[Bug 21542] New: SOFTPUB_LoadCatalogMessage should use catalog members instead of file ones for retrieving msg data

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Jan 29 19:38:07 CST 2010


http://bugs.winehq.org/show_bug.cgi?id=21542

           Summary: SOFTPUB_LoadCatalogMessage should use catalog members
                    instead of file ones for retrieving msg data
           Product: Wine
           Version: 1.1.37
          Platform: x86
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: wintrust
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net


Hello,

A recent wintrust refactoring patch series broke the PowerShell 1.x/2.x installers by
revealing a previously hidden bug...

--- snip ---
0036:Call wintrust.SoftpubInitialize(001e86f8) ret=7974e691
0036:trace:wintrust:SoftpubInitialize (0x1e86f8)
0036:trace:wintrust:SoftpubInitialize returning 00000000
0036:Ret  wintrust.SoftpubInitialize() retval=00000000 ret=7974e691
0036:Call wintrust.SoftpubLoadMessage(001e86f8) ret=7974e691
0036:trace:wintrust:SoftpubLoadMessage (0x1e86f8)
0036:Call KERNEL32.CreateFileW(0033b53c
L"C:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\KB968930xp.cat",80000000,00000001,00000000,00000003,00000080,00000000)
ret=7974bf32
0036:Ret  KERNEL32.CreateFileW() retval=0000007c ret=7974bf32
0036:Call crypt32.CryptSIPRetrieveSubjectGuid(0033b53c
L"C:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\KB968930xp.cat",0000007c,001640dc)
ret=7974bf70
...
0036:Call KERNEL32.GetFileSize(0000007c,00000000) ret=686fa459
0036:Ret  KERNEL32.GetFileSize() retval=0000e8d2 ret=686fa459
...
0036:Ret  crypt32.CryptSIPRetrieveSubjectGuid() retval=00000001 ret=7974bf70 
...
0036:Call crypt32.CryptSIPLoad(001640dc,00000000,001ed4c0) ret=7974b4f9
...
0036:Ret  crypt32.CryptSIPLoad() retval=00000001 ret=7974b4f9
0036:trace:wintrust:SOFTPUB_GetSIP returning 0
...
0036:Call
wintrust.CryptSIPGetSignedDataMsg(001e8780,001e8730,00000000,0033b188,00000000)
ret=686fb39a
0036:trace:wintrust:CryptSIPGetSignedDataMsg (0x1e8780 0x1e8730 0 0x33b188
(nil))
0036:trace:wintrust:WINTRUST_GetSignedMsgFromCatFile (0x1e8780 0x1e8730 0
0x33b188 (nil))
0036:Call KERNEL32.GetFileSize(0033b53c,00000000) ret=7974418b
0036:Ret  KERNEL32.GetFileSize() retval=ffffffff ret=7974418b
0036:trace:wintrust:CryptSIPGetSignedDataMsg returning 1
0036:Ret  wintrust.CryptSIPGetSignedDataMsg() retval=00000001 ret=686fb39a
0036:Call KERNEL32.GetProcessHeap() ret=7974e07e
0036:Ret  KERNEL32.GetProcessHeap() retval=00110000 ret=7974e07e
0036:Call ntdll.RtlAllocateHeap(00110000,00000008,ffffffff) ret=7974e095
0036:Ret  ntdll.RtlAllocateHeap() retval=00000000 ret=7974e095
0036:Call KERNEL32.CloseHandle(0000007c) ret=7974bfff
0036:Ret  KERNEL32.CloseHandle() retval=00000001 ret=7974bfff
0036:trace:wintrust:SoftpubLoadMessage returning 1 (0000000e)
0036:Ret  wintrust.SoftpubLoadMessage() retval=00000001 ret=7974e691
0036:trace:wintrust:WINTRUST_DefaultVerify returning 0000000e
0036:trace:wintrust:WINTRUST_DefaultClose ((nil),
{00aac56b-cd44-11d0-8cc2-00c04fc295ee}, 0x33b4e8)
0036:Call wintrust.SoftpubCleanup(001e86f8) ret=7974eb81 
...
--- snip ---

SoftpubLoadMessage -> (WTD_CHOICE_CATALOG) SOFTPUB_LoadCatalogMessage ->
SOFTPUB_GetMessageFromFile

WINTRUST_GetSignedMsgFromCatFile -> GetFileSize() gets passed invalid file
handle (stack garbage) -> following alloc fails and error is propagated to top
...

--- snip dlls/wintrust/softpub.c ---
static DWORD SOFTPUB_LoadCatalogMessage(CRYPT_PROVIDER_DATA *data)
{
    DWORD err;
    HANDLE catalog = INVALID_HANDLE_VALUE;

    if (!data->pWintrustData->u.pCatalog)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    catalog = CreateFileW(data->pWintrustData->u.pCatalog->pcwszCatalogFilePath,
     GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,
     NULL);
    if (catalog == INVALID_HANDLE_VALUE)
        return GetLastError();
    if (!CryptSIPRetrieveSubjectGuid(
     data->pWintrustData->u.pCatalog->pcwszCatalogFilePath, catalog,
     &data->u.pPDSip->gSubject))
    {
        err = GetLastError();
        goto error;
    }
    err = SOFTPUB_GetSIP(data);
    if (err)
        goto error;
    err = SOFTPUB_GetMessageFromFile(data, data->pWintrustData->u.pFile->hFile,
     data->pWintrustData->u.pFile->pcwszFilePath);
    if (err)
        goto error;
...
}
--- snip dlls/wintrust/softpub.c ---

This is a catalog type file hence the pFile members can't be used for
SOFTPUB_GetMessageFromFile(), e.g.

"data->pWintrustData->u.pFile->hFile" and
"data->pWintrustData->u.pFile->pcwszFilePath"

will be invalid upon entry.

You must use "catalog" file handle and
"data->pWintrustData->u.pCatalog->pcwszCatalogFilePath" just like you do with
CryptSIPRetrieveSubjectGuid() for SOFTPUB_GetMessageFromFile().

Regards
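
Added example (not part of the original report and not Wine code): a portable C model of the union mix-up described above, showing why reading the file member of a catalog request yields a non-handle value and how selecting by the active member avoids it. The struct layouts are simplified 32-bit stand-ins for the leading fields of WINTRUST_FILE_INFO and WINTRUST_CATALOG_INFO, the function names are hypothetical, and the sample values 0033b53c (catalog path pointer) and 7c (catalog handle) are the ones visible in the trace, where the same 0033b53c is later passed to GetFileSize() as a handle.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified 32-bit models (assumption): pointers and handles are uint32_t
 * so the layout matches x86 on any host. Only the leading fields are kept. */
struct file_info32    { uint32_t cbStruct, pcwszFilePath, hFile; };
struct catalog_info32 { uint32_t cbStruct, dwCatalogVersion, pcwszCatalogFilePath; };

enum { CHOICE_FILE = 1, CHOICE_CATALOG = 2 };   /* stand-ins for WTD_CHOICE_* */

struct trust_data {
    uint32_t choice;                            /* which union member is valid */
    union { struct file_info32 file; struct catalog_info32 catalog; } u;
};

/* Models the defect: reads the file member without checking the choice. */
uint32_t buggy_handle(const struct trust_data *d)
{
    return d->u.file.hFile;
}

/* Models the fix: pick handle and path according to the active member.
 * opened_catalog is the handle the caller got from opening the catalog. */
int select_source(const struct trust_data *d, uint32_t opened_catalog,
                  uint32_t *handle, uint32_t *path)
{
    switch (d->choice) {
    case CHOICE_FILE:
        *handle = d->u.file.hFile;
        *path = d->u.file.pcwszFilePath;
        return 0;
    case CHOICE_CATALOG:
        *handle = opened_catalog;
        *path = d->u.catalog.pcwszCatalogFilePath;
        return 0;
    default:
        return -1;                              /* unknown choice: refuse */
    }
}

/* Catalog request built from the values in the trace above. */
struct trust_data sample_catalog_request(void)
{
    struct trust_data d = { CHOICE_CATALOG, { .catalog = { 12, 0, 0x0033b53c } } };
    return d;
}

int main(void)
{
    struct trust_data d = sample_catalog_request();
    uint32_t h = 0, p = 0;
    select_source(&d, 0x7c, &h, &p);
    printf("buggy=%08x fixed=%08x\n", (unsigned)buggy_handle(&d), (unsigned)h);
    return 0;
}
```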
