[Bug 44927] New: StarForce v3 kernel driver 'sfdrv01' causes 'winedevice' hosting process to crash due to relocation entry crossing page boundary
wine-bugs at winehq.org
wine-bugs at winehq.org
Fri Apr 6 04:57:26 CDT 2018
https://bugs.winehq.org/show_bug.cgi?id=44927
Bug ID: 44927
Summary: StarForce v3 kernel driver 'sfdrv01' causes
'winedevice' hosting process to crash due to
relocation entry crossing page boundary
Product: Wine
Version: 3.5
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: programs
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,

the summary says it all: loading the StarForce v3 kernel driver 'sfdrv01.sys' crashes the 'winedevice' hosting process while winedevice applies the image's base relocations itself, because one HIGHLOW fixup in the last relocation block straddles a page boundary and the page it spills into was never made writable. Log, relocation directory dump and the relevant winedevice source follow.
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+ntdll,+module,+virtual,+winedevice wine
notepad >>log.txt 2>&1
...
0026:trace:winedevice:load_driver loading driver
L"System32\\drivers\\sfdrv01.sys"
0026:Call KERNEL32.LoadLibraryW(0011cc98 L"System32\\drivers\\sfdrv01.sys")
ret=7effa9de
...
0026:trace:module:load_native_dll Trying native dll
L"C:\\windows\\System32\\drivers\\sfdrv01.sys"
0026:trace:virtual:map_view got mem in reserved area 0x780000-0x791000
0026:trace:module:map_image mapped PE file at 0x780000-0x791000
0026:trace:module:map_image mapping section .text at 0x781000 off 400 size 1e00
virt 1d5a flags 68000020
0026:trace:module:map_image clearing 0x782e00 - 0x783000
0026:trace:module:map_image mapping section .rdata at 0x783000 off 2200 size
600 virt 421 flags 48000040
0026:trace:module:map_image clearing 0x783600 - 0x784000
0026:trace:module:map_image mapping section .data at 0x784000 off 2800 size 400
virt 1420 flags c8000040
0026:trace:module:map_image clearing 0x784400 - 0x785000
0026:trace:module:map_image mapping section PAGE at 0x786000 off 2c00 size 6e00
virt 6d7e flags 60000020
0026:trace:module:map_image clearing 0x78ce00 - 0x78d000
0026:trace:module:map_image mapping section INIT at 0x78d000 off 9a00 size 1200
virt 101a flags e2000020
0026:trace:module:map_image clearing 0x78e200 - 0x78f000
0026:trace:module:map_image mapping section .rsrc at 0x78f000 off ac00 size 400
virt 3f0 flags 42000040
0026:trace:module:map_image clearing 0x78f400 - 0x790000
0026:trace:module:map_image mapping section .reloc at 0x790000 off b000 size
a00 virt 9fc flags 42000040
0026:trace:module:map_image clearing 0x790a00 - 0x791000
0026:trace:virtual:VIRTUAL_DumpView View: 0x780000 - 0x790fff (image)
0026:trace:virtual:VIRTUAL_DumpView 0x780000 - 0x780fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x781000 - 0x782fff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x783000 - 0x783fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x784000 - 0x785fff c-rW-
0026:trace:virtual:VIRTUAL_DumpView 0x786000 - 0x78cfff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x78d000 - 0x78efff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x78f000 - 0x790fff c-r--
...
0026:Ret KERNEL32.LoadLibraryW() retval=00780000 ret=7effa9de
0026:Call ntoskrnl.exe.RtlImageNtHeader(00780000) ret=7effa9ff
0026:Call ntdll.RtlImageNtHeader(00780000) ret=7bc7f49b
0026:Ret ntdll.RtlImageNtHeader() retval=007800d8 ret=7bc7f49b
0026:Ret ntoskrnl.exe.RtlImageNtHeader() retval=007800d8 ret=7effa9ff
0026:Call
ntoskrnl.exe.NtQuerySystemInformation(00000000,0065f9c4,0000002c,00000000)
ret=7effaa32
0026:Call ntdll.NtQuerySystemInformation(00000000,0065f9c4,0000002c,00000000)
ret=7bc7f49b
0026:trace:ntdll:NtQuerySystemInformation
(0x00000000,0x65f9c4,0x0000002c,(nil))
0026:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7bc7f49b
0026:Ret ntoskrnl.exe.NtQuerySystemInformation() retval=00000000 ret=7effaa32
0026:Call
ntoskrnl.exe.RtlImageDirectoryEntryToData(00780000,00000001,00000005,0065f9c0)
ret=7effaa66
0026:Call
ntdll.RtlImageDirectoryEntryToData(00780000,00000001,00000005,0065f9c0)
ret=7bc7f49b
0026:Ret ntdll.RtlImageDirectoryEntryToData() retval=00790000 ret=7bc7f49b
0026:Ret ntoskrnl.exe.RtlImageDirectoryEntryToData() retval=00790000
ret=7effaa66
0026:trace:winedevice:load_driver_module L"System32\\drivers\\sfdrv01.sys":
relocating from 0x10000 to 0x780000
0026:Call KERNEL32.VirtualProtect(00781000,00001000,00000040,0065f9bc)
ret=7effaafa
0026:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x781000 00001000 00000040
0026:trace:virtual:VIRTUAL_DumpView View: 0x780000 - 0x790fff (image)
0026:trace:virtual:VIRTUAL_DumpView 0x780000 - 0x780fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x781000 - 0x781fff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x782000 - 0x782fff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x783000 - 0x783fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x784000 - 0x785fff c-rW-
0026:trace:virtual:VIRTUAL_DumpView 0x786000 - 0x78cfff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x78d000 - 0x78efff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x78f000 - 0x790fff c-r--
0026:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effaafa
...
