[Bug 38659] New: Windows Sysinternals Process Explorer v16.05 crashes on startup (registry SID profile data in 'ProfileList' must contain 'Flags' and 'ProfileImagePath' values)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun May 31 08:33:38 CDT 2015


https://bugs.winehq.org/show_bug.cgi?id=38659

            Bug ID: 38659
           Summary: Windows Sysinternals Process Explorer v16.05 crashes
                    on startup (registry SID profile data in 'ProfileList'
                    must contain 'Flags' and 'ProfileImagePath' values)
           Product: Wine
           Version: 1.7.44
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

I received a 'garbage' rated test report for Process Explorer 16.x appdb entry.
The app worked in earlier versions (<16.x).

--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./procexp.exe >>log.txt 2>&1
...
0029:Call oleaut32.SysAllocString(004b0940 L"Software\\Microsoft\\Command
Processor") ret=004060ea
0029:Ret  oleaut32.SysAllocString() retval=0021de1c ret=004060ea
0029:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=0048fb78
0029:Ret  ntdll.RtlAllocateHeap() retval=00217e40 ret=0048fb78
0029:Call oleaut32.SysAllocString(004afa48 L"\\") ret=004036e8
0029:Ret  oleaut32.SysAllocString() retval=00201c6c ret=004036e8
0029:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=0048fb78
0029:Ret  ntdll.RtlAllocateHeap() retval=00217e58 ret=0048fb78
0029:Call oleaut32.SysAllocString(00000008) ret=004036e8
0029:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7dfcd8b5
ip=7dfcd8b5 tid=0029
0029:trace:seh:raise_exception  info[0]=00000000
0029:trace:seh:raise_exception  info[1]=00000008
0029:trace:seh:raise_exception  eax=00000008 ebx=0078e7b0 ecx=0078e7b0
edx=00000004 esi=0078e7e0 edi=0078e7b4
0029:trace:seh:raise_exception  ebp=0078e778 esp=0078e768 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210202
...
Unhandled exception: page fault on read access to 0x00000008 in 32-bit code
(0x7dfcd8b5).
...
Backtrace:
=>0 0x7dfcd8b5 lstrlenW+0x15(str=*** invalid address 0x8 ***)
[/home/focht/projects/wine/wine.repo/src/include/winbase.h:2597] in oleaut32
(0x0078e778)
  1 0x7dfcdb81 SysAllocString+0x29(str=<couldn't compute location>)
[/home/focht/projects/wine/wine.repo/src/dlls/oleaut32/oleaut.c:232] in
oleaut32 (0x0078e798)
  2 0x7bc7bdce relay_call+0x39() in ntdll (0x0078e7c4)
  3 0x7dfc86e1 in oleaut32 (+0x86e0) (0x0078e7fc)
  4 0x004036e8 in procexp (+0x36e7) (0x0078e7fc)
  5 0x004063f9 in procexp (+0x63f8) (0x0078e85c)
  6 0x0040a77f in procexp (+0xa77e) (0x0078e91c)
  7 0x0040a4c6 in procexp (+0xa4c5) (0x0078e96c)
  8 0x0040aeea in procexp (+0xaee9) (0x0078e9b4)
  9 0x0040458d in procexp (+0x458c) (0x0078e9d8)
  10 0x00493c26 in procexp (+0x93c25) (0x0078ea10)
  11 0x00493ccd in procexp (+0x93ccc) (0x0078ea18) 
...
0x7dfcd8b5 lstrlenW+0x15
[/home/focht/projects/wine/wine.repo/src/include/winbase.h:2597] in oleaut32:
movzwl    0x0(%eax),%eax
2597        while (*s) s++;
Modules:
Module    Address            Debug info    Name (128 modules)
PE      400000-  68a000    Export          procexp
ELF    470b0000-470ce000    Deferred        libgcc_s.so.1 
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000025 (D) Z:\home\focht\Downloads\procexp.exe
    0000002b    0
    00000029    0 <==
    00000026    0 
--- snip ---

Unfortunately the crash is a manifestation of a problem that happened much
earlier.
It can also be attributed to sloppy programming since it's the only location
where this instance/data pointer is (de)referenced without prior validation.

--- snip ---
...
004063E4  A1 4CE44D00       MOV EAX,DWORD PTR DS:[4DE44C] ; NULL ptr
004063E9  8D4D E0           LEA ECX,DWORD PTR SS:[EBP-20]
004063EC  83C0 08           ADD EAX,8
004063EF  C645 FC 02        MOV BYTE PTR SS:[EBP-4],2
004063F3  50                PUSH EAX
004063F4  E8 97D2FFFF       CALL procexp.00403690         ; *boom*  
--- snip ---

Putting a hardware watchpoint to that location for trapping r/w accesses didn't
bring further insight - the crash is the first (read) access.

