[Bug 28254] PM FASTrack for the PMP Exam Version 7 CrypKey device driver crashes during load/relocation (relocation entry crosses page boundary)
wine-bugs at winehq.org
Tue Jan 31 16:08:07 CST 2012
http://bugs.winehq.org/show_bug.cgi?id=28254
Anastasius Focht <focht at gmx.net> changed:
What     |Removed                      |Added
---------+-----------------------------+---------------------------------------------
URL      |                             |http://www.rmcproject.com/support/PMP/v7/download-demo.aspx
CC       |                             |focht at gmx.net
Summary  |Problem with activation      |PM FASTrack for the PMP Exam Version 7 CrypKey
         |program pm_fastrack-pmp.exe  |device driver crashes during load/relocation
         |                             |(relocation entry crosses page boundary)
--- Comment #4 from Anastasius Focht <focht at gmx.net> 2012-01-31 16:08:07 CST ---
Hello,
there are at least two problems here.
One is the main application and one is the crashing device driver.
I debugged the main application and found "madCodeHook" signatures/code.
Basically that code reads Wine core dlls (placeholders) into memory and
verifies them against the already loaded in-memory images (PE structures).
--- snip ---
...
0045:Call KERNEL32.CreateFileW(00175b68 L"C:\\windows\\system32\\KERNEL32.dll",80000000,00000001,00000000,00000003,00000000,00000000) ret=003dfa8a
0045:Ret KERNEL32.CreateFileW() retval=000000bc ret=003dfa8a
...
0045:Call KERNEL32.CreateFileMappingW(000000bc,00000000,00000002,00000000,00000000,00000000) ret=003dfae6
0045:Ret KERNEL32.CreateFileMappingW() retval=000000c0 ret=003dfae6
0045:Call KERNEL32.MapViewOfFile(000000c0,00000004,00000000,00000000,00000000) ret=003dfb0e
0045:Ret KERNEL32.MapViewOfFile() retval=03000000 ret=003dfb0e
0045:Call KERNEL32.CloseHandle(000000c0) ret=003dfb16
0045:Ret KERNEL32.CloseHandle() retval=00000001 ret=003dfb16
0045:Call KERNEL32.CloseHandle(000000bc) ret=003dfb1c
0045:Ret KERNEL32.CloseHandle() retval=00000001 ret=003dfb1c
...
0045:trace:seh:raise_exception code=c0000005 flags=0 addr=0x3dfc5a ip=003dfc5a tid=0045
0045:trace:seh:raise_exception info[0]=00000000
0045:trace:seh:raise_exception info[1]=03099994
0045:trace:seh:raise_exception eax=03099978 ebx=7b810000 ecx=00000001 edx=00099978 esi=7b810040 edi=03000000
0045:trace:seh:raise_exception ebp=03099978 esp=0032f520 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0045:trace:seh:call_stack_handlers calling handler at 0x3eb605 code=c0000005 flags=0
0045:trace:seh:call_stack_handlers handler at 0x3eb605 returned 1
0045:trace:seh:call_stack_handlers calling handler at 0x3c3db8 code=c0000005 flags=0
0045:Call KERNEL32.UnhandledExceptionFilter(0032f014) ret=003c3ddc
wine: Unhandled page fault on read access to 0x03099994 at address 0x0000:0x003dfc5a (thread 0045), starting debugger...
...
--- snip ---
This obviously can't work due to the nature of Wine core dlls (see bug 15437).
The driver crash can be fixed, which is what this bug is about, though it
won't help much in the end.
--- snip ---
002d:trace:winedevice:ServiceMain starting service L"NetworkX"
...
002d:trace:winedevice:load_driver loading driver L"C:\\windows\\System32\\ckldrv.sys"
002d:Call KERNEL32.LoadLibraryW(0011aaa0 L"C:\\windows\\System32\\ckldrv.sys") ret=7effc926
...
002d:trace:module:map_image mapped PE file at 0x540000-0x54a000
002d:trace:module:map_image mapping section .text at 0x541000 off 400 size 3200 virt 3004 flags 68000020
002d:trace:module:map_image clearing 0x544200 - 0x545000
002d:trace:module:map_image mapping section .rdata at 0x545000 off 3600 size 200 virt 12d flags 48000040
002d:trace:module:map_image clearing 0x545200 - 0x546000
002d:trace:module:map_image mapping section .data at 0x546000 off 3800 size 200 virt 1150 flags c8000040
002d:trace:module:map_image clearing 0x546200 - 0x547000
002d:trace:module:map_image mapping section INIT at 0x548000 off 3a00 size 800 virt 758 flags e2000020
002d:trace:module:map_image clearing 0x548800 - 0x549000
002d:trace:module:map_image mapping section .reloc at 0x549000 off 4200 size 400 virt 37c flags 42000040
002d:trace:module:map_image clearing 0x549400 - 0x54a000
...
002d:Ret KERNEL32.LoadLibraryW() retval=00540000 ret=7effc926
...
