https://bugs.winehq.org/show_bug.cgi?id=50791
Bug ID: 50791 Summary: NtQueryObject( ..., ObjectBasicInformation, NULL, 0, &retLen) returns incorrect NTSTATUS error code when querying for buffer size Product: Wine Version: 6.3 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntdll Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---
Hello folks,
found while testing the 'EditSection' tool from Google sandbox-attacksurface-analysis-tools v1.1.x: it fails to list sections. Follow-up of bug 45132
--- snip --- $ WINEDEBUG=+seh,+relay,+ntdll,+server wine ./EditSection.exe >>log.txt 2>&1 ... 0024:Call ntdll.NtQuerySystemInformation(00000005,001fb320,00002228,0033eae4) ret=05a0be37 0024:trace:ntdll:NtQuerySystemInformation (0x00000005,0x1fb320,0x00002228,0x33eae4) 0024: list_processes( ) 0024: list_processes() = 0 { info_size=2024, process_count=9, data={{start_time=1d7165dcc491236 (-5.4284020),thread_count=3,priority=2,pid=0020,parent_pid=0000,handle_count=256,unix_pid=293760,name=L"\??\Z:\home\focht\Downloads\commonobj\EditSection.exe",threads={{start_time=1d7165dcbd1a2be (-6.2111340),tid=0024,base_priority=0,current_priority=0,unix_tid=293760},{start_time=1d7165dcc64cd1e (-5.2466700),tid=00fc,base_priority=0,current_priority=0,unix_tid=293825},{start_time=1d7165dcc65c214 (-5.2403990),tid=0100,base_priority=2,current_priority=2,unix_tid=293826}}},{start_time=1d7165dcbdadb18 (-6.1507090),thread_count=9,priority=2,pid=0038,parent_pid=0028,handle_count=128,unix_pid=293768,name=L"\??\C:\windows\system32\services.exe",threads={{start_time=1d7165dcbd96030 (-6.1604090),tid=003c,base_priority=0,current_priority=0,unix_tid=293768}, ... {start_time=1d7165dcc4b8b06 (-5.4122020),thread_count=1,priority=2,pid=00f4,parent_pid=0020,handle_count=32,unix_pid=293824,name=L"\??\C:\windows\system32\conhost.exe",threads={{start_time=1d7165dcc4a8198 (-5.4189970),tid=00f8,base_priority=0,current_priority=0,unix_tid=293824}}}} } 0024:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=05a0be37 ... 0024:Call ntdll.NtOpenProcess(0033eccc,00001040,0033ec60,01e2d450) ret=05a0cc71 0024: open_process( pid=0020, access=00001040, attributes=00000000 ) 0024: open_process() = 0 { handle=01cc } 0024:Ret ntdll.NtOpenProcess() retval=00000000 ret=05a0cc71 ... 
0024:Call ntdll.NtQueryObject(000001cc,00000000,00000000,00000000,0033ebc4) ret=05a00b58 0024:Ret ntdll.NtQueryObject() retval=c0000206 ret=05a00b58 0024:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0033eaa0) ret=013b48c7 0024:Call ntdll.memcpy(0033e9b8,0033eaa0,00000014) ret=7b0101c8 0024:Ret ntdll.memcpy() retval=0033e9b8 ret=7b0101c8 0024:trace:seh:dispatch_exception code=e0434352 flags=1 addr=7B0101D8 ip=7b0101d8 tid=0024 0024:trace:seh:dispatch_exception info[0]=80131600 0024:trace:seh:dispatch_exception info[1]=00000000 0024:trace:seh:dispatch_exception info[2]=00000000 0024:trace:seh:dispatch_exception info[3]=00000000 0024:trace:seh:dispatch_exception info[4]=01290000 0024:warn:seh:dispatch_exception unknown exception (code=e0434352) raised 0024:trace:seh:dispatch_exception eax=0033e9a4 ebx=00000005 ecx=0033eaa0 edx=00000014 esi=00000005 edi=0033ea10 0024:trace:seh:dispatch_exception ebp=0033e9f8 esp=0033e9a4 cs=7bc50023 ds=33002b es=7bc3002b fs=330063 gs=006b flags=00000212 0024:trace:seh:call_vectored_handlers calling handler at 01431BEA code=e0434352 flags=1 --- snip ---
The NTSTATUS code 0xc0000206 = STATUS_INVALID_BUFFER_SIZE is unexpected for the app: its size-probing call (NULL buffer, length 0) only accepts STATUS_BUFFER_TOO_SMALL or STATUS_INFO_LENGTH_MISMATCH, so any other status is treated as a hard error, which is the exception (code e0434352) raised in the log above.
App source code:
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/bl...
--- snip --- ...
/// <summary>
/// Queries information about a kernel object, first probing for the required
/// buffer size and then issuing the real query into a buffer of that size.
