[Bug 38714] 64-bit ARM Windows applications from Windows SDK for Windows 10 crash in entry (loader needs to set/randomize security cookie for PE modules)

wine-bugs at winehq.org wine-bugs at winehq.org
Tue Jun 16 19:12:59 CDT 2015


https://bugs.winehq.org/show_bug.cgi?id=38714

--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello André,

I've seen your patch on mailing list.

https://source.winehq.org/patches/data/112108

Although the bug is about 64-bit ARM, apps targeting Windows 8.x x64 and
Windows 10 x64 will require the same mechanism.

You are not free to choose any "magic" cookie value when you do the security
cookie initialization in loader.

Example application, targeting newer 64-bit Windows x64:

http://files.emeditor.com/emed64_15.1.4_portable.zip

The app crashes with your patch.
Unfortunately it goes through some fast exit path, without winedbg/debugger being
able to attach (bug 24038).

"init cookie" function at entry point:

--- snip ---
...
0000000140103CA0  mov     [rsp+20h], rbx
0000000140103CA5  push    rbp
0000000140103CA6  mov     rbp, rsp
0000000140103CA9  sub     rsp, 20h
0000000140103CAD  mov     rax, cs:qword_140135540 ; security cookie
0000000140103CB4  and     qword ptr [rbp+18h], 0
0000000140103CB9  mov     rbx, 2B992DDFA232h      ; default init value for x64?
0000000140103CC3  cmp     rax, rbx
0000000140103CC6  jnz     short 140103D37    ; no? init already done by loader
0000000140103CC8  lea     rcx, [rbp+18h]
0000000140103CCC  call    cs:GetSystemTimeAsFileTime
0000000140103CD2  mov     rax, qword ptr [rbp+18h]
0000000140103CD6  mov     [rbp+10h], rax
0000000140103CDA  call    cs:GetCurrentThreadId
0000000140103CE0  mov     eax, eax
0000000140103CE2  xor     [rbp+10h], rax
0000000140103CE6  call    cs:GetCurrentProcessId
0000000140103CEC  lea     rcx, [rbp+20h]
0000000140103CF0  mov     eax, eax
0000000140103CF2  xor     [rbp+10h], rax
0000000140103CF6  call    cs:QueryPerformanceCounter
0000000140103CFC  mov     eax, dword ptr [rbp+20h]
0000000140103CFF  shl     rax, 20h
0000000140103D03  lea     rcx, [rbp+10h]
0000000140103D07  xor     rax, qword ptr [rbp+20h]
0000000140103D0B  xor     rax, [rbp+10h]
0000000140103D0F  xor     rax, rcx
0000000140103D12  mov     rcx, 0FFFFFFFFFFFFh      ; highest word = zero!
0000000140103D1C  and     rax, rcx
0000000140103D1F  mov     rcx, 2B992DDFA233h
0000000140103D29  cmp     rax, rbx
0000000140103D2C  cmovz   rax, rcx
0000000140103D30  mov     cs:qword_140135540, rax  ; newly randomized cookie
0000000140103D37  mov     rbx, [rsp+48h]
0000000140103D3C  not     rax
0000000140103D3F  mov     cs:qword_140135548, rax
0000000140103D46  add     rsp, 20h
0000000140103D4A  pop     rbp
0000000140103D4B  retn
...
--- snip ---

Runtime check for proper security cookie value:

--- snip ---
00000001400FB080  cmp     rcx, cs:qword_140135540  ; security cookie
00000001400FB087  jnz     short 1400FB09A
00000001400FB089  rol     rcx, 10h                 ; get highest word
00000001400FB08D  test    cx, 0FFFFh               ; highest word == zero?
00000001400FB092  jnz     short 1400FB096
00000001400FB094  rep     retn                     ; yes, oki
00000001400FB096  ror     rcx, 10h                 ; restore highest word
00000001400FB09A  jmp     1400FAE5C                ; problem -> bail!
--- snip ---

--- snip ---
.data
...
0000000140135540  qword_140135540 dq 2B992DDFA232h ; default cookie magic x64
--- snip ---

Debugger:

ECX = 0x5ec0617fc0041eb9 = your "magic" value set in loader

--- snip ---
Wine-dbg>info reg

Register dump:
 rip:00000001400fb087 rsp:000000000023f2e8 rbp:000000000023f530 eflags:00000346
(   - --  IT Z- -P- )
 rax:0000000000000001 rbx:000000000023f330 rcx:5ec0617fc0041eb9 rdx:00000000ffffffff
 rsi:0000000000000100 rdi:0000000000000001  r8:0000000000000100  r9:000000000023f950 r10:0000000000000001
 r11:000000000023f330 r12:000000000023f650 r13:0000000000000001 r14:00000000000004e4 r15:0000000000000100

Wine-dbg>si
0x00000001400fb089: rolq    $0x10,%rcx

Wine-dbg>si
0x00000001400fb08d: testw    $0xffff,%cx

Wine-dbg>info reg
Register dump:
 rip:00000001400fb08d rsp:000000000023f2e8 rbp:000000000023f530 eflags:00000346
(   - --  IT Z- -P- )
 rax:0000000000000001 rbx:000000000023f330 rcx:617fc0041eb95ec0 rdx:00000000ffffffff
 rsi:0000000000000100 rdi:0000000000000001  r8:0000000000000100  r9:000000000023f950 r10:0000000000000001
 r11:000000000023f330 r12:000000000023f650 r13:0000000000000001 r14:00000000000004e4 r15:0000000000000100

Wine-dbg>si
0x00000001400fb092: jnz    0x00000001400fb096

Wine-dbg>si
0x00000001400fb096: rorq    $0x10,%rcx

<process termination>
--- snip ---

Regards
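The cookie init and check logic walked through in the disassembly above, as an added C model that is not code from the bug report, from Wine or from the MSVC CRT. It keeps the constants from the dump (default cookie 2B992DDFA232h, the 48-bit mask, the failing loader value 5ec0617fc0041eb9) and shows why a loader-chosen cookie with a nonzero highest word is rejected even when it matches; the function names, the `loader_set_cookie` hook and the entropy inputs passed as parameters are assumptions made for testability.

```c
#include <stdint.h>
#include <stdbool.h>

/* Values taken from the disassembly in the comment above. */
#define DEFAULT_SECURITY_COOKIE 0x2B992DDFA232ULL     /* CRT default, x64 */
#define COOKIE_MASK             0x0000FFFFFFFFFFFFULL /* top 16 bits must be zero */

/* Model of the CRT's __security_cookie / __security_cookie_complement pair. */
static uint64_t security_cookie            = DEFAULT_SECURITY_COOKIE;
static uint64_t security_cookie_complement = ~DEFAULT_SECURITY_COOKIE;

/* Hypothetical loader hook: what a loader does when it pre-sets the cookie. */
void loader_set_cookie(uint64_t value) { security_cookie = value; }
uint64_t current_cookie(void) { return security_cookie; }
uint64_t current_cookie_complement(void) { return security_cookie_complement; }

/* Model of the "init cookie" function at 0x140103CA0. The entropy inputs are
 * passed in (assumption) instead of being read from GetSystemTimeAsFileTime,
 * GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter and a
 * stack address, so the result is deterministic for testing. */
uint64_t security_init_cookie(uint64_t filetime, uint32_t tid, uint32_t pid,
                              uint64_t qpc, uint64_t stack_addr)
{
    uint64_t cookie = security_cookie;
    if (cookie == DEFAULT_SECURITY_COOKIE) {        /* loader did not set it */
        cookie = filetime ^ tid ^ pid;
        cookie ^= ((qpc & 0xFFFFFFFFULL) << 32) ^ qpc; /* low dword shl 32, xor qword */
        cookie ^= stack_addr;                        /* xor rax, rcx (lea of a local) */
        cookie &= COOKIE_MASK;                       /* and rax, 0FFFFFFFFFFFFh */
        if (cookie == DEFAULT_SECURITY_COOKIE)
            cookie = DEFAULT_SECURITY_COOKIE + 1;    /* cmovz: 2B992DDFA233h */
        security_cookie = cookie;
    }
    security_cookie_complement = ~cookie;            /* not rax; store complement */
    return cookie;
}

/* Model of the runtime check at 0x1400FB080: true when the value passes,
 * false when the CRT would take the "problem -> bail!" path. */
bool security_check_cookie(uint64_t value)
{
    if (value != security_cookie)
        return false;
    /* rol 16 / test cx: even a matching cookie fails if its highest word is set */
    return (value >> 48) == 0;
}
```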
