https://bugs.winehq.org/show_bug.cgi?id=48798
Bug ID: 48798
Summary: RegCloseKey: Uninitialized read from get_language_sort
Product: Wine
Version: 5.3
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: kernelbase
Assignee: wine-bugs@winehq.org
Reporter: jeffersoncarpenter2@gmail.com
Distribution: ---
Created attachment 66710 --> https://bugs.winehq.org/attachment.cgi?id=66710
Configure output.
Steps to reproduce:
* Build wine 5.3 (or commit 00e55c8fc0). Configure output attached.
* Disable wine preloader to make valgrind a little quieter.
* Compile a test program (I used 'int main() { return 0; }') using i686-w64-mingw32-gcc
* Run this under valgrind. Valgrind output attached.
The first error raised by valgrind is:
==9987== Conditional jump or move depends on uninitialised value(s)
==9987==    at 0x7B062414: RegCloseKey (registry.c:965)
==9987==    by 0x7B040070: get_language_sort (locale.c:693)
==9987==    by 0x7B040243: init_locale (locale.c:737)
==9987==    by 0x7B04BE43: DllMain (main.c:48)
==9987== ...
The uninitialized value is the HKEY key defined in get_language_sort.
--- Comment #1 from jeffersoncarpenter2@gmail.com ---
Created attachment 66711 --> https://bugs.winehq.org/attachment.cgi?id=66711
Valgrind output.
--- Comment #2 from jeffersoncarpenter2@gmail.com ---
Created attachment 66712 --> https://bugs.winehq.org/attachment.cgi?id=66712
A patch.
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |austinenglish@gmail.com
           Keywords|                            |download, patch, source, valgrind
--- Comment #3 from Austin English austinenglish@gmail.com ---
Hi Jefferson,

Thanks for your work on valgrind/wine! In the future, please add the keyword 'valgrind' to related bugs; I have a saved filter for it, and others use the keyword as well. Thanks!
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
    Regression SHA1|                            |b780e5f5b1bd018629bfa31431e216c7579fe9aa
                 CC|                            |focht@gmx.net
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW
           Keywords|                            |regression
--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello folks,

I was about to create a bug report myself since I encountered weird app/game crashes and traced it back to this problem. Didn't find it via the Bugzilla regression sha1 search, but fortunately 'get_language_sort' showed up in the bug list while typing the summary ;-)
Encountered while checking bug 38741 ("Assetto Corsa (Steam) Launcher (.NET 4.0 app) crashes on startup")
Prerequisite: 'winetricks -q dotnet40'
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Games/Assetto Corsa

$ WINEDEBUG=+seh,+relay,+wincodecs,+reg,+server wine ./AssettoCorsa_Launcher.exe >>log_server.txt 2>&1
...
002d:Call windowscodecs.IWICImagingFactory_CreateDecoderFromStream_Proxy(0533311c,05332848,0032eb68,00000000,0032eb78) ret=15b83331
002d:trace:wincodecs:ImagingFactory_CreateDecoderFromStream (0x5333118,0x5332848,{f0e749ca-edef-4589-a73a-ee0e626a2a2b},0,0x32eb78)
002d:Call advapi32.RegOpenKeyExW(80000000,78fbe7dc L"CLSID",00000000,00020019,0032e8a0) ret=78f6a7b0
002d:Call ntdll.RtlInitUnicodeString(0032e7ec,78fbe7dc L"CLSID") ret=7b0325a9
002d:Ret ntdll.RtlInitUnicodeString() retval=0000000c ret=7b0325a9
002d:Call ntdll.NtOpenKeyEx(0032e8a0,00020019,0032e7f4,00000000) ret=7b0325cb
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000, name=L"CLSID" )
002d: open_key() = 0 { hkey=003c }
002d:trace:reg:open_key <- 0x3c
002d:Ret ntdll.NtOpenKeyEx() retval=00000000 ret=7b0325cb
002d:Call ntdll.RtlNtStatusToDosError(00000000) ret=7b0325d2
002d:Ret ntdll.RtlNtStatusToDosError() retval=00000000 ret=7b0325d2
002d:Ret advapi32.RegOpenKeyExW() retval=00000000 ret=78f6a7b0
...
002d:Call windowscodecs.WICCreateImagingFactory_Proxy(00000236,0dfe6090) ret=15b83010
002d:trace:wincodecs:WICCreateImagingFactory_Proxy 236, 0xdfe6090
002d:trace:wincodecs:ImagingFactory_CreateInstance ({ec5ec8a9-c395-4314-9c77-54d7a935ff70},0xdfe6090)
002d:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=78f64726
002d:Ret ntdll.RtlAllocateHeap() retval=0532d320 ret=78f64726
002d:trace:wincodecs:ImagingFactory_QueryInterface (0x532d320,{ec5ec8a9-c395-4314-9c77-54d7a935ff70},0xdfe6090)
002d:trace:wincodecs:ImagingFactory_AddRef (0x532d320) refcount=2
002d:trace:wincodecs:ImagingFactory_Release (0x532d320) refcount=1
002d:Ret windowscodecs.WICCreateImagingFactory_Proxy() retval=00000000 ret=15b83010
002d:Call windowscodecs.IWICImagingFactory_CreateDecoderFromStream_Proxy(0532d324,05352598,0032eb68,00000000,0032eb78) ret=15b83331
002d:trace:wincodecs:ImagingFactory_CreateDecoderFromStream (0x532d320,0x5352598,{f0e749ca-edef-4589-a73a-ee0e626a2a2b},0,0x32eb78)
002d:Call advapi32.RegOpenKeyExW(80000000,78fbe7dc L"CLSID",00000000,00020019,0032e8a0) ret=78f6a7b0
002d:Call ntdll.RtlInitUnicodeString(0032e7ec,78fbe7dc L"CLSID") ret=7b0325a9
002d:Ret ntdll.RtlInitUnicodeString() retval=0000000c ret=7b0325a9
002d:Call ntdll.NtOpenKeyEx(0032e8a0,00020019,0032e7f4,00000000) ret=7b0325cb
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000, name=L"CLSID" )
002d: open_key() = INVALID_HANDLE { hkey=0000 }
002d:trace:reg:open_key <- (nil)
002d:Ret ntdll.NtOpenKeyEx() retval=c0000008 ret=7b0325cb
002d:Call ntdll.RtlNtStatusToDosError(c0000008) ret=7b0325d2
002d:Ret ntdll.RtlNtStatusToDosError() retval=00000006 ret=7b0325d2
002d:Ret advapi32.RegOpenKeyExW() retval=00000006 ret=78f6a7b0
002d:Call advapi32.RegOpenKeyExW(80000000,78fbe7dc L"CLSID",00000000,00020019,0032e8a0) ret=78f6a7b0
002d:Call ntdll.RtlInitUnicodeString(0032e7ec,78fbe7dc L"CLSID") ret=7b0325a9
002d:Ret ntdll.RtlInitUnicodeString() retval=0000000c ret=7b0325a9
002d:Call ntdll.NtOpenKeyEx(0032e8a0,00020019,0032e7f4,00000000) ret=7b0325cb
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000, name=L"CLSID" )
002d: open_key() = INVALID_HANDLE { hkey=0000 }
002d:trace:reg:open_key <- (nil)
002d:Ret ntdll.NtOpenKeyEx() retval=c0000008 ret=7b0325cb
002d:Call ntdll.RtlNtStatusToDosError(c0000008) ret=7b0325d2
002d:Ret ntdll.RtlNtStatusToDosError() retval=00000006 ret=7b0325d2
002d:Ret advapi32.RegOpenKeyExW() retval=00000006 ret=78f6a7b0
002d:warn:wincodecs:ImagingFactory_CreateDecoderFromStream failed to load from a stream 0x80070006
002d:trace:wincodecs:IWICStreamImpl_Seek (0x5352598, 0, 0, (nil))
002d:trace:wincodecs:StreamOnMemory_Seek (0x534ff48, 0, 0, (nil))
002d:trace:wincodecs:IWICStreamImpl_Read (0x5352598, 0x32e9cc, 4, 0x32e9c8)
002d:trace:wincodecs:StreamOnMemory_Read (0x534ff48, 0x32e9cc, 4, 0x32e9c8)
002d:warn:wincodecs:ImagingFactory_CreateDecoderFromStream first 4 bytes of stream=89 50 4e 47
002d:Ret windowscodecs.IWICImagingFactory_CreateDecoderFromStream_Proxy() retval=80070006 ret=15b83331
...
System.Windows.Markup.XamlParseException: Provide value on 'System.Windows.Baml2006.TypeConverterMarkupExtension' threw an exception. ---> System.Runtime.InteropServices.COMException: Invalid handle. (Exception from HRESULT: 0x80070006 (E_HANDLE))
   at System.Windows.Media.Imaging.BitmapDecoder.SetupDecoderFromUriOrStream(Uri uri, Stream stream, BitmapCacheOption cacheOption, Guid& clsId, Boolean& isOriginalWritable, Stream& uriStream, UnmanagedMemoryStream& unmanagedMemoryStream, SafeFileHandle& safeFilehandle)
   at System.Windows.Media.Imaging.BitmapDecoder.CreateFromUriOrStream(Uri baseUri, Uri uri, Stream stream, BitmapCreateOptions createOptions, BitmapCacheOption cacheOption, RequestCachePolicy uriCachePolicy, Boolean insertInDecoderCache)
   at System.Windows.Media.Imaging.BitmapFrame.CreateFromUriOrStream(Uri baseUri, Uri uri, Stream stream, BitmapCreateOptions createOptions, BitmapCacheOption cacheOption, RequestCachePolicy uriCachePolicy)
   at System.Windows.Media.ImageSourceConverter.ConvertFrom(ITypeDescriptorContext context, CultureInfo culture, Object value)
   at System.Windows.Baml2006.TypeConverterMarkupExtension.ProvideValue(IServiceProvider serviceProvider)
   at MS.Internal.Xaml.Runtime.ClrObjectRuntime.CallProvideValue(MarkupExtension me, IServiceProvider serviceProvider)
   --- End of inner exception stack trace ---
   at System.Windows.Markup.XamlReader.RewrapException(Exception e, IXamlLineInfo lineInfo, Uri baseUri)
   at System.Windows.Markup.WpfXamlLoader.Load(XamlReader xamlReader, IXamlObjectWriterFactory writerFactory, Boolean skipJournaledProperties, Object rootObject, XamlObjectWriterSettings settings, Uri baseUri)
   at System.Windows.Markup.WpfXamlLoader.LoadBaml(XamlReader xamlReader, Boolean skipJournaledProperties, Object rootObject, XamlAccessLevel accessLevel, Uri baseUri)
   at System.Windows.Markup.XamlReader.LoadBaml(Stream stream, ParserContext parserContext, Object parent, Boolean closeStream)
   at System.Windows.Application.LoadComponent(Object component, Uri resourceLocator)
   at AC.Launcher.MainWindow.InitializeComponent()
   at AC.Launcher.MainWindow..ctor(Boolean softwaremode)
   at AC.Launcher.Startup.Main(String[] args)
--- snip ---
Why would such a thing fail on the wineserver side:
--- snip ---
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000, name=L"CLSID" )
002d: open_key() = INVALID_HANDLE { hkey=0000 }
002d:trace:reg:open_key <- (nil)
--- snip ---
Going back in time, I find this:
--- snip ---
002d:Call KERNEL32.LCMapStringEx(01941620 L"",00000100,01a3a37c L"0",00000001,01a3a38c,00000001,00000000,00000000,00000000) ret=7916d04d
002d:Call ntdll.memcmp(7b059070,00aa05d4,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa0328,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa01c0,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa010c,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa00c4,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa00a0,00000010) ret=7b01fc72
002d:Ret ntdll.memcmp() retval=00000000 ret=7b01fc72
002d:Call ntdll.NtClose(05002f2b) ret=7b033207
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
002d:Ret ntdll.NtClose() retval=c0000008 ret=7b033207
002d:Call ntdll.RtlNtStatusToDosError(c0000008) ret=7b03320e
002d:Ret ntdll.RtlNtStatusToDosError() retval=00000006 ret=7b03320e
002d:Ret KERNEL32.LCMapStringEx() retval=00000001 ret=7916d04d
--- snip ---
Yikes. Taking random data and passing it to NtClose(). What could possibly go wrong? Many things ;-)
--- snip ---
$ egrep -B1 "002d:.*close_handle() = INVALID_HANDLE.*" log_server.txt

002d: close_handle( handle=a99830 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1302 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1302 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32c6b8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32c6a8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=7bce8a74 )
002d: close_handle() = INVALID_HANDLE
--
...
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32ebb4 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1991ac8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32e8b8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=79142ec3 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
--
...
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32e8b8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=79142ec3 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1611658 )
002d: close_handle() = INVALID_HANDLE
--- snip ---
Regression introduced by https://source.winehq.org/git/wine.git/commitdiff/b780e5f5b1bd018629bfa31431... ("kernelbase: Use linguistic case table for LCMAP_LINGUISTIC_CASING.")
https://source.winehq.org/git/wine.git/blob/84cca2baae23c6afa0c8070f5009fdcf...
--- snip ---
655 static const struct sortguid *get_language_sort( const WCHAR *locale )
656 {
657     WCHAR *p, *end, buffer[LOCALE_NAME_MAX_LENGTH], guidstr[39];
658     const struct sortguid *ret;
659     UNICODE_STRING str;
660     GUID guid;
661     HKEY key;                      /* never initialised; closed unconditionally at 'done' */
662     DWORD size, type;
663
664     if (locale == LOCALE_NAME_USER_DEFAULT)
665     {
666         if (current_locale_sort) return current_locale_sort;
667         GetUserDefaultLocaleName( buffer, ARRAY_SIZE( buffer ));
668     }
669     else lstrcpynW( buffer, locale, LOCALE_NAME_MAX_LENGTH );
670
671     if (buffer[0] && !RegOpenKeyExW( nls_key, L"Sorting\\Ids", 0, KEY_READ, &key ))
672     {
673         for (;;)
674         {
675             size = sizeof(guidstr);
676             if (!RegQueryValueExW( key, buffer, NULL, &type, (BYTE *)guidstr, &size ) && type == REG_SZ)
677             {
678                 RtlInitUnicodeString( &str, guidstr );
679                 if (!RtlGUIDFromString( &str, &guid ))
680                 {
681                     ret = find_sortguid( &guid );
682                     goto done;
683                 }
684                 break;
685             }
686             for (p = end = buffer; *p; p++) if (*p == '-' || *p == '_') end = p;
687             if (end == buffer) break;
688             *end = 0;
689         }
690     }
691     ret = find_sortguid( &default_sort_guid );
692 done:
693     RegCloseKey( key );            /* reached with garbage 'key' when buffer[0] is 0 or the open failed */
694     return ret;
695 }
--- snip ---
Ideally we want to fix this ASAP, before the next Wine 5.5 release! Otherwise expect quite a number of bug reports with all kinds of weird crashes/app/game behaviour.
$ wine --version
wine-5.4-255-g00e55c8fc0
Regards
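Added example to make the failure mode in the listing above concrete; this is a constructed model written for this page, not Wine's code. A tiny handle table stands in for the registry, get_sort_buggy has the shape of get_language_sort (the handle is only assigned when the open succeeds but is closed regardless), and get_sort_fixed closes only what it opened. The stub names, the 0x24 slot and the garbage values are assumptions for illustration.

```c
#include <string.h>

/* Constructed stand-in for the registry handle table; not Wine's code.
 * Slot 0 holds a key some other caller opened earlier (think of the
 * parent=0024 handle the CLSID lookup in the log depends on). */
typedef unsigned long HKEY;
#define MAX_KEYS 4
static HKEY handles[MAX_KEYS];
static int invalid_closes;            /* closes rejected as INVALID_HANDLE */

static void reset(void) { memset(handles, 0, sizeof(handles)); handles[0] = 0x24; invalid_closes = 0; }
static int other_key_still_open(void) { return handles[0] == 0x24; }

static int RegOpenKeyExW_stub(const char *path, HKEY *out)
{
    if (strcmp(path, "Sorting\\Ids") != 0) return 2;   /* ERROR_FILE_NOT_FOUND */
    for (int i = 1; i < MAX_KEYS; i++)
        if (!handles[i]) { handles[i] = 0x3c + 4 * i; *out = handles[i]; return 0; }
    return 6;
}

static int RegCloseKey_stub(HKEY key)
{
    for (int i = 0; i < MAX_KEYS; i++)
        if (key && handles[i] == key) { handles[i] = 0; return 0; }
    invalid_closes++;
    return 6;                                           /* ERROR_INVALID_HANDLE */
}

/* Same shape as the get_language_sort listing: 'key' is assigned only when
 * the open succeeds, yet it is closed unconditionally at the end. 'garbage'
 * stands in for whatever the uninitialised stack slot contained. */
static int get_sort_buggy(const char *locale, HKEY garbage)
{
    HKEY key = garbage;
    int found = 0;
    if (locale[0] && !RegOpenKeyExW_stub("Sorting\\Ids", &key)) found = 1;
    RegCloseKey_stub(key);            /* on the failure path this is garbage */
    return found;
}

/* Hardened shape: close only a handle this function actually opened. */
static int get_sort_fixed(const char *locale)
{
    HKEY key;
    if (!locale[0] || RegOpenKeyExW_stub("Sorting\\Ids", &key)) return 0;
    RegCloseKey_stub(key);
    return 1;
}
```

The empty-locale case mirrors the LCMapStringEx(L"", ...) call in the log: with garbage equal to a live handle the close silently succeeds and someone else's key disappears, with any other value wineserver reports INVALID_HANDLE, and the fixed shape does neither.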
--- Comment #5 from Anastasius Focht focht@gmx.net ---
Hello folks,
the issue is fixed with https://source.winehq.org/git/wine.git/commitdiff/375668e1222375462314a26e70... ("kernelbase: Open registry keys before looking for sort table.")
Thanks to Alexandre
Apparently you are trying to fix another issue here: "kernelbase: Zero out retkey in the ERROR_INVALID_HANDLE case in RegOpenKeyExW"?
https://www.winehq.org/pipermail/wine-devel/2020-March/162819.html
Strictly speaking, that's not what this bug is about. The Valgrind finding and the app crash report are related to the buggy 'get_language_sort'. I suggest splitting the 'RegOpenKeyExW' behaviour into a separate bug report, since they are really different issues.
Regards
jeffersoncarpenter2@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
--- Comment #6 from jeffersoncarpenter2@gmail.com ---
Fixed in https://source.winehq.org/git/wine.git/commit/f070d040ebb587f117ac14492a9688...
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #7 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 5.6.
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |f070d040ebb587f117ac14492a96882c6bd164e2
Zebediah Figura z.figura12@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|kernelbase                  |kernel32