063f9 in procexp (+0x63f8) (0x0078e85c) 6 0x0040a77f in procexp (+0xa77e) (0x0078e91c) 7 0x0040a4c6 in procexp (+0xa4c5) (0x0078e96c) 8 0x0040aeea in procexp (+0xaee9) (0x0078e9b4) 9 0x0040458d in procexp (+0x458c) (0x0078e9d8) 10 0x00493c26 in procexp (+0x93c25) (0x0078ea10) 11 0x00493ccd in procexp (+0x93ccc) (0x0078ea18) ... 0x7dfcd8b5 lstrlenW+0x15 [/home/focht/projects/wine/wine.repo/src/include/winbase.h:2597] in oleaut32: movzwl 0x0(%eax),%eax 2597 while (*s) s++; Modules: Module Address Debug info Name (128 modules) PE 400000- 68a000 Export procexp ELF 470b0000-470ce000 Deferred libgcc_s.so.1 ... Threads: process tid prio (all id:s are in hex) ... 00000025 (D) Z:\home\focht\Downloads\procexp.exe 0000002b 0 00000029 0 <== 00000026 0 --- snip ---
Unfortunately the crash is a manifestation of a problem that happened much earlier. It can also be attributed to sloppy programming since it's the only location where this instance/data pointer is (de)referenced without prior validation.
--- snip --- ... 004063E4 A1 4CE44D00 MOV EAX,DWORD PTR DS:[4DE44C] ; NULL ptr 004063E9 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] 004063EC 83C0 08 ADD EAX,8 004063EF C645 FC 02 MOV BYTE PTR SS:[EBP-4],2 004063F3 50 PUSH EAX 004063F4 E8 97D2FFFF CALL procexp.00403690 ; *boom* --- snip ---
Putting a hardware watchpoint to that location for trapping r/w accesses didn't bring further insight - the crash is the first (read) access.
Now all references to that memory location have to be investigated.
--- snip --- 00403F80 MOV ECX,DWORD PTR DS:[4DE44C] ... 004041E4 MOV DWORD PTR DS:[4DE44C],EBX ... 00404429 MOV DWORD PTR DS:[4DE44C],ESI ... 004045B6 PUSH DWORD PTR DS:[4DE44C] ... 004063E4 MOV EAX,DWORD PTR DS:[4DE44C] ; crash, NULL ptr ... 0040EA6F MOV DWORD PTR DS:[4DE44C],EAX ... 0041C8DE MOV ECX,DWORD PTR DS:[4DE44C] --- snip ---
Breakpoints at all branches/parent call sites before a write (0x004041E4, 0x00404429, 0x0040EA6F).
Finally we arrive at this location:
--- snip --- ... 0040425A 33DB XOR EBX,EBX 0040425C 50 PUSH EAX 0040425D 53 PUSH EBX 0040425E FFB5 D4EBFFFF PUSH DWORD PTR SS:[EBP-142C] 00404264 899D D8EBFFFF MOV DWORD PTR SS:[EBP-1428],EBX 0040426A E8 91C20000 CALL procexp.00410500 ; retval = 0x103 0040426F 83C4 0C ADD ESP,0C 00404272 85C0 TEST EAX,EAX 00404274 0F85 20020000 JNZ procexp.0040449A 0040427A 8B3D ECF04A00 MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQueryValueExW>] ... 004042CF 50 PUSH EAX 004042D0 6A 00 PUSH 0 004042D2 6A 00 PUSH 0 004042D4 68 144A4B00 PUSH procexp.004B4A14 ; UNICODE "Flags" 004042D9 FFB5 BCEBFFFF PUSH DWORD PTR SS:[EBP-1444] 004042DF FFD7 CALL EDI ... 00404336 50 PUSH EAX 00404337 8D85 A8EBFFFF LEA EAX,DWORD PTR SS:[EBP-1458] 0040433D 50 PUSH EAX 0040433E 8D85 E0FBFFFF LEA EAX,DWORD PTR SS:[EBP-420] 00404344 50 PUSH EAX 00404345 53 PUSH EBX 00404346 6A 00 PUSH 0 00404348 FF15 BCF04A00 CALL DWORD PTR DS:[<&ADVAPI32.LookupAccountSidW>] ... 00404382 51 PUSH ECX 00404383 6A 00 PUSH 0 00404385 6A 00 PUSH 0 00404387 68 204A4B00 PUSH procexp.004B4A20 ; UNICODE "ProfileImagePath" 0040438C FFB5 BCEBFFFF PUSH DWORD PTR SS:[EBP-1444] 00404392 FFD7 CALL EDI ... 00404415 FFB5 E0EBFFFF PUSH DWORD PTR SS:[EBP-1420] ; pSID2 0040441B 53 PUSH EBX ; pSID1 0040441C FF15 84F04A00 CALL DWORD PTR DS:[<&ADVAPI32.EqualSid>] 00404422 85C0 TEST EAX,EAX 00404424 74 0B JE SHORT procexp.00404431 00404426 C606 01 MOV BYTE PTR DS:[ESI],1 00404429 8935 4CE44D00 MOV DWORD PTR DS:[4DE44C],ESI 0040442F EB 03 JMP SHORT procexp.00404434 ... --- snip ---
The trace log (with additional +ntdll,+reg):
