http://bugs.winehq.org/show_bug.cgi?id=30543

Vitaliy Margolen vitaliy-bugzilla@kievinfo.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Keywords| |source, testcase Version|unspecified |1.4

--- Comment #1 from Vitaliy Margolen vitaliy-bugzilla@kievinfo.com 2012-04-29 10:07:56 CDT --- Please attach complete terminal output of the crash. And please make sure you do have Wine debug symbols installed from your distro (wine*-dbg package).

http://bugs.winehq.org/show_bug.cgi?id=30543

Bruno Jesus 00cpxxx@gmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW CC| |00cpxxx@gmail.com Ever Confirmed|0 |1

--- Comment #3 from Bruno Jesus 00cpxxx@gmail.com 2012-04-29 11:26:28 CDT --- I can confirm this issue. Please, try the patch above. It avoids the crash here but I'm unsure if it's ok.

http://bugs.winehq.org/show_bug.cgi?id=30543

--- Comment #5 from Bruno Jesus 00cpxxx@gmail.com 2012-04-29 17:53:15 CDT --- (In reply to comment #4)

(In reply to comment #2) That patch obviously is wrong.

Isn't the problem related to this line then: http://source.winehq.org/source/dlls/kernel32/module.c#L1259

The NULL may be written out of the array, isn't it?

http://bugs.winehq.org/show_bug.cgi?id=30543

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |focht@gmx.net Summary|K32GetModuleFileNameExW |Multiple apps |segfault |crash/terminate because | |K32GetModuleFileNameExW | |overflows supplied buffer

--- Comment #7 from Anastasius Focht focht@gmx.net 2012-05-01 07:01:11 CDT --- Hello,

I encountered this problem with another app which also indicates K32GetModuleFileNameExW() needs some more fixing.

Download: http://download.sonymediasoftware.com/current/cdarchitect52d-trial_enu.exe

(needs 'winetricks -q mfc42' prerequisite, ignore the other bugs from installer)

The app collects process module information on startup using EnumProcesses/EnumProcessModules/GetModuleFileNameExW sequence. It fails and terminates silently with 0xC0000409 (stack overflow). Winedbg doesn't have a chance to attach due to bug 24038

App code, showing the problem (annotated):

--- snip --- 005240F0 SUB ESP,234 005240F6 MOV EAX,DWORD PTR DS:[625C1C] ; global security cookie 005240FB XOR EAX,ESP 005240FD MOV DWORD PTR SS:[ESP+230],EAX ; store local canary on stack 00524104 MOV EAX,DWORD PTR SS:[ESP+238] 0052410B MOV ECX,DWORD PTR SS:[ESP+23C] ... 00524143 PUSH EBX 00524144 PUSH EDI 00524145 MOV EDI,DWORD PTR DS:[<&KERNEL32.GetProcAddress>] 0052414B PUSH OFFSET 005F65B4 ; Procname = "EnumProcesses" 00524150 PUSH EBP ; hModule 00524151 CALL EDI ; KERNEL32.GetProcAddress 00524153 PUSH OFFSET 005F65A0 ; "EnumProcessModules" 00524158 PUSH EBP 00524159 MOV DWORD PTR SS:[ESP+20],EAX ; KERNEL32.EnumProcesses 0052415D CALL EDI ; KERNEL32.GetProcAddress 0052415F PUSH OFFSET 005F6588 ; "GetModuleFileNameExW" 00524164 MOV EBX,EAX 00524166 PUSH EBP 00524167 MOV DWORD PTR SS:[ESP+38],EBX ; KERNEL32.EnumProcessModules 0052416B CALL EDI ; KERNEL32.GetProcAddress 0052416D CMP DWORD PTR SS:[ESP+18],ESI 00524171 MOV DWORD PTR SS:[ESP+28],EAX ; KERNEL32.GetModuleFileNameExW ... 00524197 MOV EDI,400 ... 005241D9 LEA EDX,[ESP+24] 005241DD PUSH EDX 005241DE PUSH EDI ; 0x400 005241DF PUSH ESI ; heap buffer (GlobalAlloc) 005241E0 CALL DWORD PTR SS:[ESP+24] ; KERNEL32.EnumProcesses 005241E4 TEST EAX,EAX ... 00524206 PUSH EAX ; ProcessID 00524207 PUSH 0 ; InheritHandle = FALSE 00524209 PUSH 410 ; Access = PROCESS_VM_READ|PROCESS_QUERY_INFORMATION 0052420E CALL DWORD PTR DS:[<&KERNEL32.OpenProcess>] ; KERNEL32.OpenProcess 00524214 MOV EBX,EAX ... 0052421E LEA ECX,[ESP+34] 00524222 PUSH ECX 00524223 PUSH 4 00524225 LEA EDX,[ESP+20] 00524229 PUSH EDX 0052422A PUSH EBX ; hProcess 0052422B CALL DWORD PTR SS:[ESP+40] ; KERNEL32.EnumProcessModules 0052422F TEST EAX,EAX ... 00524233 MOV ECX,DWORD PTR SS:[ESP+18] 00524237 PUSH 104 ; 0x104 (size of the filename buffer, in characters) 0052423C LEA EAX,[ESP+3C] 00524240 PUSH EAX ; stack buffer for filename 00524241 PUSH ECX ; hModule 00524242 PUSH EBX ; hProcess 00524243 CALL DWORD PTR SS:[ESP+38] ; KERNEL32.GetModuleFileNameExW 00524247 TEST EAX,EAX ; 0x20 ... 005242A0 MOV ECX,DWORD PTR SS:[ESP+238] ; get local canary back 005242A7 XOR EAX,EAX 005242A9 CMP DWORD PTR SS:[ESP+8],EAX ... <security cookie mismatch throw 0xC0000409 and terminate process> --- snip ---

The problem is that the local canary is partly overwritten by Wine after return from kernel32.GetModuleFileNameExW().

