[Bug 39127] New: Multiple applications wrapped with XenoCode Postbuild 2009 application sandboxing crash with stack overflow ('NtWaitForSingleObject' must not call 'NtWaitForMultipleObjects')

wine-bugs at winehq.org wine-bugs at winehq.org
Thu Aug 20 12:12:58 CDT 2015


https://bugs.winehq.org/show_bug.cgi?id=39127

            Bug ID: 39127
           Summary: Multiple applications wrapped with XenoCode Postbuild
                    2009 application sandboxing crash with stack overflow
                    ('NtWaitForSingleObject' must not call
                    'NtWaitForMultipleObjects')
           Product: Wine
           Version: 1.7.49
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as the summary says.

Continuation of bug 30399

The app crashes very quickly:

--- snip ---
$ wine ./Stylizer.exe
fixme:ole:RemUnknown_QueryInterface No interface for iid {00000019-0000-0000-c000-000000000046}
wine: Unhandled stack overflow at address 0x377db8 (thread 0009), starting debugger...
err:seh:setup_exception_record stack overflow 816 bytes in thread 0009 eip 00377d91 esp 00241000 stack 0x240000-0x241000-0x340000
--- snip ---

--- snip ---
-=[ ProtectionID v0.6.6.7 DECEMBER]=-
(c) 2003-2015 CDKiLLER & TippeX
Build 24/12/14-22:48:13
Ready...
Scanning -> Z:\home\focht\Downloads\Stylizer.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 15854203 (0F1EA7Bh) Byte(s)
Compilation TimeStamp : 0x50B3AB61 -> Mon 26th Nov 2012 17:48:17 (GMT)
[TimeStamp] 0x50B3AB61 -> Mon 26th Nov 2012 17:48:17 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | -
-> File has 15719035 (0EFDA7Bh) bytes of appended data starting at offset 021000h
[File Heuristics] -> Flag #1 : 00000000000001001000000000000100 (0x00048004)
[Entrypoint Section Entropy] : 6.37 (section #0) ".text   " | Size : 0x3ABE (15038) byte(s)
[DllCharacteristics] -> Flag : (0x8000) -> TSA
[SectionCount] 6 (0x6) | ImageSize 0x30B000 (3190784) byte(s)
[!] XenoCode Postbuild 2009 detected !
[CdKeySerial] found "Invalid code" @ VA: 0x00001E60 / Offset: 0x00001260
- Scan Took : 0.332 Second(s) [00000014Ch (332) tick(s)] [558 of 573 scan(s) done]
--- snip ---

Relay tracing interferes with the way the native API sandboxing scheme works
and use of dedicated trace channels doesn't reveal much.

Debugging reveals the culprit.

'NtWaitForSingleObject':

--- snip ---
7BC99B3E    E9 2A057284     JMP 003BA06D                 ; trampoline
7BC99B43    E4 F0           IN AL,0F0 
7BC99B45    FF71 FC         PUSH DWORD PTR DS:[ECX-4]
7BC99B48    55              PUSH EBP
7BC99B49    89E5            MOV EBP,ESP
7BC99B4B    51              PUSH ECX
7BC99B4C    83EC 24         SUB ESP,24
7BC99B4F    89C8            MOV EAX,ECX
7BC99B51    8B50 04         MOV EDX,DWORD PTR DS:[EAX+4]
7BC99B54    8855 F4         MOV BYTE PTR SS:[EBP-0C],DL
7BC99B57    0FB655 F4       MOVZX EDX,BYTE PTR SS:[EBP-0C]
7BC99B5B    8B48 08         MOV ECX,DWORD PTR DS:[EAX+8]
7BC99B5E    894C24 10       MOV DWORD PTR SS:[ESP+10],ECX
7BC99B62    895424 0C       MOV DWORD PTR SS:[ESP+0C],EDX
7BC99B66    C74424 08 00000 MOV DWORD PTR SS:[ESP+8],0
7BC99B6E    894424 04       MOV DWORD PTR SS:[ESP+4],EAX
7BC99B72    C70424 01000000 MOV DWORD PTR SS:[ESP],1
7BC99B79    E8 E7FEFFFF     CALL NtWaitForMultipleObjects
7BC99B7E    83EC 14         SUB ESP,14
7BC99B81    8B4D FC         MOV ECX,DWORD PTR SS:[EBP-4]
7BC99B84    C9              LEAVE
7BC99B85    8D61 FC         LEA ESP,[ECX-4]
7BC99B88    C2 0C00         RETN 0C 
...
00A3004E    8D4C24 04       LEA ECX,[ESP+4]             ; saved prolog chunk
00A30052    83E4 F0         AND ESP,FFFFFFF0
00A30055    E9 EB9A267B     JMP 7BC99B45
--- snip ---

NtWaitForMultipleObjects:

--- snip --- 
7BC99A65    E9 81067284     JMP 003BA0EB                ; trampoline
7BC99A6A    F0:81EC 3001000 LOCK SUB ESP,130
7BC99A71    8B55 10         MOV EDX,DWORD PTR SS:[EBP+10]
7BC99A74    8B45 14         MOV EAX,DWORD PTR SS:[EBP+14]
7BC99A77    885424 1C       MOV BYTE PTR SS:[ESP+1C],DL
7BC99A7B    884424 18       MOV BYTE PTR SS:[ESP+18],AL
7BC99A7F    C78424 28010000 MOV DWORD PTR SS:[ESP+128],2
7BC99A8A    837D 08 00      CMP DWORD PTR SS:[EBP+8],0
7BC99A8E    74 06           JE SHORT 7BC99A96 
...
--- snip ---

The trampoline/hook state tracking code gets confused due to
'NtWaitForSingleObject' calling 'NtWaitForMultipleObjects' which causes a
recursion in the continuation code.

Native NT API doesn't do this by design since each function has its own syscall.

If you use a static/inline helper which is shared/called by both, the app
starts fine.
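To make the failure mode concrete, here is an added model of the hook state tracking (constructed for this report; it is neither Wine's ntdll nor the XenoCode sandbox code). `hook_enter`/`hook_leave` stand in for the trampoline's per-call bookkeeping, which assumes one hook entry per call chain; the "before" design has the single-object export call the multi-object export, the "after" design routes both through a static helper as suggested above.

```c
/* Constructed model (not Wine or XenoCode code) of the hook state tracking the
 * report describes: the sandbox's trampolines assume a hooked NT export is
 * entered once per call chain, because native ntdll issues one syscall per
 * function. An export re-entering the hook layer is what caused the recursion. */
static int hook_depth = 0;      /* per-thread in a real sandbox; one thread here */
static int nested_entries = 0;  /* hook entries seen while a hook is still active */

static void hook_enter(void)
{
    if (hook_depth > 0) nested_entries++;   /* the confusing case */
    hook_depth++;
}
static void hook_leave(void) { hook_depth--; }

/* Shared static worker: not an exported entry point, so never hooked. 0 = success. */
static long wait_objects(int count, const int *handles)
{ return (count > 0 && handles) ? 0 : -1; }

/* "Before": the single-object export calls the multi-object export. */
static long before_multi(int count, const int *handles)
{
    hook_enter(); long st = wait_objects(count, handles); hook_leave(); return st;
}
static long before_single(int handle)
{
    hook_enter(); long st = before_multi(1, &handle); hook_leave(); return st;
}

/* "After": both exports call the static helper; no export calls another. */
static long after_multi(int count, const int *handles)
{
    hook_enter(); long st = wait_objects(count, handles); hook_leave(); return st;
}
static long after_single(int handle)
{
    hook_enter(); long st = wait_objects(1, &handle); hook_leave(); return st;
}

/* Nested hook entries produced by a single-object wait under each design. */
int nested_entries_before(void)
{
    nested_entries = 0; before_single(42); return nested_entries;
}
int nested_entries_after(void)
{
    int two[2] = { 1, 2 };
    nested_entries = 0; after_single(42); after_multi(2, two); return nested_entries;
}
```

The "before" design produces one nested hook entry per single-object wait, which is the re-entry the sandbox's continuation code cannot handle; the "after" design produces none.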

NOTE: Although the app bundles .NET on its own, you will need 'winetricks -q
dotnet20' to work around bug 38956

$ sha1sum Stylizer5Setup.exe 
fa99802266f80441ac4f091e90b20691e170f12d  Stylizer5Setup.exe

$ du -sh Stylizer5Setup.exe 
16M    Stylizer5Setup.exe

$ wine --version
wine-1.7.49-184-g5021e91

Regards
