https://bugs.winehq.org/show_bug.cgi?id=46954
Bug ID: 46954
Summary: Relay trace causes crash in wine_dbgstr_wn helper due to invalid string pointer access
Product: Wine
Version: 4.5
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
found while checking a patch for bug 46903
Relay tracing crashes the app:
--- snip ---
$ WINEDEBUG=+seh,+loaddll,+relay,+ntdll wine ./ADHOCSIGNER.EXE ./TouchInputPC.exe >>log.txt 2>&1
...
00ac:Call user32.SetPropA(00060044,7cd7c748 "__wine_x11_whole_window",05400001) ret=7cd53e2e
...
00ac:Ret user32.SetPropA() retval=00000001 ret=7cd53e2e
....
00ac:Call user32.EnumPropsW(00060044,004018cb) ret=00401b3e
...
00ac:Call KERNEL32.GlobalGetAtomNameW(0000c06a,0033f91c,00000100) ret=7e7a26a7
00ac:Call ntdll.NtQueryInformationAtom(0000c06a,00000000,0033f67e,00000206,00000000) ret=7b42fe3f
00ac:Ret ntdll.NtQueryInformationAtom() retval=00000000 ret=7b42fe3f
00ac:Ret KERNEL32.GlobalGetAtomNameW() retval=00000017 ret=7e7a26a7
00ac:Call user32.RemovePropW(00060044,0033f91c L"__wine_x11_whole_window") ret=004018e5
00ac:Ret user32.RemovePropW() retval=05400001 ret=004018e5
00ac:Call oleaut32.SysFreeString(code=c0000005 flags=0 addr=0x7bc7c011 ip=7bc7c011 tid=00ac
00ac:trace:seh:raise_exception info[0]=00000000
00ac:trace:seh:raise_exception info[1]=05400001
00ac:trace:seh:raise_exception eax=7bd0d000 ebx=7bd0d000 ecx=00000000 edx=05400001 esi=0033f880 edi=0033fb88
00ac:trace:seh:raise_exception ebp=0033f778 esp=0033f630 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
00ac:trace:seh:call_stack_handlers calling handler at 0x7b4980f1 code=c0000005 flags=0
...
wine: Unhandled page fault on read access to 0x05400001 at address 0x7bc7c011 (thread 00ac), starting debugger...
...
Unhandled exception: page fault on read access to 0x05400001 in 32-bit code (0x7bc7c011).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc7c011 ESP:0033f630 EBP:0033f778 EFLAGS:00010202(  R- --  I   - - - )
 EAX:7bd0d000 EBX:7bd0d000 ECX:00000000 EDX:05400001
 ESI:0033f880 EDI:0033fb88
Stack dump:
0x0033f630:  00000000 00000000 0033f6fc f7d9c2e2
0x0033f640:  f7d88680 00000000 00000000 7bc42361
0x0033f650:  7bd0d000 ffffffff 0033f888 7bc42b08
0x0033f660:  7bd18922 0033f6c8 00000017 7bc42a86
0x0033f670:  0033f91c 00000017 7bd18600 0000031a
0x0033f680:  f7d88680 00000000 0033f6a8 0033f6b0
Backtrace:
=>0 0x7bc7c011 wine_dbgstr_wn+0x74() [/home/focht/projects/wine/mainline-src/include/wine/debug.h:277] in ntdll (0x0033f778)
  1 0x7bc7c2b3 debugstr_w+0x1c() [/home/focht/projects/wine/mainline-src/include/wine/debug.h:515] in ntdll (0x0033f798)
  2 0x7bc7cc57 trace_string_w+0x4e() [/home/focht/projects/wine/mainline-src/dlls/ntdll/relay.c:321] in ntdll (0x0033f7c8)
  3 0x7bc7cf02 relay_trace_entry+0x237() [/home/focht/projects/wine/mainline-src/dlls/ntdll/relay.c:357] in ntdll (0x0033f868)
  4 0x7bc7d2eb relay_call+0x16() in ntdll (0x0033f8a0)
  5 0x7d6d6276 __wine_stub_OleLoadPictureFileEx+0xed() in oleaut32 (0x0033f8b8)
  6 0x004018fe EntryPoint+0xffffffff() in adhocsigner (0x0033f8b8)
  7 0x7e7a205a EnumPropsW_relay+0x32() [/home/focht/projects/wine/mainline-src/dlls/user32/property.c:92] in user32 (0x0033f8e8)
  8 0x7e7a26d4 EnumPropsExW+0xa2() [/home/focht/projects/wine/mainline-src/dlls/user32/property.c:248] in user32 (0x0033fb38)
  9 0x7e7a20da EnumPropsW+0x31() [/home/focht/projects/wine/mainline-src/dlls/user32/property.c:110] in user32 (0x0033fb68)
--- snip ---
The app-provided callback for user32.EnumPropsW() tries to remove Wine internal window properties. User32.RemovePropW() returns 0x05400001, which in turn gets passed to oleaut32.SysFreeString(). This should obviously fail due to an invalid parameter.
Unfortunately the relay debug print functionality no longer catches invalid string pointer access. Quick inspection of Wine changes hints at this:
https://source.winehq.org/git/wine.git/commitdiff/9f75f7189935aeec55df79a5ab... ("include: Make wine_dbgstr_an()/wine_dbgstr_wn() into inline functions.")
_NTSYSTEM_ is always defined for ntdll (relay) which leaves the pointer test/access without SEH protection.
https://source.winehq.org/git/wine.git/blob/HEAD:/include/wine/debug.h#l267
$ wine --version
wine-4.5-138-g8268c47462
Regards
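The report above comes down to one rule for any tracing helper that runs in the callee's context: never dereference a caller-supplied pointer before a validity probe has cleared it, because the value may be a handle or atom (here 0x05400001) rather than an address. The following is an added example, not Wine's code: a relay-style wide-string dumper in plain C in which every read is gated by a probe. Wine's actual fix routes that probe through IsBadStringPtr with SEH catching the fault; portable C has no SEH, so the probe here is modelled as a lookup against a constructed table of readable ranges. The names (dbgstr_wn_guarded, is_bad_read, address_space, the demo_* functions) and the sample strings are all assumptions of this example.

```c
/* Added example (not Wine's code): a guarded wide-string dumper in the
 * spirit of wine_dbgstr_wn(), where every read is probed before it happens. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR;                        /* 16-bit wide char, as on Win32 */

/* Constructed stand-in for the process address space: a table of readable
 * byte ranges. Any read outside them is treated as a fault. */
typedef struct { const void *base; size_t len; } readable_range;
typedef struct { const readable_range *ranges; size_t count; } address_space;

/* Probe modelled on IsBadStringPtr's per-access check (assumption, not the
 * Win32 API): nonzero when reading `bytes` bytes at p is not backed by a range. */
static int is_bad_read(const address_space *as, const void *p, size_t bytes)
{
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < as->count; i++) {
        uintptr_t b = (uintptr_t)as->ranges[i].base;
        if (a >= b && a + bytes <= b + as->ranges[i].len) return 0;
    }
    return 1;
}

/* Format up to n WCHARs of str (n == (size_t)-1 means "until NUL") as L"..."
 * into buf, escaping like Wine's tracer. An unreadable pointer, including one
 * reached by walking past the end of an unterminated string, yields
 * "(invalid)" instead of a page fault inside the tracer. */
const char *dbgstr_wn_guarded(const address_space *as, const WCHAR *str, size_t n,
                              char *buf, size_t buflen)
{
    size_t pos = 0;
    if (buflen < 16) { if (buflen) buf[0] = 0; return buf; }
    if (!str) { snprintf(buf, buflen, "(null)"); return buf; }

    buf[pos++] = 'L'; buf[pos++] = '"';
    for (size_t i = 0; i < n; i++) {
        WCHAR c;
        if (is_bad_read(as, str + i, sizeof(WCHAR))) {   /* probe before every read */
            snprintf(buf, buflen, "(invalid)");
            return buf;
        }
        c = str[i];
        if (c == 0 && n == (size_t)-1) break;             /* terminator of an unbounded string */
        if (pos + 11 > buflen) {                          /* keep room for "..." + '"' + NUL */
            memcpy(buf + pos, "...", 3); pos += 3;
            break;
        }
        switch (c) {
        case '\n': buf[pos++] = '\\'; buf[pos++] = 'n'; break;
        case '\r': buf[pos++] = '\\'; buf[pos++] = 'r'; break;
        case '\t': buf[pos++] = '\\'; buf[pos++] = 't'; break;
        case '"':  buf[pos++] = '\\'; buf[pos++] = '"'; break;
        case '\\': buf[pos++] = '\\'; buf[pos++] = '\\'; break;
        default:
            if (c >= ' ' && c <= 126) buf[pos++] = (char)c;
            else pos += (size_t)snprintf(buf + pos, buflen - pos, "\\%04x", c);
        }
    }
    buf[pos++] = '"';
    buf[pos] = 0;
    return buf;
}

/* Constructed inputs standing in for the relay's arguments. */
static const WCHAR sample_ok[] = { 'a', 'b', '\t', 'c', 0 };
static const struct { WCHAR text[2]; WCHAR beyond[2]; } sample_noterm =
    { { 'n', 'o' }, { 'x', 'x' } };              /* beyond[] is outside the readable range */
static const readable_range demo_ranges[] = {
    { sample_ok, sizeof(sample_ok) },
    { sample_noterm.text, sizeof(sample_noterm.text) },
};
static const address_space demo_as = { demo_ranges, 2 };

const char *demo_valid(void)          /* readable, NUL-terminated string */
{
    static char buf[64];
    return dbgstr_wn_guarded(&demo_as, sample_ok, (size_t)-1, buf, sizeof buf);
}
const char *demo_unterminated(void)   /* walking to the NUL leaves the readable range */
{
    static char buf[64];
    return dbgstr_wn_guarded(&demo_as, sample_noterm.text, (size_t)-1, buf, sizeof buf);
}
const char *demo_bogus_pointer(void)  /* the RemovePropW return value from the log */
{
    static char buf[64];
    const WCHAR *bogus = (const WCHAR *)(uintptr_t)0x05400001;  /* handle-like, not an address */
    return dbgstr_wn_guarded(&demo_as, bogus, (size_t)-1, buf, sizeof buf);
}

int main(void)
{
    printf("%s\n%s\n%s\n", demo_valid(), demo_unterminated(), demo_bogus_pointer());
    return 0;
}
```

The point to take from the three scenarios is the third one: the value 0x05400001 is never read at all, so the tracer reports `(invalid)` and the traced call continues to SysFreeString, which is exactly what the fixed relay output in comment #1 shows.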
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |regression
          Component|-unknown                    |ntdll
    Regression SHA1|                            |9f75f7189935aeec55df79a5abbc3d2691ec5f7e
Zebediah Figura z.figura12@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |julliard@winehq.org
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |bb83b68832553ed74f47c07a90ace0ed68d4e04f
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/bb83b68832553ed74f47c07a90... ("ntdll: Define IsBadStringPtr to handle exceptions in debug traces.")
Thanks Alexandre
--- snip ---
...
002b:Call user32.EnumPropsW(0001006c,004018cb) ret=00401b3e
002b:Call user32.RemovePropW(0001006c,0033f91c L"__wine_x11_whole_window") ret=004018e5
002b:Ret user32.RemovePropW() retval=04e00001 ret=004018e5
002b:Call oleaut32.SysFreeString(code=c0000005 flags=0 addr=0x7bc4c51c ip=7bc4c51c tid=002b
002b:trace:seh:raise_exception info[0]=00000000
002b:trace:seh:raise_exception info[1]=04e00001
002b:trace:seh:raise_exception eax=04e00001 ebx=7bd0d000 ecx=0033f620 edx=04e00003 esi=0033f880 edi=0033fb88
002b:trace:seh:raise_exception ebp=0033f608 esp=0033f530 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010212
002b:trace:seh:call_stack_handlers calling handler at 0x7bcb6560 code=c0000005 flags=0
002b:trace:seh:__regs_RtlUnwind code=c0000005 flags=2
002b:trace:seh:__regs_RtlUnwind eax=00000000 ebx=7bcb63ef ecx=0033f4d8 edx=0033f4d8 esi=0033f540 edi=7bcb63ef
002b:trace:seh:__regs_RtlUnwind ebp=0033efd8 esp=0033efa8 eip=7bcb63d8 cs=0023 ds=002b fs=0063 gs=006b flags=00000216
002b:trace:seh:__regs_RtlUnwind calling handler at 0x7bc922e7 code=c0000005 flags=2
002b:trace:seh:__regs_RtlUnwind handler at 0x7bc922e7 returned 1
002b:trace:relay:trace_string_w 04e00001 (invalid)) ret=004018fe
002b:Ret oleaut32.SysFreeString() retval=ffffffff ret=004018fe
002b:Call user32.RemovePropW(0001006c,0033f91c L"$BASE") ret=004018e5
002b:Ret user32.RemovePropW() retval=0018301c ret=004018e5
002b:Call oleaut32.SysFreeString(0018301c L"Z:\home\focht\Downloads\test") ret=004018fe
002b:Ret oleaut32.SysFreeString() retval=00000000 ret=004018fe
002b:Call user32.RemovePropW(0001006c,0033f91c L"$0") ret=004018e5
002b:Ret user32.RemovePropW() retval=001830fc ret=004018e5
002b:Call oleaut32.SysFreeString(001830fc L"Z:\home\focht\Downloads\test\ADHOCSIGNER.EXE") ret=004018fe
002b:Ret oleaut32.SysFreeString() retval=00000000 ret=004018fe
002b:Call user32.RemovePropW(0001006c,0033f91c L"$1") ret=004018e5
002b:Ret user32.RemovePropW() retval=00183164 ret=004018e5
002b:Call oleaut32.SysFreeString(00183164 L"./TouchInputPC.exe") ret=004018fe
002b:Ret oleaut32.SysFreeString() retval=00000000 ret=004018fe
...
--- snip ---
$ wine --version
wine-4.5-185-g17056908ac
Regards
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 4.6.