[Bug 40373] New: Double free in RPCRT4

wine-bugs at winehq.org wine-bugs at winehq.org
Mon Mar 28 16:30:53 CDT 2016 

https://bugs.winehq.org/show_bug.cgi?id=40373

            Bug ID: 40373
           Summary: Double free in RPCRT4
           Product: Wine
           Version: unspecified
          Hardware: x86
                OS: Windows
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: rpc
          Assignee: wine-bugs at winehq.org
          Reporter: timo.kreuzer at web.de

Created attachment 54078
  --> https://bugs.winehq.org/attachment.cgi?id=54078
idl file

RPCRT4 can double free parameter allocations from NdrStubCall2

The specific situation where this happened is the following:

- The idl file was lsa.idl from ReactOS (file attached)
- The function was LsarRetrievePrivateData
- The parameter was EncryptedData
- It happened in cleanup of marshalled parameters within NdrStubCall2, after
calling this function

What happened:

- NdrStubCall2 iterates though the marshaling phases
- On STUBLESS_MUSTFREE:
  - params[i].attr.MustFree is TRUE for parameter i = 2 (EncryptedData)
  - call_freer() is invoked with a pointer pointing to the parameter (pointer
to the parameter location!)
  - param->attr.IsByValue is FALSE, so pMemory = *(unsigned char **)pMemory;
      pMemory is now equal to the value EncryptedData (a pointer to a pointer)
  - NdrFreer[pFormat[0] & NDR_TABLE_MASK] (NdrPointerFree) is called
  - NdrPointerFree calls PointerFree
  - desc = pFormat + *(const SHORT*)pFormat;
  - (attr & RPC_FC_P_DEREF) is TRUE, so current_pointer = *(unsigned
char**)Pointer; (In the observed case this is NULL, since the function returned
NULL in that OUT parameter)
  - NdrFreer[*desc & NDR_TABLE_MASK] (NdrPointerFree) is called with
current_pointer (doing nothing, since it's NULL)
  - Pointer is not within pStubMsg->Buffer
  - attr & RPC_FC_P_ONSTACK is not set (this is different on midl!)
  - NdrFree(pStubMsg, Pointer) is called, freeing the pointer
 - On STUBLESS_FREE:
   - params[i].attr.ServerAllocSize is != 0
   - HeapFree(GetProcessHeap(), 0, *(void **)pArg) is called on the pointer
that was freed before.

I cannot say exactly what is wrong here, but I see 2 potential problems:
- The type for the parameter has different flags between midl and widl (the
parameter data is the same), where widl is missing the [alloced_on_stack] flag:
midl:
/* 2076 */    
            0x11, 0x14,    /* FC_RP [alloced_on_stack] [pointer_deref] */
/* 2078 */    NdrFcShort( 0xffb6 ),    /* Offset= -74 (2004) */

widl:
/* 3112 (PLSAPR_CR_CIPHER_VALUE *) */
        0x11, 0x10,        /* FC_RP [pointer_deref] */
        NdrFcShort(0xfffa),    /* Offset= -6 (3108) */
With this flag, the parameter is not freed, but that might not be the correct
solution.

- Parameters with ServerAlloc are allocated from the heap, while according to
https://msdn.microsoft.com/library/windows/desktop/aa374362%28v=vs.85%29.aspx,
it should be allocated on the stack, so it would not be freed.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list