--- snip --- ... 003e:Call advapi32.OpenProcessToken(ffffffff,00000008,0078d584) ret=00404059 003e:trace:ntdll:NtOpenProcessTokenEx (0xffffffff,0x00000008,0x00000000,0x78d584) 003e:Ret advapi32.OpenProcessToken() retval=00000001 ret=00404059 003e:Call advapi32.GetTokenInformation(0000008c,00000001,0078d5a4,00001000,0078d570) ret=00404088 003e:trace:ntdll:NtQueryInformationToken (0x8c,1,0x78d5a4,4096,0x78d570) 003e:Ret advapi32.GetTokenInformation() retval=00000001 ret=00404088 003e:Call KERNEL32.CloseHandle(0000008c) ret=004040b3 003e:Ret KERNEL32.CloseHandle() retval=00000001 ret=004040b3 003e:Call advapi32.LookupAccountNameW(00000000,004b4954 L"NT AUTHORITY",00000000,0078d57c,0078e7ac,0078d588,0078d578) ret=004040ea ... 003e:Ret advapi32.LookupAccountNameW() retval=00000000 ret=004040ea 003e:Call ntdll.RtlAllocateHeap(00110000,00000000,00000001) ret=0048fb78 003e:Ret ntdll.RtlAllocateHeap() retval=00201e10 ret=0048fb78 003e:Call advapi32.LookupAccountNameW(00000000,004b0550 L"System",00201e10,0078d57c,0078e7ac,0078d588,0078d578) ret=00404124 003e:Ret advapi32.LookupAccountNameW() retval=00000000 ret=00404124 ... 003e:Call ntdll.NtOpenKey(0078d598,00020019,0078d4fc) ret=004065a3 003e:trace:reg:NtOpenKey ((nil),L"\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\ProfileList",20019,0x78d598) 003e:trace:reg:NtOpenKey <- 0x8c 003e:Ret ntdll.NtOpenKey() retval=00000000 ret=004065a3 003e:Call ntdll.RtlNtStatusToDosError(00000000) ret=004065aa 003e:Ret ntdll.RtlNtStatusToDosError() retval=00000000 ret=004065aa 003e:Call KERNEL32.InterlockedDecrement(00201e48) ret=0040661d 003e:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=0040661d 003e:Call oleaut32.SysFreeString(00201e5c L"Software\Microsoft\Windows NT\CurrentVersion\ProfileList") ret=0040662e 003e:Ret oleaut32.SysFreeString() retval=00000000 ret=0040662e 003e:Call ntdll.RtlFreeHeap(00110000,00000000,00201e40) ret=0048fb11 003e:Ret ntdll.RtlFreeHeap() retval=00000001 ret=0048fb11 003e:Call KERNEL32.InterlockedDecrement(00205270) ret=00406664 003e:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=00406664 003e:Call oleaut32.SysFreeString(00205284 L"\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\ProfileList") ret=00406675 003e:Ret oleaut32.SysFreeString() retval=00000000 ret=00406675 003e:Call ntdll.RtlFreeHeap(00110000,00000000,00205268) ret=0048fb11 003e:Ret ntdll.RtlFreeHeap() retval=00000001 ret=0048fb11 003e:Call advapi32.RegQueryInfoKeyW(0000008c,00000000,00000000,00000000,00000000,0078d544,00000000,00000000,00000000,00000000,00000000,00000000) ret=0041052c 003e:trace:reg:RegQueryInfoKeyW (0x8c,(nil),0,(nil),(nil),0x78d544,(nil),(nil),(nil),(nil),(nil)) 003e:Ret advapi32.RegQueryInfoKeyW() retval=00000000 ret=0041052c 003e:Call ntdll.RtlReAllocateHeap(00110000,00000000,00201bc0,00000004) ret=0048fc04 003e:Ret ntdll.RtlReAllocateHeap() retval=00201bc0 ret=0048fc04 003e:Call advapi32.RegEnumKeyW(0000008c,00000000,00201bc0,00000001) ret=0041056a 003e:trace:reg:RegEnumKeyExW (0x8c,0,0x201bc0,0x78d4fc(1),(nil),(nil),(nil),(nil)) 003e:Ret advapi32.RegEnumKeyW() retval=00000103 ret=0041056a 003e:Call advapi32.RegCloseKey(0000008c) ret=004044a6 003e:Ret advapi32.RegCloseKey() retval=00000000 ret=004044a6 ... --- snip ---
Wine's 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' doesn't have any profile subkeys (bug 15670) hence the enumeration fails and the active profile data can't be retrieved/set.
Technet blog entry:
http://blogs.technet.com/b/heyscriptingguy/archive/2005/06/03/hey-scripting-...
This app requires 'Flags' and 'ProfileImagePath' values to be present below the profile key.
Yes, there is bug 15670 (.NET applications that make use of System.IO.IsolatedStorage crash (missing "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList<UserSID>" registry subkey) but I decided to make this a separate bug since all those apps listed only require the profile SID subkey to exist.
$ sha1sum ProcessExplorer.zip 521c2a2962eaadd572bcd09f2bca182803420198 ProcessExplorer.zip
$ du -sh ProcessExplorer.zip 1.1M ProcessExplorer.zip
$ wine --version wine-1.7.44
Regards