/// </summary>
/// <typeparam name="T">Structure type the returned buffer is interpreted as.</typeparam>
/// <param name="handle">Handle of the object being queried.</param>
/// <param name="object_info">Object information class to query.</param>
/// <param name="throw_on_error">True to throw on a failing NTSTATUS, false to return it inside the result.</param>
/// <returns>The status of the final query together with the buffer holding the information on success.</returns>
private static NtResult<SafeStructureInOutBuffer<T>> QueryObject<T>(SafeKernelObjectHandle handle, ObjectInformationClass object_info, bool throw_on_error) where T : new()
{
    SafeStructureInOutBuffer<T> buffer = null;
    NtStatus status = NtStatus.STATUS_BUFFER_TOO_SMALL;
    try
    {
        // Size probe: a NULL buffer of length 0 is expected to fail with one of the
        // two "buffer too small" codes and report the required length.
        status = NtSystemCalls.NtQueryObject(handle, object_info, SafeHGlobalBuffer.Null, 0, out int required_length);
        bool needs_larger_buffer = status == NtStatus.STATUS_BUFFER_TOO_SMALL
            || status == NtStatus.STATUS_INFO_LENGTH_MISMATCH;
        if (!needs_larger_buffer)
        {
            // Any other status from the probe is routed to the error result path.
            return status.CreateResultFromError<SafeStructureInOutBuffer<T>>(throw_on_error);
        }

        // A reported length of 0 falls back to the default-sized buffer for T.
        buffer = required_length == 0
            ? new SafeStructureInOutBuffer<T>()
            : new SafeStructureInOutBuffer<T>(required_length, false);
        status = NtSystemCalls.NtQueryObject(handle, object_info, buffer, buffer.Length, out required_length);
        return status.CreateResult(throw_on_error, () => buffer);
    }
    finally
    {
        // Release the buffer whenever the last recorded status is not a success.
        if (buffer != null && !status.IsSuccess())
        {
            buffer.Close();
            buffer = null;
        }
    }
}
--- snip ---
Wine source:
https://source.winehq.org/git/wine.git/blob/580413032c61bc142078d08efb1d1167...
--- snip --- 6581 /************************************************************************** 6582 * NtQueryObject (NTDLL.@) 6583 */ 6584 NTSTATUS WINAPI NtQueryObject( HANDLE handle, OBJECT_INFORMATION_CLASS info_class, 6585 void *ptr, ULONG len, ULONG *used_len ) 6586 { 6587 NTSTATUS status; 6588 6589 TRACE("(%p,0x%08x,%p,0x%08x,%p)\n", handle, info_class, ptr, len, used_len); 6590 6591 if (used_len) *used_len = 0; 6592 6593 switch (info_class) 6594 { 6595 case ObjectBasicInformation: 6596 { 6597 OBJECT_BASIC_INFORMATION *p = ptr; 6598 6599 if (len < sizeof(*p)) return STATUS_INVALID_BUFFER_SIZE; 6600 6601 SERVER_START_REQ( get_object_info ) 6602 { 6603 req->handle = wine_server_obj_handle( handle ); 6604 status = wine_server_call( req ); 6605 if (status == STATUS_SUCCESS) 6606 { 6607 memset( p, 0, sizeof(*p) ); 6608 p->GrantedAccess = reply->access; 6609 p->PointerCount = reply->ref_count; 6610 p->HandleCount = reply->handle_count; 6611 if (used_len) *used_len = sizeof(*p); 6612 } 6613 } 6614 SERVER_END_REQ; 6615 break; 6616 } ... --- snip ---
The incorrect NTSTATUS error code has been present from the start. It was introduced with https://source.winehq.org/git/wine.git/commitdiff/bae75024a430dd4486e4f5d786... ("server/ntdll: Simplistic implementation of NtQueryObject(ObjectBasicInformation).")
$ sha1sum Release-v1.1.14.7z 8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a Release-v1.1.14.7z
$ du -sh Release-v1.1.14.7z 384K Release-v1.1.14.7z
$ wine --version wine-6.3-295-g580413032c6
Regards
https://bugs.winehq.org/show_bug.cgi?id=50791
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Summary|NtQueryObject( ..., |NtQueryObject( ..., |ObjectBasicInformation, |ObjectBasicInformation, |NULL, 0, &retLen) returns |NULL, 0, &retLen) returns |incorrect NTSTATUS error |incorrect NTSTATUS error |code when querying for |code and no buffer size |buffer size |(EditSection, Google | |sandbox-attacksurface-analy | |sis-tools v1.1.x) Keywords| |dotnet, download URL| |https://web.archive.org/web | |/20210117130822/https://git | |hub.com/google/sandbox-atta | |cksurface-analysis-tools/re | |leases/download/v1.1.14/Rel | |ease-v1.1.14.7z
--- Comment #1 from Anastasius Focht focht@gmx.net --- Hello folks,
refining the summary to reflect that the buffer size still needs to be returned.
Stable download link via Internet Archive:
https://web.archive.org/web/20210117130822/https://github.com/google/sandbox...
