https://bugs.winehq.org/show_bug.cgi?id=54609
Bug ID: 54609
Summary: 32-bit LDAP Administrator crashes in internal Wine function proxy_manager_destroy
Product: Wine
Version: 8.2
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: rpc
Assignee: wine-bugs@winehq.org
Reporter: alexhenrie24@gmail.com
Distribution: ---

Created attachment 74138
  --> https://bugs.winehq.org/attachment.cgi?id=74138
WINEDEBUG=+ole
If I am reading the OLE trace correctly, the application:
1. Creates a proxy interface:
0110:trace:ole:proxy_manager_construct 01505048 created for OXID 2000000100, OID 3e
2. Sends the pointer to that interface to another thread:
0110:trace:ole:NdrBaseTypeMarshall value: 1505048
3. Releases and frees the interface:
0110:trace:ole:NdrInterfacePointerFree (04D4F594,01505048,1025B69C)
4. Receives the interface pointer on the other thread:
0100:trace:ole:NdrBaseTypeUnmarshall value: 1505048
5. Uses the interface on the other thread, despite it being freed:
0100:trace:ole:ClientIdentity_AddRef 01505048 - before 0
6. Releases and frees the interface again, which crashes:
0100:trace:ole:ClientIdentity_Release 01505048 - after 0
I don't understand how this works without crashing on Windows.
Here are all the traces that mention that interface pointer:
0110:trace:ole:proxy_manager_construct 01505048 created for OXID 2000000100, OID 3e
0110:trace:ole:ClientIdentity_AddRef 01505048 - before 1
0110:trace:ole:ClientIdentity_Release 01505048 - after 1
0110:trace:ole:std_unmarshal_interface Successfully created proxy 01505048
0110:trace:ole:NdrBaseTypeMarshall value: 1505048
0110:trace:ole:NdrInterfacePointerFree (04D4F594,01505048,1025B69C)
0110:trace:ole:ClientIdentity_Release 01505048 - after 0
0100:trace:ole:NdrBaseTypeUnmarshall value: 1505048
0100:trace:ole:ClientIdentity_AddRef 01505048 - before 0
0100:trace:ole:ClientIdentity_Release 01505048 - after 0
The 64-bit version also crashes, but in a different way, see Bug 54606.
$ sha256sum ldapadmin-4.21.24429.0-x86-eng.msi
9d3e062b9c30d4bd73630b969414f65f969f0eafc5a3835f1ebb246c5c657d2a
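The manual walk through the +ole trace above can be automated. This is an added example, not part of the original report or of Wine: it replays the trace lines quoted in the report and flags every use of a proxy address after its reference count reached 0. The function name find_stale_proxy_use and the regular expressions are assumptions, inferred only from the line formats shown in this report.

```python
import re

# Trace lines quoted in the report above (WINEDEBUG=+ole output).
TRACE = """\
0110:trace:ole:proxy_manager_construct 01505048 created for OXID 2000000100, OID 3e
0110:trace:ole:ClientIdentity_AddRef 01505048 - before 1
0110:trace:ole:ClientIdentity_Release 01505048 - after 1
0110:trace:ole:std_unmarshal_interface Successfully created proxy 01505048
0110:trace:ole:NdrBaseTypeMarshall value: 1505048
0110:trace:ole:NdrInterfacePointerFree (04D4F594,01505048,1025B69C)
0110:trace:ole:ClientIdentity_Release 01505048 - after 0
0100:trace:ole:NdrBaseTypeUnmarshall value: 1505048
0100:trace:ole:ClientIdentity_AddRef 01505048 - before 0
0100:trace:ole:ClientIdentity_Release 01505048 - after 0
"""

# Patterns inferred from the line formats in this report (an assumption).
CONSTRUCT = re.compile(r"^(\w+):trace:ole:proxy_manager_construct ([0-9A-Fa-f]+) created")
REFCOUNT = re.compile(
    r"^(\w+):trace:ole:ClientIdentity_(AddRef|Release) ([0-9A-Fa-f]+) - (?:before|after) (\d+)")
BASETYPE = re.compile(r"^(\w+):trace:ole:NdrBaseType(Marshall|Unmarshall) value: ([0-9A-Fa-f]+)")


def find_stale_proxy_use(trace):
    """Return (line_no, thread, description, address) for each use of a
    proxy address after its reference count dropped to 0."""
    freed = {}  # address -> thread that released the last reference
    findings = []
    for n, line in enumerate(trace.splitlines(), 1):
        line = line.strip()
        if m := CONSTRUCT.match(line):
            freed.pop(int(m[2], 16), None)  # address holds a live proxy again
        elif m := REFCOUNT.match(line):
            tid, op, addr, count = m[1], m[2], int(m[3], 16), int(m[4])
            if addr in freed:
                findings.append((n, tid, f"{op} on freed proxy", addr))
            elif op == "Release" and count == 0:
                freed[addr] = tid
        elif m := BASETYPE.match(line):
            # Heuristic: an integer equal to a freed proxy address suggests a
            # raw pointer was marshalled instead of an interface reference.
            addr = int(m[3], 16)
            if addr in freed:
                findings.append((n, m[1], f"{m[2]} of freed proxy address", addr))
    return findings


if __name__ == "__main__":
    for n, tid, what, addr in find_stale_proxy_use(TRACE):
        print(f"line {n}: thread {tid}: {what} {addr:08x}")
```

On the quoted trace this reports lines 8 to 10, all on thread 0100, matching steps 4 to 6 of the report.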
Zeb Figura z.figura12@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
            Summary|32-bit LDAP Administrator   |32-bit Softerra LDAP
                   |crashes in internal Wine    |Administrator crashes due
                   |function                    |to proxy use-after-free
                   |proxy_manager_destroy       |
                 CC|                            |z.figura12@gmail.com
                URL|                            |https://softerra-downloads.
                   |                            |com/ldapadmin/ldapadmin-4.2
                   |                            |1.24429.0-x86-eng.msi

--- Comment #1 from Zeb Figura z.figura12@gmail.com ---
As far as I can tell the remoted method is doing something like the following:

HRESULT remote_Method(IScpMTAMarshaller *this, [in] IUnknown *unk, [out] int64 *ptr)
{
    *ptr = (int64)unk;
    return S_OK;
}
Which, yes, can't possibly work.
There are a few possibilities that occur to me:
* the IUnknown isn't actually supposed to be proxied (i.e. it's supposed to be passed directly). Seems unlikely though given that 0100 (the calling thread) is an STA. Though it's odd that 0110 (the stub thread) never has COM initialized, and I'm not sure why it's hosting objects in the first place?
* Windows zeroes the vtbl or something after destroying a proxy, and then the resulting exception is caught by the COM RPC exception handler.
Alex Henrie alexhenrie24@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.winehq.org/sho
                   |                            |w_bug.cgi?id=54606
Alex Henrie alexhenrie24@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
      Fixed by SHA1|                            |a42f5f197093f0942d1c1ee60f1
                   |                            |cf0d8a7b610cd

--- Comment #2 from Alex Henrie alexhenrie24@gmail.com ---
Fixed by https://gitlab.winehq.org/wine/wine/-/commit/a42f5f197093f0942d1c1ee60f1cf0d...
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 8.13.
Michael Stefaniuc mstefani@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |8.0.x