Now all references to that memory location have to be investigated.

--- snip ---
00403F80   MOV ECX,DWORD PTR DS:[4DE44C]
...
004041E4   MOV DWORD PTR DS:[4DE44C],EBX 
...
00404429   MOV DWORD PTR DS:[4DE44C],ESI
...
004045B6   PUSH DWORD PTR DS:[4DE44C]
...
004063E4   MOV EAX,DWORD PTR DS:[4DE44C] ; crash, NULL ptr
...
0040EA6F   MOV DWORD PTR DS:[4DE44C],EAX
...
0041C8DE   MOV ECX,DWORD PTR DS:[4DE44C]
--- snip ---

Breakpoints at all branches/parent call sites before a write (0x004041E4,
0x00404429, 0x0040EA6F).

Finally we arrive at this location:

--- snip ---
...
0040425A  33DB            XOR EBX,EBX
0040425C  50              PUSH EAX
0040425D  53              PUSH EBX
0040425E  FFB5 D4EBFFFF   PUSH DWORD PTR SS:[EBP-142C]
00404264  899D D8EBFFFF   MOV DWORD PTR SS:[EBP-1428],EBX
0040426A  E8 91C20000     CALL procexp.00410500            ; retval = 0x103
0040426F  83C4 0C         ADD ESP,0C
00404272  85C0            TEST EAX,EAX
00404274  0F85 20020000   JNZ procexp.0040449A     
0040427A  8B3D ECF04A00   MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQueryValueExW>]
...
004042CF  50              PUSH EAX
004042D0  6A 00           PUSH 0
004042D2  6A 00           PUSH 0
004042D4  68 144A4B00     PUSH procexp.004B4A14           ; UNICODE "Flags"
004042D9  FFB5 BCEBFFFF   PUSH DWORD PTR SS:[EBP-1444]
004042DF  FFD7            CALL EDI
...
00404336  50              PUSH EAX
00404337  8D85 A8EBFFFF   LEA EAX,DWORD PTR SS:[EBP-1458]
0040433D  50              PUSH EAX
0040433E  8D85 E0FBFFFF   LEA EAX,DWORD PTR SS:[EBP-420]
00404344  50              PUSH EAX
00404345  53              PUSH EBX
00404346  6A 00           PUSH 0
00404348  FF15 BCF04A00   CALL DWORD PTR DS:[<&ADVAPI32.LookupAccountSidW>]
...
00404382  51              PUSH ECX
00404383  6A 00           PUSH 0
00404385  6A 00           PUSH 0
00404387  68 204A4B00     PUSH procexp.004B4A20  ;  UNICODE "ProfileImagePath"
0040438C  FFB5 BCEBFFFF   PUSH DWORD PTR SS:[EBP-1444]
00404392  FFD7            CALL EDI
...
00404415  FFB5 E0EBFFFF   PUSH DWORD PTR SS:[EBP-1420]         ; pSID2
0040441B  53              PUSH EBX                             ; pSID1
0040441C  FF15 84F04A00   CALL DWORD PTR DS:[<&ADVAPI32.EqualSid>]
00404422  85C0            TEST EAX,EAX
00404424  74 0B           JE SHORT procexp.00404431
00404426  C606 01         MOV BYTE PTR DS:[ESI],1
00404429  8935 4CE44D00   MOV DWORD PTR DS:[4DE44C],ESI
0040442F  EB 03           JMP SHORT procexp.00404434
...
--- snip ---

The trace log (with additional +ntdll,+reg):

