[Bug 7679] IMVU 3D Avatar Chat client crashes

Wine Bugs wine-bugs at winehq.org
Mon Apr 30 03:48:26 CDT 2007


http://bugs.winehq.org/show_bug.cgi?id=7679

------- Additional Comments From focht at gmx.net  2007-30-04 03:48 -------
Hello,

Seems I have to provide more info to get someone adding a patch ;)

The following is a trace from the problematic hooker call:

--- snip ---
..
trace:virtual:NtProtectVirtualMemory 0xffffffff 0x1c7812c 0000000c 0000000c
trace:virtual:VIRTUAL_SetProt 0x1c78000-0x1c78fff c----
trace:virtual:VIRTUAL_DumpView View: 0x1c70000 - 0x1c79fff 0x140
trace:virtual:VIRTUAL_DumpView       0x1c70000 - 0x1c70fff c-r--
trace:virtual:VIRTUAL_DumpView       0x1c71000 - 0x1c73fff c-r-x
trace:virtual:VIRTUAL_DumpView       0x1c74000 - 0x1c76fff c-rW-
trace:virtual:VIRTUAL_DumpView       0x1c77000 - 0x1c77fff c-r--
trace:virtual:VIRTUAL_DumpView       0x1c78000 - 0x1c78fff c----
trace:virtual:VIRTUAL_DumpView       0x1c79000 - 0x1c79fff c-r--
..
--- snip ---

The problem is VIRTUAL_GetProt() in dlls/ntdll/virtual.c:NtProtectVirtualMemory().

It doesn't honour multiple flag combinations (of course some of them are invalid).
As said in my previous comment, it tries to NtProtectVirtualMemory(
PAGE_WRITECOPY | PAGE_READWRITE) due to .idata section attributes.

VIRTUAL_GetProt( PAGE_WRITECOPY | PAGE_READWRITE) is called, which can't handle
multiple flags and falls through to the default case (vprot = 0).

VIRTUAL_SetProt() is then called with (0 | VPROT_COMMITTED).
This results in a no-access page ("c----") where every pointer access causes an
access violation.

To fix this, add the following pre-check in 

--- snip dlls/ntdll/virtual.c ---

NTSTATUS WINAPI NtProtectVirtualMemory( HANDLE process, PVOID *addr_ptr, SIZE_T *size_ptr,
                                        ULONG new_prot, ULONG *old_prot )
{
    FILE_VIEW *view;
    sigset_t sigset;
    NTSTATUS status = STATUS_SUCCESS;
    char *base;
    UINT i;
    BYTE vprot, *p;
    ULONG prot;
    SIZE_T size = *size_ptr;
    LPVOID addr = *addr_ptr;
    RTL_OSVERSIONINFOEXW info;

    TRACE("%p %p %08lx %08x\n", process, addr, size, new_prot );

    /* Check for mutually exclusive protection values (e.g. WRITECOPY | READWRITE)
       NOTE: VIRTUAL_GetProt doesn't honour multiple flags, so we do it here.
       Make NtProtectVirtualMemory fail to emulate Windows NT behaviour.
       TODO: check for other invalid combinations */
    if( (new_prot & (PAGE_READWRITE | PAGE_WRITECOPY)) ==
                    (PAGE_READWRITE | PAGE_WRITECOPY))
    {
         info.dwOSVersionInfoSize = sizeof(info);
         if( (RtlGetVersion( &info) == STATUS_SUCCESS) &&
             (info.dwPlatformId == VER_PLATFORM_WIN32_NT))
         {
             TRACE( "invalid page protection combination, emulating NT\n");
             return STATUS_INVALID_PARAMETER;
         }
    }

    if (process != NtCurrentProcess())
     ....

--- snip dlls/ntdll/virtual.c ---

After patch:

--- snip trace ---
..
trace:virtual:NtProtectVirtualMemory 0xffffffff 0x1c7812c 0000000c 0000000c
trace:virtual:NtProtectVirtualMemory invalid page protection combination, emulating NT
trace:virtual:NtProtectVirtualMemory 0xffffffff 0x1e12000 00000004 00000004
trace:virtual:VIRTUAL_SetProt 0x1e12000-0x1e12fff c-rw-
trace:virtual:VIRTUAL_SetProt forcing exec permission on 0x1e12000-0x1e12fff
trace:virtual:VIRTUAL_DumpView View: 0x1e10000 - 0x1e14fff 0x140
trace:virtual:VIRTUAL_DumpView       0x1e10000 - 0x1e10fff c-r--
trace:virtual:VIRTUAL_DumpView       0x1e11000 - 0x1e11fff c-r-x
trace:virtual:VIRTUAL_DumpView       0x1e12000 - 0x1e12fff c-rw-
trace:virtual:VIRTUAL_DumpView       0x1e13000 - 0x1e13fff c-rW-
trace:virtual:VIRTUAL_DumpView       0x1e14000 - 0x1e14fff c-r--
..
--- snip trace ---

The app now starts fine with winecfg = NT+

Though this check might miss some cases, there is no information that *all*
combinations are mutually exclusive.
It might be fun to add all VirtualProtect( flag_combinations) test cases for
various Windows versions :)
This is left as an exercise.
It could be possible that allowing only one flag at a time breaks too much
stuff, so I coded this specific case here.
Shouldn't be a performance killer at all.

Regards

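An added illustration of the defect and the fix discussed in the comment above; this is not Wine's code and not the reporter's patch. It models the single-value switch in VIRTUAL_GetProt (an OR of two access values falls to the default and yields 0), the general form of the pre-check that the comment leaves as an exercise (exactly one access value in the low byte, which is the assumed NT rule), and the "c-rW-" rendering used by the VIRTUAL_DumpView trace lines. The VPROT_* values, the function names and the validity rule are assumptions made for this example.

```c
#include <string.h>
/* Win32 page protection values (Windows SDK); the low byte carries the access value */
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_WRITECOPY         0x08
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
/* Internal per-page bits, modelled on Wine's VPROT_* flags (values assumed here) */
#define VPROT_READ      0x01
#define VPROT_WRITE     0x02
#define VPROT_EXEC      0x04
#define VPROT_WRITECOPY 0x08
#define VPROT_COMMITTED 0x40

/* Model of VIRTUAL_GetProt's switch: an OR of two access values matches no case, yields 0 */
unsigned char get_prot(unsigned long prot)
{
    switch (prot & 0xff) {
    case PAGE_READONLY:          return VPROT_READ;
    case PAGE_READWRITE:         return VPROT_READ | VPROT_WRITE;
    case PAGE_WRITECOPY:         return VPROT_READ | VPROT_WRITECOPY;
    case PAGE_EXECUTE:           return VPROT_EXEC;
    case PAGE_EXECUTE_READ:      return VPROT_EXEC | VPROT_READ;
    case PAGE_EXECUTE_READWRITE: return VPROT_EXEC | VPROT_READ | VPROT_WRITE;
    case PAGE_EXECUTE_WRITECOPY: return VPROT_EXEC | VPROT_READ | VPROT_WRITECOPY;
    default:                     return 0;   /* PAGE_NOACCESS, and every combination */
    }
}

/* General pre-check (assumed NT rule): exactly one access value may be set; 1 = acceptable */
int prot_is_valid(unsigned long prot)
{
    unsigned long access = prot & 0xff;
    return access != 0 && (access & (access - 1)) == 0;   /* exactly one bit set */
}

/* Renders vprot the way the VIRTUAL_DumpView trace lines above do, e.g. "c-rW-" */
const char *prot_str(unsigned char vprot, char buf[6])
{
    buf[0] = (vprot & VPROT_COMMITTED) ? 'c' : '-';
    buf[1] = '-';   /* guard bit, not modelled here */
    buf[2] = (vprot & VPROT_READ) ? 'r' : '-';
    buf[3] = (vprot & VPROT_WRITECOPY) ? 'W' : (vprot & VPROT_WRITE) ? 'w' : '-';
    buf[4] = (vprot & VPROT_EXEC) ? 'x' : '-';
    buf[5] = 0;
    return buf;
}
```

With prot_is_valid() placed before get_prot(), the WRITECOPY | READWRITE request from the .idata section is rejected instead of being committed as the "c----" page in the first trace.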