https://bugs.winehq.org/show_bug.cgi?id=46205
Bug ID: 46205
Summary: Multiple kernel drivers need implementation of 'ntoskrnl.ObReferenceObjectByHandle' for 'PsThreadType' (PETHREAD)
Product: Wine
Version: 3.21
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 44588 (and partially bug 44910)
--- snip ---
$ WINEDEBUG=+seh,+loaddll,+process,+service,+ntoskrnl wineboot >>log.txt 2>&1
...
000f:trace:service:scmdatabase_load_services Loading service L"bizVSerial"
000f:trace:service:load_service_config Image path = L"System32\drivers\bizVSerialNT.sys"
000f:trace:service:load_service_config Group = (null)
000f:trace:service:load_service_config Service account name = L"LocalSystem"
000f:trace:service:load_service_config Display name = L"Franson VSerial"
000f:trace:service:load_service_config Service dependencies : (none)
000f:trace:service:load_service_config Group dependencies : (none)
...
0017:trace:service:service_thread 0x10d60
0017:trace:service:SERV_OpenSCManagerW ((null),(null),0x00000001)
0015:trace:service:svcctl_OpenSCManagerW ((null), (null), 1)
0017:trace:service:SERV_OpenSCManagerW returning 0x11920
0017:trace:service:RegisterServiceCtrlHandlerExW L"winedevice" 0x7f47d7011ab0 0x11800
0017:trace:service:SetServiceStatus 0x110c0 30 4 5 0 0 0 0
...
000f:trace:service:process_send_start_message 0x143b0 L"bizVSerial" (nil) 0
0016:trace:service:service_handle_control L"winedevice" control 2147483648 data 0x11bb2 data_size 22
0016:trace:ntoskrnl:ZwLoadDriver (L"\Registry\Machine\System\CurrentControlSet\Services\bizVSerial")
...
0016:trace:service:QueryServiceConfigW Image path = L"System32\drivers\bizVSerialNT.sys"
0016:trace:service:QueryServiceConfigW Group = L""
0016:trace:service:QueryServiceConfigW Dependencies = L""
0016:trace:service:QueryServiceConfigW Service account name = L"LocalSystem"
0016:trace:service:QueryServiceConfigW Display name = L"Franson VSerial"
0016:trace:ntoskrnl:open_driver opened service for driver L"\Registry\Machine\System\CurrentControlSet\Services\bizVSerial"
0016:trace:service:SetServiceStatus 0x12e50 30 2 0 0 0 0 2710
0014:trace:service:svcctl_SetServiceStatus (0x15e80, 0x15754)
0016:trace:ntoskrnl:IoCreateDriver (L"\Driver\bizVSerial", 0x7f47c8c949c0)
0016:trace:ntoskrnl:load_driver loading driver L"System32\drivers\bizVSerialNT.sys"
0016:trace:loaddll:load_native_dll Loaded L"C:\windows\System32\drivers\bizVSerialNT.sys" at 0x460000: native
0016:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x468034 ip=468034 tid=0016
0016:trace:seh:NtRaiseException info[0]=0000000000000000
0016:trace:seh:NtRaiseException info[1]=fffff78000000320
0016:trace:seh:NtRaiseException rax=fffff78000000320 rbx=0000000000013178 rcx=0000000000013010 rdx=0000000000013178
0016:trace:seh:NtRaiseException rsi=00007f47d73b84b1 rdi=00007f47c8cd1c71 rbp=000000000033f8a0 rsp=000000000033f788
0016:trace:seh:NtRaiseException r8=0000000000466100 r9=00002b992ddfa232 r10=000000000000a000 r11=0000000000012ee0
0016:trace:seh:NtRaiseException r12=0000000000013010 r13=0000000000000000 r14=0000000000011b18 r15=0000000000468008
0016:trace:seh:call_vectored_handlers calling handler at 0x7f47c8c93260 code=c0000005 flags=0
0016:trace:seh:call_vectored_handlers handler at 0x7f47c8c93260 returned ffffffff
0016:trace:ntoskrnl:IoCreateDevice (0x13010, 496, L"\Device\bizvSerialMgr", 34, 0, 0, 0x33f790)
0016:trace:ntoskrnl:IoCreateSymbolicLink L"\DosDevices\bizSerialMgr" -> L"\Device\bizvSerialMgr"
0016:trace:ntoskrnl:KeInitializeEvent event 0x136e8, type 0, state 0.
0016:trace:ntoskrnl:KeInitializeEvent event 0x136c8, type 0, state 0.
0016:fixme:ntoskrnl:ObReferenceObjectByHandle stub: 0x3c 1fffff (nil) 0 0x136e0 (nil)
0016:trace:ntoskrnl:init_driver init done for L"bizVSerial" obj 0x13010
0016:trace:ntoskrnl:init_driver - DriverInit = 0x468008
0016:trace:ntoskrnl:init_driver - DriverStartIo = (nil)
0016:trace:ntoskrnl:init_driver - DriverUnload = 0x4613c0
0016:trace:ntoskrnl:init_driver - MajorFunction[0] = 0x461180
0016:trace:ntoskrnl:init_driver - MajorFunction[1] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[2] = 0x461228
0016:trace:ntoskrnl:init_driver - MajorFunction[3] = 0x46133c
0016:trace:ntoskrnl:init_driver - MajorFunction[4] = 0x461304
0016:trace:ntoskrnl:init_driver - MajorFunction[5] = 0x461398
0018:trace:ntoskrnl:KeWaitForMultipleObjects count 2, objs 0x56fd80, wait_type 1, reason 0, mode 0, alertable 0, timeout (nil), wait_blocks 0x56fd90.
0016:trace:ntoskrnl:init_driver - MajorFunction[6] = 0x461398
0016:trace:ntoskrnl:init_driver - MajorFunction[7] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[8] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[9] = 0x461398
0016:trace:ntoskrnl:init_driver - MajorFunction[10] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[11] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[12] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[13] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[14] = 0x4612e0
0016:trace:ntoskrnl:init_driver - MajorFunction[15] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[16] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[17] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[18] = 0x461374
0016:trace:ntoskrnl:init_driver - MajorFunction[19] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[20] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[21] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[22] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[23] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[24] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[25] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[26] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[27] = 0x7f47c8c997b0
0016:trace:service:SetServiceStatus 0x12e50 30 4 5 0 0 0 0
0015:trace:service:svcctl_SetServiceStatus (0x15e80, 0x15cf4)
...
0017:trace:ntoskrnl:unload_driver L"\Driver\bizVSerial"
0017:trace:service:SetServiceStatus 0x12e50 30 3 0 0 0 0 0
...
0017:trace:ntoskrnl:KeSetEvent event 0x136c8, increment 0, wait 0.
0017:trace:ntoskrnl:KeWaitForMultipleObjects count 1, objs 0x44f900, wait_type 1, reason 6, mode 0, alertable 0, timeout (nil), wait_blocks (nil).
0018:trace:ntoskrnl:KeResetEvent event 0x136c8.
0017:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x7f47c8ca3183 ip=7f47c8ca3183 tid=0017
0017:trace:seh:NtRaiseException info[0]=0000000000000001
0017:trace:seh:NtRaiseException info[1]=00000000deadbeb7
0017:trace:seh:NtRaiseException rax=00000000deadbeaf rbx=000000000044f900 rcx=00007f47d6aed879 rdx=0000000000000000
0017:trace:seh:NtRaiseException rsi=000000000044f5c0 rdi=0000000000000000 rbp=000000000044f8a0 rsp=000000000044f580
0017:trace:seh:NtRaiseException r8=0000000000000000 r9=0000000000000000 r10=000000000044f340 r11=0000000000000246
0017:trace:seh:NtRaiseException r12=0000000000013010 r13=0000000000000001 r14=000000000044f908 r15=000000000044f900
0017:trace:seh:call_vectored_handlers calling handler at 0x7f47c8c93260 code=c0000005 flags=0
...
wine: Unhandled page fault on write access to 0xdeadbeb7 at address 0x7f47c8ca3183 (thread 0017), starting debugger...
0017:trace:seh:start_debugger Starting debugger "winedbg --auto 17 60"
0017:trace:process:CreateProcessInternalW app (null) cmdline L"winedbg --auto 17 60"
0017:trace:process:find_exe_file looking for L"winedbg"
0017:trace:process:find_exe_file Trying native exe L"C:\windows\system32\winedbg.exe"
0017:trace:process:CreateProcessInternalW starting L"C:\windows\system32\winedbg.exe" as Win64 binary (10000000-10018000, x86_64)
0017:err:seh:start_debugger Couldn't start debugger ("winedbg --auto 17 60") (1115)
--- snip ---
The kernel driver creates a secondary thread via 'PsCreateSystemThread' and waits in the driver unload routine for the thread to exit. Wine's 'ObReferenceObjectByHandle' is currently a stub, returning a fake (invalid) handle. This causes 'KeWaitForSingleObject' to dereference an invalid handle later.
The sequence is pretty standard for Windows kernel drivers. One of the many driver examples on Github:
https://github.com/Microsoft/Windows-driver-samples/blob/master/general/canc...
--- snip ---
...
NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    ...
    //
    // Start the polling thread.
    //
    devExtension->ThreadShouldStop = FALSE;

    status = PsCreateSystemThread(&threadHandle,
                                  (ACCESS_MASK)0,
                                  NULL,
                                  (HANDLE) 0,
                                  NULL,
                                  CsampPollingThread,
                                  deviceObject );

    if ( !NT_SUCCESS( status )) {
        IoDeleteSymbolicLink( &unicodeDosDeviceName );
        IoDeleteDevice( deviceObject );
        return status;
    }

    //
    // Convert the Thread object handle into a pointer to the Thread object
    // itself. Then close the handle.
    //
    ObReferenceObjectByHandle(threadHandle,
                              THREAD_ALL_ACCESS,
                              NULL,
                              KernelMode,
                              &devExtension->ThreadObject,
                              NULL );

    ZwClose(threadHandle);
}
...
VOID
CsampPollingThread( _In_ PVOID Context)
{
    ...
    //
    // Now enter the main IRP-processing loop
    //
    for(;;) {
        ...
        //
        // See if thread was awakened because driver is unloading itself...
        //
        if ( DevExtension->ThreadShouldStop ) {
            PsTerminateSystemThread( STATUS_SUCCESS );
        }
        ...
    }
    ...
}
...
VOID
CsampUnload( _In_ PDRIVER_OBJECT DriverObject)
{
    ...
    //
    // Set the Stop flag
    //
    devExtension->ThreadShouldStop = TRUE;
    ...
    //
    // Wait for the thread to terminate
    //
    KeWaitForSingleObject(devExtension->ThreadObject,
                          Executive,
                          KernelMode,
                          FALSE,
                          NULL );

    ObDereferenceObject(devExtension->ThreadObject);
    ...
}
--- snip ---
Microsoft docs:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf...
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl...
--- snip ---
/***********************************************************************
 *           ObReferenceObjectByHandle   (NTOSKRNL.EXE.@)
 */
NTSTATUS WINAPI ObReferenceObjectByHandle( HANDLE obj, ACCESS_MASK access,
                                           POBJECT_TYPE type,
                                           KPROCESSOR_MODE mode, PVOID* ptr,
                                           POBJECT_HANDLE_INFORMATION info)
{
    FIXME( "stub: %p %x %p %d %p %p\n", obj, access, type, mode, ptr, info);

    if(ptr)
        *ptr = UlongToHandle(0xdeadbeaf);

    return STATUS_SUCCESS;
}
--- snip ---
$ sha1sum GpsGateClient.exe
bd5ac140199054a7b4502994439fcc78009fee35  GpsGateClient.exe

$ du -sh GpsGateClient.exe
2.5M    GpsGateClient.exe

$ wine --version
wine-3.21-87-g65677e2b2f
Regards
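As an added illustration (not code from the bug report, the driver sample or Wine), the following C program models in user space the object-manager contract the driver sample above depends on: ObReferenceObjectByHandle must resolve the handle to the real thread object and take a reference on it, so the object survives ZwClose until the unload routine's ObDereferenceObject, and a stub that hands back a bogus pointer breaks exactly that. The handle table, OBJECT struct, CreateThreadObject and run_driver_sequence are constructed stand-ins; the NTSTATUS values are the standard Windows codes.

```c
/* Constructed user-space model (not Wine or Windows code) of the object-manager contract
 * the driver sample relies on: the pointer ObReferenceObjectByHandle returns holds its
 * own reference, ZwClose drops only the handle's, ObDereferenceObject drops the last. */
#include <stdlib.h>
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INVALID_HANDLE       0xC0000008u
#define STATUS_OBJECT_TYPE_MISMATCH 0xC0000024u
#define MAX_HANDLES 8
typedef unsigned NTSTATUS;
typedef enum { PsThreadType, IoDeviceObjectType } OBJECT_TYPE;
typedef struct { OBJECT_TYPE type; int refs; int freed; } OBJECT;
static OBJECT *handle_table[MAX_HANDLES]; static int next_handle = 1; /* slot 0 unused */

/* Drop one reference; the kernel would free the object when the count hits zero. */
static void ObDereferenceObject(OBJECT *o) { if (--o->refs == 0) o->freed = 1; }

static int CreateThreadObject(void)           /* PsCreateSystemThread stand-in */
{
    if (next_handle >= MAX_HANDLES) return 0;
    handle_table[next_handle] = malloc(sizeof(OBJECT));
    *handle_table[next_handle] = (OBJECT){ PsThreadType, 1, 0 }; /* refs=1: the handle's */
    return next_handle++;
}

static NTSTATUS ZwClose(int h)
{
    if (h <= 0 || h >= MAX_HANDLES || !handle_table[h]) return STATUS_INVALID_HANDLE;
    ObDereferenceObject(handle_table[h]);
    handle_table[h] = NULL;
    return STATUS_SUCCESS;
}

/* Unlike the page's stub, a bad handle or a non-thread object fails; no 0xdeadbeaf. */
static NTSTATUS ObReferenceObjectByHandle(int h, OBJECT_TYPE type, OBJECT **out)
{
    if (h <= 0 || h >= MAX_HANDLES || !handle_table[h]) return STATUS_INVALID_HANDLE;
    if (handle_table[h]->type != type) return STATUS_OBJECT_TYPE_MISMATCH;
    handle_table[h]->refs++;                  /* the caller's pointer now owns a ref */
    *out = handle_table[h];
    return STATUS_SUCCESS;
}

/* The sample's DriverEntry/Unload sequence; 1 if the object outlived ZwClose. */
static int run_driver_sequence(void)
{
    OBJECT *thread = NULL;
    int h = CreateThreadObject(), alive, ok;
    if (ObReferenceObjectByHandle(h, PsThreadType, &thread) != STATUS_SUCCESS) return 0;
    ZwClose(h);                               /* handle gone, object must survive */
    alive = !thread->freed && thread->refs == 1;
    ObDereferenceObject(thread);              /* after KeWaitForSingleObject in Unload */
    ok = alive && thread->freed; free(thread);
    return ok;
}
```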
Anastasius Focht focht@gmx.net changed:
What       | Removed | Added
-----------+---------+----------------------------------------------------
Keywords   |         | download, hardware, obfuscation
URL        |         | http://update.gpsgate.com/install/GpsGateClient.exe
mirh mirh@protonmail.ch changed:
What       | Removed | Added
-----------+---------+--------------------
CC         |         | mirh@protonmail.ch
Anastasius Focht focht@gmx.net changed:
What          | Removed                                             | Added
--------------+-----------------------------------------------------+----------------------------------------------------------------------------------------------
URL           | http://update.gpsgate.com/install/GpsGateClient.exe | https://web.archive.org/web/20170608071455/http://update.gpsgate.com/install/GpsGateClient.exe
Resolution    | ---                                                 | FIXED
Fixed by SHA1 |                                                     | b0b89cb569823da908bd75dfff64f44ebeceefd9
Status        | NEW                                                 | RESOLVED
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commits:
* https://source.winehq.org/git/wine.git/commitdiff/4c0e81728f6db575d9cbd8feb8... ("server: Allow creating thread kernel objects.")
* https://source.winehq.org/git/wine.git/commitdiff/b0b89cb569823da908bd75dfff... ("ntoskrnl.exe: Implement thread object constructor.")
Thanks Jacek
--- snip ---
...
0016:trace:ntoskrnl:open_driver opened service for driver L"\Registry\Machine\System\CurrentControlSet\Services\bizVSerial"
0016:trace:service:SetServiceStatus 0x136f0 30 2 0 0 0 0 2710
0014:trace:service:svcctl_SetServiceStatus (0x16700, 0x15d04)
0016:trace:ntoskrnl:IoCreateDriver (L"\Driver\bizVSerial", 0x7ff1e800d930)
0016:trace:ntoskrnl:load_driver loading driver L"System32\drivers\bizVSerialNT.sys"
0016:trace:loaddll:load_native_dll Loaded L"C:\windows\System32\drivers\bizVSerialNT.sys" at 0x450000: native
...
0016:trace:ntoskrnl:KeInitializeEvent event 0x14008, type 0, state 0.
0016:trace:ntoskrnl:KeInitializeEvent event 0x13fe8, type 0, state 0.
0016:trace:ntoskrnl:ObReferenceObjectByHandle 0x38 1fffff (nil) 0 0x14000 (nil)
0018:trace:ntoskrnl:KeWaitForMultipleObjects count 2, objs 0x55fd60, wait_type 1, reason 0, mode 0, alertable 0, timeout (nil), wait_blocks 0x55fd70.
0016:trace:ntoskrnl:ObReferenceObject (0x13820) ref=1
0016:trace:ntoskrnl:init_driver init done for L"bizVSerial" obj 0x138a0
...
0017:trace:ntoskrnl:unload_driver L"\Driver\bizVSerial"
...
0017:trace:ntoskrnl:KeSetEvent event 0x13fe8, increment 0, wait 0.
0017:trace:ntoskrnl:KeWaitForMultipleObjects count 1, objs 0x43f790, wait_type 1, reason 6, mode 0, alertable 0, timeout (nil), wait_blocks (nil).
0018:trace:ntoskrnl:KeResetEvent event 0x13fe8.
0017:trace:ntoskrnl:ObDereferenceObject (0x13820) ref=0
0017:trace:ntoskrnl:IoDeleteDevice 0x13d00
0017:trace:ntoskrnl:ObDereferenceObject (0x13d00) ref=0
0017:trace:loaddll:free_modref Unloaded module L"C:\windows\System32\drivers\bizVSerialNT.sys" : native
0017:trace:ntoskrnl:IoDeleteDriver (0x138a0)
0017:trace:ntoskrnl:ObDereferenceObject (0x138a0) ref=0
0017:trace:service:SetServiceStatus 0x136f0 30 1 0 0 0 0 0
...
--- snip ---
$ wine --version
wine-4.5-271-g18883a7676
Regards
Alexandre Julliard julliard@winehq.org changed:
What       | Removed  | Added
-----------+----------+---------
Status     | RESOLVED | CLOSED
--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 4.6.