--- snip ---
...
003e:Call advapi32.OpenProcessToken(ffffffff,00000008,0078d584) ret=00404059
003e:trace:ntdll:NtOpenProcessTokenEx
(0xffffffff,0x00000008,0x00000000,0x78d584)
003e:Ret  advapi32.OpenProcessToken() retval=00000001 ret=00404059
003e:Call
advapi32.GetTokenInformation(0000008c,00000001,0078d5a4,00001000,0078d570)
ret=00404088
003e:trace:ntdll:NtQueryInformationToken (0x8c,1,0x78d5a4,4096,0x78d570)
003e:Ret  advapi32.GetTokenInformation() retval=00000001 ret=00404088
003e:Call KERNEL32.CloseHandle(0000008c) ret=004040b3
003e:Ret  KERNEL32.CloseHandle() retval=00000001 ret=004040b3
003e:Call advapi32.LookupAccountNameW(00000000,004b4954 L"NT
AUTHORITY",00000000,0078d57c,0078e7ac,0078d588,0078d578) ret=004040ea
...
003e:Ret  advapi32.LookupAccountNameW() retval=00000000 ret=004040ea
003e:Call ntdll.RtlAllocateHeap(00110000,00000000,00000001) ret=0048fb78
003e:Ret  ntdll.RtlAllocateHeap() retval=00201e10 ret=0048fb78
003e:Call advapi32.LookupAccountNameW(00000000,004b0550
L"System",00201e10,0078d57c,0078e7ac,0078d588,0078d578) ret=00404124
003e:Ret  advapi32.LookupAccountNameW() retval=00000000 ret=00404124 
...
003e:Call ntdll.NtOpenKey(0078d598,00020019,0078d4fc) ret=004065a3
003e:trace:reg:NtOpenKey
((nil),L"\\Registry\\Machine\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\ProfileList",20019,0x78d598)
003e:trace:reg:NtOpenKey <- 0x8c
003e:Ret  ntdll.NtOpenKey() retval=00000000 ret=004065a3
003e:Call ntdll.RtlNtStatusToDosError(00000000) ret=004065aa
003e:Ret  ntdll.RtlNtStatusToDosError() retval=00000000 ret=004065aa
003e:Call KERNEL32.InterlockedDecrement(00201e48) ret=0040661d
003e:Ret  KERNEL32.InterlockedDecrement() retval=00000000 ret=0040661d
003e:Call oleaut32.SysFreeString(00201e5c L"Software\\Microsoft\\Windows
NT\\CurrentVersion\\ProfileList") ret=0040662e
003e:Ret  oleaut32.SysFreeString() retval=00000000 ret=0040662e
003e:Call ntdll.RtlFreeHeap(00110000,00000000,00201e40) ret=0048fb11
003e:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=0048fb11
003e:Call KERNEL32.InterlockedDecrement(00205270) ret=00406664
003e:Ret  KERNEL32.InterlockedDecrement() retval=00000000 ret=00406664
003e:Call oleaut32.SysFreeString(00205284
L"\\Registry\\Machine\\Software\\Microsoft\\Windows
NT\\CurrentVersion\\ProfileList") ret=00406675
003e:Ret  oleaut32.SysFreeString() retval=00000000 ret=00406675
003e:Call ntdll.RtlFreeHeap(00110000,00000000,00205268) ret=0048fb11
003e:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=0048fb11
003e:Call
advapi32.RegQueryInfoKeyW(0000008c,00000000,00000000,00000000,00000000,0078d544,00000000,00000000,00000000,00000000,00000000,00000000)
ret=0041052c
003e:trace:reg:RegQueryInfoKeyW
(0x8c,(nil),0,(nil),(nil),0x78d544,(nil),(nil),(nil),(nil),(nil))
003e:Ret  advapi32.RegQueryInfoKeyW() retval=00000000 ret=0041052c
003e:Call ntdll.RtlReAllocateHeap(00110000,00000000,00201bc0,00000004)
ret=0048fc04
003e:Ret  ntdll.RtlReAllocateHeap() retval=00201bc0 ret=0048fc04
003e:Call advapi32.RegEnumKeyW(0000008c,00000000,00201bc0,00000001)
ret=0041056a
003e:trace:reg:RegEnumKeyExW
(0x8c,0,0x201bc0,0x78d4fc(1),(nil),(nil),(nil),(nil))
003e:Ret  advapi32.RegEnumKeyW() retval=00000103 ret=0041056a
003e:Call advapi32.RegCloseKey(0000008c) ret=004044a6
003e:Ret  advapi32.RegCloseKey() retval=00000000 ret=004044a6
...
--- snip ---

Wine's 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList'
doesn't have any profile subkeys (bug 15670) hence the enumeration fails and
the active profile data can't be retrieved/set.

Technet blog entry: 

http://blogs.technet.com/b/heyscriptingguy/archive/2005/06/03/hey-scripting-guy-how-can-i-list-all-the-user-profiles-on-a-computer.aspx

This app requires 'Flags' and 'ProfileImagePath' values to be present below the
profile key.

Yes, there is bug 15670 (.NET applications that make use of
System.IO.IsolatedStorage crash (missing "HKLM\Software\Microsoft\Windows
NT\CurrentVersion\ProfileList\<UserSID>" registry subkey) but I decided to make
this a separate bug since all those apps listed only require the profile SID
subkey to exist.

$ sha1sum ProcessExplorer.zip 
521c2a2962eaadd572bcd09f2bca182803420198  ProcessExplorer.zip

$ du -sh ProcessExplorer.zip 
1.1M    ProcessExplorer.zip

$ wine --version
wine-1.7.44

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.



More information about the wine-bugs mailing list