0033E370 - buffer start for filename 0033E578 - stack canary

0033E370 + 0x104*2 = 0033E578

Before the call:

$+0 = start of buffer for filename

--- snip --- $+204 00000023 $+208 C1D9AC35 $+20C 00524384 --- snip ---

After the call:

--- snip --- $+0 003A0043 C: $+4 0077005C \w $+8 006E0069 in $+C 006F0064 do $+10 00730077 ws $+14 0073005C \s $+18 00730079 ys $+1C 00650074 te $+20 0033006D m3 $+24 005C0032 2\ $+28 00650073 se $+2C 00760072 rv $+30 00630069 ic $+34 00730065 es $+38 0065002E .e $+3C 00650078 xe $+40 003B0000 .; ... <garbage data due to ReadProcessMemory reading more than needed> ... $+204 00000010 $+208 C1D90000 $+20C 00524384 --- snip ---

The canary was touched by Wine with following code (line 1268):

Source: http://source.winehq.org/git/wine.git/blob/d08f34cd8ecd883a0f0c6bd9b150d9240...

--- quote --- 1246 DWORD WINAPI K32GetModuleFileNameExW(HANDLE process, HMODULE module, 1247 LPWSTR file_name, DWORD size) 1248 { 1249 LDR_MODULE ldr_module; 1250 DWORD len; 1251 1252 if (!size) return 0; 1253 1254 if(!get_ldr_module(process, module, &ldr_module)) 1255 return 0; 1256 1257 len = ldr_module.FullDllName.Length / sizeof(WCHAR); 1258 if (size <= len) 1259 { 1260 len = size; 1261 size--; 1262 } 1263 1264 if (!ReadProcessMemory(process, ldr_module.FullDllName.Buffer, 1265 file_name, size * sizeof(WCHAR), NULL)) 1266 return 0; 1267 1268 file_name[size] = 0; 1269 return len; 1270 } --- quote ---

Alexandre partly fixed some overflow when the caller supplied buffer was too small with: http://source.winehq.org/git/wine.git/commitdiff/d08f34cd8ecd883a0f0c6bd9b15...

There is garbage written to the buffer following the module name if the supplied buffer size exceeds "ldr_module.FullDllName.Length". Not sure if this is intended...

At least line 1268 is wrong, it writes past the end of buffer, destroying the stack canary for the app. The module name/path which is much shorter than supplied buffer and is already NULL-terminated in between (see dump).

$ du -sh cdarchitect52d-trial_enu.exe 30M cdarchitect52d-trial_enu.exe

$ sha1sum cdarchitect52d-trial_enu.exe 045cfb932746810b2bfb52594f31926be11ebb73 cdarchitect52d-trial_enu.exe

$ wine --version wine-1.5.3-40-g9080f3c

Regards

http://bugs.winehq.org/show_bug.cgi?id=30543

Bruno Jesus 00cpxxx@gmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download URL| |http://download.sonymediaso | |ftware.com/current/cdarchit | |ect52d-trial_enu.exe

http://bugs.winehq.org/show_bug.cgi?id=30543

--- Comment #9 from Anastasius Focht focht@gmx.net 2012-05-01 12:04:08 CDT --- Hello,

uh oh ... .NET Framework 3.0/3.5 installer is also affected by this (also reported by forum users). It even gives a pretty clear message what's wrong :|

--- snip --- ... fixme:shell:URL_ParseUrl failed to parse L"System.ServiceModel.Install" fixme:shell:URL_ParseUrl failed to parse L"Microsoft.Web.Administration" fixme:shell:URL_ParseUrl failed to parse L"System.ServiceProcess" fixme:advapi:RegisterEventSourceW (L".",L"System.ServiceModel.Install 3.0.0.0"): stub fixme:advapi:ReportEventW (0xcafe4242,0x0001,0x0000,0x00000000,(nil),0x0001,0x00000000,0x88c34c,0x88c1c8): stub err:eventlog:ReportEventW L"System.IndexOutOfRangeException: Warning: A StringBuilder buffer has been overflowed by unmanaged code. The process may become unstable. Insufficient capacity allocated to the StringBuilder before marshaling it.\r\n at Microsoft.Win32.NativeMethods.GetModuleFileNameEx(SafeProcessHandle processHan"... fixme:advapi:DeregisterEventSource (0xcafe4242) stub err:msi:ITERATE_Actions Execution halted, action L"DD_CA_InstallXwsRegExe_X86.3643236F_FC70_11D3_A536_0090278A1BB8" returned 1603 ... Note: command 'wine dotnetfx3.exe /q /c:install.exe /q' returned status 67. Aborting. --- snip ---

Regards

http://bugs.winehq.org/show_bug.cgi?id=30543

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Blocks|6775 |

http://bugs.winehq.org/show_bug.cgi?id=30543

Alexandre Julliard julliard@winehq.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |1.4.x

https://bugs.winehq.org/show_bug.cgi?id=30543

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- URL|http://download.sonymediaso |https://web.archive.org/web |ftware.com/current/cdarchit |/20140807165222/http://down |ect52d-trial_enu.exe |load.sonymediasoftware.com/ | |current/cdarchitect52d-tria | |l_enu.exe