https://bugs.winehq.org/show_bug.cgi?id=45656

Bug ID: 45656 Summary: Acronis Storage Filter Management Driver 'fltsrv.sys' crashes on unimplemented function 'ntoskrnl.exe.KeBugCheckEx' in 'CrashOnError' mode Product: Wine Version: 3.13 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---

Hello folks,

as it says.

--- snip --- $ WINEDEBUG=+seh,+relay,+ntoskrnl,+reg wineboot >>log.txt 2>&1 ... 0028:Call ntoskrnl.exe.RtlInitUnicodeString(0065fb3c,00792420 L"CrashOnError") ret=007858d1 0028:Call ntdll.RtlInitUnicodeString(0065fb3c,00792420 L"CrashOnError") ret=7bc813a3 0028:Ret ntdll.RtlInitUnicodeString() retval=0065fb3c ret=7bc813a3 0028:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0065fb3c ret=007858d1 0028:Call ntoskrnl.exe.ZwOpenKey(0065fa94,00000001,0065fa6c) ret=00790c21 0028:Call ntdll.NtOpenKey(0065fa94,00000001,0065fa6c) ret=7bc813a3 0028:trace:reg:open_key ((nil),L"\Registry\Machine\System\CurrentControlSet\Services\fltsrv\Parameters",1,0x65fa94) 0028:trace:reg:open_key <- 0x44 0028:Ret ntdll.NtOpenKey() retval=00000000 ret=7bc813a3 0028:Ret ntoskrnl.exe.ZwOpenKey() retval=00000000 ret=00790c21 0028:Call ntoskrnl.exe.ZwQueryValueKey(00000044,0065fa28,00000002,0065fa5c,00000014,0065fa30) ret=00790c86 0028:Call ntdll.NtQueryValueKey(00000044,0065fa28,00000002,0065fa5c,00000014,0065fa30) ret=7bc813a3 0028:trace:reg:NtQueryValueKey (0x44,L"CrashOnError",2,0x65fa5c,20) 0028:Ret ntdll.NtQueryValueKey() retval=00000000 ret=7bc813a3 0028:Ret ntoskrnl.exe.ZwQueryValueKey() retval=00000000 ret=00790c86 0028:Call ntoskrnl.exe.ZwClose(00000044) ret=00790b84 0028:Call ntdll.NtClose(00000044) ret=7bc813a3 0028:Ret ntdll.NtClose() retval=00000000 ret=7bc813a3 0028:Ret ntoskrnl.exe.ZwClose() retval=00000000 ret=00790b84 ... 0028:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x155a74, 0, 0, 0, (nil) 0028:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=00785cf4 0028:Call ntoskrnl.exe.DbgQueryDebugFilterState(0000004d,00000000) ret=007861db 0028:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d (nil) 0028:Ret ntoskrnl.exe.DbgQueryDebugFilterState() retval=c0000002 ret=007861db 0028:Call ntoskrnl.exe.vDbgPrintExWithPrefix(00797194 "[fltsrv] ",0000004d,00000000,0079148a "Expression '%s' failed with status 0x%x, Source File: %s, line %ld\n",0065fa68) ret=00786228 0028:Call ntdll.vDbgPrintExWithPrefix(00797194 "[fltsrv] ",0000004d,00000000,0079148a "Expression '%s' failed with status 0x%x, Source File: %s, line %ld\n",0065fa68) ret=7bc813a3 0028:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Expression 'LockWithStatus()' failed with status 0xc0000002, Source File: threading\mutex.cpp, line 32 0028:Ret ntdll.vDbgPrintExWithPrefix() retval=00000000 ret=7bc813a3 0028:Ret ntoskrnl.exe.vDbgPrintExWithPrefix() retval=00000000 ret=00786228 0028:Call KERNEL32.RaiseException(80000100,00000001,00000002,0065f9e8) ret=7e98b3d7 0028:trace:seh:raise_exception code=80000100 flags=1 addr=0x7b44733b ip=7b44733b tid=0028 0028:trace:seh:raise_exception info[0]=7e98b400 0028:trace:seh:raise_exception info[1]=7e98d8d5 wine: Call from 0x7b44733b to unimplemented function ntoskrnl.exe.KeBugCheckEx, aborting 0028:trace:seh:call_vectored_handlers calling handler at 0x7e982845 code=80000100 flags=1 0028:trace:seh:call_vectored_handlers handler at 0x7e982845 returned 0 0028:trace:seh:call_stack_handlers calling handler at 0x7bcb3a74 code=80000100 flags=1 0028:Call KERNEL32.UnhandledExceptionFilter(0065f494) ret=7bcb3aaf wine: Unimplemented function ntoskrnl.exe.KeBugCheckEx called at address 0x7b44733b (thread 0028), starting debugger... --- snip ---

One has to explicitly enable "crash mode" by adding the following registry key:

--- snip --- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fltsrv\Parameters] "CrashOnError"=dword:00000001 --- snip ---

Source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl...

