[Bug 28795] New: ExeInfoPE: PE protection schemes that abuse %gs won't run (breaks glibc TLS selector)

wine-bugs at winehq.org
Tue Oct 18 15:19:50 CDT 2011


http://bugs.winehq.org/show_bug.cgi?id=28795

             Bug #: 28795
           Summary: ExeInfoPE: PE protection schemes that abuse %gs won't
                    run (breaks glibc TLS selector)
           Product: Wine
           Version: 1.3.30
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net
    Classification: Unclassified


Hello,

newer versions of "ExeInfoPE" (>0.0.2.3), which coin their own PE protection
scheme, don't run anymore.
Bug 26701 is still present, though the app now crashes earlier.

With tracing enabled:

--- snip ---
...
0024:Call KERNEL32.VirtualProtect(00400000,00001000,00000004,0032fe40) ret=05bd0336
0024:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=05bd0336
0024:Call KERNEL32.VirtualProtect(00400000,00001000,00000002,0032fe40) ret=05bd034b
0024:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=05bd034b
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0xb74a916a ip=b74a916a tid=0024
0024:trace:seh:raise_exception  info[0]=00000000
0024:trace:seh:raise_exception  info[1]=ffffffff
0024:trace:seh:raise_exception  eax=7bc9d7a7 ebx=b75e0ff4 ecx=0032fdcc edx=7bc9d7a7 esi=0032fc74 edi=ffffffc8
0024:trace:seh:raise_exception  ebp=0032fc48 esp=0032f6bc cs=0073 ds=007b es=007b fs=0033 gs=0002 flags=00010246
0024:trace:seh:call_vectored_handlers calling handler at 0x7e16e0bd code=c0000005 flags=0
0024:trace:seh:call_vectored_handlers handler at 0x7e16e0bd returned 0
0024:trace:seh:call_stack_handlers calling handler at 0x7bc90f61 code=c0000005 flags=0
0024:Call KERNEL32.UnhandledExceptionFilter(0032f194) ret=7bc90f9b
wine: Unhandled page fault on read access to 0xffffffff at address 0xb74a916a (thread 0024), starting debugger...
0024:trace:seh:start_debugger Starting debugger "winedbg --auto 35 52"
0024:Ret  KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc90f9b
0024:trace:seh:call_stack_handlers handler at 0x7bc90f61 returned 1
Unhandled exception: page fault on read access to 0xffffffff in 32-bit code (0xb74a916a).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:0002
 EIP:b74a916a ESP:0032f6bc EBP:0032fc48 EFLAGS:00010246(  R- --  I  Z- -P- )
 EAX:7bc9d7a7 EBX:b75e0ff4 ECX:0032fdcc EDX:7bc9d7a7
 ESI:0032fc74 EDI:ffffffc8
Stack dump:
0x0032f6bc:  0032fc7c 7bc9d82e 0032fc58 b74a992c
0x0032f6cc:  0032fc7c 7bc9d82d 00000001 00000000
0x0032f6dc:  0032fc8c 7bc9d82d 00000001 00000001
0x0032f6ec:  7bc9d82d 00000000 00000000 00000001
0x0032f6fc:  7bc9d82d 00000000 00000000 00000000
0x0032f70c:  00000000 00000000 00000000 00000000
Backtrace:
=>0 0xb74a916a _IO_vfprintf+0x3a() in libc.so.6 (0x0032fc48)
  1 0xb74cbdbb vsnprintf+0xca() in libc.so.6 (0x0032fc74)
  2 0x7bc350f9 NTDLL_dbg_vprintf+0x56() in ntdll (0x0032fd90)
  3 0xb761ab63 wine_dbg_printf+0x2e() in libwine.so.1 (0x0032fdc0)
  4 0x7bc640e5 relay_call+0x113() in ntdll (0x0032fe10)
  5 0x7b8224ad in kernel32 (+0x124ac) (0x0032fe60)
  6 0x004075cd in exeinfope (+0x75cc) (0x0032fe60)
  7 0x7b85de44 call_process_entry+0xb() in kernel32 (0x0032fe78)
  8 0x7b85df8a start_process+0x143() in kernel32 (0x0032fec8)
  9 0x7bc7a244 call_thread_func+0xb() in ntdll (0x0032fed8)
  10 0x7bc7a282 call_thread_entry_point+0x33() in ntdll (0x0032ffb8)
  11 0x7bc51ebc start_process+0x25() in ntdll (0x0032ffe8)
  12 0xb761edb5 wine_call_on_stack+0x1c() in libwine.so.1 (0x00000000)
0xb74a916a _IO_vfprintf+0x3a in libc.so.6: movl    %gs:0x00000000,%ecx
--- snip ---

The protection scheme fiddles with the %gs selector value, which breaks TLS pointer
access through %gs:0 (Wine uses %fs) and the stack protector scheme that
userland libs and Wine are built with (glibc-provided __stack_chk_guard at
%gs:0x14).

My gcc 4.6.1 x86 host toolchain has -fstack-protector enabled by default, hence
Wine gets the stack canary code in its binaries.
The glibc here (Xubuntu 11.10) has stack smashing protection enabled by
default.

Even if Wine is built with "-fno-stack-protector", the app would still break
glibc's %gs TLS code.

This is just a "collector" bug for apps that run into this issue.
WONTFIX, obviously: there is no reliable way to know when to repair/restore the %gs
value (and restart the faulting instruction).

Regards
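As an added example (not code from the bug report or from Wine), a small C helper that decodes the x86 segment selectors from the "Register dump:" line quoted above and flags the null %gs that makes glibc's `movl %gs:0,%ecx` fault; it assumes the `CS:xxxx SS:xxxx ... GS:xxxx` line layout shown in the report.

```c
/* Added example (not from the bug report or Wine): decode the x86 segment
 * selectors in a Wine "Register dump:" line and flag a null %gs, the state
 * in which glibc's i386 TLS load (movl %gs:0,%ecx) faults. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct selector {
    unsigned index;   /* descriptor index, bits 15..3 */
    bool     ldt;     /* table indicator, bit 2: 1 = LDT, 0 = GDT */
    unsigned rpl;     /* requested privilege level, bits 1..0 */
    bool     is_null; /* GDT index 0: loads fine, any memory access faults */
};

struct selector decode_selector(uint16_t sel)
{
    struct selector s = { sel >> 3, (sel >> 2) & 1, sel & 3,
                          (sel & ~3u) == 0 /* RPL bits ignored for null */ };
    return s;
}

/* Hex value of one register (e.g. "GS") in the dump line, or -1 if absent.
 * Assumes the "CS:xxxx SS:xxxx ... GS:xxxx" layout Wine prints. */
int selector_from_dump(const char *line, const char *reg)
{
    char key[8];
    snprintf(key, sizeof key, "%s:", reg);
    for (const char *p = strstr(line, key); p; p = strstr(p + 1, key))
        if (p == line || p[-1] == ' ')   /* so "EFLAGS:" never matches "GS:" */
            return (int)strtoul(p + strlen(key), NULL, 16);
    return -1;
}

/* glibc on i386 reaches its thread control block through %gs, so a null %gs
 * means the first TLS or stack-guard access faults. */
bool gs_breaks_glibc_tls(const char *dump_line)
{
    int gs = selector_from_dump(dump_line, "GS");
    return gs >= 0 && decode_selector((uint16_t)gs).is_null;
}

int main(void)
{
    const char *line = " CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:0002"; /* from the report */
    struct selector gs = decode_selector((uint16_t)selector_from_dump(line, "GS"));
    printf("GS: index %u in %s, RPL %u%s\n", gs.index, gs.ldt ? "LDT" : "GDT",
           gs.rpl, gs.is_null ? " (null selector)" : "");
    return gs_breaks_glibc_tls(line) ? 1 : 0;
}
```

For the dump in the report, %fs (0x0033) decodes to GDT index 6 at RPL 3 while %gs (0x0002) has index 0, i.e. the null selector, which matches the fault on the first %gs-relative load.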
