https://bugs.winehq.org/show_bug.cgi?id=48975
Bug ID: 48975
Summary: Multiple kernel drivers crash with unhandled privileged instruction while trying to scan PCI config space using PCI index (0xCF8) and data (0xCFC) ports
Product: Wine
Version: 5.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
currently only for documentation/dupe collector as I found a couple of drivers doing this.
From the past:
* bug 23701
https://bugs.winehq.org/show_bug.cgi?id=23701
--- quote ---
The next crash is due to kernel driver trying to scan PCI config space using PCI index (0xCF8) and data (0xCFC) ports in x86 architecture I/O ports address space - a privileged operation.

Theoretically the driver PCI port I/O could be made to work using ioperm/iopl but that requires root privileges, creating a big security hole. Another way could be trapping and emulating PCI config space accesses using Linux supplied PCI info. Though this area is most likely outside the scope of Wine.
--- quote ---
https://web.archive.org/web/20200419230034/https://www.crucial.com/content/d...
Another one from an old ASRock driver CD installer I've tried for fun ;-)
---
$ WINEDEBUG=+seh,+relay,+ntoskrnl wine ./ASRSetup.exe >>~/log.txt 2>&1
...
002e:trace:ntoskrnl:load_driver loading driver L"C:\windows\SysWOW64\Drivers\AsrCDDrv.sys"
002e:Call KERNEL32.LoadLibraryW(00728c40 L"C:\windows\SysWOW64\Drivers\AsrCDDrv.sys") ret=1800152e8
...
002e:Ret KERNEL32.LoadLibraryW() retval=00d60000 ret=1800152e8
...
002e:Call driver init 0000000000D6612C (obj=0000000000728A20,str=L"\Registry\Machine\System\CurrentControlSet\Services\AsrCDDrv")
...
002e:trace:ntoskrnl:IoCreateSymbolicLink L"\DosDevices\AsrCDDrv" -> L"\Device\AsrCDDrv"
...
0009:Call KERNEL32.DeviceIoControl(00000080,00222838,01a0b5dc,0000000c,01a0b5dc,0000000c,01a0b5e8,00000000) ret=00411f1d
002f:Ret ntdll.NtWaitForMultipleObjects() retval=00000001 ret=7b04af97
002f:Ret KERNEL32.WaitForMultipleObjectsEx() retval=00000001 ret=18000d53e
...
002f:trace:ntoskrnl:IoGetAttachedDevice (0000000000728C50)
002f:trace:ntoskrnl:dispatch_ioctl ioctl 222838 device 0000000000728C50 file 0000000000728DC0 in_size 12 out_size 12
002f:trace:ntoskrnl:IoBuildDeviceIoControlRequest 222838, 0000000000728C50, 0000000000727710, 12, 0000000000727710, 12, 0, 0000000000000000, 0000000000000000
002f:trace:ntoskrnl:IoAllocateIrp 1, 0
002f:Call ntdll.RtlAllocateHeap(00790000,00000000,00000118) ret=18000dc2d
002f:Ret ntdll.RtlAllocateHeap() retval=00790330 ret=18000dc2d
002f:trace:ntoskrnl:ExAllocatePoolWithTag 280 pool 0 -> 0000000000790330
002f:trace:ntoskrnl:IoInitializeIrp 0000000000790330, 280, 1
002f:Call msvcrt.memset(00790330,00000000,00000118) ret=18000dcc7
002f:Ret msvcrt.memset() retval=00790330 ret=18000dcc7
002f:Call ntdll.NtGetTickCount() ret=180014eac
002f:Ret ntdll.NtGetTickCount() retval=02efb33b ret=180014eac
002f:trace:ntoskrnl:KeEnterCriticalRegion semi-stub
002f:Call driver dispatch 0000000000D6106C (device=0000000000728C50,irp=0000000000790330)

002f:trace:seh:raise_exception code=c0000096 flags=0 addr=0xd6123c ip=d6123c tid=002f
002f:trace:seh:raise_exception rax=0000000000000000 rbx=0000000000000cfc rcx=000000000000000c rdx=0000000000000000
002f:trace:seh:raise_exception rsi=0000000000727710 rdi=0000000000790330 rbp=0000000000790330 rsp=0000000000d4f920
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 r11=0000000000000cfc
002f:trace:seh:raise_exception r12=0000000000000000 r13=0000000000728dc0 r14=0000000000000000 r15=0000000000727710
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9b0 code=c0000096 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9b0 returned ffffffff

002f:trace:seh:raise_exception code=c0000096 flags=0 addr=0xd6126a ip=d6126a tid=002f
002f:trace:seh:raise_exception rax=0000000080000000 rbx=0000000000000cfc rcx=0000000000100000 rdx=0000000000000cf8
002f:trace:seh:raise_exception rsi=0000000000727710 rdi=0000000000790330 rbp=0000000000790330 rsp=0000000000d4f920
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 r11=0000000000000cfc
002f:trace:seh:raise_exception r12=0000000000000000 r13=0000000000728dc0 r14=0000000000000000 r15=0000000000727710
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9b0 code=c0000096 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9b0 returned 0
...
wine: Unhandled privileged instruction at address 0000000000D6126A (thread 002f), starting debugger...
002f:trace:seh:start_debugger Starting debugger L"winedbg --auto 43 80"
--- snip ---
First one is emulated 'cli', second one is PCI_CONFIG_ADDRESS.
Disassembly of crash location:
--- snip ---
...
0000000000D61394 movzx eax, word ptr [rsi+4]
0000000000D61398 movzx r10d, byte ptr [rsi+2]
0000000000D6139D movzx r9d, byte ptr [rsi+1]
0000000000D613A2 movzx edx, byte ptr [rsi]
0000000000D613A5 movzx r11d, ax
0000000000D613A9 mov ebx, 0CFCh
0000000000D613AE and r11w, 3
0000000000D613B3 add r11w, bx
0000000000D613B7 cli ; ok
0000000000D613B8 mov ecx, eax
0000000000D613BA mov r8d, eax
0000000000D613BD shr ecx, 8
0000000000D613C0 and r8d, 0FCh
0000000000D613C7 and ecx, 0Fh
0000000000D613CA sub ecx, 0FFFFFF80h
0000000000D613CD shl ecx, 8
0000000000D613D0 add ecx, edx
0000000000D613D2 lea edx, [rbx-4]
0000000000D613D5 shl ecx, 5
0000000000D613D8 add ecx, r9d
0000000000D613DB lea eax, [r10+rcx*8]
0000000000D613DF shl eax, 8
0000000000D613E2 add eax, r8d
0000000000D613E5 out dx, eax ; PCI_CONFIG_ADDRESS
                             ; PCI Configuration Space Address Register
                             ; bits 7..0: configuration space offset
                             ; bits 10..8: function number
                             ; bits 15..11: device number
                             ; bits 23..16: bus number
0000000000D613E6 movzx edx, r11w
0000000000D613EA in al, dx ; PCI_CONFIG_DATA
0000000000D613EB mov [rsi+8], al
0000000000D613EE sti ; ok
...
--- snip ---
Linux userspace lib/tools:
https://git.kernel.org/pub/scm/utils/pciutils/pciutils.git
$ wine --version
wine-5.6-193-g59987bc9ec
Regards
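The trap-and-emulate alternative mentioned in the quoted bug 23701 text, as an added example (not code from Wine or from this report): decode the dword the driver writes to PCI_CONFIG_ADDRESS and serve the following data-port read from Linux sysfs instead of real port I/O. The struct and function names are hypothetical, PCI domain 0000 is assumed, and 0x80000000 is the rax value at the faulting `out dx, eax` in the log above.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#define PCI_CONFIG_DATA 0xCFC /* data window 0xCFC..0xCFF; address port is 0xCF8 */
struct pci_cfg_addr { unsigned enable, bus, dev, fn, reg; };

/* Split a dword written to PCI_CONFIG_ADDRESS (0xCF8) into its fields. */
struct pci_cfg_addr pci_decode(uint32_t v)
{
    struct pci_cfg_addr a;
    a.enable = v >> 31;           /* bit 31: config cycle enable */
    a.bus    = (v >> 16) & 0xFF;  /* bits 23..16: bus number */
    a.dev    = (v >> 11) & 0x1F;  /* bits 15..11: device number */
    a.fn     = (v >> 8) & 0x07;   /* bits 10..8: function number */
    a.reg    = v & 0xFC;          /* bits 7..0: offset, dword aligned */
    return a;
}

/* Map the latched address plus a data-port access to a sysfs config file and
 * byte offset; -1 if not a config cycle. Assumption: PCI domain 0000. */
int pci_translate(uint32_t latched, uint16_t port, char *path, size_t len)
{
    struct pci_cfg_addr a = pci_decode(latched);
    if (!a.enable || port < PCI_CONFIG_DATA || port > PCI_CONFIG_DATA + 3)
        return -1;
    snprintf(path, len, "/sys/bus/pci/devices/0000:%02x:%02x.%x/config",
             a.bus, a.dev, a.fn);
    return (int)(a.reg + (port - PCI_CONFIG_DATA));
}

/* Emulated 'in al, dx': an absent device reads as 0xFF, as on hardware. */
uint8_t pci_emulated_inb(uint32_t latched, uint16_t port)
{
    char path[64];
    uint8_t val = 0xFF;
    int off = pci_translate(latched, port, path, sizeof path);
    int fd = off < 0 ? -1 : open(path, O_RDONLY);
    if (fd >= 0 && lseek(fd, off, SEEK_SET) == off && read(fd, &val, 1) != 1)
        val = 0xFF;
    if (fd >= 0)
        close(fd);
    return val;
}

int main(void)
{
    printf("0x%02x\n", pci_emulated_inb(0x80000000u, PCI_CONFIG_DATA));
    return 0;
}
```

Without root, Linux typically exposes only the first 64 bytes of a device's config space through sysfs, so this path needs neither ioperm nor iopl but returns 0xFF for offsets past the standard header.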
https://bugs.winehq.org/show_bug.cgi?id=48975
Anastasius Focht focht@gmx.net changed:
What     |Removed |Added
----------------------------------------------------------------------------
URL      |        |https://web.archive.org/web/20200419230034/https://www.crucial.com/content/dam/crucial/support/scan/downloads/CrucialScan.exe
Keywords |        |download, hardware
https://bugs.winehq.org/show_bug.cgi?id=48975
Fabian Maurer dark.shadow4@web.de changed:
What      |Removed  |Added
----------------------------------------------------------------------------
Component |-unknown |ntoskrnl
CC        |         |dark.shadow4@web.de