http://bugs.winehq.org/show_bug.cgi?id=21542
Summary: SOFTPUB_LoadCatalogMessage should use catalog members instead of file ones for retrieving msg data
Product: Wine
Version: 1.1.37
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wintrust
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Hello,
recent wintrust refactoring patch series broke PowerShell 1.x/2.x installers by revealing a previously hidden bug...
--- snip ---
0036:Call wintrust.SoftpubInitialize(001e86f8) ret=7974e691
0036:trace:wintrust:SoftpubInitialize (0x1e86f8)
0036:trace:wintrust:SoftpubInitialize returning 00000000
0036:Ret wintrust.SoftpubInitialize() retval=00000000 ret=7974e691
0036:Call wintrust.SoftpubLoadMessage(001e86f8) ret=7974e691
0036:trace:wintrust:SoftpubLoadMessage (0x1e86f8)
0036:Call KERNEL32.CreateFileW(0033b53c L"C:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\KB968930xp.cat",80000000,00000001,00000000,00000003,00000080,00000000) ret=7974bf32
0036:Ret KERNEL32.CreateFileW() retval=0000007c ret=7974bf32
0036:Call crypt32.CryptSIPRetrieveSubjectGuid(0033b53c L"C:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\KB968930xp.cat",0000007c,001640dc) ret=7974bf70
...
0036:Call KERNEL32.GetFileSize(0000007c,00000000) ret=686fa459
0036:Ret KERNEL32.GetFileSize() retval=0000e8d2 ret=686fa459
...
0036:Ret crypt32.CryptSIPRetrieveSubjectGuid() retval=00000001 ret=7974bf70
...
0036:Call crypt32.CryptSIPLoad(001640dc,00000000,001ed4c0) ret=7974b4f9
...
0036:Ret crypt32.CryptSIPLoad() retval=00000001 ret=7974b4f9
0036:trace:wintrust:SOFTPUB_GetSIP returning 0
...
0036:Call wintrust.CryptSIPGetSignedDataMsg(001e8780,001e8730,00000000,0033b188,00000000) ret=686fb39a
0036:trace:wintrust:CryptSIPGetSignedDataMsg (0x1e8780 0x1e8730 0 0x33b188 (nil))
0036:trace:wintrust:WINTRUST_GetSignedMsgFromCatFile (0x1e8780 0x1e8730 0 0x33b188 (nil))
0036:Call KERNEL32.GetFileSize(0033b53c,00000000) ret=7974418b
0036:Ret KERNEL32.GetFileSize() retval=ffffffff ret=7974418b
0036:trace:wintrust:CryptSIPGetSignedDataMsg returning 1
0036:Ret wintrust.CryptSIPGetSignedDataMsg() retval=00000001 ret=686fb39a
0036:Call KERNEL32.GetProcessHeap() ret=7974e07e
0036:Ret KERNEL32.GetProcessHeap() retval=00110000 ret=7974e07e
0036:Call ntdll.RtlAllocateHeap(00110000,00000008,ffffffff) ret=7974e095
0036:Ret ntdll.RtlAllocateHeap() retval=00000000 ret=7974e095
0036:Call KERNEL32.CloseHandle(0000007c) ret=7974bfff
0036:Ret KERNEL32.CloseHandle() retval=00000001 ret=7974bfff
0036:trace:wintrust:SoftpubLoadMessage returning 1 (0000000e)
0036:Ret wintrust.SoftpubLoadMessage() retval=00000001 ret=7974e691
0036:trace:wintrust:WINTRUST_DefaultVerify returning 0000000e
0036:trace:wintrust:WINTRUST_DefaultClose ((nil), {00aac56b-cd44-11d0-8cc2-00c04fc295ee}, 0x33b4e8)
0036:Call wintrust.SoftpubCleanup(001e86f8) ret=7974eb81
...
--- snip ---
SoftpubLoadMessage -> (WTD_CHOICE_CATALOG) SOFTPUB_LoadCatalogMessage -> SOFTPUB_GetMessageFromFile
WINTRUST_GetSignedMsgFromCatFile -> GetFileSize() gets passed invalid file handle (stack garbage) -> following alloc fails and error is propagated to top ...
--- snip dlls/wintrust/softpub.c ---
static DWORD SOFTPUB_LoadCatalogMessage(CRYPT_PROVIDER_DATA *data)
{
    DWORD err;
    HANDLE catalog = INVALID_HANDLE_VALUE;

    if (!data->pWintrustData->u.pCatalog)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    catalog = CreateFileW(data->pWintrustData->u.pCatalog->pcwszCatalogFilePath,
        GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (catalog == INVALID_HANDLE_VALUE)
        return GetLastError();
    if (!CryptSIPRetrieveSubjectGuid(
        data->pWintrustData->u.pCatalog->pcwszCatalogFilePath, catalog,
        &data->u.pPDSip->gSubject))
    {
        err = GetLastError();
        goto error;
    }
    err = SOFTPUB_GetSIP(data);
    if (err)
        goto error;
    err = SOFTPUB_GetMessageFromFile(data, data->pWintrustData->u.pFile->hFile,
        data->pWintrustData->u.pFile->pcwszFilePath);
    if (err)
        goto error;
    ...
}
--- snip dlls/wintrust/softpub.c ---
This is a catalog type file hence the pFile members can't be used for SOFTPUB_GetMessageFromFile(), e.g.
"data->pWintrustData->u.pFile->hFile" and "data->pWintrustData->u.pFile->pcwszFilePath"
will be invalid upon entry.
You must use "catalog" file handle and "data->pWintrustData->u.pCatalog->pcwszCatalogFilePath" just like you do with CryptSIPRetrieveSubjectGuid() for SOFTPUB_GetMessageFromFile().
Regards
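The union mix-up described in the report above, as an added example that is not Wine's code or the submitted patch: a tag-checked selector that takes handle and path only from the member the choice field names. The struct definitions are trimmed stand-ins for the leading fields of WINTRUST_FILE_INFO and WINTRUST_CATALOG_INFO, and `select_subject` and `hfile_aliases_catalog_path` are hypothetical names. With 32-bit pointers the `hFile` slot lands on the catalog path pointer, which matches the trace, where GetFileSize receives the same 0033b53c value that CreateFileW was given as the path.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

/* Trimmed stand-ins (assumption): only the leading fields are modelled. */
typedef struct { uint32_t cbStruct; const wchar_t *pcwszFilePath;
                 void *hFile; } file_info;
typedef struct { uint32_t cbStruct; uint32_t dwCatalogVersion;
                 const wchar_t *pcwszCatalogFilePath;
                 const wchar_t *pcwszMemberTag; } catalog_info;

/* Values mirror WTD_CHOICE_FILE / WTD_CHOICE_CATALOG. */
enum choice { CHOICE_FILE = 1, CHOICE_CATALOG = 2 };

typedef struct {
    enum choice dwUnionChoice;            /* names the live union member */
    union { file_info *pFile; catalog_info *pCatalog; } u;
} trust_data;

typedef struct { void *handle; const wchar_t *path; } subject;

/* Hypothetical helper: read only the member the tag names. For a catalog
 * the caller supplies the handle it opened itself. Returns 0 on success,
 * -1 on a NULL member, an unknown tag, or a missing catalog handle. */
int select_subject(const trust_data *d, void *catalog_handle, subject *out)
{
    if (!d || !out) return -1;
    switch (d->dwUnionChoice) {
    case CHOICE_FILE:
        if (!d->u.pFile) return -1;
        out->handle = d->u.pFile->hFile;
        out->path = d->u.pFile->pcwszFilePath;
        return 0;
    case CHOICE_CATALOG:
        if (!d->u.pCatalog || !catalog_handle) return -1;
        out->handle = catalog_handle;
        out->path = d->u.pCatalog->pcwszCatalogFilePath;
        return 0;
    default:
        return -1;
    }
}

/* 1 when reading hFile through the wrong member would return the catalog
 * path pointer (true with 4-byte pointers, false with 8-byte ones). */
int hfile_aliases_catalog_path(void)
{
    return offsetof(file_info, hFile) ==
           offsetof(catalog_info, pcwszCatalogFilePath);
}
```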
http://bugs.winehq.org/show_bug.cgi?id=21542
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, Installer
http://bugs.winehq.org/show_bug.cgi?id=21542
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |21549
http://bugs.winehq.org/show_bug.cgi?id=21542
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |21511
http://bugs.winehq.org/show_bug.cgi?id=21542
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dank@kegel.com

--- Comment #1 from Nikolay Sivov bunglehead@gmail.com 2010-01-31 08:13:06 ---
*** Bug 21557 has been marked as a duplicate of this bug. ***
http://bugs.winehq.org/show_bug.cgi?id=21542
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1

--- Comment #2 from Juan Lang juan_lang@yahoo.com 2010-02-01 11:28:26 ---
Indeed, that's clearly broken. Patch sent:
http://www.winehq.org/pipermail/wine-patches/2010-February/084388.html
Thanks!
http://bugs.winehq.org/show_bug.cgi?id=21542
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch
http://bugs.winehq.org/show_bug.cgi?id=21542
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #3 from Juan Lang juan_lang@yahoo.com 2010-02-02 11:57:41 ---
Fixed by commit ab270f9966f0f7a35d1f880101d75bae7e87ec7d.
http://bugs.winehq.org/show_bug.cgi?id=21542
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Alexandre Julliard julliard@winehq.org 2010-02-05 11:39:24 ---
Closing bugs fixed in 1.1.38.
http://bugs.winehq.org/show_bug.cgi?id=21542
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |ab270f9966f0f7a35d1f880101d
                   |                            |75bae7e87ec7d

--- Comment #5 from Anastasius Focht focht@gmx.net 2011-10-11 15:13:08 CDT ---
Hello,
filling/correcting fields ...
Regards
https://bugs.winehq.org/show_bug.cgi?id=21542
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://web.archive.org/web
                   |                            |/20120604201110if_/http://d
                   |                            |ownload.microsoft.com/downl
                   |                            |oad/7/3/4/7345bb7d-0b07-40e
                   |                            |8-9480-5b8c55b9c8b7/Windows
                   |                            |XP-KB926139-v2-x86-ENU.exe