https://bugs.winehq.org/show_bug.cgi?id=45743
Bug ID: 45743
Summary: Firefox crashes on startup due to missing pipe server object type information (needed for Gecko's HandleDispatcher::DuplicateHandleProxy)
Product: Wine
Version: 3.14
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: wineserver
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/Mozilla Firefox

$ WINEDEBUG=+pid,+seh,+loaddll,+process,+relay,+ntdll,+server wine ./firefox.exe >>log.txt 2>&1
...
0008:0055:Starting thread proc 0x7bca4d0b (arg=0x2cb4a980)
...
0008:0055:Call KERNEL32.GetProcAddress(7bc30000,00427c48 "NtQueryObject") ret=004232be
0008:0055:Ret KERNEL32.GetProcAddress() retval=7bc37154 ret=004232be
0008:0055:Call KERNEL32.DuplicateHandle(00000328,000000f0,ffffffff,3030fb70,00000000,00000000,00000002) ret=0041444c
0008:0055:Ret KERNEL32.DuplicateHandle() retval=00000001 ret=0041444c
0008:0055:Call KERNEL32.GetLastError() ret=0040ba5d
0008:0055:Ret KERNEL32.GetLastError() retval=00000000 ret=0040ba5d
0008:0055:Call ntdll.NtQueryObject(000003f8,00000002,3030fb90,0000009e,3030fb6c) ret=0041449f
0008:0055:trace:ntdll:NtQueryObject (0x3f8,0x00000002,0x3030fb90,0x0000009e,0x3030fb6c)
0008:0055:Ret ntdll.NtQueryObject() retval=00000000 ret=0041449f
0008:0055:Call ntdll.wcslen(3030fbf0 L"Section") ret=0041673c
0008:0055:Ret ntdll.wcslen() retval=00000007 ret=0041673c
0008:0055:Call ntdll.wcslen(3030fbf0 L"Section") ret=0041673c
0008:0055:Ret ntdll.wcslen() retval=00000007 ret=0041673c
0008:0055:Call ntdll.RtlCompareUnicodeString(3030fa9c,3030faac,00000001) ret=004167bb
0008:0055:Ret ntdll.RtlCompareUnicodeString() retval=00000000 ret=004167bb
0008:0055:Call KERNEL32.DuplicateHandle(ffffffff,000003f8,ffffffff,3030fc8c,000f0006,00000000,00000000) ret=0041481f
0008:0055:Ret KERNEL32.DuplicateHandle() retval=00000001 ret=0041481f
0008:0055:Call KERNEL32.CloseHandle(000003f8) ret=0040177b
0008:0055:Ret KERNEL32.CloseHandle() retval=00000001 ret=0040177b
0008:0055:Call ucrtbase.memset(2d07e1a0,000000e5,000000a0) ret=1000603f
0008:0055:Ret ucrtbase.memset() retval=2d07e1a0 ret=1000603f
0008:0055:Call KERNEL32.SetEvent(00000338) ret=00420f64
0008:0055:Ret KERNEL32.SetEvent() retval=00000001 ret=00420f64
0008:0055:Call ucrtbase.memset(3030fd24,00000000,00000034) ret=00420f32
0008:0055:Ret ucrtbase.memset() retval=3030fd24 ret=00420f32
0008:0055:Call ucrtbase.memcpy(30e843e0,2cff0094,00000098) ret=00410459
0008:0055:Ret ucrtbase.memcpy() retval=30e843e0 ret=00410459
0008:0055:Call ucrtbase.memset(3030fc74,00000000,0000003c) ret=00420bfb
0008:0055:Ret ucrtbase.memset() retval=3030fc74 ret=00420bfb
0008:0055:Call ucrtbase.memcmp(00428b6c,3030fcb0,00000028) ret=00422697
0008:0055:Ret ucrtbase.memcmp() retval=ffffffff ret=00422697
0008:0055:Call ucrtbase.memcmp(00428b94,3030fcb0,00000028) ret=004226ab
0008:0055:Ret ucrtbase.memcmp() retval=ffffffff ret=004226ab
0008:0055:Call ucrtbase.memcmp(2ff07370,3030fcb0,00000028) ret=004106ca
0008:0055:Ret ucrtbase.memcmp() retval=00000000 ret=004106ca
0008:0055:Call KERNEL32.DuplicateHandle(00000328,00000170,ffffffff,3030fb70,00000000,00000000,00000002) ret=0041444c
0008:0055:Ret KERNEL32.DuplicateHandle() retval=00000001 ret=0041444c
0008:0055:Call KERNEL32.GetLastError() ret=0040ba5d
0008:0055:Ret KERNEL32.GetLastError() retval=00000000 ret=0040ba5d
0008:0055:Call ntdll.NtQueryObject(00000408,00000002,3030fb90,0000009e,3030fb6c) ret=0041449f
0008:0055:trace:ntdll:NtQueryObject (0x408,0x00000002,0x3030fb90,0x0000009e,0x3030fb6c)
0008:0055:Ret ntdll.NtQueryObject() retval=00000000 ret=0041449f
0008:0055:trace:seh:raise_exception code=c0000005 flags=0 addr=0x4144ba ip=004144ba tid=0055
0008:0055:trace:seh:raise_exception info[0]=00000001
0008:0055:trace:seh:raise_exception info[1]=00000000
0008:0055:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=3030fc74 edi=00000002
0008:0055:trace:seh:raise_exception ebp=3030fc34 esp=3030fb58 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0008:0055:trace:seh:call_vectored_handlers calling handler at 0x16d95c3 code=c0000005 flags=0
0008:0055:trace:seh:call_vectored_handlers handler at 0x16d95c3 returned 0
0008:0055:trace:seh:call_stack_handlers calling handler at 0x7bcb3bc4 code=c0000005 flags=0
0008:0055:Call KERNEL32.UnhandledExceptionFilter(3030f654) ret=7bcb3bff
...
--- snip ---
Tracing the handle back across multiple dupes:
--- snip ---
...
0008:002c:Call advapi32.CreateProcessAsUserW(0000031c,2f832a50 L"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",2fae7800 L""C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="8.0.218090689\870550889" -childID 1 -isForBrowser -prefsHandle 756 -prefsLen 5527 -schedulerPrefs 0001,2 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Fire"...,00000000,00000000,00000001,0108040c,3041c020,00000000,09c2f0b0,09c2ef94) ret=00422051
...
002c: new_process( inherit_all=1, create_flags=0108040c, socket_fd=194, exe_file=0318, process_access=001fffff, process_attr=00000000, thread_access=001fffff, thread_attr=00000000, cpu=x86, info_size=1482, ...
002c: new_process() = 0 { info=0320, pid=0056, phandle=0328, tid=0057, thandle=032c }
...
0056:0057:Call KERNEL32.CreateNamedPipeW(010acf40 L"\\.\pipe\chrome.86.0.22204864",40080003,00000000,00000001,00001000,00001000,00001388,00000000) ret=023d5c1f
0056:0057:trace:ntdll:NtCreateNamedPipeFile (0x33d6dc c0180000 L"\??\pipe\chrome.86.0.22204864" 0x33d6b4 3 5 0 0 0 0 1 4096 4096 0x33d6a8)
0057: create_named_pipe( access=c0180000, options=00000000, sharing=00000003, maxinstances=00000001, outsize=00001000, insize=00001000, timeout=+5.0000000, flags=00000000, objattr={rootdir=0000,attributes=00000040,sd={},name=L"\??\pipe\chrome.86.0.22204864"} )
0057: create_named_pipe() = 0 { handle=0164 }
...
0057: dup_handle( src_process=ffffffff, src_handle=0164, dst_process=ffffffff, access=00000000, attributes=00000000, options=00000002 )
0057: dup_handle() = 0 { handle=0168, self=1, closed=0 }
...
0057: dup_handle( src_process=ffffffff, src_handle=0168, dst_process=ffffffff, access=00000000, attributes=00000000, options=00000002 )
0057: dup_handle() = 0 { handle=0170, self=1, closed=0 }
....
0008:0055:Call KERNEL32.DuplicateHandle(00000328,00000170,ffffffff,3030fb70,00000000,00000000,00000002) ret=0041444c
0055: dup_handle( src_process=0328, src_handle=0170, dst_process=ffffffff, access=00000000, attributes=00000000, options=00000002 )
0055: dup_handle() = 0 { handle=0408, self=0, closed=0 }
0008:0055:Ret KERNEL32.DuplicateHandle() retval=00000001 ret=0041444c
...
0008:0055:Call ntdll.NtQueryObject(00000408,00000002,3030fb90,0000009e,3030fb6c) ret=0041449f
0008:0055:trace:ntdll:NtQueryObject (0x408,0x00000002,0x3030fb90,0x0000009e,0x3030fb6c)
0055: get_object_type( handle=0408 )
0055: get_object_type() = 0 { total=0, type=L"" }
0008:0055:Ret ntdll.NtQueryObject() retval=00000000 ret=0041449f
--- snip ---
Wineserver debug session:
--- snip ---
...
(gdb) b no_get_type
Breakpoint 1 at 0x42c1a2: file /home/focht/projects/wine/mainline-src/server/object.c, line 499.

(gdb) c
Continuing.

Breakpoint 1, no_get_type (obj=0x269c3e0) at /home/focht/projects/wine/mainline-src/server/object.c:499
499         return NULL;
(gdb) bt
#0  no_get_type (obj=0x269c3e0) at /home/focht/projects/wine/mainline-src/server/object.c:499
#1  0x0000000000415d55 in req_get_object_type (req=0x2692170, reply=0x7fff998dce50) at /home/focht/projects/wine/mainline-src/server/directory.c:524
#2  0x0000000000445c6d in call_req_handler (thread=0x2692020) at /home/focht/projects/wine/mainline-src/server/request.c:303
#3  0x0000000000445e02 in read_request (thread=0x2692020) at /home/focht/projects/wine/mainline-src/server/request.c:337
#4  0x000000000044e264 in thread_poll_event (fd=0x2692250, event=1) at /home/focht/projects/wine/mainline-src/server/thread.c:272
#5  0x0000000000417188 in fd_poll_event (fd=0x2692250, event=1) at /home/focht/projects/wine/mainline-src/server/fd.c:457
#6  0x000000000041756a in main_loop_epoll () at /home/focht/projects/wine/mainline-src/server/fd.c:552
#7  0x0000000000417b80 in main_loop () at /home/focht/projects/wine/mainline-src/server/fd.c:897
#8  0x0000000000423b73 in main (argc=3, argv=0x7fff998dd688) at /home/focht/projects/wine/mainline-src/server/main.c:148

(gdb) p *req
$10 = {__header = {req = 256, request_size = 0, reply_size = 62}, handle = 1032}

(gdb) p *obj
$9 = {refcount = 4, handle_count = 3, ops = 0x47ee80 <pipe_server_ops>, wait_queue = {next = 0x269c3f0, prev = 0x269c3f0}, name = 0x0, sd = 0x0, obj_list = {next = 0x26a3620, prev = 0x26a8090}}
--- snip ---
I found the involved source code here:
https://github.com/mozilla/gecko-dev/blob/HEAD/security/sandbox/chromium/san...
--- snip ---
bool HandleDispatcher::DuplicateHandleProxy(IPCInfo* ipc,
                                            HANDLE source_handle,
                                            uint32_t target_process_id,
                                            uint32_t desired_access,
                                            uint32_t options) {
  static NtQueryObject QueryObject = NULL;
  if (!QueryObject)
    ResolveNTFunctionPtr("NtQueryObject", &QueryObject);

  // Get a copy of the handle for use in the broker process.
  HANDLE handle_temp;
  if (!::DuplicateHandle(ipc->client_info->process, source_handle,
                         ::GetCurrentProcess(), &handle_temp,
                         0, FALSE, DUPLICATE_SAME_ACCESS | options)) {
    ipc->return_info.win32_result = ::GetLastError();
    return false;
  }
  options &= ~DUPLICATE_CLOSE_SOURCE;
  base::win::ScopedHandle handle(handle_temp);

  // Get the object type (32 characters is safe; current max is 14).
  BYTE buffer[sizeof(OBJECT_TYPE_INFORMATION) + 32 * sizeof(wchar_t)];
  OBJECT_TYPE_INFORMATION* type_info =
      reinterpret_cast<OBJECT_TYPE_INFORMATION*>(buffer);
  ULONG size = sizeof(buffer) - sizeof(wchar_t);
  NTSTATUS error =
      QueryObject(handle.Get(), ObjectTypeInformation, type_info, size, &size);
  if (!NT_SUCCESS(error)) {
    ipc->return_info.nt_status = error;
    return false;
  }
  type_info->Name.Buffer[type_info->Name.Length / sizeof(wchar_t)] = L'\0';

  CountedParameterSet<HandleTarget> params;
  params[HandleTarget::NAME] = ParamPickerMake(type_info->Name.Buffer);
  params[HandleTarget::TARGET] = ParamPickerMake(target_process_id);

  EvalResult eval = policy_base_->EvalPolicy(IPC_DUPLICATEHANDLEPROXY_TAG,
                                             params.GetBase());
  ipc->return_info.win32_result =
      HandlePolicy::DuplicateHandleProxyAction(eval, handle.Get(),
                                               target_process_id,
                                               &ipc->return_info.handle,
                                               desired_access, options);
  return true;
}
--- snip ---
Used in several places:
https://github.com/mozilla/gecko-dev/search?q=DuplicateHandleProxy
Wine source:
https://source.winehq.org/git/wine.git/blob/d4e0f0a12fdca62fea49a635418d19eb...
--- snip ---
static const struct object_ops pipe_server_ops =
{
    sizeof(struct pipe_server),   /* size */
    pipe_server_dump,             /* dump */
    no_get_type,                  /* get_type */
    add_queue,                    /* add_queue */
...
--- snip ---
Although not strictly needed, it might be worth returning type names for these too (touches same file):

* pipe_client
* named_pipe
$ sha1sum Firefox\ Setup\ 61.0.2.exe
cbda1b0eaf06486ac0dc8cd29df386d75dc1107c  Firefox Setup 61.0.2.exe

$ du -sh Firefox\ Setup\ 61.0.2.exe
35M     Firefox Setup 61.0.2.exe

$ wine --version
wine-3.14-323-g6edf38c205
Regards
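Added example (not part of the report, and not Gecko or Wine code): the trace above shows NtQueryObject returning success with an empty type (total=0, type=L""), followed by a write fault at address 0, which matches the unconditional terminator write in the quoted function. The C sketch below validates the returned name before writing the terminator; the struct stand-ins and the names terminate_type_name, query_buf and demo are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for UNICODE_STRING / OBJECT_TYPE_INFORMATION, constructed so this
   builds without the Windows SDK; only the leading Name field is modelled. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } USTR;
typedef struct { USTR Name; } TYPE_INFO;
struct query_buf { TYPE_INFO info; uint16_t chars[32]; };  /* caller's buffer */
enum { TYPE_OK = 0, TYPE_EMPTY = -1, TYPE_BAD = -2 };

/* Hypothetical helper: check the name a successful type query returned before terminating it. */
int terminate_type_name(struct query_buf *q)
{
    uintptr_t name = (uintptr_t)q->info.Name.Buffer;
    uintptr_t lo = (uintptr_t)q->chars, hi = (uintptr_t)q + sizeof(*q);
    size_t len = q->info.Name.Length;  /* bytes, terminator not included */

    /* The reply in the trace: status 0 but total=0, type=L"", so Buffer is NULL. */
    if (name == 0 || len == 0) return TYPE_EMPTY;
    /* Whole characters only, and name plus terminator inside our own buffer. */
    if (len % sizeof(uint16_t) != 0) return TYPE_BAD;
    if (name < lo || name > hi || hi - name < len + sizeof(uint16_t)) return TYPE_BAD;

    q->info.Name.Buffer[len / sizeof(uint16_t)] = 0;
    return TYPE_OK;
}

/* Type name seen in the trace for the other handle. */
static const uint16_t SECTION[] = { 'S', 'e', 'c', 't', 'i', 'o', 'n' };
/* Constructed replies: name == NULL models the empty pipe-server reply;
   claimed_len is the Length field the reply reports. */
int demo(const uint16_t *name, uint16_t len_bytes, uint16_t claimed_len)
{
    struct query_buf q;
    memset(&q, 0xe5, sizeof(q));
    q.info = (TYPE_INFO){0};
    if (name) {
        memcpy(q.chars, name, len_bytes);
        q.info.Name = (USTR){ claimed_len, sizeof(q.chars), q.chars };
    }
    int rc = terminate_type_name(&q);
    if (rc == TYPE_OK && q.chars[claimed_len / 2] != 0) return 1;  /* not terminated */
    return rc;
}

int main(void)
{
    printf("%d %d %d\n", demo(SECTION, 14, 14), demo(NULL, 0, 0), demo(SECTION, 14, 64));
    return 0;
}
```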
Anastasius Focht focht@gmx.net changed:
What | Removed | Added
----------------------------------------------------------------------------
URL | | https://filehippo.com/de/download_firefox/86978/
Keywords | | download
Summary | Firefox crashes on startup due to missing pipe server object type information (needed for Gecko's HandleDispatcher::DuplicateHandleProxy) | Firefox 61.x crashes on startup due to missing pipe server object type information (needed for Gecko's HandleDispatcher::DuplicateHandleProxy)
Anastasius Focht focht@gmx.net changed:
What | Removed | Added
----------------------------------------------------------------------------
Summary | Firefox 61.x crashes on startup due to missing pipe server object type information (needed for Gecko's HandleDispatcher::DuplicateHandleProxy) | Firefox 61.x crashes on startup due to missing pipe server object type information (Chromium Windows sandbox handle duplication service)
Keywords | | source
Anastasius Focht focht@gmx.net changed:
What | Removed | Added
----------------------------------------------------------------------------
See Also | | https://bugs.winehq.org/show_bug.cgi?id=45645
Jacek Caban jacek@codeweavers.com changed:
What | Removed | Added
----------------------------------------------------------------------------
CC | | jacek@codeweavers.com

--- Comment #1 from Jacek Caban jacek@codeweavers.com ---
Patch sent: https://bugs.winehq.org/show_bug.cgi?id=45743

Thanks for the report.
Jacek Caban jacek@codeweavers.com changed:
What | Removed | Added
----------------------------------------------------------------------------
Status | NEW | RESOLVED
Resolution | --- | FIXED
Fixed by SHA1 | | 8c9c2fca08bb654568071305ab98b16d5b712c47

--- Comment #2 from Jacek Caban jacek@codeweavers.com ---
Fixed in Git.
Alexandre Julliard julliard@winehq.org changed:
What | Removed | Added
----------------------------------------------------------------------------
Status | RESOLVED | CLOSED

--- Comment #3 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 3.16.
Zebediah Figura z.figura12@gmail.com changed:
What | Removed | Added
----------------------------------------------------------------------------
CC | | dark.shadow4@web.de

--- Comment #4 from Zebediah Figura z.figura12@gmail.com ---
*** Bug 45645 has been marked as a duplicate of this bug. ***
Aaron Simmons paleozogt@gmail.com changed:
What | Removed | Added
----------------------------------------------------------------------------
CC | | paleozogt@gmail.com
Anastasius Focht focht@gmx.net changed:
What | Removed | Added
----------------------------------------------------------------------------
URL | https://filehippo.com/de/download_firefox/86978/ | https://web.archive.org/web/20210320155903if_/https://ftp.mozilla.org/pub/firefox/releases/61.0.2/win32/en-US/Firefox%20Setup%2061.0.2.exe