https://bugs.winehq.org/show_bug.cgi?id=46251
Bug ID: 46251
Summary: some (all?) crinkler compressed executables crash because they parse in-memory DLL export tables
Product: Wine
Version: 3.21
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: kernel32
Assignee: wine-bugs@winehq.org
Reporter: p2@psychaos.be
Distribution: ---
Created attachment 62950
--> https://bugs.winehq.org/attachment.cgi?id=62950
crash dump and disassembly of decompressor and symbol resolver
Some crinkler compressed executables crash when building the imported symbol table. The routine which does this relies on parsing the in-memory copy of KERNEL32.DLL first to retrieve the address for LoadModuleA. This is later used to load other DLLs. Symbol name matching is done using a hash function. The executable only stores the hashes of the symbols it wants to import. For each symbol hash in the executable, the symbol resolver routine iterates over all exported symbol names of the DLL and stores the symbol address if the hashes match. The symbol resolver routine crashes because it seems the in-memory copy of KERNEL32.DLL does not have an exported symbol names table.
Attached:
winhello_asm.txt: the crash dump and a disassembly of both the decompressor and the symbol resolver.
winhello.zip: source code for the trivial program, obj file, normally linked executable (winhello.exe), crinkler linked executable (winhello_cr.exe) and the msvcrt.lib as recommended by the crinkler manual. Toolchain used was VS2013 community edition.
crinkler can be found here: http://crinkler.net/
--- Comment #1 from Peter De Schrijver p2@psychaos.be ---
Created attachment 62951
--> https://bugs.winehq.org/attachment.cgi?id=62951
source code and various toolchain output files
Peter De Schrijver p2@psychaos.be changed:
What                          |Removed |Added
------------------------------+--------+------
Attachment #62950 is obsolete |0       |1

--- Comment #2 from Peter De Schrijver p2@psychaos.be ---
Created attachment 62953
--> https://bugs.winehq.org/attachment.cgi?id=62953
slightly improved disassembly comments to 6290
--- Comment #3 from Peter De Schrijver p2@psychaos.be --- Apparently the symbol resolver routine expects to find KERNEL32.DLL as the second DLL in the chain. However on wine, it is the third. The following command sequence in wine-gdb makes the program work:
HOME\p2@sunshine:~/projects/winhello$ winedbg --gdb winhello_cr.exe
Wine-gdb> break *0x0004000d3
Breakpoint 1 at 0x4000d3
Wine-gdb> c
Continuing.
Warning: not running or target is remote

Breakpoint 1, 0x004000d3 in ?? ()
Wine-gdb> stepi
Warning: not running or target is remote
0x00420000 in ?? ()
Wine-gdb> break *0x000000000042001a
Breakpoint 2 at 0x42001a
Wine-gdb> c
Continuing.
Warning: not running or target is remote

Breakpoint 2, 0x0042001a in ?? ()
Wine-gdb> set $eax=*$eax
Wine-gdb> c
Continuing.
0048:0049: loads DLL @0x7e930000 (0<0>)
0048:0049: loads DLL @0x7e9b0000 (0<0>)
0048:0049: loads DLL @0x7ed10000 (0<0>)
0048:0049: loads DLL @0x7eae0000 (0<0>)
0048:0049: loads DLL @0x7e900000 (0<0>)
0048:0049: loads DLL @0x7e860000 (0<0>)
0048:0049: loads DLL @0x7e7c0000 (0<0>)
00000048:00000049: exit process (0)
[Inferior 1 (Remote target) exited normally]
Warning: not running or target is remote
Wine-gdb>
Peter De Schrijver p2@psychaos.be changed:
What    |Removed                                                                                        |Added
--------+-----------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------
Summary |some (all?) crinkler compressed executables crash because they parse in-memory DLL export tables |some (all?) crinkler compressed executables crash because they expect KERNEL32.DLL as the second library when following PEB32->LdrData->InLoadOrderModuleList
Fabian Maurer dark.shadow4@web.de changed:
What           |Removed     |Added
---------------+------------+--------------------
Status         |UNCONFIRMED |NEW
Keywords       |            |download
CC             |            |dark.shadow4@web.de
Ever confirmed |0           |1
--- Comment #4 from Fabian Maurer dark.shadow4@web.de --- Also note that this only appears on wine-staging, vanilla wine refuses to run the program with "Bad EXE format".
--- Comment #5 from Fabian Maurer dark.shadow4@web.de --- I assume ntdll is the first, what is the second on WINE?
--- Comment #6 from Peter De Schrijver p2@psychaos.be --- WoW64 apparently
--- Comment #7 from Peter De Schrijver p2@psychaos.be --- wow64cpu it seems:
Warning: not running or target is remote
0x00420016 in ?? ()
1: $eip = (void (*)()) 0x420016
2: $eax = 0x110bd0
3: *($eax + 0x18) = 0x400000 # winhello_cr
Wine-gdb>
Warning: not running or target is remote
0x00420018 in ?? ()
1: $eip = (void (*)()) 0x420018
2: $eax = 0x1104e8
3: *($eax + 0x18) = 0x7bc40000 # ntdll
Wine-gdb>
Warning: not running or target is remote
0x0042001a in ?? ()
1: $eip = (void (*)()) 0x42001a
2: $eax = 0x110628
3: *($eax + 0x18) = 0x7eff0000 # wow64cpu
Wine-gdb>
according to
Wine-dbg>info share
Module   Address            Debug info  Name (18 modules)
PE         400000- 682b6eb  Deferred    winhello_cr
ELF      7b400000-7b7fb000  Dwarf       kernel32<elf>
  -PE    7b420000-7b7fb000  \           kernel32
ELF      7bc00000-7bd3b000  Deferred    ntdll<elf>
  -PE    7bc40000-7bd3b000  \           ntdll
ELF      7c000000-7c005000  Deferred    <wine-loader>
ELF      7eccd000-7ece8000  Deferred    libnsl.so.1
ELF      7eec0000-7efc3000  Deferred    libm.so.6
ELF      7efc8000-7efdc000  Deferred    libnss_files.so.2
ELF      7efdc000-7efea000  Deferred    libnss_nis.so.2
ELF      7efea000-7f000000  Deferred    wow64cpu<elf>
  -PE    7eff0000-7f000000  \           wow64cpu
ELF      f7abf000-f7ac5000  Deferred    libdl.so.2
ELF      f7ac5000-f7c9f000  Deferred    libc.so.6
ELF      f7c9f000-f7cbf000  Deferred    libpthread.so.0
ELF      f7cf1000-f7cfb000  Deferred    libnss_compat.so.2
ELF      f7cfc000-f7ed2000  Dwarf       libwine.so.1
ELF      f7ed4000-f7efd000  Deferred    ld-linux.so.2
so
--- Comment #8 from Peter De Schrijver p2@psychaos.be --- nicer trace:
0x00420013 in ?? ()
1: x/i $eip
=> 0x420013: mov eax,DWORD PTR [eax+0xc]
2: $eax = 0x7bd3a480
3: *($eax + 0xc) = 0x110bd0
4: *($eax + 0x18) = 0x110728
Wine-gdb>
Warning: not running or target is remote
0x00420016 in ?? ()
1: x/i $eip
=> 0x420016: mov eax,DWORD PTR [eax]
2: $eax = 0x110bd0
3: *($eax + 0xc) = 0x7bd3a494
4: *($eax + 0x18) = 0x400000
Wine-gdb>
Warning: not running or target is remote
0x00420018 in ?? ()
1: x/i $eip
=> 0x420018: mov eax,DWORD PTR [eax]
2: $eax = 0x1104e8
3: *($eax + 0xc) = 0x110bd8
4: *($eax + 0x18) = 0x7bc40000
Wine-gdb>
Warning: not running or target is remote
0x0042001a in ?? ()
1: x/i $eip
=> 0x42001a: mov ebp,DWORD PTR [eax+0x18]
2: $eax = 0x110628
3: *($eax + 0xc) = 0x1104f0
4: *($eax + 0x18) = 0x7eff0000
Wine-gdb>
Warning: not running or target is remote
0x0042001d in ?? ()
1: x/i $eip
=> 0x42001d: test ebp,ebp
2: $eax = 0x110628
3: *($eax + 0xc) = 0x1104f0
4: *($eax + 0x18) = 0x7eff0000
Wine-gdb>
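The walk that the trace above steps through, reproduced as a simulation over a constructed 32-bit memory image. This is an added example, not code from the bug report, from crinkler or from Wine. It uses the documented field offsets the trace dereferences (Ldr at PEB32+0xc, InLoadOrderModuleList at PEB_LDR_DATA+0xc, DllBase at LDR_DATA_TABLE_ENTRY+0x18) plus BaseDllName at entry+0x2c, which is assumed from the documented 32-bit layout. The Wine-staging load order (exe, ntdll, wow64cpu, kernel32) and the module bases are taken from the trace and the "info share" output in the comments; the Windows order (exe, ntdll, kernel32) is a simplified, constructed model. The point it shows is that a resolver which takes the third list entry gets wow64cpu's base on the Wine-staging list, while a resolver that matches BaseDllName finds kernel32 on either list.

```python
"""Simulated PEB32->Ldr->InLoadOrderModuleList walk (added example, constructed data)."""
import struct

# Field offsets of the documented 32-bit structures; the first three are the ones
# the trace on the page dereferences ([eax+0xc], [eax], [eax+0x18]).
PEB_LDR = 0x0C                 # PEB32.Ldr -> PEB_LDR_DATA
LDR_IN_LOAD_ORDER_LIST = 0x0C  # PEB_LDR_DATA.InLoadOrderModuleList (LIST_ENTRY head)
ENTRY_DLL_BASE = 0x18          # LDR_DATA_TABLE_ENTRY.DllBase
ENTRY_BASE_DLL_NAME = 0x2C     # LDR_DATA_TABLE_ENTRY.BaseDllName (UNICODE_STRING), assumed layout
ENTRY_SIZE = 0x40              # room for the fields modelled here (constructed)

# Load orders built from the trace and "info share" output; bases are the ones printed
# there.  The Windows order is a simplified, constructed model.
WINE_STAGING_ORDER = [("winhello_cr.exe", 0x400000), ("ntdll.dll", 0x7bc40000),
                      ("wow64cpu.dll", 0x7eff0000), ("KERNEL32.DLL", 0x7b420000)]
WINDOWS_ORDER = [("winhello_cr.exe", 0x400000), ("ntdll.dll", 0x7bc40000),
                 ("KERNEL32.DLL", 0x7b420000)]


class FakeProcess:
    """A flat little-endian 32-bit memory image with a bump allocator."""

    def __init__(self, size=0x4000):
        self.mem = bytearray(size)
        self.next_free = 0x100

    def alloc(self, n):
        addr = self.next_free
        self.next_free += (n + 7) & ~7
        return addr

    def u32(self, addr):
        return struct.unpack_from("<I", self.mem, addr)[0]

    def write_u32(self, addr, value):
        struct.pack_into("<I", self.mem, addr, value)


def build_process(modules):
    """Lay out a PEB, a PEB_LDR_DATA and one LDR_DATA_TABLE_ENTRY per module,
    linked into a circular InLoadOrderModuleList.  Returns (process, peb_address)."""
    proc = FakeProcess()
    peb = proc.alloc(0x40)
    ldr = proc.alloc(0x30)
    proc.write_u32(peb + PEB_LDR, ldr)
    head = ldr + LDR_IN_LOAD_ORDER_LIST
    entries = []
    for name, base in modules:
        entry = proc.alloc(ENTRY_SIZE)
        wide = name.encode("utf-16-le")
        buf = proc.alloc(len(wide) + 2)            # NUL-terminated UTF-16 name
        proc.mem[buf:buf + len(wide)] = wide
        proc.write_u32(entry + ENTRY_DLL_BASE, base)
        struct.pack_into("<HHI", proc.mem, entry + ENTRY_BASE_DLL_NAME,
                         len(wide), len(wide) + 2, buf)   # Length, MaximumLength, Buffer
        entries.append(entry)
    nodes = [head] + entries
    for i, node in enumerate(nodes):               # LIST_ENTRY: Flink at +0, Blink at +4
        proc.write_u32(node, nodes[(i + 1) % len(nodes)])
        proc.write_u32(node + 4, nodes[(i - 1) % len(nodes)])
    return proc, peb


def third_entry_base(proc, peb):
    """The fixed walk from the trace: exe -> ntdll -> whatever comes next, assumed
    to be kernel32.  This is the assumption the bug is about."""
    ldr = proc.u32(peb + PEB_LDR)
    entry = proc.u32(ldr + LDR_IN_LOAD_ORDER_LIST)  # mov eax,[eax+0xc]  : first entry (exe)
    entry = proc.u32(entry)                         # mov eax,[eax]      : second entry (ntdll)
    entry = proc.u32(entry)                         # mov eax,[eax]      : third entry
    return proc.u32(entry + ENTRY_DLL_BASE)         # mov ebp,[eax+0x18] : DllBase


def find_module_base(proc, peb, wanted):
    """Walk the whole list and match BaseDllName case-insensitively; returns the
    DllBase or None.  Independent of where the loader placed the module."""
    ldr = proc.u32(peb + PEB_LDR)
    head = ldr + LDR_IN_LOAD_ORDER_LIST
    entry = proc.u32(head)
    while entry != head:
        length, _maxlen, buf = struct.unpack_from("<HHI", proc.mem, entry + ENTRY_BASE_DLL_NAME)
        name = bytes(proc.mem[buf:buf + length]).decode("utf-16-le")
        if name.lower() == wanted.lower():
            return proc.u32(entry + ENTRY_DLL_BASE)
        entry = proc.u32(entry)
    return None


def compare_walks(modules):
    """Return (fixed-walk result, name-lookup result) for one load order."""
    proc, peb = build_process(modules)
    return third_entry_base(proc, peb), find_module_base(proc, peb, "kernel32.dll")


if __name__ == "__main__":
    for label, order in (("Windows", WINDOWS_ORDER), ("Wine-staging", WINE_STAGING_ORDER)):
        fixed, by_name = compare_walks(order)
        print(f"{label:13s} third entry = {fixed:#010x}  kernel32 by name = {by_name:#010x}")
```

Running the script prints the two walks side by side: on the constructed Windows order both return 0x7b420000, on the Wine-staging order the fixed walk returns 0x7eff0000 (wow64cpu) while the name lookup still returns 0x7b420000. Wine-staging's fix removes wow64cpu from the 32-bit list; a resolver that matches the name instead of the position would not have depended on that.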
Andrew Wesie awesie@gmail.com changed:
What |Removed |Added
-----+--------+-----------------
CC   |        |awesie@gmail.com
--- Comment #9 from Andrew Wesie awesie@gmail.com --- Looking at the behavior on Windows, wow64cpu should not be in the PEB32 ldr module list. It is, however, in the PEB (64-bit) ldr module list. As such, Wine should probably always exclude wow64cpu from the PEB loader module lists since Wine does not attempt to accurately emulate a WoW64 environment.
Zebediah Figura z.figura12@gmail.com changed:
What      |Removed  |Added
----------+---------+--------------------------------------------------
Product   |Wine     |Wine-staging
Component |kernel32 |-unknown
CC        |         |leslie_alistair@hotmail.com, z.figura12@gmail.com
Zebediah Figura z.figura12@gmail.com changed:
What            |Removed |Added
----------------+--------+-----------------------------------------
Fixed by SHA1   |        |e45211698de5a89c862a5bf160e9e4024c5ce897
Regression SHA1 |        |2c7a6626556618ac2f1a84d9e56b58748af386ad
Status          |NEW     |RESOLVED
Resolution      |---     |FIXED
Keywords        |        |regression
--- Comment #10 from Zebediah Figura z.figura12@gmail.com --- (In reply to Andrew Wesie from comment #9)
> Looking at the behavior on Windows, wow64cpu should not be in the PEB32 ldr module list. It is, however, in the PEB (64-bit) ldr module list. As such, Wine should probably always exclude wow64cpu from the PEB loader module lists since Wine does not attempt to accurately emulate a WoW64 environment.
Thanks. This should be fixed by https://github.com/wine-staging/wine-staging/commit/e45211698de5a89c862a5bf1..., then.
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What   |Removed  |Added
-------+---------+-------
Status |RESOLVED |CLOSED
--- Comment #11 from Alistair Leslie-Hughes leslie_alistair@hotmail.com --- Closing Fixed Staging bugs.