[Bug 33849] Tages 64-bit software protection driver crashes on access to KI_USER_SHARED_DATA range (0xfffff78000000000)

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Jun 21 15:09:47 CDT 2013


http://bugs.winehq.org/show_bug.cgi?id=33849

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
           Keywords|                            |download, obfuscation,
                   |                            |win64
                URL|                            |http://www.tagesprotection.
                   |                            |com/5.5/TagesSetup_x64.exe
           Platform|arm64                       |x86-64
          Component|-unknown                    |ntdll
                 CC|                            |focht at gmx.net
         Resolution|DUPLICATE                   |
     Ever Confirmed|0                           |1
            Summary|Unhandled exception: page   |Tages 64-bit software
                   |fault on read access to     |protection driver crashes
                   |0xfffff78000000014 in       |on access to
                   |64-bit code                 |KI_USER_SHARED_DATA range
                   |(0x000000000048e10f).       |(0xfffff78000000000)

--- Comment #5 from Anastasius Focht <focht at gmx.net> 2013-06-21 15:09:47 CDT ---
Hello folks,

Just closing bugs as a dupe of some metabug because "it looks like" won't do
any good.

The problem here can indeed be treated as an isolated issue.

--- snip ---
Unhandled exception: page fault on read access to 0xfffff78000000320 in 64-bit
code (0x00000000004561b0).
Register dump:
 rip:00000000004561b0 rsp:000000000043ddc8 rbp:000000000043deb0 eflags:00010246
(  R- --  I  Z- -P- )
 rax:fffff78000000320 rbx:00007fffff7ef000 rcx:0000000000452100
rdx:00002b992ddfa232
 rsi:000000000043e100 rdi:00007f1fc06ea580  r8:000000000043e100 
r9:00007f1fc06ea5e0 r10:0000000000000008
 r11:0000003be2f7c950 r12:0000000000000000 r13:00007ffff3cd3cb0
r14:000000000043f700 r15:0000000000000000
Stack dump:
...
Backtrace:
=>0 0x00000000004561b0 in atksgt.sys (+0x161b0) (0x000000000043deb0)
  1 0x00000000004561ef in atksgt.sys (+0x161ee) (0x000000000043deb0)
  2 0x00007f1fc04e8167 init_driver+0x138(module=0x440000, keyname=0x43e100)
[/home/focht/projects/wine/wine-git/programs/winedevice/device.c:154] in
winedevice (0x000000000043deb0)
  3 0x00007f1fc04e8929 load_driver+0x569()
[/home/focht/projects/wine/wine-git/programs/winedevice/device.c:254] in
winedevice (0x000000000043e1b0)
  4 0x00007f1fc04e8cc3 ServiceMain+0x16b(argc=0x1, argv=0x118f0)
[/home/focht/projects/wine/wine-git/programs/winedevice/device.c:308] in
winedevice (0x000000000043e2e0)
  5 0x00007f1fc029fe84 service_thread+0x238(arg=0x10d70)
[/home/focht/projects/wine/wine-git/dlls/advapi32/service.c:302] in advapi32
(0x000000000043e480)
  6 0x00007f1fc6d84c7b call_thread_func+0x4e(entry=0x7f1fc029fc4b, arg=0x10d70,
frame=0x43e5e0)
[/home/focht/projects/wine/wine-git/dlls/ntdll/signal_x86_64.c:3230] in ntdll
(0x000000000043e5d0)
...
0x00000000004561b0: movq    (%rax),%rax
Modules:
Module    Address                    Debug info    Name (28 modules)
PE              440000-          457000     Export          atksgt.sys
ELF            7b800000-        7bb3e000     Deferred        kernel32<elf>
  \-PE            7b820000-        7bb3e000    \               kernel32 
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000012 (D) C:\windows\system32\winedevice.exe
    00000019    0 <==
    00000017    0
    00000013    0 
--- snip ---

Disassembly of relevant driver code snippet:

--- snip ---
...
00000000004561A6  mov     rax, 0FFFFF78000000320h
00000000004561B0  mov     rax, [rax]
00000000004561B3  xor     rax, rcx
...
--- snip ---

The address lies within the range of kernel mode shadow mapping of
USER_SHARED_DATA for x64.

See:
http://www.virtualbox.org/svn/vbox/trunk/src/VBox/Debugger/DBGPlugInWinNt.cpp

--- snip ---
/** KI_USER_SHARED_DATA for i386 */
#define NTKUSERSHAREDDATA_WINNT32   UINT32_C(0xffdf0000)
/** KI_USER_SHARED_DATA for AMD64 */
#define NTKUSERSHAREDDATA_WINNT64   UINT64_C(0xfffff78000000000)
--- snip ---

Unfortunately that memory range can't be mapped in Linux user process address
space.
One way could be to handle traps specifically for this address range and
emulate member accesses (shadow data structure).

The driver seems to access only two members of KI_USER_SHARED_DATA:

KI_USER_SHARED_DATA+0x014 -> SharedSystemTime
KI_USER_SHARED_DATA+0x320 -> SharedTickCount

Regards
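The trap-and-emulate approach suggested in the comment, as an added example that is not Wine's code: a Linux x86-64 SIGSEGV handler that serves reads of the KI_USER_SHARED_DATA range from a user-space shadow structure, emulating only the `mov rax,[rax]` form seen in the disassembly. The shadow contents, the `kusd_*` names and the fallback register indices are assumptions; the two member offsets come from the report.

```c
/* Added example (not Wine code): trap-and-emulate reads of the x64
 * KI_USER_SHARED_DATA range from a Linux user process. Only the
 * instruction form from the report, "mov rax,[rax]" (bytes 48 8b 00),
 * is emulated; anything else is allowed to crash normally. x86-64 only. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <ucontext.h>

#ifndef REG_RIP            /* glibc x86-64 gregs indices, used if the */
#define REG_RIP 16         /* names are hidden by the feature macros   */
#endif
#ifndef REG_RAX
#define REG_RAX 13
#endif

#define KUSD_BASE        0xfffff78000000000ULL
#define KUSD_SIZE        0x1000ULL
#define OFF_SYSTEM_TIME  0x014   /* SharedSystemTime, per the report */
#define OFF_TICK_COUNT   0x320   /* SharedTickCount, per the report  */

/* Shadow copy of the structure the driver expects (constructed data). */
static uint8_t shadow[KUSD_SIZE];

static void kusd_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    uint64_t addr = (uint64_t)(uintptr_t)si->si_addr;
    const uint8_t *rip = (const uint8_t *)uc->uc_mcontext.gregs[REG_RIP];

    /* Only faults inside the shadow range with the known opcode are served. */
    if (addr - KUSD_BASE >= KUSD_SIZE || memcmp(rip, "\x48\x8b\x00", 3) != 0) {
        signal(sig, SIG_DFL);   /* re-executing the instruction now crashes */
        return;
    }
    uint64_t value;
    memcpy(&value, shadow + (addr - KUSD_BASE), sizeof value);
    uc->uc_mcontext.gregs[REG_RAX] = (greg_t)value;  /* emulate the load   */
    uc->uc_mcontext.gregs[REG_RIP] += 3;             /* skip the 3-byte insn */
}

/* Fill the shadow members and install the handler. */
void kusd_install(uint64_t system_time, uint64_t tick_count)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    memcpy(shadow + OFF_SYSTEM_TIME, &system_time, sizeof system_time);
    memcpy(shadow + OFF_TICK_COUNT, &tick_count, sizeof tick_count);
    sa.sa_sigaction = kusd_handler;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, NULL);
}

/* Reproduces the driver's access pattern: mov rax, imm64 ; mov rax, [rax]. */
uint64_t kusd_read(uint64_t offset)
{
    uint64_t rax = KUSD_BASE + offset;
    __asm__ volatile("movq (%%rax), %%rax" : "+a"(rax) : : "memory");
    return rax;
}
```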
