http://bugs.winehq.org/show_bug.cgi?id=28795
Bug #: 28795
Summary: ExeInfoPE: PE protection schemes that abuse %gs won't run (breaks glibc TLS selector)
Product: Wine
Version: 1.3.30
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Classification: Unclassified
Hello,
newer versions of "ExeInfoPE" (>0.0.2.3) which coin their own PE protection scheme don't run anymore. There is still bug 26701 though the app crashes now earlier.
With tracing enabled:
--- snip ---
...
0024:Call KERNEL32.VirtualProtect(00400000,00001000,00000004,0032fe40) ret=05bd0336
0024:Ret KERNEL32.VirtualProtect() retval=00000001 ret=05bd0336
0024:Call KERNEL32.VirtualProtect(00400000,00001000,00000002,0032fe40) ret=05bd034b
0024:Ret KERNEL32.VirtualProtect() retval=00000001 ret=05bd034b
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0xb74a916a ip=b74a916a tid=0024
0024:trace:seh:raise_exception info[0]=00000000
0024:trace:seh:raise_exception info[1]=ffffffff
0024:trace:seh:raise_exception eax=7bc9d7a7 ebx=b75e0ff4 ecx=0032fdcc edx=7bc9d7a7 esi=0032fc74 edi=ffffffc8
0024:trace:seh:raise_exception ebp=0032fc48 esp=0032f6bc cs=0073 ds=007b es=007b fs=0033 gs=0002 flags=00010246
0024:trace:seh:call_vectored_handlers calling handler at 0x7e16e0bd code=c0000005 flags=0
0024:trace:seh:call_vectored_handlers handler at 0x7e16e0bd returned 0
0024:trace:seh:call_stack_handlers calling handler at 0x7bc90f61 code=c0000005 flags=0
0024:Call KERNEL32.UnhandledExceptionFilter(0032f194) ret=7bc90f9b
wine: Unhandled page fault on read access to 0xffffffff at address 0xb74a916a (thread 0024), starting debugger...
0024:trace:seh:start_debugger Starting debugger "winedbg --auto 35 52"
0024:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc90f9b
0024:trace:seh:call_stack_handlers handler at 0x7bc90f61 returned 1
Unhandled exception: page fault on read access to 0xffffffff in 32-bit code (0xb74a916a).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:0002
 EIP:b74a916a ESP:0032f6bc EBP:0032fc48 EFLAGS:00010246( R- -- I Z- -P- )
 EAX:7bc9d7a7 EBX:b75e0ff4 ECX:0032fdcc EDX:7bc9d7a7
 ESI:0032fc74 EDI:ffffffc8
Stack dump:
0x0032f6bc: 0032fc7c 7bc9d82e 0032fc58 b74a992c
0x0032f6cc: 0032fc7c 7bc9d82d 00000001 00000000
0x0032f6dc: 0032fc8c 7bc9d82d 00000001 00000001
0x0032f6ec: 7bc9d82d 00000000 00000000 00000001
0x0032f6fc: 7bc9d82d 00000000 00000000 00000000
0x0032f70c: 00000000 00000000 00000000 00000000
Backtrace:
=>0 0xb74a916a _IO_vfprintf+0x3a() in libc.so.6 (0x0032fc48)
  1 0xb74cbdbb vsnprintf+0xca() in libc.so.6 (0x0032fc74)
  2 0x7bc350f9 NTDLL_dbg_vprintf+0x56() in ntdll (0x0032fd90)
  3 0xb761ab63 wine_dbg_printf+0x2e() in libwine.so.1 (0x0032fdc0)
  4 0x7bc640e5 relay_call+0x113() in ntdll (0x0032fe10)
  5 0x7b8224ad in kernel32 (+0x124ac) (0x0032fe60)
  6 0x004075cd in exeinfope (+0x75cc) (0x0032fe60)
  7 0x7b85de44 call_process_entry+0xb() in kernel32 (0x0032fe78)
  8 0x7b85df8a start_process+0x143() in kernel32 (0x0032fec8)
  9 0x7bc7a244 call_thread_func+0xb() in ntdll (0x0032fed8)
  10 0x7bc7a282 call_thread_entry_point+0x33() in ntdll (0x0032ffb8)
  11 0x7bc51ebc start_process+0x25() in ntdll (0x0032ffe8)
  12 0xb761edb5 wine_call_on_stack+0x1c() in libwine.so.1 (0x00000000)
0xb74a916a _IO_vfprintf+0x3a in libc.so.6: movl %gs:0x00000000,%ecx
--- snip ---
The protection scheme fiddles with the %gs selector value, which breaks TLS pointer access through %gs:0 (Wine uses %fs) or the stack protector scheme that userland libs and Wine are built with (glibc-provided __stack_chk_guard at %gs:0x14).
My gcc 4.6.1 x86 host toolchain has -fstack-protector enabled by default, hence Wine gets the stack canary code in the binaries. The glibc here (Xubuntu 11.10) has stack smashing protection enabled by default.
Even if Wine is built with "-fno-stack-protector", the app would still break glibc %gs TLS code.
This is just a "collector" bug for apps that run into this issue. WONTFIX obviously: there is no reliable way to know when to repair/restore the %gs value (and restart the faulting instruction).
Regards
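Added example, written for this page and not code from the report, from Wine or from ExeInfoPE. It makes the explanation above concrete: on i386 the glibc ABI hard-codes the TLS self pointer at %gs:0 and the stack-protector guard at %gs:0x14, so a protector that loads a bogus selector into %gs (GS:0002 in the dump) faults on the next libc call. The block reads those two slots, screens selector values taken from the register dump, and, when built with -m32, reconstructs the repair technique that the later fix's title describes ("check for invalid %gs value"): a SIGSEGV handler that writes the known-good %gs back into the signal context so the kernel re-executes the faulting instruction. The x86_64 offsets (%fs:0, %fs:0x28), all helper names and the handler are my assumptions, not Wine's implementation. Linux on x86 only.

```c
/* Added example, not code from Wine or ExeInfoPE.  Linux on x86 only.
 * (1) Read the TLS slots the i386 ABI hard-codes: self pointer at %gs:0,
 *     stack-protector guard at %gs:0x14 (x86_64: %fs:0 and %fs:0x28,
 *     included so the file also runs on a 64-bit host).
 * (2) Screen a selector value from a register dump.
 * (3) i386 only (build with -m32): restore a clobbered %gs from a SIGSEGV
 *     handler so the kernel re-executes the faulting instruction. */
#define _GNU_SOURCE
#include <pthread.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#if !defined(__i386__) && !defined(__x86_64__)
#error "x86 only: TLS is reached through a segment register here"
#endif

void *tls_self_pointer(void)            /* what movl %gs:0,%ecx above reads */
{
    void *p;
#if defined(__i386__)
    __asm__ volatile("movl %%gs:0, %0" : "=r"(p));
#else
    __asm__ volatile("movq %%fs:0, %0" : "=r"(p));
#endif
    return p;
}

uintptr_t stack_guard(void)             /* __stack_chk_guard slot */
{
    uintptr_t g;
#if defined(__i386__)
    __asm__ volatile("movl %%gs:0x14, %0" : "=r"(g));
#else
    __asm__ volatile("movq %%fs:0x28, %0" : "=r"(g));
#endif
    return g;
}

/* A usable 32-bit user-mode data selector has RPL 3 and is not the null
 * selector (GDT index 0).  GS:0002 from the dump fails both tests;
 * FS:0033 and DS:007b pass. */
int is_user_data_selector(uint16_t sel)
{
    unsigned index = sel >> 3, in_ldt = (sel >> 2) & 1, rpl = sel & 3;
    if (rpl != 3) return 0;
    if (!in_ldt && index == 0) return 0;            /* null selector */
    return 1;
}

#if defined(__i386__)
static volatile uint16_t good_gs;       /* libc's value, saved before the clobber */
static volatile int repairs;

static uint16_t read_gs(void)
{
    uint16_t s;
    __asm__ volatile("movw %%gs, %0" : "=r"(s));
    return s;
}

/* No stack protector here: the handler must not read %gs:0x14 itself.
 * A mismatching %gs in the context is put right and the handler returns;
 * sigreturn reloads %gs and the faulting instruction runs again.
 * Any other fault is a real one and is re-raised with the default action. */
__attribute__((optimize("no-stack-protector")))
static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    (void)sig; (void)si;
    if ((uint16_t)uc->uc_mcontext.gregs[REG_GS] != good_gs) {
        uc->uc_mcontext.gregs[REG_GS] = good_gs;
        repairs++;
        return;
    }
    signal(SIGSEGV, SIG_DFL);
    raise(SIGSEGV);
}

/* Reproduce the protector's trick with the bogus selector 0x0002 from the
 * report, then go through libc.  Without the handler this dies like the
 * vfprintf crash above; with it the first %gs access is repaired. */
int demo_clobber_and_repair(void)
{
    struct sigaction sa;
    char buf[32];
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
    good_gs = read_gs();
    __asm__ volatile("movw %0, %%gs" : : "r"((uint16_t)0x0002) : "memory");
    snprintf(buf, sizeof buf, "%p", tls_self_pointer());
    return repairs > 0 && read_gs() == good_gs;
}
#endif

int main(void)
{
    printf("TLS self %p (pthread_self %p), guard %#lx, selector 0x0002 usable: %d\n",
           tls_self_pointer(), (void *)pthread_self(),
           (unsigned long)stack_guard(), is_user_data_selector(0x0002));
#if defined(__i386__)
    printf("clobber %%gs, repair from SIGSEGV: %s\n",
           demo_clobber_and_repair() ? "recovered" : "not recovered");
#endif
    return 0;
}
```

On a 64-bit host the repair path is compiled out and only the TLS reads and the selector screen run; on a 32-bit build the program survives the clobber because the handler repairs %gs before the instruction at EIP is retried. The handler is built without a stack protector because its own prologue would otherwise read %gs:0x14 while the bad selector is still loaded, which is the same fault it is trying to handle.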
Anastasius Focht focht@gmx.net changed:
What       | Removed | Added
-----------+---------+---------------------------
Keywords   |         | obfuscation
Status     | NEW     | RESOLVED
URL        |         | http://www.exeinfo.xwp.pl/
Resolution |         | WONTFIX
--- Comment #1 from Anastasius Focht focht@gmx.net 2011-10-18 15:23:52 CDT ---
Hello,
filling fields and resolving ;-)
$ wine --version
wine-1.3.30-253-g6b0f110
ExeInfoPE version : 0.0.3.0 - ( 617 sign )
Regards
Austin English austinenglish@gmail.com changed:
What   | Removed  | Added
-------+----------+-------
Status | RESOLVED | CLOSED
--- Comment #2 from Austin English austinenglish@gmail.com 2011-10-19 13:09:42 CDT ---
Closing.
--- Comment #3 from Bruno Jesus 00cpxxx@gmail.com 2013-02-19 22:02:42 CST ---
A similar bug that had problems with %gs was fixed recently by http://source.winehq.org/git/wine.git/commitdiff/64ddb263d25dfceeeae8457a013...
Maybe this patch helps here too?
--- Comment #4 from Bruno Jesus 00cpxxx@gmail.com 2013-05-23 08:02:55 CDT ---
Created attachment 44534
  --> http://bugs.winehq.org/attachment.cgi?id=44534
screenshot wine 1.5.30
Anastasius, I still think this was fixed by the commit in my previous comment. I don't have the 0.0.3.0 version so I tried the latest 0.0.3.3 and the program works and is able to extract info from itself. What is the correct way to test this bug?
Anastasius Focht focht@gmx.net changed:
What          | Removed  | Added
--------------+----------+-----------------------------------------
Fixed by SHA1 |          | 64ddb263d25dfceeeae8457a0131f1a2af292383
Status        | CLOSED   | RESOLVED
Component     | -unknown | ntdll
Resolution    | WONTFIX  | FIXED
--- Comment #5 from Anastasius Focht focht@gmx.net 2013-05-23 15:36:25 CDT ---
Hello Bruno,
Well, since it's about the same thing, that part was most likely fixed, yes. Unfortunately the author seems to change/invent protection features very often, so bug verification can only be done on a certain range of app versions that might not be available anymore.
Anyway, marking that bug fixed, too. Thanks.
Regards
--- Comment #6 from Bruno Jesus 00cpxxx@gmail.com 2013-05-23 15:54:14 CDT ---
Hi, thanks for the answer. I'm confused now =) The crash should happen when opening ExeInfoPE or when opening a PE protected file inside ExeInfoPE? If it's the second case I can try opening the EXE file from the game GPolice from bug 23227 (bug which was fixed by the same commit).
Regards.
Bruno Jesus 00cpxxx@gmail.com changed:
What       | Removed  | Added
-----------+----------+--------
Status     | RESOLVED | CLOSED
Resolution | FIXED    | WONTFIX
--- Comment #7 from Bruno Jesus 00cpxxx@gmail.com 2013-05-24 09:03:54 CDT ---
Well, I understand your concern about this bug better now. I just used archive.org to get some older versions of the program and found out that versions "0.0.29 598 sign" and "version 0.0.3.0 617 sign" really do not run in wine. Although they don't crash anymore, they silently quit without showing anything, so all your study is still valid. After reverting 64ddb263d25dfceeeae8457a0131f1a2af292383 they start crashing again, so that commit seems to have improved the situation but does not solve it completely. Sorry for the noise ;)
Anastasius Focht focht@gmx.net changed:
What       | Removed                                                                              | Added
-----------+--------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------
Summary    | ExeInfoPE: PE protection schemes that abuse %gs won't run (breaks glibc TLS selector) | ExeInfoPE v0.0.3.0: PE protection schemes that abuse %gs won't run (breaks glibc TLS selector)
Resolution | WONTFIX                                                                              | FIXED
URL        | http://www.exeinfo.xwp.pl/                                                           | https://archive.org/details/exeinfo-pe-v-0.0.3.0
Status     | CLOSED                                                                               | RESOLVED
Keywords   |                                                                                      | download
--- Comment #8 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting. Adding stable download via Internet Archive (manual upload).
https://archive.org/details/exeinfo-pe-v-0.0.3.0
@Bruno comment #7
--- quote ---
Well, I understand your concern about this bug better now. I just used archive.org to get some older versions of the program and found out that versions "0.0.29 598 sign" and "version 0.0.3.0 617 sign" really do not run in wine. Although they don't crash anymore, they silently quit without showing anything, so all your study is still valid. After reverting 64ddb263d25dfceeeae8457a0131f1a2af292383 they start crashing again, so that commit seems to have improved the situation but does not solve it completely.
--- quote ---
I've retested old ExeInfo 0.0.3.0 and found no problems running it. UI works and analyzing executables works.
Resolving as fixed by commit https://source.winehq.org/git/wine.git/commitdiff/64ddb263d25dfceeeae8457a01... ("ntdll: Check for invalid %gs value in 32-bit code.").
Part of Wine 1.5.24 release.
Thanks Alexandre.
$ sha1sum ExeinfoPE\ v0.0.3.0.zip
f7114968604d543cf2df91f499179bcae70238f5  ExeinfoPE v0.0.3.0.zip

$ du -sh ExeinfoPE\ v0.0.3.0.zip
908K    ExeinfoPE v0.0.3.0.zip

$ wine --version
wine-1.5.24
Regards
Alexandre Julliard julliard@winehq.org changed:
What   | Removed  | Added
-------+----------+-------
Status | RESOLVED | CLOSED
--- Comment #9 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 6.13.