Regards
https://bugs.winehq.org/show_bug.cgi?id=50791
--- Comment #2 from Gijs Vermeulen gijsvrm@gmail.com --- I've sent https://source.winehq.org/patches/data/204017 for this.
Contrary to what MSDN states, it seems that retLen is not written in the case where the buffer is NULL.
I removed the explicit test for this because the results were inconsistent. The 32-bit tests set retLen to 0, while the 64-bit tests just leave it untouched. You can see this here: https://testbot.winehq.org/JobDetails.pl?Key=88883
https://bugs.winehq.org/show_bug.cgi?id=50791
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED Fixed by SHA1| |749f8c25e262cb049289e7c96bb | |390edcafa1021
--- Comment #3 from Anastasius Focht focht@gmx.net --- Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/749f8c25e262cb049289e7c96b... ("ntdll: Return STATUS_INFO_LENGTH_MISMATCH when len is too small in NtQueryObject(ObjectBasicInformation).").
Thanks Gijs
--- snip --- $ WINEDEBUG=+seh,+relay,+ntdll,+server wine ./EditSection.exe >>log.txt 2>&1 ... 0024:Call ntdll.NtQuerySystemInformation(00000005,00304e28,00002228,0021eaf4) ret=05a4c1a7 0024:trace:ntdll:NtQuerySystemInformation (0x00000005,0x304e28,0x00002228,0x21eaf4) 0024: list_processes( ) 0024: list_processes() = 0 { info_size=2024, process_count=9, data={{start_time=1d73362fbfada74 (-5.6514720),thread_count=3,priority=2,pid=0020,parent_pid=0000,handle_count=128,unix_pid=221181,name=L"\??\Z:\home\focht\Downloads\commonobj\EditSection.exe",threads={{start_time=1d73362fb88c4ac (-6.3991400),tid=0024,base_priority=0,current_priority=0,unix_tid=221181},{start_time=1d73362fc19b8d6 (-5.4491710),tid=0104,base_priority=0,current_priority=0,unix_tid=221248},{start_time=1d73362fc1a7e38 (-5.4441180),tid=0108,base_priority=2,current_priority=2,unix_tid=221249}}},{start_time=1d73362fb903b92 ... 0024:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=05a4c1a7 ... 0024:Call KERNEL32.MultiByteToWideChar(0000fde9,00000000,05909c7d "Threads",00000007,0021e540,00000007) ret=011d02b9 0024:Call ntdll.RtlUTF8ToUnicodeN(0021e540,0000000e,0021e478,05909c7d,00000007) ret=7b0219cc 0024:Ret ntdll.RtlUTF8ToUnicodeN() retval=00000000 ret=7b0219cc 0024:Ret KERNEL32.MultiByteToWideChar() retval=00000007 ret=011d02b9 ... 0024:Call ntdll.NtOpenProcess(0021ecdc,00001040,0021ec70,01d31118) ret=05a4cfd9 0024: open_process( pid=0038, access=00001040, attributes=00000000 ) 0024: open_process() = 0 { handle=01cc } 0024:Ret ntdll.NtOpenProcess() retval=00000000 ret=05a4cfd9 0024:Call KERNEL32.GetLastError() ret=0119af80 0024:Ret KERNEL32.GetLastError() retval=00000078 ret=0119af80 ... 
0024:Call ntdll.NtQueryObject(000001cc,00000000,00000000,00000000,0021ebd4) ret=05a40b58 0024:Ret ntdll.NtQueryObject() retval=c0000004 ret=05a40b58 0024:Call KERNEL32.LocalAlloc(00000000,00000038) ret=79a2875f 0024:Call ntdll.RtlAllocateHeap(00220000,00000000,00000038) ret=7b02a492 0024:Ret ntdll.RtlAllocateHeap() retval=00303b00 ret=7b02a492 0024:Ret KERNEL32.LocalAlloc() retval=00303b00 ret=79a2875f 0024:Call ntdll.NtQueryObject(000001cc,00000000,00303b00,00000038,0021ebd4) ret=05a40b58 0024: get_object_info( handle=01cc ) 0024: get_object_info() = 0 { access=00001040, ref_count=0000000b, handle_count=00000001, total=0, name=L"" } 0024:Ret ntdll.NtQueryObject() retval=00000000 ret=05a40b58 ... --- snip ---
$ wine --version wine-6.6-196-g749f8c25e26
Regards
https://bugs.winehq.org/show_bug.cgi?id=50791
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #4 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 6.7.
https://bugs.winehq.org/show_bug.cgi?id=50791
Michael Stefaniuc mstefani@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |6.0.x
https://bugs.winehq.org/show_bug.cgi?id=50791
Michael Stefaniuc mstefani@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|6.0.x |---
--- Comment #5 from Michael Stefaniuc mstefani@winehq.org --- Removing the 6.0.x milestone from bug fixes included in 6.0.2.