http://bugs.winehq.org/show_bug.cgi?id=27991
Summary: LsaLookupNames2 implementation leads to leak of returned buffer data
Product: Wine
Version: 1.3.26
Platform: x86
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P2
Component: advapi32
AssignedTo: wine-bugs@winehq.org
ReportedBy: bunglehead@gmail.com
Just in case I forget about this.
LsaLookupNames2() returns domain data in an LSA_REFERENCED_DOMAIN_LIST structure that contains a pointer to the domain data array. We currently allocate all of this separately: first the LSA_REFERENCED_DOMAIN_LIST itself, then a linked array, and finally set a pointer from one to the other.
This is wrong and leads to allocations that can't be freed with LsaFreeMemory(). What should be done is to incrementally calculate all components' buffer sizes and then allocate a single buffer that holds everything at once, with properly adjusted pointers, of course, that act as offsets into it.
After that all related leaks will be fixed.
P.S. Simple testing shows that native does something like that; at least HeapSize() for the domains pointer returns a large number, and the array pointer points 12 bytes from the buffer's first byte.
Anastasius Focht focht@gmx.net changed:
What    |Removed |Added
----------------------------------------------------------------------------
Keywords| |dotnet, download
URL| |http://www.datafilehost.com/download-04329f6d.html
CC| |focht@gmx.net
Summary|LsaLookupNames2 implementation leads to leak of returned buffer data |LsaLookupNames2 separate allocations break .NET 4.0 System.Security subsystem and leak returned buffer data
Severity|minor |normal
--- Comment #1 from Anastasius Focht focht@gmx.net 2012-01-22 11:11:55 CST --- Hello,
hijacking this bug because I think the root cause might be the separate allocations mentioned here. This breaks the .NET 4.0 System.Security subsystem.
Some .NET 4.0 apps that make use of unmanaged LsaLookupNames2() crash with a managed backtrace:
--- snip ---
...
fixme:advapi:LsaOpenPolicy ((null),0x32f074,0x00000800,0x32f04c) stub
fixme:advapi:LsaClose (0xcafe) stub
fixme:advapi:LsaOpenPolicy ((null),0x32efc4,0x00000800,0x32ef9c) stub
fixme:advapi:RegisterTraceGuidsW (0x12145d2, (nil), {8e9f5090-2d75-4d03-8a81-e5afbf85daf1}, 1, 0x32d95c, (null), (null), 0x1565dcc,): stub

Unhandled Exception: System.ArgumentOutOfRangeException: The number of bytes cannot exceed the virtual address space on a 32 bit machine.
Parameter name: numBytes
   at System.Runtime.InteropServices.SafeBuffer.Initialize(UInt64 numBytes)
   at System.Security.Principal.Win32.InitializeReferencedDomainsPointer(SafeLsaMemoryHandle referencedDomains)
   at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
   at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
   at System.Security.AccessControl.EventWaitHandleSecurity.AddAccessRule(EventWaitHandleAccessRule rule)
   at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[] commandLine)
   at HAL7600.My.MyApplication.Main(String[] Args)
--- snip ---
Trace log:
--- snip ---
002a:Call advapi32.LsaLookupNames2(0000cafe,00000000,00000001,0016d890,0032ef98,0032ef8c) ret=04a4f6f2
002a:trace:advapi:LsaLookupNames2 (0xcafe,0x00000000,0x00000001,0x16d890,0x32ef98,0x32ef8c)
002a:trace:advapi:GetTokenInformation (0x17c, TokenUser, 0x32ec9c, 80, 0x32ec98):
002a:trace:advapi:LsaLookupNames2 mapped 1 out of 1
002a:trace:advapi:GetTokenInformation (0x17c, TokenUser, 0x32ec9c, 80, 0x32ec98):
002a:Ret advapi32.LsaLookupNames2() retval=00000000 ret=04a4f6f2
...
002a:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0032eea0) ret=791cac08
002a:trace:seh:raise_exception code=e0434352 flags=1 addr=0x7b838ccb ip=7b838ccb tid=002a
002a:trace:seh:raise_exception info[0]=80131502
002a:trace:seh:raise_exception info[1]=00000000
002a:trace:seh:raise_exception info[2]=00000000
002a:trace:seh:raise_exception info[3]=00000000
002a:trace:seh:raise_exception info[4]=79140000
--- snip ---
Interestingly some of these apps don't crash every time.
Pretty nasty to step through pure IL code _oO_. At one point before a crash I got lucky and found the following values in locals:
--- snip ---
[t#:0] mdbg> p
local_0=Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST
local_1=1
local_2=Microsoft.Win32.Win32Native+LSA_TRUST_INFORMATION
local_3=0
referencedDomains=Microsoft.Win32.SafeHandles.SafeLsaMemoryHandle
...
[t#:0] mdbg> p local_0
local_0=Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST <Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST>
Entries=1
Domains=1638600
...
[t#:0] mdbg> p referencedDomains
referencedDomains=Microsoft.Win32.SafeHandles.SafeLsaMemoryHandle
Uninitialized=4294967295
_numBytes=8
handle=1673144
_state=8
_ownsHandle=True
_fullyInitialized=True
...
[t#:0] mdbg> p
local_0=Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST
local_1=1
local_2=Microsoft.Win32.Win32Native+LSA_TRUST_INFORMATION
local_3=-34532
referencedDomains=Microsoft.Win32.SafeHandles.SafeLsaMemoryHandle
--- snip ---
The negative value is the result of a pointer subtraction, which seems to come from the LSA_TRUST_INFORMATION pointer and the domain list pointer. This leads to the sanity check failing, hence the exception.
Bug 27447 contains a small .NET 4.0 example app that quickly dies from this issue.
TurboTax 2011 (bug 29666) also suffers from this, though it doesn't crash every time.
Needs the .NET 4.0 Framework prerequisite, which can be installed using the appdb recipe (http://appdb.winehq.org/objectManager.php?sClass=version&iId=17886). A 'winetricks dotnet40' recipe might be available in the near future.
$ sha1sum HAL7600.exe
a4e96b4b93c70da172f0bee1e2a6f181e79a6f9e  HAL7600.exe
$ wine --version
wine-1.3.37-254-g14b790a
Regards
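Added example, not code from this bug report or from Wine's advapi32: a C program that lays out the referenced-domain list the way comment 0 calls for (sizes summed first, one block carved for header, array, names and SIDs, every pointer aimed inside it) and then runs the pointer-difference check comment 1 describes. The Win32 types are local stand-ins with the real field order; domain_input, align8, build_domain_list, check_domain_list and demo_negative_offset are names chosen here; the two domain names and SIDs are constructed sample data; and the check is modelled on comment 1's description rather than on the .NET Framework's source. On a 64-bit host the array starts 16 bytes into the block instead of the 12 the reporter measured on native 32-bit, because the pointer field is wider.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the Win32 types (same field order) so this builds without
 * Windows headers.  On a 64-bit host pointers are wider, so the header-to-array
 * distance is 16 bytes, not the 12 seen on native 32-bit; it comes from sizeof. */
typedef uint16_t WCHAR;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } LSA_UNICODE_STRING;
typedef struct { LSA_UNICODE_STRING Name; void *Sid; } LSA_TRUST_INFORMATION;
typedef struct { uint32_t Entries; LSA_TRUST_INFORMATION *Domains; } LSA_REFERENCED_DOMAIN_LIST;

/* Hypothetical input record (one resolved domain) and constructed sample data. */
typedef struct { const WCHAR *name; const uint8_t *sid; size_t sid_len; } domain_input;
static const WCHAR   DOM_A[] = { 'B','U','I','L','T','I','N', 0 };
static const WCHAR   DOM_B[] = { 'W','O','R','K','G','R','O','U','P', 0 };
static const uint8_t SID_A[] = { 1,1, 0,0,0,0,0,5, 32,0,0,0 };                 /* S-1-5-32 */
static const uint8_t SID_B[] = { 1,2, 0,0,0,0,0,5, 21,0,0,0, 0x39,0x30,0,0 };  /* S-1-5-21-12345 */
static const domain_input SAMPLE[] = { { DOM_A, SID_A, sizeof SID_A }, { DOM_B, SID_B, sizeof SID_B } };

static size_t align8(size_t n) { return (n + 7) & ~(size_t)7; }
static size_t wstrlen(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Pass 1 sums every component; pass 2 carves one block: header, then the
 * LSA_TRUST_INFORMATION array, then each name and SID.  One free() releases all. */
LSA_REFERENCED_DOMAIN_LIST *build_domain_list(const domain_input *in, uint32_t count, size_t *total_out)
{
    size_t total = align8(sizeof(LSA_REFERENCED_DOMAIN_LIST)) + align8(count * sizeof(LSA_TRUST_INFORMATION));
    for (uint32_t i = 0; i < count; i++)
        total += align8((wstrlen(in[i].name) + 1) * sizeof(WCHAR)) + align8(in[i].sid_len);

    uint8_t *base = calloc(1, total);
    if (!base) return NULL;
    LSA_REFERENCED_DOMAIN_LIST *list = (LSA_REFERENCED_DOMAIN_LIST *)base;
    size_t off = align8(sizeof(*list));
    list->Entries = count;
    list->Domains = (LSA_TRUST_INFORMATION *)(base + off);
    off += align8(count * sizeof(LSA_TRUST_INFORMATION));
    for (uint32_t i = 0; i < count; i++) {
        LSA_TRUST_INFORMATION *d = &list->Domains[i];
        size_t bytes = (wstrlen(in[i].name) + 1) * sizeof(WCHAR);   /* including terminator */
        d->Name.Buffer = (WCHAR *)(base + off);
        memcpy(d->Name.Buffer, in[i].name, bytes);
        d->Name.Length = (uint16_t)(bytes - sizeof(WCHAR));
        d->Name.MaximumLength = (uint16_t)bytes;
        off += align8(bytes);
        d->Sid = base + off;
        memcpy(d->Sid, in[i].sid, in[i].sid_len);
        off += align8(in[i].sid_len);
    }
    *total_out = total;
    return list;
}

/* Modelled on the check comment 1 describes on the .NET side (an illustration,
 * not the Framework's code): take Domains minus block start as the array offset
 * and require offset + Entries * sizeof(LSA_TRUST_INFORMATION) to fit the block.
 * With separate allocations that difference is arbitrary; a negative one becomes
 * an enormous unsigned size, hence the ArgumentOutOfRangeException above.  The
 * final loop goes one step further and confirms names and SIDs sit in the block.
 * Returns 0 if sane; 1 negative/in-header offset; 2 array past end; 3 stray pointer. */
int check_domain_list(const LSA_REFERENCED_DOMAIN_LIST *list, size_t block_size)
{
    uintptr_t lo = (uintptr_t)list, hi = lo + block_size;
    if (list->Entries == 0) return 0;
    intptr_t offset = (intptr_t)((uintptr_t)list->Domains - lo);
    if (offset < (intptr_t)sizeof(*list)) return 1;
    if ((size_t)offset + (size_t)list->Entries * sizeof(LSA_TRUST_INFORMATION) > block_size) return 2;
    for (uint32_t i = 0; i < list->Entries; i++) {
        uintptr_t n = (uintptr_t)list->Domains[i].Name.Buffer, s = (uintptr_t)list->Domains[i].Sid;
        if (n < lo || n >= hi || s < lo || s >= hi) return 3;
    }
    return 0;
}

/* Constructed reproduction of comment 1's failure: header and array placed
 * apart, array below header, so the difference is negative (-34532 there, -64 here). */
int demo_negative_offset(void)
{
    uint8_t *arena = calloc(1, 128);
    if (!arena) return -1;
    LSA_REFERENCED_DOMAIN_LIST *list = (LSA_REFERENCED_DOMAIN_LIST *)(arena + 64);
    list->Entries = 1;
    list->Domains = (LSA_TRUST_INFORMATION *)arena;
    int rc = check_domain_list(list, sizeof(*list));
    free(arena);
    return rc;
}

int main(void)
{
    size_t total = 0;
    LSA_REFERENCED_DOMAIN_LIST *list = build_domain_list(SAMPLE, 2, &total);
    if (!list) return 1;
    printf("single block: %zu bytes, check=%d; separate layout: check=%d\n",
           total, check_domain_list(list, total), demo_negative_offset());
    free(list);   /* one call frees header, array, names and SIDs */
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run it. The single block reports check=0 and the separated layout check=1; the alignment helper is a choice made here for the inner items, not something the report states about native, which is why the 12-byte figure is left to the reporter's measurement.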
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |29666
Austin English austinenglish@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |austinenglish@gmail.com
--- Comment #2 from Austin English austinenglish@gmail.com 2012-03-26 19:37:21 CDT --- Also affects the Skyrim NPC Editor (someone asked about it in #winehq): http://skyrim.nexusmods.com/downloads/file.php?id=4554
The "Skyrim NPC Editor 0_75_1 - Non Installer - README FIRST" link is only a few megs and has the same problem (after winetricks -q dotnet40).
--- Comment #3 from Austin English austinenglish@gmail.com 2013-01-17 18:09:51 CST --- I've also seen this in wine-1.5.21-321-g175039e with TurboTax 2012. Nikolay, any progress on this? Or a test patch/hack? :)
Austin English austinenglish@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |32746
--- Comment #4 from Nikolay Sivov bunglehead@gmail.com 2013-01-19 07:37:24 CST ---
Created attachment 43227
  --> http://bugs.winehq.org/attachment.cgi?id=43227
[1/2] advapi32: Make it possible to free data buffer returned from LsaLookupSids()
I got some patches to test, please apply both and let me know if it helps.
--- Comment #5 from Nikolay Sivov bunglehead@gmail.com 2013-01-19 07:38:11 CST ---
Created attachment 43228
  --> http://bugs.winehq.org/attachment.cgi?id=43228
[2/2] advapi32: Fix LsaLookupNames2() regarding referenced domain list allocation
Second patch.
--- Comment #6 from Nikolay Sivov bunglehead@gmail.com 2013-01-19 13:08:16 CST --- (In reply to comment #1)
> Interestingly some of these apps don't crash every time.
That's because sometimes it happens to get a saner pointer difference, I guess.
Attached patches are broken, but I've got a fixed version that allows me to get to next crash for application from bug 27447.
Nikolay Sivov bunglehead@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #43227 is obsolete|0 |1
Nikolay Sivov bunglehead@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #43228 is obsolete|0 |1
--- Comment #7 from Nikolay Sivov bunglehead@gmail.com 2013-01-19 14:18:32 CST --- I just sent two patches that should actually work:
http://www.winehq.org/pipermail/wine-patches/2013-January/121683.html
http://www.winehq.org/pipermail/wine-patches/2013-January/121684.html
Austin English austinenglish@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |32758
--- Comment #8 from Austin English austinenglish@gmail.com 2013-01-19 15:24:53 CST --- (In reply to comment #7)
> I just sent two patches that should actually work:
> http://www.winehq.org/pipermail/wine-patches/2013-January/121683.html
> http://www.winehq.org/pipermail/wine-patches/2013-January/121684.html
Yep. On my Debian 32-bit machine, the installer crashed every time I tried (10 times). With the patches, it started up 10 out of 10 times.
Great work, thanks!
After that, the program shows errors on startup about the update service not working (bug 32758). Then trying to use the program gives bug 32471, which looks like wined3d/winex11.drv territory.
Nikolay Sivov bunglehead@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |27447
Austin English austinenglish@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Fixed by SHA1| |f8aabe2247e6b899f9360be69a56c919513b6e87
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #9 from Austin English austinenglish@gmail.com 2013-01-21 13:58:16 CST --- http://source.winehq.org/git/wine.git/commitdiff/f8aabe2247e6b899f9360be69a5...
http://source.winehq.org/git/wine.git/commitdiff/af641dc94ca0e2cd0afa8aa3ad6...
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #10 from Alexandre Julliard julliard@winehq.org 2013-02-01 04:57:02 CST --- Closing bugs fixed in 1.5.23.