[Bug 21917] LazyLaunch raises unable to dispatch exception (TLS callbacks can taint EBP, needs assembly wrapper)

wine-bugs at winehq.org wine-bugs at winehq.org
Sat May 12 17:59:42 CDT 2012


http://bugs.winehq.org/show_bug.cgi?id=21917

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://www.sc2win.com/starc
                   |                            |raft-2-downloads/lazy-launc
                   |                            |her-v2-0-download/
                 CC|                            |focht at gmx.net
          Component|-unknown                    |ntdll
            Summary|LazyLaunch raises unable to |LazyLaunch raises unable to
                   |dispatch exception          |dispatch exception (TLS
                   |                            |callbacks can taint EBP,
                   |                            |needs assembly wrapper)

--- Comment #8 from Anastasius Focht <focht at gmx.net> 2012-05-12 17:59:42 CDT ---
Hello,

confirming.

--- quote ---
...
Unhandled exception: page fault on read access to 0x00000004, invalid program stack in 32-bit code (0x7bc4de3d).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc4de3d ESP:0033fcd0 EBP:0033fcb0 EFLAGS:00010202(  R- --  I   - - - )
 EAX:00000004 EBX:7bcbf544 ECX:cc56933b EDX:00504152
 ESI:ffd46df4 EDI:00000000
Stack dump:
0x0033fcd0:  0033fbd8 00400000 7bc4dcf3 0033fda0
0x0033fce0:  ffffffff 7bcbf544 0033fe58 7e9d56aa
0x0033fcf0:  ffffffff 7bc91c4a 00000003 7bcbf544
0x0033fd00:  ffd46df4 00000000 0033fdc8 2215b5cc
0x0033fd10:  cc56933b 00000000 00000001 7bc91c4a
0x0033fd20:  00000000 7bcbf544 ffd46df4 00000001
000c: sel=0067 base=00000000 limit=00000000 32-bit --x
Backtrace:
=>0 0x7bc4de3d call_tls_callbacks+0x240(module=0x5d3d25, reason=0x7bc4dcf3) [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:964] in ntdll (0x0033fcb0)
  1 0x00000246 (0x5184a24a)
0x7bc4de3d call_tls_callbacks+0x240 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:964] in ntdll: movl 0x0(%eax),%eax
964        for (callback = (const PIMAGE_TLS_CALLBACK *)dir->AddressOfCallBacks; *callback; callback++)
...
--- quote ---

Unfortunately it's currently not possible without patching Wine to set a
breakpoint on a TLS callback, which makes this inconvenient to analyse.

Side note: Some debuggers advertise a feature to break on TLS callbacks (before
app entry).
I have to figure out what mechanism is used so Wine can support this too.

Using a patched version we can actually see what happens...

Immediately before calling the first TLS callback:

--- snip ---
Wine-dbg>
0x7bc4e123 call_tls_callbacks+0x102 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:974] in ntdll: call *%edx
974                (*callback)( module, reason, NULL );

Wine-dbg>info reg
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc4e123 ESP:0032fcd0 EBP:0032fdc8 EFLAGS:00000246(   - --  I  Z- -P- )
 EAX:00400000 EBX:7bcc09a4 ECX:2f8b8eaf EDX:00504152
 ESI:fffd2a94 EDI:00000000
--- snip ---

After TLS callback:

--- snip ---
Wine-dbg>info reg
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc4e125 ESP:0032fcdc EBP:0032fcb0 EFLAGS:00000246(   - --  I  Z- -P- )
 EAX:00400000 EBX:7bcc09a4 ECX:2f8b8eaf EDX:00504152
 ESI:fffd2a94 EDI:00000000

Wine-dbg>si
0x7bc4e128 call_tls_callbacks+0x107 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:976] in ntdll: leal 0xffffff28(%ebp),%eax
976            __EXCEPT_ALL
...
0x7bc4e12e call_tls_callbacks+0x10d [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:976] in ntdll: movl %eax,0x0(%esp)
0x7bc4e131 call_tls_callbacks+0x110 [/home/focht/projects/wine/wine-git/dlls/ntdll/loader.c:976] in ntdll: call 0x7bc4becd __wine_pop_frame [/home/focht/projects/wine/wine-git/include/wine/exception.h:222] in ntdll
--- snip ---

EBP has been tainted within the callback and Wine actually *relies* on EBP
being preserved.
For testing I added a small assembly wrapper to call the TLS callback and it
helped.

Source:
http://source.winehq.org/git/wine.git/blob/33236819c839f6ac053d724e0930c95bb2e4eddb:/dlls/ntdll/loader.c#l955

--- snip ---
 955 static void call_tls_callbacks( HMODULE module, UINT reason )
 956 {
 957     const IMAGE_TLS_DIRECTORY *dir;
 958     const PIMAGE_TLS_CALLBACK *callback;
 959     ULONG dirsize;
 960 
 961     dir = RtlImageDirectoryEntryToData( module, TRUE, IMAGE_DIRECTORY_ENTRY_TLS, &dirsize );
 962     if (!dir || !dir->AddressOfCallBacks) return;
 963 
 964     for (callback = (const PIMAGE_TLS_CALLBACK *)dir->AddressOfCallBacks; *callback; callback++)
 965     {
...
 969         __TRY
 970         {
 971             (*callback)( module, reason, NULL );
 972         }
 973         __EXCEPT_ALL
 974         {
 ...
 978             return;
 979         }
 980         __ENDTRY
...
 984     }
 985 }
--- snip ---

$ du -sh lazylaunch2.exe 
900K    lazylaunch2.exe

$ sha1sum lazylaunch2.exe 
9ecd89dece306f5e227081295e0b7c73c6bd5057  lazylaunch2.exe

Regards
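The frame-pointer problem described in the comment above, as an added example that is not part of this bug report and not Wine's own code: a C dispatcher that walks a NULL-terminated callback array the way call_tls_callbacks() does, but invokes each callback through an inline-assembly wrapper that saves every callee-saved register and the stack pointer itself and restores them afterwards, so a callback that returns with EBP/RBP trashed cannot corrupt the caller's frame (or the __TRY frame that __wine_pop_frame later locates relative to EBP). It goes beyond the bug's i386 case by also covering the SysV x86-64 ABI. The tls_callback_t typedef, record_cb, taint_regs_cb, call_tls_callback_guarded, call_tls_callbacks_guarded, tls_callback_log and demo_dispatch are all constructed for this example; taint_regs_cb is a deliberately misbehaving callback written in assembly (built only for x86-64 ELF, a no-op elsewhere), and the 0x400000 module handle is a constructed sample value. The wrapper assumes GCC/clang inline assembly and falls back to a plain call on other targets.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for PIMAGE_TLS_CALLBACK (constructed for this example, not Wine's header). */
typedef void (*tls_callback_t)(void *module, unsigned int reason, void *reserved);

/* What the well-behaved callback observed, so a caller can verify the dispatch. */
struct callback_log { int calls; void *last_module; unsigned int last_reason; void *last_reserved; };
static struct callback_log g_log;

static void record_cb(void *module, unsigned int reason, void *reserved)
{
    g_log.calls++;
    g_log.last_module = module;
    g_log.last_reason = reason;
    g_log.last_reserved = reserved;
}

/* Deliberately misbehaving callback (constructed): returns with callee-saved registers
 * trashed, the fault pattern in the bug.  Written in assembly so the compiler cannot
 * undo it; only built for x86-64 ELF, elsewhere it is a harmless no-op. */
#if defined(__GNUC__) && defined(__x86_64__) && defined(__ELF__)
__asm__(".text\n"
        ".globl taint_regs_cb\n"
        ".type taint_regs_cb, @function\n"
        "taint_regs_cb:\n"
        "    movq $0x5a5a5a5a, %rbp\n"     /* frame pointer is now garbage */
        "    movq $0x5a5a5a5a, %rbx\n"
        "    ret\n");
void taint_regs_cb(void *module, unsigned int reason, void *reserved);
#else
void taint_regs_cb(void *module, unsigned int reason, void *reserved)
{ (void)module; (void)reason; (void)reserved; }
#endif

/* Call one callback through a wrapper that saves every callee-saved register plus the
 * stack pointer itself, instead of trusting the callee to preserve them. */
static void call_tls_callback_guarded(tls_callback_t cb, void *module, unsigned int reason)
{
    uintptr_t fn = (uintptr_t)cb;
    void *m = module;
    unsigned long r = reason;
    void *reserved = NULL;
#if defined(__GNUC__) && defined(__x86_64__) && !defined(_WIN64)
    /* SysV AMD64: arguments in rdi, rsi, rdx; rsp is restored from r12 afterwards. */
    __asm__ __volatile__(
        "subq  $128, %%rsp\n\t"             /* step over the red zone the compiler may use */
        "pushq %%rbp\n\t" "pushq %%rbx\n\t" "pushq %%r12\n\t"
        "pushq %%r13\n\t" "pushq %%r14\n\t" "pushq %%r15\n\t"
        "movq  %%rsp, %%r12\n\t"            /* keep rsp in a register we just saved */
        "andq  $-16, %%rsp\n\t"             /* ABI: rsp 16-byte aligned at the call */
        "call  *%%rax\n\t"
        "movq  %%r12, %%rsp\n\t"            /* restore rsp whatever the callee did */
        "popq  %%r15\n\t" "popq  %%r14\n\t" "popq  %%r13\n\t"
        "popq  %%r12\n\t" "popq  %%rbx\n\t" "popq  %%rbp\n\t"
        "addq  $128, %%rsp\n\t"
        : "+a"(fn), "+D"(m), "+S"(r), "+d"(reserved)
        :
        : "rcx", "r8", "r9", "r10", "r11", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5",
          "xmm6", "xmm7", "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14",
          "xmm15", "memory", "cc");
#elif defined(__GNUC__) && defined(__i386__)
    /* i386, the case in the bug: arguments on the stack.  Restoring esp from esi makes
     * this correct for cdecl and stdcall (callee-pops) callbacks alike. */
    (void)reserved;
    __asm__ __volatile__(
        "pushl %%ebp\n\t" "pushl %%ebx\n\t" "pushl %%esi\n\t" "pushl %%edi\n\t"
        "movl  %%esp, %%esi\n\t"
        "andl  $-16, %%esp\n\t"
        "subl  $4, %%esp\n\t"               /* 4 + three 4-byte pushes: aligned at the call */
        "pushl $0\n\t"                      /* reserved */
        "pushl %%ecx\n\t"                   /* reason */
        "pushl %%eax\n\t"                   /* module */
        "call  *%%edx\n\t"
        "movl  %%esi, %%esp\n\t"
        "popl  %%edi\n\t" "popl  %%esi\n\t" "popl  %%ebx\n\t" "popl  %%ebp\n\t"
        : "+a"(m), "+c"(r), "+d"(fn)
        :
        : "memory", "cc");
#else
    cb(m, (unsigned int)r, reserved);       /* other targets: plain call, no wrapper */
#endif
}

/* Mirrors the loop in Wine's call_tls_callbacks(): walk a NULL-terminated array.
 * Returns how many callbacks were invoked. */
int call_tls_callbacks_guarded(const tls_callback_t *callbacks, void *module, unsigned int reason)
{
    int n = 0;
    if (!callbacks) return 0;
    for (; *callbacks; callbacks++) {
        call_tls_callback_guarded(*callbacks, module, reason);
        n++;
    }
    return n;
}

const struct callback_log *tls_callback_log(void) { return &g_log; }

/* Dispatch a constructed table: a good callback, the register-trashing one, and the good
 * one again.  Surviving this and returning 3 shows the wrapper restored the frame. */
int demo_dispatch(void)
{
    static const tls_callback_t table[] = { record_cb, taint_regs_cb, record_cb, NULL };
    return call_tls_callbacks_guarded(table, (void *)0x400000 /* sample image base */, 1);
}
```

Without the wrapper, the second callback would leave the dispatcher with a garbage frame pointer, and any subsequent EBP/RBP-relative access (such as Wine's `leal 0xffffff28(%ebp),%eax` before `__wine_pop_frame` in the trace above) would read from the wrong place. Restoring the stack pointer from a saved register rather than adjusting it by a fixed amount is what makes the wrapper indifferent to whether the callee pops its own arguments.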
