[Bug 37585] New: 64-bit Google Chrome 38.x crashes (core dlls must be prelinked at fixed addresses)

wine-bugs at winehq.org wine-bugs at winehq.org
Tue Nov 18 16:57:04 CST 2014


https://bugs.winehq.org/show_bug.cgi?id=37585

            Bug ID: 37585
           Summary: 64-bit Google Chrome 38.x crashes (core dlls must be
                    prelinked at fixed addresses)
           Product: Wine
           Version: 1.7.31
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

As 64-bit Google Chrome has finally been released, I thought I'd give it a try.

Only useful for improving Wine 64-bit compatibility, not really meant to be
used seriously since a native port exists.

--- snip ---
$ pwd
/home/focht/wineprefix64/drive_c/Program Files (x86)/Google/Chrome/Application

$ file chrome.exe 
chrome.exe: PE32+ executable (GUI) x86-64, for MS Windows

$ WINEDEBUG=+tid,+seh,+relay,+server,+virtual,+module wine64 ./chrome.exe
>>log.txt 2>&1
...
003f:Call advapi32.CreateProcessAsUserW(000002f8,05fad480 L"C:\\Program Files
(x86)\\Google\\Chrome\\Application\\chrome.exe",0011f680 L"\"C:\\Program Files
(x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer
--enable-deferred-image-decoding --lang=en-US
--force-fieldtrials=Prerender/PrerenderEnabled/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/default/UMA-Uniformity-Trial-1-P"...,00000000,00000000,00000000,383330300100040c,00000000,00000000,05bbc4d0,05bbbe98)
ret=14003e6bb 
...
003f: new_process() = 0 { info=0308, pid=0051, phandle=030c, tid=0052,
thandle=0310 }
003f: select( flags=2, cookie=05bbadb4, timeout=infinite, prev_apc=0000,
result={}, data={WAIT,handles={0308}} )
003f: select() = PENDING { timeout=infinite, call={APC_NONE}, apc_handle=0000 }
003f: *wakeup* signaled=0
003f: get_new_process_info( info=0308 )
003f: get_new_process_info() = 0 { success=1, exit_code=259 }
003f: close_handle( handle=0308 )
003f: close_handle() = 0
003f: close_handle( handle=0304 )
003f: close_handle() = 0
003f:Ret  advapi32.CreateProcessAsUserW() retval=00000001 ret=14003e6bb
...
003f:Call KERNEL32.VirtualAllocEx(0000030c,00000000,0000006c,00001000,00000004)
ret=1400443eb
003f:trace:virtual:NtAllocateVirtualMemory 0x30c (nil) 0000006c 1000 00000004
003f: queue_apc( handle=030c,
call={APC_VIRTUAL_ALLOC,addr==00000000,size=0000006c,zero_bits=0,op_type=1000,prot=4}
)
003f: queue_apc() = 0 { handle=0304, self=0 }
003f: select( flags=2, cookie=05bbbc14, timeout=infinite, prev_apc=0000,
result={}, data={WAIT_ALL,handles={0304}} )
003f: select() = PENDING { timeout=infinite, call={APC_NONE}, apc_handle=0000 }
003f: *wakeup* signaled=0
003f: get_apc_result( handle=0304 )
003f: get_apc_result() = 0 {
result={APC_VIRTUAL_ALLOC,status=0,addr=00240000,size=00001000} }
003f:Ret  KERNEL32.VirtualAllocEx() retval=00240000 ret=1400443eb
003f:Call
KERNEL32.WriteProcessMemory(0000030c,00240000,00113070,0000006c,05bbc350)
ret=14004440f
003f: write_process_memory( handle=030c, addr=00240000,
data={01,00,00,00,00,00,00,00,00,00,00,00,60,00,00,00,00,00,00,00,30,00,00,00,00,00,00,00,01,00,00,00,00,33,6b,00,65,00,72,00,6e,00,65,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00,30,00,00,00,00,00,00,00,02,00,00,00,0e,00,00,00,78,e0,04,40,01,00,00,00,43,72,65,61,74,65,4e,61,6d,65,64,50,69,70,65,57,00,00,00,00,01,00,11,00}
)
003f: write_process_memory() = 0
003f:Ret  KERNEL32.WriteProcessMemory() retval=00000001 ret=14004440f
....
003f:Call
KERNEL32.VirtualAllocEx(0000030c,0025c000,00001000,00001000,100000040)
ret=140044b18
003f:trace:virtual:NtAllocateVirtualMemory 0x30c 0x25c000 00001000 1000
00000040
003f: queue_apc( handle=030c,
call={APC_VIRTUAL_ALLOC,addr==0025c000,size=00001000,zero_bits=0,op_type=1000,prot=40}
)
003f: queue_apc() = 0 { handle=0304, self=0 }
003f: select( flags=2, cookie=05bbbb94, timeout=infinite, prev_apc=0000,
result={}, data={WAIT_ALL,handles={0304}} )
003f: select() = PENDING { timeout=infinite, call={APC_NONE}, apc_handle=0000 }
003f: *wakeup* signaled=0
003f: get_apc_result( handle=0304 )
003f: get_apc_result() = 0 {
result={APC_VIRTUAL_ALLOC,status=0,addr=0025c000,size=00001000} }
003f:Ret  KERNEL32.VirtualAllocEx() retval=0025c000 ret=140044b18
003f:Call KERNEL32.GetModuleHandleW(14007d2b0 L"ntdll.dll") ret=1400447aa
003f:trace:module:LdrGetDllHandle L"ntdll.dll" -> 0x7fa7c6270000 (load path
L"C:\\Program Files
(x86)\\Google\\Chrome\\Application;.;C:\\windows\\system32;C:\\windows\\system;C:\\windows;C:\\windows\\system32;C:\\windows;C:\\windows\\system32\\wbem")
003f:Ret  KERNEL32.GetModuleHandleW() retval=7fa7c6270000 ret=1400447aa
003f:Call KERNEL32.GetModuleHandleExW(00000006,7fa7c6273fe0,05bbc0e0)
ret=1400447f5
003f:Ret  KERNEL32.GetModuleHandleExW() retval=00000001 ret=1400447f5
...
003f:Call
KERNEL32.ReadProcessMemory(0000030c,7fa7c627462c,05bbc010,00000020,05bbc040)
ret=14004e728
003f: read_process_memory( handle=030c, addr=7fa7c627462c )
003f: read_process_memory() = ACCESS_VIOLATION { data={} }
003f:Ret  KERNEL32.ReadProcessMemory() retval=00000000 ret=14004e728 
...
003f:Call KERNEL32.GetLastError() ret=14003bb29
003f:Ret  KERNEL32.GetLastError() retval=000003e6 ret=14003bb29
003f:Call KERNEL32.TerminateProcess(0000030c,00000000) ret=14003eafd
003f: terminate_process( handle=030c, exit_code=0 )
003f: terminate_process() = 0 { self=0 }
003f:Ret  KERNEL32.TerminateProcess() retval=00000001 ret=14003eafd
003f:Call KERNEL32.WaitForSingleObject(0000030c,00000032) ret=14003e406
003f: select( flags=2, cookie=05bbbdc4, timeout=+0.0500000, prev_apc=0000,
result={}, data={WAIT,handles={030c}} )
003f: select() = 0 { timeout=1d0037eb30ca43e (+0.0500000), call={APC_NONE},
apc_handle=0000 }
003f:Ret  KERNEL32.WaitForSingleObject() retval=00000000 ret=14003e406
003f:Call KERNEL32.GetExitCodeProcess(0000030c,05bbc3d0) ret=14003e414
003f: get_process_info( handle=030c )
003f: get_process_info() = 0 { pid=0051, ppid=0008, affinity=0000000f,
peb=7fffff7ef000, start_time=1d0037eb2fe710c (-0.0431540),
end_time=1d0037eb304b832 (-0.0020110), exit_code=0, priority=2, cpu=x86_64,
debugger_present=0 }
003f:Ret  KERNEL32.GetExitCodeProcess() retval=00000001 ret=14003e414 
...
003f:trace:seh:raise_exception code=80000003 flags=0 addr=0x14001d86d
ip=14001d86d tid=003f
003f:trace:seh:raise_exception  rax=0000000000000000 rbx=00000001400a3f88
rcx=0000000005bbeb1f rdx=0000000005bbeae0
003f:trace:seh:raise_exception  rsi=0000000000110980 rdi=000000000000dead
rbp=0000000005bbc500 rsp=0000000005bbc3d0
003f:trace:seh:raise_exception   r8=0000003071e48cfd  r9=000000000000001e
r10=0000000000000000 r11=0000003071f811c0
003f:trace:seh:raise_exception  r12=0000000000101160 r13=0000000000101140
r14=0000000000075680 r15=000000000000dead 
--- snip ---

Child process address space for 64-bit 'ntdll.dll':

--- snip ---
0054:trace:module:load_dll looking for L"ntdll.dll" in L"C:\\Program Files
(x86)\\Google\\Chrome\\Application;.;C:\\windows\\system32;C:\\windows\\system;C:\\windows;C:\\windows\\system32;C:\\windows;C:\\windows\\system32\\wbem"
0054:trace:module:load_dll Found L"C:\\windows\\system32\\ntdll.dll" for
L"ntdll.dll" at 0x7f3184050000, count=3
0054:trace:virtual:NtProtectVirtualMemory 0xffffffffffffffff 0x7f317d8f9bc0
000002d0 00000004
0054:trace:virtual:VIRTUAL_SetProt 0x7f317d8f9000-0x7f317d8f9fff c-rW-
0054:trace:virtual:VIRTUAL_DumpView View: 0x7f317d680000 - 0x7f317d8fbfff
(system)
0054:trace:virtual:VIRTUAL_DumpView       0x7f317d680000 - 0x7f317d680fff c-r--
0054:trace:virtual:VIRTUAL_DumpView       0x7f317d681000 - 0x7f317d8f4fff c-r-x
0054:trace:virtual:VIRTUAL_DumpView       0x7f317d8f5000 - 0x7f317d8f8fff c-rw-
0054:trace:virtual:VIRTUAL_DumpView       0x7f317d8f9000 - 0x7f317d8f9fff c-rW-
0054:trace:virtual:VIRTUAL_DumpView       0x7f317d8fa000 - 0x7f317d8fbfff c-rw- 
--- snip ---

App sandboxing scheme at work: setting up intermediate trampoline code in the
child and then patching out the API entries.

Unfortunately the code relies on the 64-bit Windows core dlls being mapped at the
same (fixed) locations across processes, hence it fails here, triggering an abort
in the parent.
Probably the same rationale applies here as for the 32-bit Windows core dlls.

$ sha1sum googlechromestandaloneenterprise64.msi 
586f91c05925e22fd5f891aa3e99e1cb9762950a 
googlechromestandaloneenterprise64.msi

$ du -sh googlechromestandaloneenterprise64.msi 
47M    googlechromestandaloneenterprise64.msi

$ wine --version
wine-1.7.31-47-g516ed8e

Regards
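As an added example (not part of the bug report, of Wine or of Chrome), a small Python checker for the failure mode described above: it reads trace lines in the shape quoted in the report, records each thread's module base from `GetModuleHandleW`/`load_dll`, pairs each `ReadProcessMemory` with its `ACCESS_VIOLATION` result, and reports when the faulting remote address is really an offset from the reader's own ntdll base rather than the child's. The sample lines are constructed from the report's addresses with the wrapped lines rejoined, and `MAX_MODULE_SIZE` is an assumed bound.

```python
import re
# Constructed sample in the shape of the WINEDEBUG +relay,+server,+module lines quoted in the
# report (addresses from the report, wrapped lines rejoined): 003f is the browser (parent)
# thread, 0054 the renderer child it spawned.
SAMPLE_LOG = r'''003f:Call KERNEL32.GetModuleHandleW(14007d2b0 L"ntdll.dll") ret=1400447aa
003f:Ret  KERNEL32.GetModuleHandleW() retval=7fa7c6270000 ret=1400447aa
003f:Call KERNEL32.ReadProcessMemory(0000030c,7fa7c627462c,05bbc010,00000020,05bbc040) ret=14004e728
003f: read_process_memory() = ACCESS_VIOLATION { data={} }
003f:Ret  KERNEL32.ReadProcessMemory() retval=00000000 ret=14004e728
0054:trace:module:load_dll Found L"C:\\windows\\system32\\ntdll.dll" for L"ntdll.dll" at 0x7f3184050000, count=3
'''
CALL_GMH = re.compile(r'^(\w+):Call KERNEL32\.GetModuleHandleW\(\w+ L"([^"]+)"\)')
RET_GMH = re.compile(r'^(\w+):Ret\s+KERNEL32\.GetModuleHandleW\(\) retval=([0-9a-f]+)')
LOAD_DLL = re.compile(r'^(\w+):trace:module:load_dll Found L"[^"]*" for L"([^"]+)" at 0x([0-9a-f]+)')
CALL_RPM = re.compile(r'^(\w+):Call KERNEL32\.ReadProcessMemory\(\w+,([0-9a-f]+),')
FAIL_RPM = re.compile(r'^(\w+): read_process_memory\(\) = ACCESS_VIOLATION')
MAX_MODULE_SIZE = 0x1000000  # assumed upper bound for "this address lies inside that module"

def parse(log_text):
    """Return ({(tid, module): base}, [(tid, remote address)]) for faulting remote reads."""
    bases, pending_gmh, pending_rpm, failed_reads = {}, {}, {}, []
    for line in log_text.splitlines():
        if m := CALL_GMH.match(line):              # module this thread asked the handle of
            pending_gmh[m[1]] = m[2].lower()
        elif (m := RET_GMH.match(line)) and m[1] in pending_gmh:
            bases[(m[1], pending_gmh.pop(m[1]))] = int(m[2], 16)
        elif m := LOAD_DLL.match(line):            # loader trace from the other process
            bases[(m[1], m[2].lower())] = int(m[3], 16)
        elif m := CALL_RPM.match(line):            # remote address about to be read
            pending_rpm[m[1]] = int(m[2], 16)
        elif (m := FAIL_RPM.match(line)) and m[1] in pending_rpm:
            failed_reads.append((m[1], pending_rpm.pop(m[1])))
    return bases, failed_reads

def diagnose(log_text):
    """Flag modules at different bases across threads, and faulting reads aimed at the reader's own base."""
    bases, failed_reads = parse(log_text)
    findings = []
    for mod in sorted({mod for (_, mod) in bases}):
        per_tid = {tid: b for (tid, m), b in bases.items() if m == mod}
        if len(set(per_tid.values())) > 1:
            findings.append(("base-mismatch", mod, per_tid))
    for tid, addr in failed_reads:
        for (btid, mod), base in bases.items():
            if btid == tid and 0 <= addr - base < MAX_MODULE_SIZE:
                for (otid, omod), obase in bases.items():
                    if omod == mod and otid != tid:    # where that offset really is over there
                        findings.append(("stale-base-read", mod, addr - base, otid, obase + addr - base))
    return findings
```

Run `diagnose(SAMPLE_LOG)` to get one base-mismatch finding for ntdll.dll and one stale-base-read finding showing that the parent read ntdll+0x462c at its own base while the child has that offset at 0x7f318405462c.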
