https://bugs.winehq.org/show_bug.cgi?id=44927
Bug ID: 44927
Summary: StarForce v3 kernel driver 'sfdrv01' causes 'winedevice' hosting process to crash due to relocation entry crossing page boundary
Product: Wine
Version: 3.5
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: programs
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says.
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+ntdll,+module,+virtual,+winedevice wine notepad >>log.txt 2>&1
...
0026:trace:winedevice:load_driver loading driver L"System32\drivers\sfdrv01.sys"
0026:Call KERNEL32.LoadLibraryW(0011cc98 L"System32\drivers\sfdrv01.sys") ret=7effa9de
...
0026:trace:module:load_native_dll Trying native dll L"C:\windows\System32\drivers\sfdrv01.sys"
0026:trace:virtual:map_view got mem in reserved area 0x780000-0x791000
0026:trace:module:map_image mapped PE file at 0x780000-0x791000
0026:trace:module:map_image mapping section .text at 0x781000 off 400 size 1e00 virt 1d5a flags 68000020
0026:trace:module:map_image clearing 0x782e00 - 0x783000
0026:trace:module:map_image mapping section .rdata at 0x783000 off 2200 size 600 virt 421 flags 48000040
0026:trace:module:map_image clearing 0x783600 - 0x784000
0026:trace:module:map_image mapping section .data at 0x784000 off 2800 size 400 virt 1420 flags c8000040
0026:trace:module:map_image clearing 0x784400 - 0x785000
0026:trace:module:map_image mapping section PAGE at 0x786000 off 2c00 size 6e00 virt 6d7e flags 60000020
0026:trace:module:map_image clearing 0x78ce00 - 0x78d000
0026:trace:module:map_image mapping section INIT at 0x78d000 off 9a00 size 1200 virt 101a flags e2000020
0026:trace:module:map_image clearing 0x78e200 - 0x78f000
0026:trace:module:map_image mapping section .rsrc at 0x78f000 off ac00 size 400 virt 3f0 flags 42000040
0026:trace:module:map_image clearing 0x78f400 - 0x790000
0026:trace:module:map_image mapping section .reloc at 0x790000 off b000 size a00 virt 9fc flags 42000040
0026:trace:module:map_image clearing 0x790a00 - 0x791000
0026:trace:virtual:VIRTUAL_DumpView View: 0x780000 - 0x790fff (image)
0026:trace:virtual:VIRTUAL_DumpView 0x780000 - 0x780fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x781000 - 0x782fff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x783000 - 0x783fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x784000 - 0x785fff c-rW-
0026:trace:virtual:VIRTUAL_DumpView 0x786000 - 0x78cfff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x78d000 - 0x78efff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x78f000 - 0x790fff c-r--
...
0026:Ret KERNEL32.LoadLibraryW() retval=00780000 ret=7effa9de
0026:Call ntoskrnl.exe.RtlImageNtHeader(00780000) ret=7effa9ff
0026:Call ntdll.RtlImageNtHeader(00780000) ret=7bc7f49b
0026:Ret ntdll.RtlImageNtHeader() retval=007800d8 ret=7bc7f49b
0026:Ret ntoskrnl.exe.RtlImageNtHeader() retval=007800d8 ret=7effa9ff
0026:Call ntoskrnl.exe.NtQuerySystemInformation(00000000,0065f9c4,0000002c,00000000) ret=7effaa32
0026:Call ntdll.NtQuerySystemInformation(00000000,0065f9c4,0000002c,00000000) ret=7bc7f49b
0026:trace:ntdll:NtQuerySystemInformation (0x00000000,0x65f9c4,0x0000002c,(nil))
0026:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7bc7f49b
0026:Ret ntoskrnl.exe.NtQuerySystemInformation() retval=00000000 ret=7effaa32
0026:Call ntoskrnl.exe.RtlImageDirectoryEntryToData(00780000,00000001,00000005,0065f9c0) ret=7effaa66
0026:Call ntdll.RtlImageDirectoryEntryToData(00780000,00000001,00000005,0065f9c0) ret=7bc7f49b
0026:Ret ntdll.RtlImageDirectoryEntryToData() retval=00790000 ret=7bc7f49b
0026:Ret ntoskrnl.exe.RtlImageDirectoryEntryToData() retval=00790000 ret=7effaa66
0026:trace:winedevice:load_driver_module L"System32\drivers\sfdrv01.sys": relocating from 0x10000 to 0x780000
0026:Call KERNEL32.VirtualProtect(00781000,00001000,00000040,0065f9bc) ret=7effaafa
0026:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x781000 00001000 00000040
0026:trace:virtual:VIRTUAL_DumpView View: 0x780000 - 0x790fff (image)
0026:trace:virtual:VIRTUAL_DumpView 0x780000 - 0x780fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x781000 - 0x781fff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x782000 - 0x782fff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x783000 - 0x783fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x784000 - 0x785fff c-rW-
0026:trace:virtual:VIRTUAL_DumpView 0x786000 - 0x78cfff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x78d000 - 0x78efff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x78f000 - 0x790fff c-r--
0026:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effaafa
...
0026:Call ntdll.LdrProcessRelocationBlock(00781000,00000082,00790008,00770000) ret=7effab18
...
0026:Ret ntdll.LdrProcessRelocationBlock() retval=0079010c ret=7effab18
...
0026:Call KERNEL32.VirtualProtect(00788000,00001000,00000040,0065f9bc) ret=7effaafa
0026:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x788000 00001000 00000040
0026:trace:virtual:VIRTUAL_DumpView View: 0x780000 - 0x790fff (image)
0026:trace:virtual:VIRTUAL_DumpView 0x780000 - 0x780fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x781000 - 0x782fff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x783000 - 0x783fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x784000 - 0x785fff c-rW-
0026:trace:virtual:VIRTUAL_DumpView 0x786000 - 0x787fff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x788000 - 0x788fff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x789000 - 0x78cfff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x78d000 - 0x78efff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x78f000 - 0x790fff c-r--
0026:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effaafa
0026:Call ntdll.LdrProcessRelocationBlock(00788000,00000028,00790388,00770000) ret=7effab18
...
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc6a3aa ip=7bc6a3aa tid=0026
0026:trace:seh:raise_exception info[0]=00000001
0026:trace:seh:raise_exception info[1]=00789000
0026:trace:seh:raise_exception eax=00788ffe ebx=0065f920 ecx=0001302c edx=0078302c esi=0065f970 edi=0065f930
0026:trace:seh:raise_exception ebp=0065f908 esp=0065f8e0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0026:trace:seh:call_vectored_handlers calling handler at 0x7ec122b1 code=c0000005 flags=0
0026:trace:seh:call_vectored_handlers handler at 0x7ec122b1 returned 0
0026:trace:seh:call_stack_handlers calling handler at 0x7bcb1a8e code=c0000005 flags=0
0026:Call KERNEL32.UnhandledExceptionFilter(0065f3e4) ret=7bcb1ac9
...
--- snip ---
Relocation directory:
--- snip ---
->Relocation Directory

1. Relocation Block: VirtualAddress: 0x00001000 (".text") SizeOfBlock: 0x0000010C (0x0082 block entries)

RVA        Type
---------- -----------------
0x00001031 HIGHLOW
0x00001056 HIGHLOW
...
0x00001FA8 HIGHLOW
0x00001FC5 HIGHLOW

...

7. Relocation Block: VirtualAddress: 0x00008000 ("PAGE") SizeOfBlock: 0x00000058 (0x0028 block entries)

RVA        Type
---------- -----------------
0x00008CCA HIGHLOW
0x00008D57 HIGHLOW
...
0x00008FED HIGHLOW
0x00008FFE HIGHLOW
n/a        ABSOLUTE

...
--- snip ---
Last entry (39), RVA 0x8FFE crosses the page boundary.
Source:
https://source.winehq.org/git/wine.git/blob/HEAD:/programs/winedevice/device...
--- snip ---
static HMODULE load_driver_module( const WCHAR *name )
{
    IMAGE_NT_HEADERS *nt;
    const IMAGE_IMPORT_DESCRIPTOR *imports;
    SYSTEM_BASIC_INFORMATION info;
    int i;
    INT_PTR delta;
    ULONG size;
    HMODULE module = LoadLibraryW( name );

    if (!module) return NULL;
    nt = RtlImageNtHeader( module );

    if (!(delta = (char *)module - (char *)nt->OptionalHeader.ImageBase)) return module;

    /* the loader does not apply relocations to non page-aligned binaries or executables,
     * we have to do it ourselves */

    NtQuerySystemInformation( SystemBasicInformation, &info, sizeof(info), NULL );
    if (nt->OptionalHeader.SectionAlignment < info.PageSize ||
        !(nt->FileHeader.Characteristics & IMAGE_FILE_DLL))
    {
        DWORD old;
        IMAGE_BASE_RELOCATION *rel, *end;

        if ((rel = RtlImageDirectoryEntryToData( module, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &size )))
        {
            WINE_TRACE( "%s: relocating from %p to %p\n",
                        wine_dbgstr_w(name), (char *)module - delta, module );
            end = (IMAGE_BASE_RELOCATION *)((char *)rel + size);
            while (rel < end && rel->SizeOfBlock)
            {
                void *page = (char *)module + rel->VirtualAddress;
                VirtualProtect( page, info.PageSize, PAGE_EXECUTE_READWRITE, &old );
                rel = LdrProcessRelocationBlock( page, (rel->SizeOfBlock - sizeof(*rel)) / sizeof(USHORT),
                                                 (USHORT *)(rel + 1), delta );
                if (old != PAGE_EXECUTE_READWRITE) VirtualProtect( page, info.PageSize, old, &old );
                if (!rel) goto error;
            }
            /* make sure we don't try again */
            size = FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + nt->FileHeader.SizeOfOptionalHeader;
            VirtualProtect( nt, size, PAGE_READWRITE, &old );
            nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = 0;
            VirtualProtect( nt, size, old, &old );
        }
    }
--- snip ---
$ sha1sum tmsunrisedemo_setup.exe
2d44577a71718464c595d9da91a017fb0914afc4  tmsunrisedemo_setup.exe

$ du -sh tmsunrisedemo_setup.exe
210M    tmsunrisedemo_setup.exe

$ wine --version
wine-3.5-91-g3263d51a1f
Regards
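To make the failure in the report concrete, here is an added example in C that models the relocation-block walk; it is not Wine's code. It uses stand-in definitions with the IMAGE_BASE_RELOCATION layout and the standard IMAGE_REL_BASED_ABSOLUTE/HIGHLOW/DIR64 type values, assumes a 0x1000-byte page, and builds a constructed block that mirrors block 7 above (virtual address 0x8000, a subset of its HIGHLOW entries including 0xFFE, plus ABSOLUTE padding) with the delta 0x770000 seen in the log. reloc_block_pages() computes how many pages a block's fixups actually touch, which is the check the VirtualProtect loop above lacks, and apply_block() simulates the fixup pass inside a writable window, so the one-page case stops at RVA 0x9000 the way the real loader faults at 0x789000.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for winnt.h: the struct matches the layout of
 * IMAGE_BASE_RELOCATION, the constants are the IMAGE_REL_BASED_* values. */
#define REL_ABSOLUTE 0
#define REL_HIGHLOW  3
#define REL_DIR64    10
#define ASSUMED_PAGE_SIZE 0x1000u   /* assumption: 4 KiB pages, as on the reporter's x86-64 Linux box */

typedef struct {
    uint32_t VirtualAddress;   /* RVA of the page the entries are relative to */
    uint32_t SizeOfBlock;      /* header plus entries, in bytes */
} reloc_block_hdr;

/* Bytes written by one fixup of the given type; 0 means nothing is written. */
static unsigned fixup_width(unsigned type)
{
    switch (type) {
    case REL_HIGHLOW: return 4;
    case REL_DIR64:   return 8;
    default:          return 0;   /* ABSOLUTE is alignment padding */
    }
}

/* Highest RVA (exclusive) that applying this block writes to; 0 if no real fixups. */
uint32_t reloc_block_end_rva(const reloc_block_hdr *hdr, const uint16_t *entries)
{
    size_t n = (hdr->SizeOfBlock - sizeof(*hdr)) / sizeof(uint16_t);
    uint32_t end = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned w = fixup_width(entries[i] >> 12);
        uint32_t fixup_end = hdr->VirtualAddress + (entries[i] & 0xfff) + w;
        if (w && fixup_end > end) end = fixup_end;
    }
    return end;
}

/* Pages that must be writable before the block is applied: 1 normally,
 * 2 when the last fixup straddles the page boundary (offset 0xFFE with a 4-byte write). */
uint32_t reloc_block_pages(const reloc_block_hdr *hdr, const uint16_t *entries, uint32_t page_size)
{
    uint32_t start = hdr->VirtualAddress & ~(page_size - 1);
    uint32_t end = reloc_block_end_rva(hdr, entries);
    if (end <= start) return 1;
    return (end - start + page_size - 1) / page_size;
}

/* Simulated fixup pass: adds delta to every HIGHLOW target inside image[], but
 * refuses to touch bytes outside [writable_start, writable_end). Returns the
 * number of fixups applied, or -1 at the first write that leaves the window,
 * which is where the real loader takes the access violation. */
int apply_block(uint8_t *image, uint32_t writable_start, uint32_t writable_end,
                const reloc_block_hdr *hdr, const uint16_t *entries, int32_t delta)
{
    size_t n = (hdr->SizeOfBlock - sizeof(*hdr)) / sizeof(uint16_t);
    int applied = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned type = entries[i] >> 12;
        unsigned w = fixup_width(type);
        uint32_t rva = hdr->VirtualAddress + (entries[i] & 0xfff);
        if (!w) continue;
        if (rva < writable_start || rva + w > writable_end) return -1;
        if (type == REL_HIGHLOW) {          /* little-endian host assumed */
            uint32_t v;
            memcpy(&v, image + rva, 4);
            v += (uint32_t)delta;
            memcpy(image + rva, &v, 4);
        }
        applied++;
    }
    return applied;
}

/* Constructed sample modelled on relocation block 7 of sfdrv01.sys above. */
static const reloc_block_hdr sample_hdr = { 0x8000, sizeof(reloc_block_hdr) + 6 * sizeof(uint16_t) };
static const uint16_t sample_entries[6] = {
    (REL_HIGHLOW << 12) | 0xCCA, (REL_HIGHLOW << 12) | 0xD57,
    (REL_HIGHLOW << 12) | 0xFED, (REL_HIGHLOW << 12) | 0xFFE,
    (REL_ABSOLUTE << 12) | 0,    (REL_ABSOLUTE << 12) | 0 };
static uint8_t sample_image[0xA000];

uint32_t sample_pages(void)
{
    return reloc_block_pages(&sample_hdr, sample_entries, ASSUMED_PAGE_SIZE);
}

/* Only the block's own page writable: what the loop in load_driver_module does. */
int sample_apply_one_page(void)
{
    memset(sample_image, 0, sizeof sample_image);
    return apply_block(sample_image, 0x8000, 0x9000, &sample_hdr, sample_entries, 0x770000);
}

/* Every page the block touches writable: the span reloc_block_pages() reports. */
int sample_apply_all_pages(void)
{
    memset(sample_image, 0, sizeof sample_image);
    uint32_t end = 0x8000 + sample_pages() * ASSUMED_PAGE_SIZE;
    return apply_block(sample_image, 0x8000, end, &sample_hdr, sample_entries, 0x770000);
}

int main(void)
{
    printf("block end RVA 0x%x, pages needed %u\n",
           reloc_block_end_rva(&sample_hdr, sample_entries), sample_pages());
    printf("one page writable: %d, all pages writable: %d\n",
           sample_apply_one_page(), sample_apply_all_pages());
    return 0;
}
```

The point of computing the span first is that VirtualProtect on `info.PageSize` bytes from `rel->VirtualAddress` is only enough when every fixup ends inside that page; a HIGHLOW entry at offset 0xFFE writes bytes 0xFFE..0x1001 and needs the following page to be writable as well, which for PAGE in this driver is 0x789000, the address in info[1] of the exception above.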
Anastasius Focht focht@gmx.net changed:
What      |Removed |Added
----------------------------------------------------------------------------
Keywords  |        |download, obfuscation
URL       |        |https://www.fileplanet.com/151268/download/TrackMania:-Sunrise-Demo
tokktokk fdsfgs@krutt.org changed:
What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |fdsfgs@krutt.org
Anastasius Focht focht@gmx.net changed:
What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |DUPLICATE
Status     |NEW     |RESOLVED

--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
actually this is a dupe of bug 44927 (which is almost 7 years old now).
Regards
*** This bug has been marked as a duplicate of bug 28254 ***
André H. nerv@dawncrow.de changed:
What      |Removed  |Added
----------------------------------------------------------------------------
Status    |RESOLVED |CLOSED
CC        |         |nerv@dawncrow.de

--- Comment #2 from André H. nerv@dawncrow.de ---
closing dup
Anastasius Focht focht@gmx.net changed:
What      |Removed                                                              |Added
----------------------------------------------------------------------------
URL       |https://www.fileplanet.com/151268/download/TrackMania:-Sunrise-Demo |https://web.archive.org/web/20210715125120/https://dl.4players.de/f1/pc/trackmaniasunrise/tmsunrisedemo_setup.exe