002d:Call ntdll.RtlImageNtHeader(00540000) ret=7effc947
002d:Ret ntdll.RtlImageNtHeader() retval=005400d0 ret=7effc947
002d:Call ntdll.RtlImageDirectoryEntryToData(00540000,00000001,00000005,0053e638) ret=7effc9b1
002d:Ret ntdll.RtlImageDirectoryEntryToData() retval=00549000 ret=7effc9b1
002d:trace:winedevice:load_driver_module L"C:\\windows\\System32\\ckldrv.sys": relocating from 0x10000 to 0x540000
002d:Call KERNEL32.VirtualProtect(00541000,00001000,00000040,0053e634) ret=7effca68
002d:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x541000 00001000 00000040
002d:trace:virtual:VIRTUAL_SetProt 0x541000-0x541fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView View: 0x540000 - 0x549fff 0x44
002d:trace:virtual:VIRTUAL_DumpView 0x540000 - 0x540fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x541000 - 0x541fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x542000 - 0x544fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView 0x545000 - 0x545fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x546000 - 0x547fff c-rW-
002d:trace:virtual:VIRTUAL_DumpView 0x548000 - 0x548fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x549000 - 0x549fff c-r--
002d:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effca68
002d:Call ntdll.LdrProcessRelocationBlock(00541000,00000096,00549008,00530000) ret=7effca98
002d:Ret ntdll.LdrProcessRelocationBlock() retval=00549134 ret=7effca98
002d:Call KERNEL32.VirtualProtect(00541000,00001000,00000020,00000000) ret=7effcac7
002d:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x541000 00001000 00000020
002d:trace:virtual:VIRTUAL_SetProt 0x541000-0x541fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView View: 0x540000 - 0x549fff 0x44
002d:trace:virtual:VIRTUAL_DumpView 0x540000 - 0x540fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x541000 - 0x544fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView 0x545000 - 0x545fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x546000 - 0x547fff c-rW-
002d:trace:virtual:VIRTUAL_DumpView 0x548000 - 0x548fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x549000 - 0x549fff c-r--
002d:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effcac7
002d:Call KERNEL32.VirtualProtect(00542000,00001000,00000040,0053e634) ret=7effca68
002d:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x542000 00001000 00000040
002d:trace:virtual:VIRTUAL_SetProt 0x542000-0x542fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView View: 0x540000 - 0x549fff 0x44
002d:trace:virtual:VIRTUAL_DumpView 0x540000 - 0x540fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x541000 - 0x541fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView 0x542000 - 0x542fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x543000 - 0x544fff c-r-x
002d:trace:virtual:VIRTUAL_DumpView 0x545000 - 0x545fff c-r--
002d:trace:virtual:VIRTUAL_DumpView 0x546000 - 0x547fff c-rW-
002d:trace:virtual:VIRTUAL_DumpView 0x548000 - 0x548fff c-rWx
002d:trace:virtual:VIRTUAL_DumpView 0x549000 - 0x549fff c-r--
002d:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effca68
002d:Call ntdll.LdrProcessRelocationBlock(00542000,0000009c,0054913c,00530000) ret=7effca98
002d:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc51367 ip=7bc51367 tid=002d
002d:trace:seh:raise_exception info[0]=00000001
002d:trace:seh:raise_exception info[1]=00543000
002d:trace:seh:raise_exception eax=00542ffd ebx=7bcc0204 ecx=00000000 edx=00543158 esi=0053e5e0 edi=0053e560
002d:trace:seh:raise_exception ebp=0053e548 esp=0053e510 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
002d:trace:seh:call_vectored_handlers calling handler at 0x7ed13486 code=c0000005 flags=0
--- snip ---
The problem is the second relocation block of the device driver PE binary:
--- snip ---
...
2. Relocation Block:
   VirtualAddress: 0x00002000 (".text")
   SizeOfBlock:    0x00000140 (0x009C block entries)

   RVA          Type
   ----------   -----------------
   0x0000201A   HIGHLOW
   0x0000201F   HIGHLOW
   0x00002031   HIGHLOW
   0x0000203D   HIGHLOW
   ...
   0x00002FF3   HIGHLOW
   0x00002FFD   HIGHLOW
--- snip ---
The last entry of block 2 (rva 0x2ffd) crosses the page boundary, triggering a
write fault.
Source:
http://source.winehq.org/git/wine.git/blob/6840a9273c92875c551e669b00d48c2944b3ef0e:/programs/winedevice/device.c#l64
--- snip ---
 64 /* load the driver module file */
 65 static HMODULE load_driver_module( const WCHAR *name )
 66 {
...
 89     if ((rel = RtlImageDirectoryEntryToData( module, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &size )))
 90     {
 91         WINE_TRACE( "%s: relocating from %p to %p\n",
 92                     wine_dbgstr_w(name), (char *)module - delta, module );
 93         end = (IMAGE_BASE_RELOCATION *)((char *)rel + size);
 94         while (rel < end && rel->SizeOfBlock)
 95         {
 96             void *page = (char *)module + rel->VirtualAddress;
 97             VirtualProtect( page, page_size, PAGE_EXECUTE_READWRITE, &old );
 98             rel = LdrProcessRelocationBlock( page, (rel->SizeOfBlock - sizeof(*rel)) / sizeof(USHORT),
 99                                              (USHORT *)(rel + 1), delta );
100             if (old != PAGE_EXECUTE_READWRITE) VirtualProtect( page, page_size, old, NULL );
101             if (!rel) goto error;
102         }
103         /* make sure we don't try again */
104         size = FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + nt->FileHeader.SizeOfOptionalHeader;
105         VirtualProtect( nt, size, PAGE_READWRITE, &old );
106         nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = 0;
107         VirtualProtect( nt, size, old, NULL );
108     }
--- snip ---
$ sha1sum pm_fastrack-pmp_setup.exe
6dcc7720df9ef9b440722373addf7fd7d8de15af pm_fastrack-pmp_setup.exe
$ wine --version
wine-1.4-rc1-57-g6847e88
Regards