[Bug 18980] New: Canon's CONSOLE Image Control & Storage Software fails on administrator privs check

wine-bugs at winehq.org wine-bugs at winehq.org
Wed Jun 17 13:53:56 CDT 2009 

http://bugs.winehq.org/show_bug.cgi?id=18980

           Summary: Canon's CONSOLE Image Control & Storage Software fails
                    on administrator privs check
           Product: Wine
           Version: 1.1.23
          Platform: PC
               URL: http://www.usa.canon.com/consumer/controller?act=Model
                    InfoAct&tabact=DownloadDetailTabAct&fcategoryid=326&mo
                    delid=10350
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: advapi32
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net


Hello,

a user in #winehq came up with this problem, so I looked into it knowing the
app won't work at all due to low level hardware driver dependency.

Anyway it revealed at least a valid bug ;-)

--- snip ---
...
0028:Call advapi32.OpenProcessToken(ffffffff,00000018,0032fce4) ret=0046fa9e
0028:Ret  advapi32.OpenProcessToken() retval=00000001 ret=0046fa9e
0028:Call
advapi32.GetTokenInformation(000000a8,00000002,00000000,00000000,0032fce0)
ret=0046fac3
0028:trace:advapi:GetTokenInformation (0xa8, TokenGroups, (nil), 0, 0x32fce0):
0028:Ret  advapi32.GetTokenInformation() retval=00000000 ret=0046fac3
0028:Call msvcrt.malloc(000000a0) ret=5f8038d6
0028:Call ntdll.RtlAllocateHeap(00110000,00000000,000000a0) ret=7ed2d867
0028:Ret  ntdll.RtlAllocateHeap() retval=00159260 ret=7ed2d867
0028:Ret  msvcrt.malloc() retval=00159260 ret=5f8038d6
0028:Call
advapi32.GetTokenInformation(000000a8,00000002,00159260,000000a0,0032fce0)
ret=0046faef
0028:trace:advapi:GetTokenInformation (0xa8, TokenGroups, 0x159260, 160,
0x32fce0):
0028:Ret  advapi32.GetTokenInformation() retval=00000001 ret=0046faef
0028:Call advapi32.GetSidSubAuthorityCount(0015929c) ret=0046fb10
0028:Ret  advapi32.GetSidSubAuthorityCount() retval=0015929d ret=0046fb10
0028:Call KERNEL32.GetLastError() ret=0046fb20
0028:Ret  KERNEL32.GetLastError() retval=0000007a ret=0046fb20
0028:Call advapi32.GetSidSubAuthorityCount(001592a8) ret=0046fb10
0028:Ret  advapi32.GetSidSubAuthorityCount() retval=001592a9 ret=0046fb10
0028:Call KERNEL32.GetLastError() ret=0046fb20
0028:Ret  KERNEL32.GetLastError() retval=0000007a ret=0046fb20
0028:Call advapi32.GetSidSubAuthorityCount(001592b4) ret=0046fb10
0028:Ret  advapi32.GetSidSubAuthorityCount() retval=001592b5 ret=0046fb10
0028:Call KERNEL32.GetLastError() ret=0046fb20
0028:Ret  KERNEL32.GetLastError() retval=0000007a ret=0046fb20
0028:Call advapi32.GetSidSubAuthorityCount(001592c0) ret=0046fb10
0028:Ret  advapi32.GetSidSubAuthorityCount() retval=001592c1 ret=0046fb10
0028:Call KERNEL32.GetLastError() ret=0046fb20
0028:Ret  KERNEL32.GetLastError() retval=0000007a ret=0046fb20
0028:Call advapi32.GetSidSubAuthorityCount(001592cc) ret=0046fb10
0028:Ret  advapi32.GetSidSubAuthorityCount() retval=001592cd ret=0046fb10
0028:Call KERNEL32.GetLastError() ret=0046fb20
0028:Ret  KERNEL32.GetLastError() retval=0000007a ret=0046fb20
0028:Call advapi32.GetSidSubAuthorityCount(001592dc) ret=0046fb10
0028:Ret  advapi32.GetSidSubAuthorityCount() retval=001592dd ret=0046fb10
0028:Call KERNEL32.GetLastError() ret=0046fb20
0028:Ret  KERNEL32.GetLastError() retval=0000007a ret=0046fb20
0028:Call advapi32.GetSidSubAuthorityCount(001592ec) ret=0046fb10
0028:Ret  advapi32.GetSidSubAuthorityCount() retval=001592ed ret=0046fb10
0028:Call KERNEL32.GetLastError() ret=0046fb20
0028:Ret  KERNEL32.GetLastError() retval=0000007a ret=0046fb20
0028:Call msvcrt.free(00159260) ret=5f8048cf
0028:Call ntdll.RtlFreeHeap(00110000,00000000,00159260) ret=7ed2da36
0028:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ed2da36
0028:Ret  msvcrt.free() retval=00000001 ret=5f8048cf
...
0028:Call user32.MessageBoxW(00000000,00159560 L"This program requires
administrator privileges.",00157d48 L"CONSOLE",00000040) ret=5f86881e
--- snip ---

With the first call to GetTokenInformation( ... TokenGroups ... ) the app
queries the buffer size to hold result data -> lasterror =
ERROR_INSUFFICIENT_BUFFER.
The app allocates the required buffer and then calls GetTokenInformation() to
actually fetch the data.

Next, the app loops through sub authorities using GetSidSubAuthorityCount().
Normally it would look for DOMAIN_ALIAS_RID_ADMINS but the problem is the
GetLastError() call _before_ the actual comparison. If last error is != 0, the
app won't look at data returned by GetSidSubAuthorityCount().

The last successful call to GetTokenInformation() didn't reset last error at
all - it's still at ERROR_INSUFFICIENT_BUFFER:

--- snip dlls/advapi32/security.c ---
BOOL WINAPI
GetTokenInformation( HANDLE token, TOKEN_INFORMATION_CLASS tokeninfoclass,
             LPVOID tokeninfo, DWORD tokeninfolength, LPDWORD retlen )
{
...
    return set_ntstatus( NtQueryInformationToken( token, tokeninfoclass,
tokeninfo, tokeninfolength, retlen));
}
--- snip dlls/advapi32/security.c ---

--- snip dlls/advapi32/security.c ---
/* set last error code from NT status and get the proper boolean return value
*/
/* used for functions that are a simple wrapper around the corresponding ntdll
API */
static inline BOOL set_ntstatus( NTSTATUS status )
{
    if (status) SetLastError( RtlNtStatusToDosError( status ));
    return !status;
}
--- snip dlls/advapi32/security.c ---

This is probably an oversight. I don't know what Windows does but the app seems
to expect the last error being reset to zero (NTSTATUS success).
A conformance test should reveal this.

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list