[Bug 21542] New: SOFTPUB_LoadCatalogMessage should use catalog members instead of file ones for retrieving msg data
wine-bugs at winehq.org
Fri Jan 29 19:38:07 CST 2010
http://bugs.winehq.org/show_bug.cgi?id=21542
Summary: SOFTPUB_LoadCatalogMessage should use catalog members
instead of file ones for retrieving msg data
Product: Wine
Version: 1.1.37
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wintrust
AssignedTo: wine-bugs at winehq.org
ReportedBy: focht at gmx.net
Hello,
a recent wintrust refactoring patch series broke PowerShell 1.x/2.x installers by
revealing a previously hidden bug...
--- snip ---
0036:Call wintrust.SoftpubInitialize(001e86f8) ret=7974e691
0036:trace:wintrust:SoftpubInitialize (0x1e86f8)
0036:trace:wintrust:SoftpubInitialize returning 00000000
0036:Ret wintrust.SoftpubInitialize() retval=00000000 ret=7974e691
0036:Call wintrust.SoftpubLoadMessage(001e86f8) ret=7974e691
0036:trace:wintrust:SoftpubLoadMessage (0x1e86f8)
0036:Call KERNEL32.CreateFileW(0033b53c L"C:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\KB968930xp.cat",80000000,00000001,00000000,00000003,00000080,00000000) ret=7974bf32
0036:Ret KERNEL32.CreateFileW() retval=0000007c ret=7974bf32
0036:Call crypt32.CryptSIPRetrieveSubjectGuid(0033b53c L"C:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\KB968930xp.cat",0000007c,001640dc) ret=7974bf70
...
0036:Call KERNEL32.GetFileSize(0000007c,00000000) ret=686fa459
0036:Ret KERNEL32.GetFileSize() retval=0000e8d2 ret=686fa459
...
0036:Ret crypt32.CryptSIPRetrieveSubjectGuid() retval=00000001 ret=7974bf70
...
0036:Call crypt32.CryptSIPLoad(001640dc,00000000,001ed4c0) ret=7974b4f9
...
0036:Ret crypt32.CryptSIPLoad() retval=00000001 ret=7974b4f9
0036:trace:wintrust:SOFTPUB_GetSIP returning 0
...
0036:Call wintrust.CryptSIPGetSignedDataMsg(001e8780,001e8730,00000000,0033b188,00000000) ret=686fb39a
0036:trace:wintrust:CryptSIPGetSignedDataMsg (0x1e8780 0x1e8730 0 0x33b188 (nil))
0036:trace:wintrust:WINTRUST_GetSignedMsgFromCatFile (0x1e8780 0x1e8730 0 0x33b188 (nil))
0036:Call KERNEL32.GetFileSize(0033b53c,00000000) ret=7974418b
0036:Ret KERNEL32.GetFileSize() retval=ffffffff ret=7974418b
0036:trace:wintrust:CryptSIPGetSignedDataMsg returning 1
0036:Ret wintrust.CryptSIPGetSignedDataMsg() retval=00000001 ret=686fb39a
0036:Call KERNEL32.GetProcessHeap() ret=7974e07e
0036:Ret KERNEL32.GetProcessHeap() retval=00110000 ret=7974e07e
0036:Call ntdll.RtlAllocateHeap(00110000,00000008,ffffffff) ret=7974e095
0036:Ret ntdll.RtlAllocateHeap() retval=00000000 ret=7974e095
0036:Call KERNEL32.CloseHandle(0000007c) ret=7974bfff
0036:Ret KERNEL32.CloseHandle() retval=00000001 ret=7974bfff
0036:trace:wintrust:SoftpubLoadMessage returning 1 (0000000e)
0036:Ret wintrust.SoftpubLoadMessage() retval=00000001 ret=7974e691
0036:trace:wintrust:WINTRUST_DefaultVerify returning 0000000e
0036:trace:wintrust:WINTRUST_DefaultClose ((nil), {00aac56b-cd44-11d0-8cc2-00c04fc295ee}, 0x33b4e8)
0036:Call wintrust.SoftpubCleanup(001e86f8) ret=7974eb81
...
--- snip ---
SoftpubLoadMessage -> (WTD_CHOICE_CATALOG) SOFTPUB_LoadCatalogMessage -> SOFTPUB_GetMessageFromFile
WINTRUST_GetSignedMsgFromCatFile -> GetFileSize() gets passed invalid file handle (stack garbage) -> following alloc fails and error is propagated to top
...
--- snip dlls/wintrust/softpub.c ---
static DWORD SOFTPUB_LoadCatalogMessage(CRYPT_PROVIDER_DATA *data)
{
    DWORD err;
    HANDLE catalog = INVALID_HANDLE_VALUE;
    if (!data->pWintrustData->u.pCatalog)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    catalog = CreateFileW(data->pWintrustData->u.pCatalog->pcwszCatalogFilePath,
     GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,
     NULL);
    if (catalog == INVALID_HANDLE_VALUE)
        return GetLastError();
    if (!CryptSIPRetrieveSubjectGuid(
     data->pWintrustData->u.pCatalog->pcwszCatalogFilePath, catalog,
     &data->u.pPDSip->gSubject))
    {
        err = GetLastError();
        goto error;
    }
    err = SOFTPUB_GetSIP(data);
    if (err)
        goto error;
    err = SOFTPUB_GetMessageFromFile(data, data->pWintrustData->u.pFile->hFile,
     data->pWintrustData->u.pFile->pcwszFilePath);
    if (err)
        goto error;
    ...
}
--- snip dlls/wintrust/softpub.c ---
This is a catalog type file, hence the pFile members can't be used for
SOFTPUB_GetMessageFromFile(), e.g.
"data->pWintrustData->u.pFile->hFile" and
"data->pWintrustData->u.pFile->pcwszFilePath"
will be invalid upon entry.
You must use the "catalog" file handle and
"data->pWintrustData->u.pCatalog->pcwszCatalogFilePath" for
SOFTPUB_GetMessageFromFile(), just like you do with
CryptSIPRetrieveSubjectGuid().
Regards
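
The union overlap behind this report, as an added example that is not part of the original message and is not Wine's code. It models the x86 layouts of WINTRUST_FILE_INFO and WINTRUST_CATALOG_INFO with 32-bit fields; the type and function names are hypothetical, and the sample values are taken from the trace above. Read through the pFile view, hFile lands on pcwszCatalogFilePath, which is the 0033b53c value GetFileSize receives in the trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed models of the x86 layouts: pointers and handles are 32 bits. */
typedef struct {                 /* models WINTRUST_FILE_INFO */
    uint32_t cbStruct, pcwszFilePath, hFile, pgKnownSubject;
} file_info32;
typedef struct {                 /* models the start of WINTRUST_CATALOG_INFO */
    uint32_t cbStruct, dwCatalogVersion, pcwszCatalogFilePath,
             pcwszMemberTag, pcwszMemberFilePath, hMemberFile;
} catalog_info32;
enum { CHOICE_FILE = 1, CHOICE_CATALOG = 2 };   /* WTD_CHOICE_* values */
typedef struct {
    uint32_t choice;             /* models dwUnionChoice */
    const void *info;            /* models the u.pFile / u.pCatalog union */
} trust_data;

/* Read one 32-bit field by offset; memcpy keeps the overlay well defined. */
static uint32_t field32(const void *base, size_t off) {
    uint32_t v;
    memcpy(&v, (const unsigned char *)base + off, sizeof v);
    return v;
}

/* As reported: the union is always read through the pFile view. */
uint32_t handle_as_reported(const trust_data *d) {
    return field32(d->info, offsetof(file_info32, hFile));
}

/* As requested: a catalog choice uses the handle opened for the catalog. */
uint32_t handle_checked(const trust_data *d, uint32_t catalog_handle) {
    if (d->choice == CHOICE_CATALOG)
        return catalog_handle;
    return field32(d->info, offsetof(file_info32, hFile));
}

/* Sample built from the trace: the catalog path pointer is 0033b53c. */
catalog_info32 sample_catalog(void) {
    return (catalog_info32){ sizeof(catalog_info32), 0, 0x0033b53cu, 0, 0, 0 };
}

int main(void) {
    catalog_info32 c = sample_catalog();
    trust_data d = { CHOICE_CATALOG, &c };
    printf("reported %08x, checked %08x\n", (unsigned)handle_as_reported(&d),
           (unsigned)handle_checked(&d, 0x7c)); /* 7c: CreateFileW result */
    return 0;
}
```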