http://bugs.winehq.org/show_bug.cgi?id=19555
Summary: Crash in mountmgr early during Jumpstart 1st Grade Classic install; use-after-free bug
Product: Wine
Version: 1.1.23
Platform: PC
OS/Version: Linux
Status: NEW
Keywords: Installer
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Just updated to git, tried installing Jumpstart 1st Grade classic. Crashed as follows:
=>0 0x7eb29ace add_dos_device+0x1de(letter=-1, udi="/org/freedesktop/Hal/devices/volume_label_1stGrade________", device="/dev/sr0", mount_point="/media/cdrom0", type=DEVICE_CDROM, guid=(nil)) [dlls/mountmgr.sys/device.c:753] in mountmgr.sys (0x0074e878)
  1 0x7eb2ad68 new_device+0x408(ctx=0x7d54ce58, udi="/org/freedesktop/Hal/devices/volume_label_1stGrade________") [dlls/mountmgr.sys/hal.c:175] in mountmgr.sys (0x0074e968)
  2 0x7eb2afc8 hal_thread+0x1a8(arg=(nil)) [dlls/mountmgr.sys/hal.c:249] in mountmgr.sys (0x0074ea88)
After rooting around a while, it seems this is a use-after-free bug; when add_dos_device() calls delete_dos_device(drive), it should also set volume to NULL, since deleting that drive also frees the volume.
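The ownership mistake described in the report, as an added example that is not part of the bug report and not Wine's code: a constructed model in which a dos device owns its volume, delete_dos_device() releases the volume together with the device, and the local volume pointer inside add_dos_device() is left dangling unless it is cleared. The names add_dos_device and delete_dos_device come from the report; the struct layouts, the magic-word quarantine that makes the stale pointer detectable without a crash, and the helpers register_device, find_device_for_udi and new_volume are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not Wine's code): a dos_device owns exactly one volume,
 * and deleting the device releases the volume. A magic word in the volume
 * lets a dangling pointer be recognised instead of dereferenced blindly. */
#define VOLUME_MAGIC 0x564f4c55u   /* "VOLU" */
#define VOLUME_DEAD  0xdeadbeefu
#define MAX_LETTERS  26
#define QUARANTINE   64

struct volume {
    unsigned magic;
    char udi[96];
    char device[32];
};

struct dos_device {
    int letter;
    struct volume *volume;   /* owned; released by delete_dos_device() */
};

static struct dos_device *devices[MAX_LETTERS];

/* Released volumes are quarantined (never handed back to malloc) so the
 * poisoned magic stays readable; a debugging aid, not a production heap. */
static struct volume *quarantine[QUARANTINE];
static int quarantine_count;

static struct volume *new_volume(const char *udi, const char *device)
{
    struct volume *v = calloc(1, sizeof(*v));
    if (!v) return NULL;
    v->magic = VOLUME_MAGIC;
    snprintf(v->udi, sizeof(v->udi), "%s", udi);
    snprintf(v->device, sizeof(v->device), "%s", device);
    return v;
}

static void release_volume(struct volume *v)
{
    v->magic = VOLUME_DEAD;
    if (quarantine_count < QUARANTINE) quarantine[quarantine_count++] = v;
    /* else: deliberately leaked rather than freed, so reads stay defined */
}

/* 1 if v is a live volume, 0 if it points at released memory. */
static int volume_is_live(const struct volume *v)
{
    return v && v->magic == VOLUME_MAGIC;
}

static struct dos_device *find_device_for_udi(const char *udi)
{
    for (int i = 0; i < MAX_LETTERS; i++)
        if (devices[i] && strcmp(devices[i]->volume->udi, udi) == 0)
            return devices[i];
    return NULL;
}

static void delete_dos_device(struct dos_device *drive)
{
    devices[drive->letter] = NULL;
    release_volume(drive->volume);   /* the volume dies with its owner */
    free(drive);
}

/* Returns the letter used, -1 for a dangling volume, -2 for no free letter
 * or an occupied letter, -3 for allocation failure. letter < 0 = pick one. */
static int register_device(int letter, struct volume *volume)
{
    struct dos_device *drive;
    if (!volume_is_live(volume)) return -1;   /* use-after-free caught here */
    if (letter < 0)
        for (letter = 0; letter < MAX_LETTERS && devices[letter]; letter++) ;
    if (letter >= MAX_LETTERS || devices[letter]) return -2;
    drive = calloc(1, sizeof(*drive));
    if (!drive) return -3;
    drive->letter = letter;
    drive->volume = volume;
    devices[letter] = drive;
    return letter;
}

/* Defective pattern: the existing drive for this udi is torn down so it can
 * be re-added, but 'volume' still points at memory delete_dos_device() released. */
int add_dos_device_buggy(int letter, const char *udi, const char *device)
{
    struct dos_device *drive = find_device_for_udi(udi);
    struct volume *volume = drive ? drive->volume : NULL;

    if (drive) delete_dos_device(drive);
    if (!volume) volume = new_volume(udi, device);
    return register_device(letter, volume);   /* -1: volume is stale */
}

/* Corrected pattern: forget the pointer when its owner goes, so a fresh
 * volume is allocated instead of reusing the released one. */
int add_dos_device_fixed(int letter, const char *udi, const char *device)
{
    struct dos_device *drive = find_device_for_udi(udi);
    struct volume *volume = drive ? drive->volume : NULL;

    if (drive) {
        delete_dos_device(drive);
        volume = NULL;   /* deleting the drive released the volume */
    }
    if (!volume) volume = new_volume(udi, device);
    return register_device(letter, volume);
}

int main(void)
{
    const char *udi = "/org/example/volume_label_sample";   /* constructed udi */
    int first = add_dos_device_fixed(-1, udi, "/dev/sr0");
    int again = add_dos_device_buggy(-1, udi, "/dev/sr0");
    printf("first add -> letter %d; re-add via buggy path -> %d\n", first, again);
    return 0;
}
```

Running the re-add through the buggy path returns -1 because the magic word was poisoned by the release; in a real heap the same stale read would land on freed or reused memory, which is the crash in the backtrace above. The one-line fix is the volume = NULL after delete_dos_device(), exactly the change the report proposes.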
--- Comment #1 from Dan Kegel dank@kegel.com 2009-08-03 00:48:17 ---
Created an attachment (id=22789)
 --> (http://bugs.winehq.org/attachment.cgi?id=22789)
patch to print error message when we're about to crash because of this bug
The code's complicated, so all I can do tonight is show where the problem is, hopefully the author can fix.
--- Comment #2 from Austin English austinenglish@gmail.com 2009-08-03 00:54:08 ---
(In reply to comment #1)
> Created an attachment (id=22789)
>  --> (http://bugs.winehq.org/attachment.cgi?id=22789) [details]
> patch to print error message when we're about to crash because of this bug
>
> The code's complicated, so all I can do tonight is show where the problem is, hopefully the author can fix.

Is this a regression?
Dan Kegel dank@kegel.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |regression

--- Comment #3 from Dan Kegel dank@kegel.com 2009-08-03 00:56:17 ---
Yes, it's a regression; 1.0.1 didn't crash.
Alexandre rewrote this code on July 22nd, perhaps it regressed then.
--- Comment #4 from Andrew Nguyen arethusa26@gmail.com 2009-08-03 00:59:19 ---
Isn't this a duplicate of bug 19456?
--- Comment #5 from Jeff Zaroyko jeffz@jeffz.name 2009-08-03 02:50:15 ---
(In reply to comment #4)
> Isn't this a duplicate of bug 19456?

Looks like it. Someone has also sent a patch already.
http://www.winehq.org/pipermail/wine-patches/2009-July/076489.html
Jeff Zaroyko jeffz@jeffz.name changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #6 from Jeff Zaroyko jeffz@jeffz.name 2009-08-03 02:50:43 ---
marking duplicate
*** This bug has been marked as a duplicate of bug 19456 ***
Jeff Zaroyko jeffz@jeffz.name changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Jeff Zaroyko jeffz@jeffz.name 2009-08-03 02:52:01 ---
closing dup