http://bugs.winehq.org/show_bug.cgi?id=11052
Summary: crypt32 accesses freed memory and tries to enter deleted critical sections on process shutdown
Product: Wine
Version: 0.9.52.
Platform: Other
OS/Version: other
Status: UNCONFIRMED
Severity: enhancement
Priority: P2
Component: crypt32
AssignedTo: wine-bugs@winehq.org
ReportedBy: kumbayo84+wine_bugzilla@gmail.com
Created an attachment (id=10060) --> (http://bugs.winehq.org/attachment.cgi?id=10060) output more debug info + possible solution + simplify test case to only 1 call
crypt32 accesses memory after it has been freed. Normally this does not manifest, but an easy way to reproduce it is to run the cert test in the wine test suite with 2 patches of mine applied.
What happens is: on process shutdown rsaenh.dll is unloaded and it calls destroy_handle_table, which HeapFrees the handle table and deletes a critical section.
Then crypt32.dll is unloaded and it tries to release a handle (release_handle) from rsaenh.dll, which accesses the HeapFreed handle table; it also calls a function of an already unloaded dll and tries to enter the already uninitialized critical section, which hangs with my patch that zeros the whole critical section when deleting it.
http://blogs.msdn.com/oldnewthing/archive/2005/05/23/421024.aspx also talks about this problem of
Inside the first patch there are also 2 commented lines which make crypt32 do nothing when DLL_PROCESS_DETACH happens because of process shutdown. This might already be the proper solution for this problem.
--- Comment #1 from Peter Oberndorfer kumbayo84+wine_bugzilla@gmail.com 2008-01-05 12:33:13 --- Created an attachment (id=10061) --> (http://bugs.winehq.org/attachment.cgi?id=10061) zero critical sections when destroying them this makes the test hang on shutdown
--- Comment #2 from Peter Oberndorfer kumbayo84+wine_bugzilla@gmail.com 2008-01-05 12:35:36 --- Created an attachment (id=10062) --> (http://bugs.winehq.org/attachment.cgi?id=10062) a trace of the hang, shows what functions are called/when dlls are unloaded
Peter Oberndorfer kumbayo84+wine_bugzilla@gmail.com changed:
Attachment #10060 is obsolete: 0 -> 1
--- Comment #3 from Peter Oberndorfer kumbayo84+wine_bugzilla@gmail.com 2008-01-05 12:38:04 --- Created an attachment (id=10063) --> (http://bugs.winehq.org/attachment.cgi?id=10063) output more debug info + possible solution + simplify test case to only 1 call
oops, wrong file
Dan Kegel dank@kegel.com changed:
CC: added dank@kegel.com
--- Comment #4 from Dan Kegel dank@kegel.com 2008-01-05 13:33:42 --- Does that explain any of the warnings at http://kegel.com/wine/valgrind/logs-2008-01-03/vg-crypt32_cert.txt ?
--- Comment #5 from Lei Zhang thestig@google.com 2008-01-06 03:09:31 --- I guess I forgot to file a bug for it, but I have essentially the same problem in winmm where it tries to call DriverProc for a video codec that has already been unloaded. FWIW, I sent this patch:
http://winehq.org/pipermail/wine-patches/2007-December/047489.html
--- Comment #6 from Peter Oberndorfer kumbayo84+wine_bugzilla@gmail.com 2008-01-06 12:13:27 --- (In reply to comment #4)
> Does that explain any of the warnings at http://kegel.com/wine/valgrind/logs-2008-01-03/vg-crypt32_cert.txt ?
I am not sure, but I would say no, since all those errors have main and run_test on the stack.
I tried to run valgrind on my minimized testcase, but it did not report any errors regarding crypt32. I need to research more why this error is not reported. I would guess the memory is allocated again and thus also valid again. I will try to create a patch which does not free the memory, only makes it inaccessible for VG, so it raises an error when the program is accessing it.
(In reply to comment #5)
> I guess I forgot to file a bug for it, but I have essentially the same problem in winmm where it tries to call DriverProc for a video codec that has already been unloaded. FWIW, I sent this patch:
> http://winehq.org/pipermail/wine-patches/2007-December/047489.html
Looks like it has not been applied yet. If this is the right way to also solve the crypt32 problem, I can create/send a patch for it.
--- Comment #7 from Juan Lang juan_lang@yahoo.com 2008-01-08 11:40:40 --- Created an attachment (id=10118) --> (http://bugs.winehq.org/attachment.cgi?id=10118) Possible fix
Does this patch fix it for you?
Juan Lang juan_lang@yahoo.com changed:
CC: added juan_lang@yahoo.com
--- Comment #8 from Peter Oberndorfer kumbayo84+wine_bugzilla@gmail.com 2008-01-09 12:01:38 --- (In reply to comment #7)
> Created an attachment (id=10118)
> --> (http://bugs.winehq.org/attachment.cgi?id=10118)
> Possible fix
> Does this patch fix it for you?
Yes, this patch fixes the problem. I still wonder if we should try to free the handle when crypt32.dll is unloaded by FreeLibrary instead of process shutdown. In this case we hypothetically keep rsaenh.dll in memory while crypt32 is unloaded. But I don't know if it matters/or works the way I propose (checking the reserved value in DllMain).
--- Comment #9 from Juan Lang juan_lang@yahoo.com 2008-01-14 13:18:29 --- (In reply to comment #8)
> I still wonder if we should try to free the handle when crypt32.dll is unloaded by FreeLibrary instead of process shutdown
You're right, I updated my patch and sent it in: http://www.winehq.org/pipermail/wine-patches/2008-January/049063.html
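The distinction argued in comments #8 and #9, modelled as an added example in portable C. This is not Wine's code and not the committed patch: DllMain, the loader, "rsaenh" and "crypt32" are all simplified stand-ins, and the only Windows behaviour relied on is that the reserved pointer passed to DllMain on DLL_PROCESS_DETACH is NULL for FreeLibrary and non-NULL for process termination. The model counts how often the crypt32 stand-in calls into rsaenh after rsaenh's handle table was freed, with and without the reserved check, and shows that the FreeLibrary path still releases the handle.

```c
#include <stdlib.h>
#include <stdio.h>

/* Reason codes as defined in winnt.h, redefined so this model builds without windows.h. */
#define DLL_PROCESS_DETACH 0
#define DLL_PROCESS_ATTACH 1

struct outcome {
    int unsafe_calls;        /* calls into rsaenh made after its handle table was freed */
    int outstanding_handles; /* handles crypt32 still held when rsaenh destroyed its table */
};

/* ---- stand-in for rsaenh.dll: a heap-allocated handle table torn down in DLL_PROCESS_DETACH ---- */
struct handle_table { int refs; };
static struct handle_table *rsaenh_table;  /* NULL before attach and again after destroy_handle_table */
static struct outcome result;

static void rsaenh_alloc_handle(void) { rsaenh_table->refs++; }

static void rsaenh_release_handle(void)
{
    if (!rsaenh_table) {    /* in the real bug this is a use-after-free plus a call into an
                               unmapped DLL; the model only counts it */
        result.unsafe_calls++;
        return;
    }
    rsaenh_table->refs--;
}

static void rsaenh_dllmain(unsigned reason, void *reserved)
{
    (void)reserved;         /* rsaenh's teardown does not look at the reserved value in this model */
    if (reason == DLL_PROCESS_ATTACH) {
        rsaenh_table = calloc(1, sizeof *rsaenh_table);
    } else if (reason == DLL_PROCESS_DETACH && rsaenh_table) {
        result.outstanding_handles = rsaenh_table->refs;  /* what destroy_handle_table throws away */
        free(rsaenh_table);
        rsaenh_table = NULL;
    }
}

/* ---- stand-in for crypt32.dll ---- */
static int crypt32_has_provider;    /* set once crypt32 holds a handle from rsaenh */
static int crypt32_check_reserved;  /* 1 = the check discussed above, 0 = unconditional cleanup */

static void crypt32_use_provider(void)
{
    rsaenh_dllmain(DLL_PROCESS_ATTACH, NULL);   /* models a lazy LoadLibrary of rsaenh.dll */
    rsaenh_alloc_handle();
    crypt32_has_provider = 1;
}

static void crypt32_dllmain(unsigned reason, void *reserved)
{
    if (reason != DLL_PROCESS_DETACH) return;
    /* reserved != NULL: the process is terminating and other DLLs may already have run their
       detach, so touching them is unsafe. reserved == NULL: FreeLibrary, the dependency is
       still loaded and the handle must be released or it leaks for the life of the process. */
    if (crypt32_check_reserved && reserved != NULL) return;
    if (crypt32_has_provider) {
        rsaenh_release_handle();
        crypt32_has_provider = 0;
    }
}

/* ---- loader model ---- */
static void reset(int check_reserved)
{
    result.unsafe_calls = result.outstanding_handles = 0;
    crypt32_has_provider = 0;
    crypt32_check_reserved = check_reserved;
    crypt32_dllmain(DLL_PROCESS_ATTACH, NULL);
    crypt32_use_provider();
}

/* Process exit: detach runs in reverse load order (rsaenh was loaded last, by crypt32),
   with a non-NULL reserved pointer, as in the trace attached to this bug. */
struct outcome simulate_process_shutdown(int check_reserved)
{
    int terminating = 1;
    reset(check_reserved);
    rsaenh_dllmain(DLL_PROCESS_DETACH, &terminating);
    crypt32_dllmain(DLL_PROCESS_DETACH, &terminating);
    return result;
}

/* FreeLibrary(crypt32) while the process keeps running: reserved is NULL and rsaenh is
   still loaded when crypt32 releases its handle. */
struct outcome simulate_freelibrary(void)
{
    reset(1);
    crypt32_dllmain(DLL_PROCESS_DETACH, NULL);
    rsaenh_dllmain(DLL_PROCESS_DETACH, NULL);   /* crypt32 dropped the last reference to rsaenh */
    return result;
}

int main(void)
{
    struct outcome o = simulate_process_shutdown(0);
    printf("shutdown, unconditional cleanup: unsafe=%d outstanding=%d\n", o.unsafe_calls, o.outstanding_handles);
    o = simulate_process_shutdown(1);
    printf("shutdown, skip when reserved != NULL: unsafe=%d outstanding=%d\n", o.unsafe_calls, o.outstanding_handles);
    o = simulate_freelibrary();
    printf("FreeLibrary(crypt32): unsafe=%d outstanding=%d\n", o.unsafe_calls, o.outstanding_handles);
    return 0;
}
```

The one outstanding handle left in the shutdown case with the check enabled is deliberate: the process is exiting and the heap goes with it, so not releasing is the safe choice, whereas releasing it means calling into a DLL whose detach already ran. The FreeLibrary case keeps the release, which is the point of the updated patch in comment #9.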
Vijay Kamuju infyquest@gmail.com changed:
Status: UNCONFIRMED -> RESOLVED
Resolution: (none) -> FIXED
--- Comment #10 from Vijay Kamuju infyquest@gmail.com 2008-01-15 08:22:23 --- Patch committed, it will be in 0.9.54: http://source.winehq.org/git/wine.git?a=commitdiff;h=027236b04f83f9d8f4b14bc...
Dan Kegel dank@kegel.com changed:
Status: RESOLVED -> CLOSED
--- Comment #11 from Dan Kegel dank@kegel.com 2008-01-28 06:13:59 --- Closing all RESOLVED FIXED bugs older than 0.9.54.