[Bug 38659] New: Windows Sysinternals Process Explorer v16.05 crashes on startup (registry SID profile data in 'ProfileList' must contain 'Flags' and 'ProfileImagePath' values)
wine-bugs at winehq.org
Sun May 31 08:33:38 CDT 2015
https://bugs.winehq.org/show_bug.cgi?id=38659
Bug ID: 38659
Summary: Windows Sysinternals Process Explorer v16.05 crashes on startup (registry SID profile data in 'ProfileList' must contain 'Flags' and 'ProfileImagePath' values)
Product: Wine
Version: 1.7.44
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
I received a 'garbage' rated test report for the Process Explorer 16.x appdb entry.
The app worked in earlier versions (<16.x).
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./procexp.exe >>log.txt 2>&1
...
0029:Call oleaut32.SysAllocString(004b0940 L"Software\\Microsoft\\Command Processor") ret=004060ea
0029:Ret oleaut32.SysAllocString() retval=0021de1c ret=004060ea
0029:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=0048fb78
0029:Ret ntdll.RtlAllocateHeap() retval=00217e40 ret=0048fb78
0029:Call oleaut32.SysAllocString(004afa48 L"\\") ret=004036e8
0029:Ret oleaut32.SysAllocString() retval=00201c6c ret=004036e8
0029:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=0048fb78
0029:Ret ntdll.RtlAllocateHeap() retval=00217e58 ret=0048fb78
0029:Call oleaut32.SysAllocString(00000008) ret=004036e8
0029:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7dfcd8b5 ip=7dfcd8b5 tid=0029
0029:trace:seh:raise_exception info[0]=00000000
0029:trace:seh:raise_exception info[1]=00000008
0029:trace:seh:raise_exception eax=00000008 ebx=0078e7b0 ecx=0078e7b0 edx=00000004 esi=0078e7e0 edi=0078e7b4
0029:trace:seh:raise_exception ebp=0078e778 esp=0078e768 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210202
...
Unhandled exception: page fault on read access to 0x00000008 in 32-bit code (0x7dfcd8b5).
...
Backtrace:
=>0 0x7dfcd8b5 lstrlenW+0x15(str=*** invalid address 0x8 ***) [/home/focht/projects/wine/wine.repo/src/include/winbase.h:2597] in oleaut32 (0x0078e778)
1 0x7dfcdb81 SysAllocString+0x29(str=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/oleaut32/oleaut.c:232] in oleaut32 (0x0078e798)
2 0x7bc7bdce relay_call+0x39() in ntdll (0x0078e7c4)
3 0x7dfc86e1 in oleaut32 (+0x86e0) (0x0078e7fc)
4 0x004036e8 in procexp (+0x36e7) (0x0078e7fc)
5 0x004063f9 in procexp (+0x63f8) (0x0078e85c)
6 0x0040a77f in procexp (+0xa77e) (0x0078e91c)
7 0x0040a4c6 in procexp (+0xa4c5) (0x0078e96c)
8 0x0040aeea in procexp (+0xaee9) (0x0078e9b4)
9 0x0040458d in procexp (+0x458c) (0x0078e9d8)
10 0x00493c26 in procexp (+0x93c25) (0x0078ea10)
11 0x00493ccd in procexp (+0x93ccc) (0x0078ea18)
...
0x7dfcd8b5 lstrlenW+0x15 [/home/focht/projects/wine/wine.repo/src/include/winbase.h:2597] in oleaut32: movzwl 0x0(%eax),%eax
2597 while (*s) s++;
Modules:
Module Address Debug info Name (128 modules)
PE 400000- 68a000 Export procexp
ELF 470b0000-470ce000 Deferred libgcc_s.so.1
...
Threads:
process tid prio (all id:s are in hex)
...
00000025 (D) Z:\home\focht\Downloads\procexp.exe
0000002b 0
00000029 0 <==
00000026 0
--- snip ---
Unfortunately the crash is a manifestation of a problem that happened much
earlier.
It can also be attributed to sloppy programming since it's the only location
where this instance/data pointer is (de)referenced without prior validation.
--- snip ---
...
004063E4 A1 4CE44D00 MOV EAX,DWORD PTR DS:[4DE44C] ; NULL ptr
004063E9 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004063EC 83C0 08 ADD EAX,8
004063EF C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
004063F3 50 PUSH EAX
004063F4 E8 97D2FFFF CALL procexp.00403690 ; *boom*
--- snip ---
Putting a hardware watchpoint on that location to trap r/w accesses didn't
bring further insight - the crash is the first (read) access.
Now all references to that memory location have to be investigated.
--- snip ---
00403F80 MOV ECX,DWORD PTR DS:[4DE44C]
...
004041E4 MOV DWORD PTR DS:[4DE44C],EBX
...
00404429 MOV DWORD PTR DS:[4DE44C],ESI
...
004045B6 PUSH DWORD PTR DS:[4DE44C]
...
004063E4 MOV EAX,DWORD PTR DS:[4DE44C] ; crash, NULL ptr
...
0040EA6F MOV DWORD PTR DS:[4DE44C],EAX
...
0041C8DE MOV ECX,DWORD PTR DS:[4DE44C]
--- snip ---
Breakpoints at all branches/parent call sites before a write (0x004041E4,
0x00404429, 0x0040EA6F).
Finally we arrive at this location:
--- snip ---
...
0040425A 33DB XOR EBX,EBX
0040425C 50 PUSH EAX
0040425D 53 PUSH EBX
0040425E FFB5 D4EBFFFF PUSH DWORD PTR SS:[EBP-142C]
00404264 899D D8EBFFFF MOV DWORD PTR SS:[EBP-1428],EBX
0040426A E8 91C20000 CALL procexp.00410500 ; retval = 0x103
0040426F 83C4 0C ADD ESP,0C
00404272 85C0 TEST EAX,EAX
00404274 0F85 20020000 JNZ procexp.0040449A
0040427A 8B3D ECF04A00 MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQueryValueExW>]
...
004042CF 50 PUSH EAX
004042D0 6A 00 PUSH 0
004042D2 6A 00 PUSH 0
004042D4 68 144A4B00 PUSH procexp.004B4A14 ; UNICODE "Flags"
004042D9 FFB5 BCEBFFFF PUSH DWORD PTR SS:[EBP-1444]
004042DF FFD7 CALL EDI
...
00404336 50 PUSH EAX
00404337 8D85 A8EBFFFF LEA EAX,DWORD PTR SS:[EBP-1458]
0040433D 50 PUSH EAX
0040433E 8D85 E0FBFFFF LEA EAX,DWORD PTR SS:[EBP-420]
00404344 50 PUSH EAX
00404345 53 PUSH EBX
00404346 6A 00 PUSH 0
00404348 FF15 BCF04A00 CALL DWORD PTR DS:[<&ADVAPI32.LookupAccountSidW>]
...
00404382 51 PUSH ECX
00404383 6A 00 PUSH 0
00404385 6A 00 PUSH 0
00404387 68 204A4B00 PUSH procexp.004B4A20 ; UNICODE "ProfileImagePath"
0040438C FFB5 BCEBFFFF PUSH DWORD PTR SS:[EBP-1444]
00404392 FFD7 CALL EDI
...
00404415 FFB5 E0EBFFFF PUSH DWORD PTR SS:[EBP-1420] ; pSID2
0040441B 53 PUSH EBX ; pSID1
0040441C FF15 84F04A00 CALL DWORD PTR DS:[<&ADVAPI32.EqualSid>]
00404422 85C0 TEST EAX,EAX
00404424 74 0B JE SHORT procexp.00404431
00404426 C606 01 MOV BYTE PTR DS:[ESI],1
00404429 8935 4CE44D00 MOV DWORD PTR DS:[4DE44C],ESI
0040442F EB 03 JMP SHORT procexp.00404434
...
--- snip ---
The trace log (with additional +ntdll,+reg):
--- snip ---
...
003e:Call advapi32.OpenProcessToken(ffffffff,00000008,0078d584) ret=00404059
003e:trace:ntdll:NtOpenProcessTokenEx
(0xffffffff,0x00000008,0x00000000,0x78d584)
003e:Ret advapi32.OpenProcessToken() retval=00000001 ret=00404059
003e:Call advapi32.GetTokenInformation(0000008c,00000001,0078d5a4,00001000,0078d570) ret=00404088
003e:trace:ntdll:NtQueryInformationToken (0x8c,1,0x78d5a4,4096,0x78d570)
003e:Ret advapi32.GetTokenInformation() retval=00000001 ret=00404088
003e:Call KERNEL32.CloseHandle(0000008c) ret=004040b3
003e:Ret KERNEL32.CloseHandle() retval=00000001 ret=004040b3
003e:Call advapi32.LookupAccountNameW(00000000,004b4954 L"NT AUTHORITY",00000000,0078d57c,0078e7ac,0078d588,0078d578) ret=004040ea
...
003e:Ret advapi32.LookupAccountNameW() retval=00000000 ret=004040ea
003e:Call ntdll.RtlAllocateHeap(00110000,00000000,00000001) ret=0048fb78
003e:Ret ntdll.RtlAllocateHeap() retval=00201e10 ret=0048fb78
003e:Call advapi32.LookupAccountNameW(00000000,004b0550 L"System",00201e10,0078d57c,0078e7ac,0078d588,0078d578) ret=00404124
003e:Ret advapi32.LookupAccountNameW() retval=00000000 ret=00404124
...
003e:Call ntdll.NtOpenKey(0078d598,00020019,0078d4fc) ret=004065a3
003e:trace:reg:NtOpenKey ((nil),L"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",20019,0x78d598)
003e:trace:reg:NtOpenKey <- 0x8c
003e:Ret ntdll.NtOpenKey() retval=00000000 ret=004065a3
003e:Call ntdll.RtlNtStatusToDosError(00000000) ret=004065aa
003e:Ret ntdll.RtlNtStatusToDosError() retval=00000000 ret=004065aa
003e:Call KERNEL32.InterlockedDecrement(00201e48) ret=0040661d
003e:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=0040661d
003e:Call oleaut32.SysFreeString(00201e5c L"Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList") ret=0040662e
003e:Ret oleaut32.SysFreeString() retval=00000000 ret=0040662e
003e:Call ntdll.RtlFreeHeap(00110000,00000000,00201e40) ret=0048fb11
003e:Ret ntdll.RtlFreeHeap() retval=00000001 ret=0048fb11
003e:Call KERNEL32.InterlockedDecrement(00205270) ret=00406664
003e:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=00406664
003e:Call oleaut32.SysFreeString(00205284 L"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList") ret=00406675
003e:Ret oleaut32.SysFreeString() retval=00000000 ret=00406675
003e:Call ntdll.RtlFreeHeap(00110000,00000000,00205268) ret=0048fb11
003e:Ret ntdll.RtlFreeHeap() retval=00000001 ret=0048fb11
003e:Call advapi32.RegQueryInfoKeyW(0000008c,00000000,00000000,00000000,00000000,0078d544,00000000,00000000,00000000,00000000,00000000,00000000) ret=0041052c
003e:trace:reg:RegQueryInfoKeyW (0x8c,(nil),0,(nil),(nil),0x78d544,(nil),(nil),(nil),(nil),(nil))
003e:Ret advapi32.RegQueryInfoKeyW() retval=00000000 ret=0041052c
003e:Call ntdll.RtlReAllocateHeap(00110000,00000000,00201bc0,00000004) ret=0048fc04
003e:Ret ntdll.RtlReAllocateHeap() retval=00201bc0 ret=0048fc04
003e:Call advapi32.RegEnumKeyW(0000008c,00000000,00201bc0,00000001) ret=0041056a
003e:trace:reg:RegEnumKeyExW (0x8c,0,0x201bc0,0x78d4fc(1),(nil),(nil),(nil),(nil))
003e:Ret advapi32.RegEnumKeyW() retval=00000103 ret=0041056a
003e:Call advapi32.RegCloseKey(0000008c) ret=004044a6
003e:Ret advapi32.RegCloseKey() retval=00000000 ret=004044a6
...
--- snip ---
Wine's 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList'
doesn't have any profile subkeys (bug 15670), hence the enumeration fails and
the active profile data can't be retrieved/set.
Technet blog entry:
http://blogs.technet.com/b/heyscriptingguy/archive/2005/06/03/hey-scripting-guy-how-can-i-list-all-the-user-profiles-on-a-computer.aspx
This app requires the 'Flags' and 'ProfileImagePath' values to be present below the
profile key.
Yes, there is bug 15670 (.NET applications that make use of
System.IO.IsolatedStorage crash (missing "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\ProfileList\<UserSID>" registry subkey) but I decided to make
this a separate bug since all those apps listed only require the profile SID
subkey to exist.
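As an added example (not code from this bug report, from Sysinternals or from Wine), the script below parses a Regedit 5.00 export of the ProfileList key, reports which per-SID subkeys lack a REG_DWORD 'Flags' or a string 'ProfileImagePath', flags the no-subkeys case this report describes (RegEnumKeyW returning 0x103 on the first call), and builds the .reg fragment that would add a missing entry. The export text, the user SID S-1-5-21-0-0-0-1000 and the paths are constructed; S-1-5-18 is the well-known LocalSystem SID. Whether adding such an entry to the prefix is the right fix is a question for bug 15670, not something the script decides.

```python
"""Check a Regedit 5.00 export of the ProfileList key for the values Process
Explorer reads ('Flags' and 'ProfileImagePath') and build the .reg fragment
that adds a missing entry.  Added example, not part of the bug report; the
export text, user SID and paths below are constructed."""
import re

PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def _unescape(s):
    # .reg string syntax escapes '"' and '\' with a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse Regedit 5.00 text into {key_path: {value_name: (type, value)}}.
    Understands dword:, quoted REG_SZ and hex(2): (REG_EXPAND_SZ as UTF-16LE
    bytes, possibly wrapped over trailing-backslash continuation lines)."""
    reg, key, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})          # a repeated key header merges values
            continue
        while line.endswith("\\") and i < len(lines):   # join wrapped hex data
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m is None or key is None:
            continue                         # e.g. '@=' default values: not needed
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("dword:"):
            reg[key][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            reg[key][name] = ("sz", _unescape(data[1:-1]))
        elif data.startswith("hex(2):"):
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            reg[key][name] = ("expand_sz", raw.decode("utf-16-le").rstrip("\x00"))
        else:
            reg[key][name] = ("other", data)
    return reg


def check_profile_list(reg):
    """Return {sid: [problems]} for every direct subkey of ProfileList; an
    empty ProfileList (Wine's default, bug 15670) is reported under '<none>'."""
    prefix = PROFILE_LIST.lower() + "\\"
    report = {}
    for key, values in reg.items():
        if not key.lower().startswith(prefix):
            continue
        sid = key[len(prefix):]
        if "\\" in sid:                      # deeper keys are not profile entries
            continue
        problems = []
        if not SID_RE.fullmatch(sid):
            problems.append("subkey name is not a SID")
        if values.get("Flags", ("missing",))[0] != "dword":
            problems.append("Flags missing or not REG_DWORD")
        if values.get("ProfileImagePath", ("missing",))[0] not in ("sz", "expand_sz"):
            problems.append("ProfileImagePath missing or not a string value")
        report[sid] = problems
    if not report:
        report["<none>"] = ["ProfileList has no per-SID subkeys: RegEnumKeyW "
                            "returns ERROR_NO_MORE_ITEMS (0x103) on the first call"]
    return report


def profile_reg(sid, image_path, flags=0):
    """Regedit 5.00 fragment adding a ProfileList entry; ProfileImagePath is
    emitted as hex(2) (REG_EXPAND_SZ), the way regedit itself exports it."""
    utf16 = (image_path + "\x00").encode("utf-16-le")
    hexdata = ",".join(f"{b:02x}" for b in utf16)
    return "\n".join(["Windows Registry Editor Version 5.00", "",
                      f"[{PROFILE_LIST}\\{sid}]",
                      f'"Flags"=dword:{flags:08x}',
                      f'"ProfileImagePath"=hex(2):{hexdata}', ""])


# Constructed export: S-1-5-18 (LocalSystem) is complete, the user entry lacks
# ProfileImagePath, so Process Explorer's lookup would fail on it.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"ProfilesDirectory"="C:\\users"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"Flags"=dword:0000000c
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-0-0-0-1000]
"Flags"=dword:00000000
'''

if __name__ == "__main__":
    for sid, problems in check_profile_list(parse_reg(SAMPLE_EXPORT)).items():
        print(sid, "OK" if not problems else "; ".join(problems))
    print(profile_reg("S-1-5-21-0-0-0-1000", r"C:\users\wineuser"))
```

Running it on a real export (`wine regedit /E out.reg 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'`, then `parse_reg(open("out.reg", encoding="utf-16").read())`) shows at a glance whether the prefix has the layout the app expects; the `<none>` entry is the state this report describes.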
$ sha1sum ProcessExplorer.zip
521c2a2962eaadd572bcd09f2bca182803420198 ProcessExplorer.zip
$ du -sh ProcessExplorer.zip
1.1M ProcessExplorer.zip
$ wine --version
wine-1.7.44
Regards