https://bugs.winehq.org/show_bug.cgi?id=38955
Bug ID: 38955
Summary: Visual Studio Code installer crashes on startup (parsing of overly long string-format security descriptor causes stack corruption)
Product: Wine
Version: 1.7.47
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: advapi32
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
the installer passes an overly long string-format security descriptor which is greater than MAX_PATH.
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./VSCodeSetup.exe >>log.txt 2>&1
...
0044:Call advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW(004237d0 L"D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)(A"...,00000001,0033d5a0,00000000) ret=004022d7
0044:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7ea9690c ip=7ea9690c tid=0044
0044:trace:seh:raise_exception info[0]=00000001
0044:trace:seh:raise_exception info[1]=00d1d326
0044:trace:seh:raise_exception eax=004f0049 ebx=0033d540 ecx=0033d480 edx=0033d294 esi=0033d584 edi=0033d550
0044:trace:seh:raise_exception ebp=0033d4c8 esp=0033d260 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
...
Unhandled exception: page fault on write access to 0x003b0041 in 32-bit code (0x7ea99089).
...
Backtrace:
=>0 0x7ea99089 ParseStringSidToSid+0x3a4(StringSid="PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)(A;;0x1200a9;;;AC)(A;OICIIO;GXGR;;;AC)?????", pSid=0x3b0041, cBytes=0x33d28c) [/home/focht/projects/wine/wine.repo/src/dlls/advapi32/security.c:5587] in advapi32 (0x0033d258)
  1 0x7ea969c7 ParseStringSecurityDescriptorToSecurityDescriptor+0x197(StringSecurityDescriptor="", SecurityDescriptor=0x610030, cBytes=0x3b0039) [/home/focht/projects/wine/wine.repo/src/dlls/advapi32/security.c:4577] in advapi32 (0x0033d4c8)
  2 0x00310078 (0x0030003b)
0x7ea99089 ParseStringSidToSid+0x3a4 [/home/focht/projects/wine/wine.repo/src/dlls/advapi32/security.c:5587] in advapi32: movb $0x1,0x0(%eax)
5587        pisid->Revision = SDDL_REVISION;
Modules:
Module  Address            Debug info  Name (66 modules)
PE        400000- 3e07000  Deferred    vscodesetup
ELF     7b800000-7ba71000  Deferred    kernel32<elf>
 -PE    7b820000-7ba71000  \           kernel32
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000043 (D) Z:\home\focht\Downloads\VSCodeSetup.exe
         00000044    0 <==
--- snip ---
Source: https://source.winehq.org/git/wine.git/blob/3e55f1d2cc673d55ee342ff168a335b3...
--- snip ---
4508 static BOOL ParseStringSecurityDescriptorToSecurityDescriptor(
4509     LPCWSTR StringSecurityDescriptor,
4510     SECURITY_DESCRIPTOR_RELATIVE* SecurityDescriptor,
4511     LPDWORD cBytes)
4512 {
4513     BOOL bret = FALSE;
4514     WCHAR toktype;
4515     WCHAR tok[MAX_PATH];
4516     LPCWSTR lptoken;
4517     LPBYTE lpNext = NULL;
4518     DWORD len;
4519
4520     *cBytes = sizeof(SECURITY_DESCRIPTOR);
4521
4522     if (SecurityDescriptor)
4523         lpNext = (LPBYTE)(SecurityDescriptor + 1);
...
--- snip ---
$ sha1sum VSCodeSetup.exe
c971e8805aa21ef6483e04434cb819e524e682f0  VSCodeSetup.exe

$ du -sh VSCodeSetup.exe
59M     VSCodeSetup.exe

$ wine --version
wine-1.7.47-162-g0f9a0aa
Regards
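The failure mode reported above, as an added example (not Wine's code and not the fix referenced later in this bug): a component body copied into a buffer of MAX_PATH characters must either be length-checked or the buffer must be sized from the input. The code uses `char` instead of `WCHAR` for portability; `TOK_CAP`, `SAMPLE`, `body_len`, `sddl_copy_body` and `sddl_dup_body` are hypothetical names, and splitting a body at the next `X:` tag is an assumption about how the components are scanned.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOK_CAP 260 /* stands in for MAX_PATH, the size of tok[] in the excerpt */
#define ACE "(A;OICIIO;GA;;;SY)" /* an ACE that appears in the trace */
#define ACE5 ACE ACE ACE ACE ACE
/* Constructed input: 20 ACEs give a 363-character DACL body, then a SACL tag. */
const char SAMPLE[] = "D:PAI" ACE5 ACE5 ACE5 ACE5 "S:";

/* Length of a component body: everything up to the next "X:" tag or the end. */
static size_t body_len(const char *s)
{
    const char *p = s;
    while (*p && *p != ':') p++;
    if (*p && p > s) p--;   /* the character before ':' is the next tag */
    return (size_t)(p - s);
}

/* Bounded copy: rejects a body that does not fit instead of writing past dst. */
int sddl_copy_body(const char *s, char *dst, size_t cap)
{
    size_t len = body_len(s);
    if (len >= cap)
        return -1;
    memcpy(dst, s, len);
    dst[len] = '\0';
    return (int)len;
}

/* Heap copy: the buffer is sized from the input; the caller frees it. */
char *sddl_dup_body(const char *s)
{
    size_t cap = body_len(s) + 1;
    char *tok = malloc(cap);
    if (tok) sddl_copy_body(s, tok, cap);
    return tok;
}

int main(void)
{
    char fixed[TOK_CAP];
    char *tok = sddl_dup_body(SAMPLE + 2);   /* skip the "D:" tag */
    printf("fixed buffer: %d\n", sddl_copy_body(SAMPLE + 2, fixed, sizeof fixed));
    printf("heap buffer:  %zu chars\n", tok ? strlen(tok) : 0);
    free(tok);
    return 0;
}
```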
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, Installer
                URL|                            |https://go.microsoft.com/fw
                   |                            |link/?LinkID=534107
--- Comment #1 from Nikolay Sivov bunglehead@gmail.com ---
I'll take a look quickly.
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |3b5107d06305972beaa9c5ff147
                   |                            |ecbcd99949a75
             Status|NEW                         |RESOLVED
                 CC|                            |leslie_alistair@hotmail.com
         Resolution|---                         |FIXED
--- Comment #2 from Alistair Leslie-Hughes leslie_alistair@hotmail.com ---
Fixed by http://source.winehq.org/git/wine.git/?a=commit;h=3b5107d06305972beaa9c5ff14...
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.50.
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|https://go.microsoft.com/fw |https://web.archive.org/web
                   |link/?LinkID=534107         |/20150919090011/https://az7
                   |                            |64295.vo.msecnd.net/public/
                   |                            |0.8.0/VSCodeSetup.exe
--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download link to Internet Archive for documentation.
https://web.archive.org/web/20150919090011/https://az764295.vo.msecnd.net/pu...
https://www.virustotal.com/gui/file/3ae51c4647091382d3955e636a0d4a6d8058cead...
$ sha1sum VSCodeSetup.exe
fb21f9438e1265ee2ab03608dd0a48a8fdca3498  VSCodeSetup.exe

$ du -sh VSCodeSetup.exe
43M     VSCodeSetup.exe
Regards