[Bug 39127] New: Multiple applications wrapped with XenoCode Postbuild 2009 application sandboxing crash with stack overflow ('NtWaitForSingleObject' must not call 'NtWaitForMultipleObjects')
wine-bugs at winehq.org
Thu Aug 20 12:12:58 CDT 2015
https://bugs.winehq.org/show_bug.cgi?id=39127
Bug ID: 39127
Summary: Multiple applications wrapped with XenoCode Postbuild 2009 application sandboxing crash with stack overflow ('NtWaitForSingleObject' must not call 'NtWaitForMultipleObjects')
Product: Wine
Version: 1.7.49
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
as the summary says.
Continuation of bug 30399
The app crashes very quickly:
--- snip ---
$ wine ./Stylizer.exe
fixme:ole:RemUnknown_QueryInterface No interface for iid
{00000019-0000-0000-c000-000000000046}
wine: Unhandled stack overflow at address 0x377db8 (thread 0009), starting debugger...
err:seh:setup_exception_record stack overflow 816 bytes in thread 0009 eip 00377d91 esp 00241000 stack 0x240000-0x241000-0x340000
--- snip ---
--- snip ---
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> Z:\home\focht\Downloads\Stylizer.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 15854203 (0F1EA7Bh) Byte(s)
Compilation TimeStamp : 0x50B3AB61 -> Mon 26th Nov 2012 17:48:17 (GMT)
[TimeStamp] 0x50B3AB61 -> Mon 26th Nov 2012 17:48:17 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | -
-> File has 15719035 (0EFDA7Bh) bytes of appended data starting at offset 021000h
[File Heuristics] -> Flag #1 : 00000000000001001000000000000100 (0x00048004)
[Entrypoint Section Entropy] : 6.37 (section #0) ".text " | Size : 0x3ABE (15038) byte(s)
[DllCharacteristics] -> Flag : (0x8000) -> TSA
[SectionCount] 6 (0x6) | ImageSize 0x30B000 (3190784) byte(s)
[!] XenoCode Postbuild 2009 detected !
[CdKeySerial] found "Invalid code" @ VA: 0x00001E60 / Offset: 0x00001260
- Scan Took : 0.332 Second(s) [00000014Ch (332) tick(s)] [558 of 573 scan(s) done]
--- snip ---
Relay tracing interferes with the way the native API sandboxing scheme works
and use of dedicated trace channels doesn't reveal much.
Debugging reveals the culprit.
'NtWaitForSingleObject':
--- snip ---
7BC99B3E E9 2A057284 JMP 003BA06D ; trampoline
7BC99B43 E4 F0 IN AL,0F0
7BC99B45 FF71 FC PUSH DWORD PTR DS:[ECX-4]
7BC99B48 55 PUSH EBP
7BC99B49 89E5 MOV EBP,ESP
7BC99B4B 51 PUSH ECX
7BC99B4C 83EC 24 SUB ESP,24
7BC99B4F 89C8 MOV EAX,ECX
7BC99B51 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
7BC99B54 8855 F4 MOV BYTE PTR SS:[EBP-0C],DL
7BC99B57 0FB655 F4 MOVZX EDX,BYTE PTR SS:[EBP-0C]
7BC99B5B 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8]
7BC99B5E 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
7BC99B62 895424 0C MOV DWORD PTR SS:[ESP+0C],EDX
7BC99B66 C74424 08 00000 MOV DWORD PTR SS:[ESP+8],0
7BC99B6E 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
7BC99B72 C70424 01000000 MOV DWORD PTR SS:[ESP],1
7BC99B79 E8 E7FEFFFF CALL NtWaitForMultipleObjects
7BC99B7E 83EC 14 SUB ESP,14
7BC99B81 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
7BC99B84 C9 LEAVE
7BC99B85 8D61 FC LEA ESP,[ECX-4]
7BC99B88 C2 0C00 RETN 0C
...
00A3004E 8D4C24 04 LEA ECX,[ESP+4] ; saved prolog chunk
00A30052 83E4 F0 AND ESP,FFFFFFF0
00A30055 E9 EB9A267B JMP 7BC99B45
--- snip ---
NtWaitForMultipleObjects:
--- snip ---
7BC99A65 E9 81067284 JMP 003BA0EB ; trampoline
7BC99A6A F0:81EC 3001000 LOCK SUB ESP,130
7BC99A71 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
7BC99A74 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
7BC99A77 885424 1C MOV BYTE PTR SS:[ESP+1C],DL
7BC99A7B 884424 18 MOV BYTE PTR SS:[ESP+18],AL
7BC99A7F C78424 28010000 MOV DWORD PTR SS:[ESP+128],2
7BC99A8A 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
7BC99A8E 74 06 JE SHORT 7BC99A96
...
--- snip ---
The trampoline/hook state tracking code gets confused due to 'NtWaitForSingleObject' calling 'NtWaitForMultipleObjects', which causes a recursion in the continuation code.
The native NT API doesn't do this by design, since each function has its own syscall.
If you use a static/inline helper which is shared/called by both, the app starts fine.
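To make the structural point concrete, here is an added model (written for this page, not Wine's or the sandboxing product's code) of a per-thread hook dispatcher that expects at most one hooked NT entry point to be active at a time. The two layouts, function names, the dummy handle and the depth counter are all assumptions for illustration; the model only shows why an export calling a sibling export produces a nested hook entry while a shared static helper does not.

```c
#include <stdio.h>

/* Modelled per-thread hook state: an API-sandboxing layer that redirects each
 * Nt* entry point through a trampoline and assumes, as in native ntdll where
 * every Nt* function is its own syscall stub, that hooks never nest. */
static int hook_depth;      /* hooked entry points active on this thread */
static int max_hook_depth;  /* deepest nesting since the last reset */

static void hook_enter(const char *api)
{
    if (++hook_depth > max_hook_depth) max_hook_depth = hook_depth;
    if (hook_depth > 1)
        printf("  dispatcher re-entered via %s (depth %d)\n", api, hook_depth);
}

static void hook_leave(void) { hook_depth--; }
static void hook_reset(void) { hook_depth = 0; max_hook_depth = 0; }

/* Stand-in for the actual wait; the hook layer does not care what it does. */
static int do_wait(int count, const int *handles, int wait_all)
{
    (void)count; (void)handles; (void)wait_all;
    return 0; /* STATUS_SUCCESS */
}

/* Layout 1 (the structure the report describes): the exported, hooked
 * NtWaitForSingleObject calls the exported, hooked NtWaitForMultipleObjects. */
static int wait_multiple_layout1(int count, const int *handles, int wait_all)
{
    hook_enter("NtWaitForMultipleObjects");
    int status = do_wait(count, handles, wait_all);
    hook_leave();
    return status;
}

static int wait_single_layout1(int handle)
{
    hook_enter("NtWaitForSingleObject");
    int status = wait_multiple_layout1(1, &handle, 0); /* nested export call */
    hook_leave();
    return status;
}

/* Layout 2 (the fix the report suggests): both exports call a static helper
 * that is not an entry point, so each export enters the dispatcher once. */
static int wait_objects_helper(int count, const int *handles, int wait_all)
{
    return do_wait(count, handles, wait_all);
}

static int wait_multiple_layout2(int count, const int *handles, int wait_all)
{
    hook_enter("NtWaitForMultipleObjects");
    int status = wait_objects_helper(count, handles, wait_all);
    hook_leave();
    return status;
}

static int wait_single_layout2(int handle)
{
    hook_enter("NtWaitForSingleObject");
    int status = wait_objects_helper(1, &handle, 0);
    hook_leave();
    return status;
}

/* Deepest hook nesting caused by one NtWaitForSingleObject call per layout. */
int probe_layout1(void)
{
    hook_reset();
    wait_single_layout1(42); /* 42: constructed dummy handle value */
    return max_hook_depth;   /* 2: the dispatcher was re-entered */
}

int probe_layout2(void)
{
    hook_reset();
    wait_single_layout2(42);
    return max_hook_depth;   /* 1: no re-entry */
}

int main(void)
{
    printf("layout 1 (export calls export):  max hook depth %d\n", probe_layout1());
    printf("layout 2 (shared static helper): max hook depth %d\n", probe_layout2());
    return 0;
}
```

The model does not reproduce the sandbox's continuation bookkeeping or the resulting stack overflow; it only isolates the invariant the sandbox relies on (one active hook per thread) and shows which source layout keeps it.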
NOTE: Although the app bundles .NET on its own, you will need 'winetricks -q dotnet20' to work around bug 38956
$ sha1sum Stylizer5Setup.exe
fa99802266f80441ac4f091e90b20691e170f12d Stylizer5Setup.exe
$ du -sh Stylizer5Setup.exe
16M Stylizer5Setup.exe
$ wine --version
wine-1.7.49-184-g5021e91
Regards