[Bug 27991] LsaLookupNames2 separate allocations break .NET 4.0 System.Security subsystem and leak returned buffer data

wine-bugs at winehq.org
Sun Jan 22 11:11:55 CST 2012


http://bugs.winehq.org/show_bug.cgi?id=27991

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |dotnet, download
                URL|                            |http://www.datafilehost.com
                   |                            |/download-04329f6d.html
                 CC|                            |focht at gmx.net
            Summary|LsaLookupNames2             |LsaLookupNames2 separate
                   |implementation leads to     |allocations break .NET 4.0
                   |leak of returned buffer     |System.Security subsystem
                   |data                        |and leak returned buffer
                   |                            |data
           Severity|minor                       |normal

--- Comment #1 from Anastasius Focht <focht at gmx.net> 2012-01-22 11:11:55 CST ---
Hello,

hijacking this bug because I think the root cause might be the separate
allocations mentioned here.
This breaks the .NET 4.0 System.Security subsystem.

Some .NET 4.0 apps that make use of unmanaged LsaLookupNames2() crash with a
managed backtrace:

--- snip ---
...
fixme:advapi:LsaOpenPolicy ((null),0x32f074,0x00000800,0x32f04c) stub
fixme:advapi:LsaClose (0xcafe) stub
fixme:advapi:LsaOpenPolicy ((null),0x32efc4,0x00000800,0x32ef9c) stub
fixme:advapi:RegisterTraceGuidsW (0x12145d2, (nil),
{8e9f5090-2d75-4d03-8a81-e5afbf85daf1}, 1, 0x32d95c, (null), (null),
0x1565dcc,): stub

Unhandled Exception: System.ArgumentOutOfRangeException: The number of bytes
cannot exceed the virtual address space on a 32 bit machine.
Parameter name: numBytes
   at System.Runtime.InteropServices.SafeBuffer.Initialize(UInt64 numBytes)
   at
System.Security.Principal.Win32.InitializeReferencedDomainsPointer(SafeLsaMemoryHandle
referencedDomains)
   at
System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection
sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection
sourceAccounts, Type targetType, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection
sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at
System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification
modification, AccessRule rule, Boolean& modified)
   at
System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule
rule)
   at
System.Security.AccessControl.EventWaitHandleSecurity.AddAccessRule(EventWaitHandleAccessRule
rule)
   at
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[]
commandLine)
   at HAL7600.My.MyApplication.Main(String[] Args)
--- snip ---

Trace log:

--- snip ---
002a:Call
advapi32.LsaLookupNames2(0000cafe,00000000,00000001,0016d890,0032ef98,0032ef8c)
ret=04a4f6f2
002a:trace:advapi:LsaLookupNames2
(0xcafe,0x00000000,0x00000001,0x16d890,0x32ef98,0x32ef8c)
002a:trace:advapi:GetTokenInformation (0x17c, TokenUser, 0x32ec9c, 80,
0x32ec98):
002a:trace:advapi:LsaLookupNames2 mapped 1 out of 1
002a:trace:advapi:GetTokenInformation (0x17c, TokenUser, 0x32ec9c, 80,
0x32ec98):
002a:Ret  advapi32.LsaLookupNames2() retval=00000000 ret=04a4f6f2 
...
002a:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0032eea0)
ret=791cac08
002a:trace:seh:raise_exception code=e0434352 flags=1 addr=0x7b838ccb
ip=7b838ccb tid=002a
002a:trace:seh:raise_exception  info[0]=80131502
002a:trace:seh:raise_exception  info[1]=00000000
002a:trace:seh:raise_exception  info[2]=00000000
002a:trace:seh:raise_exception  info[3]=00000000
002a:trace:seh:raise_exception  info[4]=79140000 
--- snip ---

Interestingly, some of these apps don't crash every time.

Pretty nasty to step through pure IL code _oO_
At one point before a crash I got lucky and found the following values in
locals:

--- snip ---
[t#:0] mdbg> p 
local_0=Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST
local_1=1
local_2=Microsoft.Win32.Win32Native+LSA_TRUST_INFORMATION
local_3=0
referencedDomains=Microsoft.Win32.SafeHandles.SafeLsaMemoryHandle
...
[t#:0] mdbg> p local_0
local_0=Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST
<Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST>
    Entries=1
    Domains=1638600
...
[t#:0] mdbg> p referencedDomains
referencedDomains=Microsoft.Win32.SafeHandles.SafeLsaMemoryHandle
    Uninitialized=4294967295
    _numBytes=8
    handle=1673144
    _state=8
    _ownsHandle=True
    _fullyInitialized=True
...
[t#:0] mdbg> p
local_0=Microsoft.Win32.Win32Native+LSA_REFERENCED_DOMAIN_LIST
local_1=1
local_2=Microsoft.Win32.Win32Native+LSA_TRUST_INFORMATION
local_3=-34532
referencedDomains=Microsoft.Win32.SafeHandles.SafeLsaMemoryHandle
--- snip ---

The negative value is the result of a pointer subtraction which seems to come
from the LSA_TRUST_INFORMATION pointer and the domain list pointer.
This leads to the sanity check failing, hence the exception.

Bug 27447 contains a small .NET 4.0 example app that quickly dies from this
issue.

TurboTax 2011 (bug 29666) also suffers from this, though it doesn't crash every
time.

Needs the .NET 4.0 Framework prerequisite, which can be installed using the appdb
recipe (http://appdb.winehq.org/objectManager.php?sClass=version&iId=17886).
A 'winetricks dotnet40' recipe might be available in the near future.

$ sha1sum HAL7600.exe 
a4e96b4b93c70da172f0bee1e2a6f181e79a6f9e  HAL7600.exe

$ wine --version
wine-1.3.37-254-g14b790a

Regards
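As an added illustration that is neither Wine's code nor the reporter's, the following C sketch contrasts a separately allocated ReferencedDomains result with a single contiguous allocation, and models the consumer-side size computation that the comment traces to a pointer subtraction between the LSA_TRUST_INFORMATION pointer and the domain list pointer. The structure definitions are stand-ins for the SDK types, and the .NET sizing logic is an assumption about what InitializeReferencedDomainsPointer does.

```c
#include <stdint.h>
#include <stdlib.h>
/* Stand-ins for the LSA structures; field layout follows the Win32 SDK headers. */
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } LSA_UNICODE_STRING;
typedef struct { LSA_UNICODE_STRING Name; void *Sid; } LSA_TRUST_INFORMATION;
typedef struct { uint32_t Entries; LSA_TRUST_INFORMATION *Domains; } LSA_REFERENCED_DOMAIN_LIST;

/* Consumer side: Win32 callers treat ReferencedDomains as ONE buffer (header, then
 * the Domains array) and size it as (Domains - header) + Entries * sizeof(entry),
 * which is what .NET's InitializeReferencedDomainsPointer is understood to do
 * (assumption). Returns 0 when the size is negative: the report's exception case. */
static int consumer_initialize(const LSA_REFERENCED_DOMAIN_LIST *list, size_t *num_bytes)
{
    intptr_t n = (intptr_t)((uintptr_t)list->Domains - (uintptr_t)list)
               + (intptr_t)list->Entries * (intptr_t)sizeof(LSA_TRUST_INFORMATION);
    if (n < (intptr_t)sizeof *list) return 0;   /* sanity check fails */
    *num_bytes = (size_t)n;
    return 1;
}
/* Broken variant: header and Domains array from separate allocations, so the
 * subtraction measures heap distance, not buffer size. Array allocated first, so
 * the difference is normally negative, like the -34532 seen in the report. */
static LSA_REFERENCED_DOMAIN_LIST *lookup_separate(uint32_t entries)
{
    LSA_TRUST_INFORMATION *domains = calloc(entries, sizeof *domains);
    LSA_REFERENCED_DOMAIN_LIST *list = calloc(1, sizeof *list);
    list->Entries = entries;
    list->Domains = domains;
    return list;
}
/* Fixed variant: one allocation with Domains right after the header, so the computed
 * size equals the allocation size and a single LsaFreeMemory releases everything. */
static LSA_REFERENCED_DOMAIN_LIST *lookup_contiguous(uint32_t entries)
{
    LSA_REFERENCED_DOMAIN_LIST *list =
        calloc(1, sizeof *list + entries * sizeof(LSA_TRUST_INFORMATION));
    list->Entries = entries;
    list->Domains = (LSA_TRUST_INFORMATION *)(list + 1);
    return list;
}
/* Allocate with one strategy, run the consumer check, free, and report acceptance. */
static int check_strategy(int contiguous, uint32_t entries)
{
    LSA_REFERENCED_DOMAIN_LIST *list = contiguous ? lookup_contiguous(entries)
                                                  : lookup_separate(entries);
    size_t n = 0, expect = sizeof *list + entries * sizeof(LSA_TRUST_INFORMATION);
    int ok = consumer_initialize(list, &n) && n == expect;
    if (!contiguous) free(list->Domains);   /* separate variant needs two frees */
    free(list);
    return ok;
}
```

Only the contiguous layout yields a size the consumer can trust; the separate layout produces a heap-distance value that fails the check or, at best, misreports the buffer size.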
