[Bug 18426] VMware Player install - not enough disk space
wine-bugs at winehq.org
Sun Jan 17 09:29:48 CST 2010
http://bugs.winehq.org/show_bug.cgi?id=18426
--- Comment #5 from Anastasius Focht <focht at gmx.net> 2010-01-17 09:29:47 ---
Hello,
looks like a problem of propagating NULL fields (SACL/DACL) when the security
descriptor is in self relative format.
--- quote ---
...
0009:trace:ntdll:NtQuerySecurityObject
(0x58,0x00000007,0x624f08,0x00000074,0x32cafc)
0009: get_security_object( handle=0058, security_info=00000007 )
0009: get_security_object() = 0 { sd_len=00000074,
sd={control=00000014,owner={S-1-5-7},group={S-1-5-32-544},sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=1f01ff,AceFlags=0,Sid={S-1-5-18}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=1e00a9,AceFlags=0,Sid={S-1-5-7}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=1200a9,AceFlags=0,Sid={S-1-1-0}}}}
}
0009: close_handle( handle=0058 )
0009: close_handle() = 0
0009:trace:ntdll:NtAccessCheck (0x624f08, 0x48, 00120116, 0x32cadc, 0x32cac8,
0x32caf4, 0x32caec, 0x32ca84)
0009:trace:ntdll:RtlGetControlSecurityDescriptor (0x624f08,0x32ca0a,0x32ca0c)
0009:trace:ntdll:RtlLengthSid sid=0x624f1c
0009:trace:ntdll:RtlLengthSid sid=0x624f28
0009:trace:ntdll:RtlGetSaclSecurityDescriptor
(0x624f08,0x32ca12,0x32ca18,0x32ca13)
0009:trace:ntdll:RtlGetDaclSecurityDescriptor
(0x624f08,0x32ca12,0x32ca14,0x32ca13)
0009: access_check( handle=0048, desired_access=00120116,
mapping_read=00120089, mapping_write=00120116, mapping_execute=001200a0,
mapping_all=001201bf,
sd={control=00000014,owner={S-1-5-7},group={S-1-5-32-544},sacl={,dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=1f01ff,AceFlags=0,Sid={S-1-5-18}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=1e00a9,AceFlags=0,Sid={S-1-5-7}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=1200a9,AceFlags=0,Sid={S-1-1-0}}}}
)
0009: access_check() = ACCESS_VIOLATION { access_granted=00000000,
access_status=00000000, privileges_len=00000000, privileges={} }
--- quote ---
NtQuerySecurityObject():
sd_len=00000074,
sd={control=00000014,owner={S-1-5-7},group={S-1-5-32-544},sacl={},dacl=...
(ACEs present)
The resulting security descriptor is returned in self relative format:
{Revision=1, Sbz1=0, Control=32788, Owner=0x14, Group=0x20, Sacl=(nil),
Dacl=0x30}
control=0x8014 (SE_SELF_RELATIVE | SE_SACL_PRESENT | SE_DACL_PRESENT )
ntdll/sec.c:NtAccessCheck() collects various fields for transfer to
wineserver's token access_check():
--- snip dlls/ntdll/sec.c ---
NTSTATUS WINAPI
NtAccessCheck(
    PSECURITY_DESCRIPTOR SecurityDescriptor,
    HANDLE ClientToken,
    ACCESS_MASK DesiredAccess,
    PGENERIC_MAPPING GenericMapping,
    PPRIVILEGE_SET PrivilegeSet,
    PULONG ReturnLength,
    PULONG GrantedAccess,
    NTSTATUS *AccessStatus)
{
    ...
    RtlGetSaclSecurityDescriptor( SecurityDescriptor, &present, &sacl, &defaulted );
    sd.sacl_len = ((present && sacl) ? acl_bytesInUse(sacl) : 0);
    ...
}
--- snip dlls/ntdll/sec.c ---
RtlGetSaclSecurityDescriptor() looks at the control flags and propagates
"present", along with a pointer to the data:
--- snip dlls/ntdll/sec.c ---
NTSTATUS WINAPI RtlGetSaclSecurityDescriptor(
    IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
    OUT PBOOLEAN lpbSaclPresent,
    OUT PACL *pSacl,
    OUT PBOOLEAN lpbSaclDefaulted)
{
    SECURITY_DESCRIPTOR* lpsd=pSecurityDescriptor;

    TRACE("(%p,%p,%p,%p)\n",
          pSecurityDescriptor, lpbSaclPresent, pSacl, lpbSaclDefaulted);

    if (lpsd->Revision != SECURITY_DESCRIPTOR_REVISION)
        return STATUS_UNKNOWN_REVISION;

    if ( (*lpbSaclPresent = (SE_SACL_PRESENT & lpsd->Control) ? 1 : 0) )
    {
        if (SE_SELF_RELATIVE & lpsd->Control)
            *pSacl = (PACL)SELF_RELATIVE_FIELD( lpsd, Sacl );
        else
            *pSacl = lpsd->Sacl;

        *lpbSaclDefaulted = (( SE_SACL_DEFAULTED & lpsd->Control ) ? 1 : 0);
        TRACE("*pSacl=%p\n", *pSacl);
    }
    return STATUS_SUCCESS;
}
--- snip dlls/ntdll/sec.c ---
The problem is the self relative case with control flags set but no data
present (corresponds to NULL DACL/SACL).
--- snip dlls/ntdll/sec.c ---
#define SELF_RELATIVE_FIELD(sd,field) ((BYTE *)(sd) + ((SECURITY_DESCRIPTOR_RELATIVE *)(sd))->field)
...
*pSacl = (PACL)SELF_RELATIVE_FIELD( lpsd, Sacl );
--- snip dlls/ntdll/sec.c ---
The returned pointer will be wrong, leading to later (mis)interpreted (ACL)
data.
You need to check for zero offsets (= NULL field case) because a valid self
relative field offset is never 0 (SD header present).
You might want to check other code locations in ntdll/sec.c that have a similar
problem.
Regards
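The zero-offset case from the comment above, as an added example that is not part of the original comment or of Wine's source. `sd_relative`, `make_sample_sd`, `sacl_unchecked` and `relative_acl` are hypothetical stand-ins, the sample header is constructed from the trace values (Control=0x8014, Sacl=0, Dacl=0x30, sd_len=0x74), and the bounds check goes beyond the zero-offset check the comment asks for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SE_DACL_PRESENT = 0x0004, SE_SACL_PRESENT = 0x0010, SE_SELF_RELATIVE = 0x8000 };

/* Stand-in for SECURITY_DESCRIPTOR_RELATIVE: Owner..Dacl are byte offsets. */
typedef struct { uint8_t Revision, Sbz1; uint16_t Control;
                 uint32_t Owner, Group, Sacl, Dacl; } sd_relative;

/* Constructed sample: header values from the trace, SID/ACL bodies zeroed. */
static void make_sample_sd(uint8_t buf[0x74]) {
    sd_relative h = { 1, 0, SE_SELF_RELATIVE | SE_SACL_PRESENT | SE_DACL_PRESENT,
                      0x14, 0x20, 0 /* NULL SACL */, 0x30 };
    memset(buf, 0, 0x74);
    memcpy(buf, &h, sizeof(h));
}

/* Behaviour described above: the offset is added without being inspected. */
static const uint8_t *sacl_unchecked(const uint8_t *sd) {
    sd_relative h;
    memcpy(&h, sd, sizeof(h));
    return (h.Control & SE_SACL_PRESENT) ? sd + h.Sacl : NULL;
}

/* Checked lookup: 0 on success (*acl stays NULL if absent or NULL), -1 if malformed. */
static int relative_acl(const uint8_t *sd, size_t sd_len, uint16_t present_flag,
                        size_t field_off, const uint8_t **acl) {
    sd_relative h; uint32_t off;
    *acl = NULL;
    if (sd_len < sizeof(h)) return -1;
    memcpy(&h, sd, sizeof(h));
    if (!(h.Control & present_flag)) return 0;          /* flag clear: no ACL */
    memcpy(&off, sd + field_off, sizeof(off));
    if (off == 0) return 0;                             /* flag set, NULL ACL */
    if (off < sizeof(h) || off > sd_len - 8) return -1; /* 8 = ACL header size */
    *acl = sd + off;
    return 0;
}

int main(void) {
    uint8_t sd[0x74];
    const uint8_t *acl;
    make_sample_sd(sd);
    int rc = relative_acl(sd, sizeof(sd), SE_SACL_PRESENT, offsetof(sd_relative, Sacl), &acl);
    printf("unchecked=sd+%td checked rc=%d acl=%p\n", sacl_unchecked(sd) - sd, rc, (const void *)acl);
    return 0;
}
```

With the sample header the unchecked lookup returns the descriptor's own base address, so an ACL header read through it would take the Control word (0x8014) as AclSize.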