http://bugs.winehq.org/show_bug.cgi?id=28628

Bug #: 28628 Summary: advapi32/security.ok: GetTokenInformation(Token, TokenGroups,...) returns partial garbage leading to uninitialized memory accesses? Product: Wine Version: 1.3.29 Platform: x86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: advapi32 AssignedTo: wine-bugs@winehq.org ReportedBy: dank@kegel.com Classification: Unclassified

"wine advapi32_test.exe.so security.c" says in part

security.c:1475: TokenGroups: security.c:1489: S-1-1-0, \Everyone use: 5 attr: 0x00000007 security.c:1489: S-1-2-0, \LOCAL use: 5 attr: 0x00000007 security.c:1489: S-1-5-4, NT AUTHORITY\INTERACTIVE use: 5 attr: 0x00000007 security.c:1489: S-1-5-11, NT AUTHORITY\Authenticated Users use: 5 attr: 0x00000007 security.c:1489: S-1-5-32-544, BUILTIN\Administrators use: 4 attr: 0x0000000f security.c:1492: attr: 0x00000007 LookupAccountSid failed with error 1332 security.c:1492: attr: 0xc0000007 LookupAccountSid failed with error 1332

Those two LookupAccountSid() errors appear to be because the last two SIDs from GetTokenInformation() are garbage.

This causes the valgrind warning

Conditional jump or move depends on uninitialised value(s) at RtlEqualSid (sec.c:210) by EqualSid (security.c:1027) by IsWellKnownSid (security.c:961) by LookupAccountSidW (security.c:2098) by LookupAccountSidA (security.c:2024) by test_token_attr (security.c:1485) by func_security (security.c:4000) by run_test (test.h:556) by main (test.h:624) Uninitialised value was created by a client request at RtlAllocateHeap (heap.c:208) by test_token_attr (security.c:1468) by func_security (security.c:4000) by run_test (test.h:556) by main (test.h:624)

I dumped the SIDs that are being compared in test_token_attr, and it looks like the first six are ok, but the last two aren't:

... security.c:1487: Dumping SIDs security.c:1489: i = 4, j = 0, val = 1 security.c:1489: i = 4, j = 1, val = 2 security.c:1489: i = 4, j = 2, val = 0 security.c:1489: i = 4, j = 3, val = 0 security.c:1489: i = 4, j = 4, val = 0 security.c:1489: i = 4, j = 5, val = 0 security.c:1489: i = 4, j = 6, val = 0 security.c:1489: i = 4, j = 7, val = 5 security.c:1489: i = 4, j = 8, val = 20 security.c:1489: i = 4, j = 9, val = 0 security.c:1489: i = 4, j = 10, val = 0 security.c:1489: i = 4, j = 11, val = 0 security.c:1496: S-1-5-32-544, BUILTIN\Administrators use: 4 attr: 0x0000000f security.c:1487: Dumping SIDs security.c:1489: i = 5, j = 0, val = 1 security.c:1489: i = 5, j = 1, val = 2 security.c:1489: i = 5, j = 2, val = 0 security.c:1489: i = 5, j = 3, val = 0 security.c:1489: i = 5, j = 4, val = cc security.c:1489: i = 5, j = 5, val = cc security.c:1489: i = 5, j = 6, val = cc security.c:1489: i = 5, j = 7, val = cc security.c:1489: i = 5, j = 8, val = cc security.c:1489: i = 5, j = 9, val = cc security.c:1489: i = 5, j = 10, val = cc security.c:1489: i = 5, j = 11, val = cc security.c:1499: attr: 0x00000007 LookupAccountSid failed with error 1332 security.c:1487: Dumping SIDs security.c:1489: i = 6, j = 0, val = cc security.c:1489: i = 6, j = 1, val = cc security.c:1489: i = 6, j = 2, val = cc security.c:1489: i = 6, j = 3, val = cc security.c:1489: i = 6, j = 4, val = cc security.c:1489: i = 6, j = 5, val = cc security.c:1489: i = 6, j = 6, val = cc security.c:1489: i = 6, j = 7, val = cc security.c:1489: i = 6, j = 8, val = cc security.c:1489: i = 6, j = 9, val = cc security.c:1489: i = 6, j = 10, val = cc security.c:1489: i = 6, j = 11, val = cc security.c:1499: attr: 0xc0000007 LookupAccountSid failed with error 1332

Is some buffer length wrong somewhere?

The responsible code seems to be from:

commit 573db9ef639f65385f1efab5593b52c72b4b4108 Author: Nikolay Sivov nsivov@codeweavers.com Date: Tue Aug 23 11:16:27 2011 +0400 ntdll: While requesting TokenGroups calculate required user buffer size in server.