[Bug 28628] New: advapi32/security.ok: GetTokenInformation(Token, TokenGroups, ...) returns partial garbage leading to uninitialized memory accesses?

wine-bugs at winehq.org
Sun Oct 9 12:55:28 CDT 2011


http://bugs.winehq.org/show_bug.cgi?id=28628

             Bug #: 28628
           Summary: advapi32/security.ok: GetTokenInformation(Token,
                    TokenGroups,...) returns partial garbage leading to
                    uninitialized memory accesses?
           Product: Wine
           Version: 1.3.29
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: advapi32
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: dank at kegel.com
    Classification: Unclassified


"wine advapi32_test.exe.so security.c" says in part

security.c:1475: TokenGroups:
security.c:1489: S-1-1-0, \Everyone use: 5 attr: 0x00000007
security.c:1489: S-1-2-0, \LOCAL use: 5 attr: 0x00000007
security.c:1489: S-1-5-4, NT AUTHORITY\INTERACTIVE use: 5 attr: 0x00000007
security.c:1489: S-1-5-11, NT AUTHORITY\Authenticated Users use: 5 attr: 0x00000007
security.c:1489: S-1-5-32-544, BUILTIN\Administrators use: 4 attr: 0x0000000f
security.c:1492: attr: 0x00000007 LookupAccountSid failed with error 1332
security.c:1492: attr: 0xc0000007 LookupAccountSid failed with error 1332

Those two LookupAccountSid() errors appear to be because the last two SIDs
from GetTokenInformation() are garbage.

This causes the valgrind warning

Conditional jump or move depends on uninitialised value(s)
   at RtlEqualSid (sec.c:210) 
   by EqualSid (security.c:1027)
   by IsWellKnownSid (security.c:961)
   by LookupAccountSidW (security.c:2098)
   by LookupAccountSidA (security.c:2024)
   by test_token_attr (security.c:1485)
   by func_security (security.c:4000)
   by run_test (test.h:556)
   by main (test.h:624)
 Uninitialised value was created by a client request
   at RtlAllocateHeap (heap.c:208)
   by test_token_attr (security.c:1468)
   by func_security (security.c:4000)
   by run_test (test.h:556)
   by main (test.h:624)

I dumped the SIDs that are being compared in test_token_attr, and
it looks like the first six are ok, but the last two aren't:

...
security.c:1487: Dumping SIDs
security.c:1489: i = 4, j = 0, val = 1
security.c:1489: i = 4, j = 1, val = 2
security.c:1489: i = 4, j = 2, val = 0
security.c:1489: i = 4, j = 3, val = 0
security.c:1489: i = 4, j = 4, val = 0
security.c:1489: i = 4, j = 5, val = 0
security.c:1489: i = 4, j = 6, val = 0
security.c:1489: i = 4, j = 7, val = 5
security.c:1489: i = 4, j = 8, val = 20
security.c:1489: i = 4, j = 9, val = 0
security.c:1489: i = 4, j = 10, val = 0
security.c:1489: i = 4, j = 11, val = 0
security.c:1496: S-1-5-32-544, BUILTIN\Administrators use: 4 attr: 0x0000000f
security.c:1487: Dumping SIDs
security.c:1489: i = 5, j = 0, val = 1
security.c:1489: i = 5, j = 1, val = 2
security.c:1489: i = 5, j = 2, val = 0
security.c:1489: i = 5, j = 3, val = 0
security.c:1489: i = 5, j = 4, val = cc
security.c:1489: i = 5, j = 5, val = cc
security.c:1489: i = 5, j = 6, val = cc
security.c:1489: i = 5, j = 7, val = cc
security.c:1489: i = 5, j = 8, val = cc
security.c:1489: i = 5, j = 9, val = cc
security.c:1489: i = 5, j = 10, val = cc
security.c:1489: i = 5, j = 11, val = cc
security.c:1499: attr: 0x00000007 LookupAccountSid failed with error 1332
security.c:1487: Dumping SIDs
security.c:1489: i = 6, j = 0, val = cc
security.c:1489: i = 6, j = 1, val = cc
security.c:1489: i = 6, j = 2, val = cc
security.c:1489: i = 6, j = 3, val = cc
security.c:1489: i = 6, j = 4, val = cc
security.c:1489: i = 6, j = 5, val = cc
security.c:1489: i = 6, j = 6, val = cc
security.c:1489: i = 6, j = 7, val = cc
security.c:1489: i = 6, j = 8, val = cc
security.c:1489: i = 6, j = 9, val = cc
security.c:1489: i = 6, j = 10, val = cc
security.c:1489: i = 6, j = 11, val = cc
security.c:1499: attr: 0xc0000007 LookupAccountSid failed with error 1332

Is some buffer length wrong somewhere?

The responsible code seems to be from:

commit 573db9ef639f65385f1efab5593b52c72b4b4108
Author: Nikolay Sivov <nsivov at codeweavers.com>
Date:   Tue Aug 23 11:16:27 2011 +0400
    ntdll: While requesting TokenGroups calculate required user buffer size in server.

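A harness-side check for the failure reported above, as an added example that is not part of the original report or of Wine's test suite: it classifies the raw bytes of each returned SID so that a partially filled entry fails deterministically instead of surfacing as a valgrind warning. It assumes the harness fills the buffer with 0xcc before the call (the value seen in the dump); `check_sid`, the state names and the sample arrays are hypothetical, and the sample bytes are constructed from the dump and the SID string S-1-5-32-544.

```c
#include <stddef.h>
#include <stdio.h>

#define SID_REV      1     /* SID_REVISION */
#define SID_MAX_SUBS 15    /* SID_MAX_SUB_AUTHORITIES */
#define POISON       0xcc  /* assumption: harness fills the buffer with this before the call */

enum sid_state { SID_OK, SID_TRUNCATED, SID_BAD_HEADER, SID_UNWRITTEN };

/* Returns 1 if all n bytes at p still hold the poison value. */
static int all_poison(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != POISON) return 0;
    return 1;
}

/* Classify a SID of which `avail` bytes lie inside the region the API
 * reported as written. Layout: revision, sub-authority count, 6-byte
 * identifier authority, then count 4-byte sub-authorities. */
enum sid_state check_sid(const unsigned char *sid, size_t avail)
{
    if (avail < 8) return SID_TRUNCATED;
    if (all_poison(sid, 8)) return SID_UNWRITTEN;          /* header never filled in */
    if (sid[0] != SID_REV || sid[1] > SID_MAX_SUBS) return SID_BAD_HEADER;
    if (avail < 8 + 4 * (size_t)sid[1]) return SID_TRUNCATED;
    /* Heuristic: a real sub-authority of 0xcccccccc would be misreported. */
    for (size_t i = 0; i < sid[1]; i++)
        if (all_poison(sid + 8 + 4 * i, 4)) return SID_UNWRITTEN;
    return SID_OK;
}

/* Constructed samples mirroring the dump: i = 4 (complete), i = 5 (partial), i = 6 (untouched). */
static const unsigned char sid_full[16] = {1,2,0,0,0,0,0,5, 0x20,0,0,0, 0x20,0x02,0,0};
static const unsigned char sid_part[16] = {1,2,0,0,0xcc,0xcc,0xcc,0xcc,
    0xcc,0xcc,0xcc,0xcc, 0xcc,0xcc,0xcc,0xcc};
static const unsigned char sid_none[16] = {0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,
    0xcc,0xcc,0xcc,0xcc, 0xcc,0xcc,0xcc,0xcc};

int main(void)
{
    static const char *name[] = {"ok", "truncated", "bad header", "unwritten"};
    printf("i=4: %s\n", name[check_sid(sid_full, sizeof sid_full)]);
    printf("i=5: %s\n", name[check_sid(sid_part, sizeof sid_part)]);
    printf("i=6: %s\n", name[check_sid(sid_none, sizeof sid_none)]);
    return 0;
}
```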