--- snip --- 519 @ stub KeBugCheckEx --- snip ---

Microsoft docs:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf...

--- snip --- NTKERNELAPI DECLSPEC_NORETURN VOID KeBugCheckEx( ULONG BugCheckCode, ULONG_PTR BugCheckParameter1, ULONG_PTR BugCheckParameter2, ULONG_PTR BugCheckParameter3, ULONG_PTR BugCheckParameter4 ); --- snip ---

One could argue that the (default) unimplemented stub behaviour already does the right thing, causing the hosting process to crash/terminate. The bugcheck codes are lost though (stack dump not deep enough). Alternatively add a stub, ERR() bugcheck codes and terminate the driver hosting process or still trigger a crash which invokes crash handler (default 'winedbg').

I'm also fine if the decision is to leave the current behaviour.

Also referenced in:

* bug 41001 ("64-bit Core Temp 1.x kernel driver 'ALSysIO.sys' crashes on unimplemented function ntoskrnl.exe.RtlUnwindEx") -> imports table * bug 42744 ("Ninite don't installs apps") -> recycled/tainted WINEPREFIX

ProtectionID scan:

--- snip --- -=[ ProtectionID v0.6.9.0 DECEMBER]=- (c) 2003-2017 CDKiLLER & TippeX Build 24/12/17-21:05:42 Ready... Scanning -> C:\windows\system32\drivers\fltsrv.sys File Type : 32-Bit Driver (BAD checksum - won't load!), Good Checksum = 01ED8Bh Size : 0123744 (01E360h) Byte(s) | Machine: 0x14C (I386) Compilation TimeStamp : 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT) [TimeStamp] 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT) | PE Header | - | Offset: 0x000000F0 | VA: 0x004000F0 | - [TimeStamp] 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT) | DebugDirectory | - | Offset: 0x000139B4 | VA: 0x004151B4 | - -> File Appears to be Digitally Signed @ Offset 017A00h, size : 06960h / 026976 byte(s) [LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64) [!] Executable uses SEH Tables (/SAFESEH) (3 calculated 2 recorded... 1 invalid addresses) [!] * table may be compressed / encrypted * [LoadConfig] CodeIntegrity -> Flags 0x5352 | Catalog 0x5344 (21316) | Catalog Offset 0x1E431CED | Reserved 0x4EDC114E [LoadConfig] GuardAddressTakenIatEntryTable 0x356CB182 | Count 0x821065B8 (2182112696) [LoadConfig] GuardLongJumpTargetTable 0x1 | Count 0x325C3A4B (844905035) [LoadConfig] HybridMetadataPointer 0x5C373232 | DynamicValueRelocTable 0x6E72656B [LoadConfig] FailFastIndirectProc 0x775C6C65 | FailFastPointer 0x2E5C6E69 [LoadConfig] UnknownZero1 0x7074756F [File Heuristics] -> Flag #1 : 00000100000001001101000000000100 (0x0404D004) [Entrypoint Section Entropy] : 6.66 (section #0) ".text " | Size : 0x13308 (78600) byte(s) [DllCharacteristics] -> Flag : (0x0140) -> ASLR | DEP [SectionCount] 6 (0x6) | ImageSize 0x1C000 (114688) byte(s) [VersionInfo] Company Name : Acronis International GmbH [VersionInfo] Product Name : Acronis Storage Filter Management [VersionInfo] Product Version : 1.3.0.2227 [VersionInfo] File Description : Acronis Storage Filter Management Driver [VersionInfo] File Version : 1.3.0.2227 [VersionInfo] Original FileName : fltsrv.sys [VersionInfo] Internal Name : fltsrv [VersionInfo] Version Comments : Acronis Storage Filter Management [VersionInfo] Legal Trademarks : Acronis International GmbH. All rights reserved. [VersionInfo] Legal Copyrights : Copyright © Acronis International GmbH. 2002-2013. [ModuleReport] [IAT] Modules -> ntoskrnl.exe | HAL.dll [Debug Info] (record 1 of 1) (file offset 0x139B0) Characteristics : 0x0 | TimeDateStamp : 0x5638DF2A (Tue 03rd Nov 2015 16:22:02 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 2 (0x2) -> CodeView | Size : 0x4C (76) AddressOfRawData : 0x166A4 | PointerToRawData : 0x14EA4 CvSig : 0x53445352 | SigGuid 1E431CED-114E-4EDC-82B16C35B8651082 Age : 0x1 (1) | Pdb : K:\2227\kernel\win.output\Win32\Release\fltsrv.pdb [!] File appears to have no protection or is using an unknown protection - Scan Took : 0.247 Second(s) [0000000F7h (247) tick(s)] [135 of 580 scan(s) done] --- snip ---

$ sha1sum ADD12_trial_en-US.exe da5cd4fb2b457b86bc9a76b0fafd96ceec5608e6e ADD12_trial_en-US.exe

$ du -sh ADD12_trial_en-US.exe 293M ADD12_trial_en-US.exe

$ wine --version wine-3.13-318-gccf6211c0a

Regards