On WOW64, Nt calls expect a 64-bit IO_STATUS_BLOCK with .Pointer pointing to the 32-bit IOSB. When Nt calls are made from the unix side we need to initialize the pointer to NULL to, at least, discard the IOSB results and avoid invalid writes.
There's the same problem in wineandroid.drv `android_ioctl`, but it is more complicated. The IOSB result is actually read, so instead of a NULL pointer it will need to point to a 32-bit IOSB, and to check whether the process is WOW64 or not when reading the result.
It's more complicated and I preferred to not make the change. Note that anything that needs the IOSB result from the unix side will face the same problem, and it would maybe be nice to have a general solution.
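The layout problem described above, as an added C model that is not Wine code and not part of this merge request: `iosb32`, `iosb64`, `complete_io`, `read_information` and the three call-site functions are constructed stand-ins for IO_STATUS_BLOCK and the WOW64 completion path, written only to show why a zero-initialized IOSB is safe to pass, why an uninitialized one is not, and what a caller that actually needs the result (the android_ioctl case) has to do differently.

```c
/* Added example: a stand-alone model of the WOW64 IO_STATUS_BLOCK hazard.
 * The types and functions are constructed for illustration; they are not
 * Wine's definitions or Wine's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS_T;   /* stands in for NTSTATUS */

/* 32-bit IOSB as laid out by a 32-bit (WOW64) process. */
typedef struct iosb32 {
    union { NTSTATUS_T Status; uint32_t Pointer; } u;
    uint32_t Information;
} iosb32;

/* 64-bit IOSB as the native Nt call expects it. Status and Pointer share
 * a union, so `= {{0}}` clears Pointer (and Information), not just Status. */
typedef struct iosb64 {
    union { NTSTATUS_T Status; iosb32 *Pointer; } u;
    uint64_t Information;
} iosb64;

enum iosb_outcome {
    IOSB_DISCARDED,       /* WOW64 caller, Pointer == NULL: results dropped */
    IOSB_WRITTEN_NATIVE,  /* native caller: results stored in the 64-bit IOSB */
    IOSB_WRITTEN_32BIT    /* WOW64 caller: results copied through Pointer */
};

/* Model of the completion path. A native caller gets the result in place;
 * a WOW64 caller gets it written through io->u.Pointer, whatever that holds. */
static enum iosb_outcome complete_io( iosb64 *io, int is_wow64,
                                      NTSTATUS_T status, uint64_t info )
{
    if (!is_wow64)
    {
        io->u.Status = status;
        io->Information = info;
        return IOSB_WRITTEN_NATIVE;
    }
    if (!io->u.Pointer) return IOSB_DISCARDED;   /* NULL: nothing written, nothing corrupted */
    io->u.Pointer->u.Status = status;
    io->u.Pointer->Information = (uint32_t)info;
    return IOSB_WRITTEN_32BIT;
}

/* Reading the result back must follow the same layout decision. */
static uint64_t read_information( const iosb64 *io, int is_wow64 )
{
    if (is_wow64) return io->u.Pointer ? io->u.Pointer->Information : 0;
    return io->Information;
}

/* The pattern used by the fix: zero-initialize so that on WOW64 the result is
 * discarded instead of being written through whatever Pointer happened to hold. */
static enum iosb_outcome fixed_call_site( int is_wow64 )
{
    iosb64 io = {{0}};
    return complete_io( &io, is_wow64, 0, 42 );
}

/* A caller that needs the result: on WOW64 it must supply a 32-bit IOSB and
 * read from it, and it must know which mode it is in when reading. */
static uint64_t result_consuming_call_site( int is_wow64 )
{
    iosb32 io32 = {{0}};
    iosb64 io = {{0}};
    if (is_wow64) io.u.Pointer = &io32;
    complete_io( &io, is_wow64, 0, 4096 );
    return read_information( &io, is_wow64 );
}

/* The pre-fix hazard: an uninitialized IOSB holds leftover stack bytes.
 * Simulated with a fill pattern so the example stays deterministic; the
 * bogus dereference itself is deliberately not performed. */
static int uninitialized_pointer_is_nonnull( void )
{
    iosb64 io;
    memset( &io, 0xAB, sizeof(io) );   /* stand-in for stack garbage */
    return io.u.Pointer != NULL;       /* 1: a WOW64 Nt call would write through 0xABAB... */
}

int main( void )
{
    printf( "zeroed IOSB on WOW64 -> %s\n",
            fixed_call_site( 1 ) == IOSB_DISCARDED ? "discarded" : "written" );
    printf( "32-bit IOSB supplied on WOW64 -> Information=%llu\n",
            (unsigned long long)result_consuming_call_site( 1 ) );
    printf( "uninitialized IOSB has non-NULL Pointer -> %d\n",
            uninitialized_pointer_is_nonnull() );
    return 0;
}
```

The model makes the two halves of the description concrete: zeroing the block is enough for call sites that only use the returned status, while a call site that reads the IOSB needs both a separate 32-bit block and a WOW64 check when reading it back.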
From: Rémi Bernon rbernon@codeweavers.com
To avoid invalid writes on WOW64 Nt calls. --- dlls/win32u/font.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/win32u/font.c b/dlls/win32u/font.c index 742a31b59a4..1590ab00483 100644 --- a/dlls/win32u/font.c +++ b/dlls/win32u/font.c @@ -6530,9 +6530,9 @@ static void load_system_bitmap_fonts(void)
static void load_directory_fonts( WCHAR *path, UINT flags ) { + IO_STATUS_BLOCK io = {{0}}; OBJECT_ATTRIBUTES attr; UNICODE_STRING nt_name; - IO_STATUS_BLOCK io; HANDLE handle; char buf[8192]; size_t len;
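Review bot: the new `+ IO_STATUS_BLOCK io = {{0}};` line carries no comment saying why the zero-initialization matters, and nothing in font.c itself makes that obvious to a later reader who only sees `io` handed to an Nt call; a one-line comment beside the declaration, along the lines of `/* Pointer must be NULL: on WOW64 the Nt call writes the 32-bit IOSB through it */`, would keep the fix from being undone as a cleanup. The `{{0}}` form is the right one because the first member of IO_STATUS_BLOCK is the Status/Pointer union, so this clears Pointer (and Information) rather than only Status.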
From: Rémi Bernon rbernon@codeweavers.com
To avoid invalid writes on WOW64 Nt calls. --- dlls/win32u/rawinput.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/win32u/rawinput.c b/dlls/win32u/rawinput.c index 1ddbca0896a..bd2e00a31c4 100644 --- a/dlls/win32u/rawinput.c +++ b/dlls/win32u/rawinput.c @@ -218,11 +218,11 @@ static struct device *add_device( HKEY key, DWORD type ) static const RID_DEVICE_INFO_MOUSE mouse_info = {1, 5, 0, FALSE}; struct hid_preparsed_data *preparsed = NULL; HID_COLLECTION_INFORMATION hid_info; + IO_STATUS_BLOCK io = {{0}}; OBJECT_ATTRIBUTES attr; UNICODE_STRING string; struct device *device; RID_DEVICE_INFO info; - IO_STATUS_BLOCK io; unsigned int status; UINT32 handle; void *buffer;
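Review bot: with `io` zero-initialized, a WOW64 caller gets its IOSB results discarded rather than stored, as the description explains, so any code later in add_device that reads `io.Status` or `io.Information` after the Nt call (not visible in this hunk) would see zeros instead of the real values; worth confirming that add_device decides on the returned `status` alone, and if it does read `io`, this call site belongs with the android_ioctl case that needs a real 32-bit IOSB rather than a NULL Pointer. Moving the declaration above `OBJECT_ATTRIBUTES attr;` keeps the block's longest-first ordering and is fine.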
From: Rémi Bernon rbernon@codeweavers.com
To avoid invalid writes on WOW64 Nt calls. --- dlls/winex11.drv/graphics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/winex11.drv/graphics.c b/dlls/winex11.drv/graphics.c index 54e6b9b2084..e3b0445379a 100644 --- a/dlls/winex11.drv/graphics.c +++ b/dlls/winex11.drv/graphics.c @@ -1689,7 +1689,7 @@ BOOL CDECL X11DRV_GetICMProfile( PHYSDEV dev, BOOL allow_default, LPDWORD size, else if ((buffer = get_icm_profile( &buflen ))) { static const WCHAR icm[] = {'.','i','c','m',0}; - IO_STATUS_BLOCK io; + IO_STATUS_BLOCK io = {{0}}; UINT64 hash = 0; HANDLE file; int status;
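Review bot: this is the third copy of the same one-line change, which is fine per file, but since the description says every unix-side IOSB use has the same problem, a search of the other unix-side drivers for bare `IO_STATUS_BLOCK io;` declarations passed to Nt calls would show whether these three are the only ones or whether more should ride along in this MR instead of waiting for the general solution. Style-wise, unlike the font.c and rawinput.c hunks this one replaces the declaration in place, which works because it already follows the `static const WCHAR icm[]` line and the remaining declarations (`UINT64 hash = 0;`, `HANDLE file;`, `int status;`) stay in descending-length order.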
FWIW, I have patches related to this issue that I've been working on intermittently.
On Tue Mar 7 07:51:14 2023 +0000, Zebediah Figura wrote:
FWIW, I have patches related to this issue that I've been working on intermittently.
Well I think this is a simple enough fix, and the same thing is done already in ntdll. It will fix user32:input crashing systematically on WOW64.
This merge request was approved by Huw Davies.
Yes, sorry, I didn't mean to argue against this patch; I think it's fine. I just mentioned it in case others were looking to work on the more general problem.