0026:Call ntdll.LdrProcessRelocationBlock(00781000,00000082,00790008,00770000)
ret=7effab18
...
0026:Ret ntdll.LdrProcessRelocationBlock() retval=0079010c ret=7effab18
...
0026:Call KERNEL32.VirtualProtect(00788000,00001000,00000040,0065f9bc)
ret=7effaafa
0026:trace:virtual:NtProtectVirtualMemory 0xffffffff 0x788000 00001000 00000040
0026:trace:virtual:VIRTUAL_DumpView View: 0x780000 - 0x790fff (image)
0026:trace:virtual:VIRTUAL_DumpView 0x780000 - 0x780fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x781000 - 0x782fff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x783000 - 0x783fff c-r--
0026:trace:virtual:VIRTUAL_DumpView 0x784000 - 0x785fff c-rW-
0026:trace:virtual:VIRTUAL_DumpView 0x786000 - 0x787fff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x788000 - 0x788fff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x789000 - 0x78cfff c-r-x
0026:trace:virtual:VIRTUAL_DumpView 0x78d000 - 0x78efff c-rWx
0026:trace:virtual:VIRTUAL_DumpView 0x78f000 - 0x790fff c-r--
0026:Ret KERNEL32.VirtualProtect() retval=00000001 ret=7effaafa
0026:Call ntdll.LdrProcessRelocationBlock(00788000,00000028,00790388,00770000)
ret=7effab18
...
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc6a3aa
ip=7bc6a3aa tid=0026
0026:trace:seh:raise_exception info[0]=00000001
0026:trace:seh:raise_exception info[1]=00789000
0026:trace:seh:raise_exception eax=00788ffe ebx=0065f920 ecx=0001302c
edx=0078302c esi=0065f970 edi=0065f930
0026:trace:seh:raise_exception ebp=0065f908 esp=0065f8e0 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010202
0026:trace:seh:call_vectored_handlers calling handler at 0x7ec122b1
code=c0000005 flags=0
0026:trace:seh:call_vectored_handlers handler at 0x7ec122b1 returned 0
0026:trace:seh:call_stack_handlers calling handler at 0x7bcb1a8e code=c0000005
flags=0
0026:Call KERNEL32.UnhandledExceptionFilter(0065f3e4) ret=7bcb1ac9
...
--- snip ---
Relocation directory:
--- snip ---
->Relocation Directory
1. Relocation Block:
VirtualAddress: 0x00001000 (".text")
SizeOfBlock: 0x0000010C (0x0082 block entries)
RVA Type
---------- -----------------
0x00001031 HIGHLOW
0x00001056 HIGHLOW
...
0x00001FA8 HIGHLOW
0x00001FC5 HIGHLOW
...
7. Relocation Block:
VirtualAddress: 0x00008000 ("PAGE")
SizeOfBlock: 0x00000058 (0x0028 block entries)
RVA Type
---------- -----------------
0x00008CCA HIGHLOW
0x00008D57 HIGHLOW
...
0x00008FED HIGHLOW
0x00008FFE HIGHLOW
n/a ABSOLUTE
...
--- snip ---
The last real entry (#39; entry #40 is the ABSOLUTE padding entry) has RVA 0x8FFE and type HIGHLOW, i.e. a 4-byte fixup covering RVA 0x8FFE..0x9001, so it crosses from the block's page at RVA 0x8000 into the next page at RVA 0x9000. load_driver_module() (below) only changes the protection of the single page at rel->VirtualAddress (0x788000, info.PageSize bytes) to PAGE_EXECUTE_READWRITE before calling LdrProcessRelocationBlock(), while the following page 0x789000-0x78cfff stays c-r-x (see the VIRTUAL_DumpView output above). The fixup write therefore faults exactly at the page boundary: the exception record shows a write access (info[0]=1) to 0x789000 with eax=0x788ffe, the address of the fixup. The protection change (and the restore afterwards) needs to cover every page a block's fixups can touch — e.g. protect the range from the block's page up to page + info.PageSize + sizeof(DWORD) rounded to page granularity, or derive the range from the last fixup of the block — rather than assume that all fixups of a block stay within one page; the PE format does not guarantee that, as this driver shows.
Source:
https://source.winehq.org/git/wine.git/blob/HEAD:/programs/winedevice/device.c#l98
--- snip ---
98 static HMODULE load_driver_module( const WCHAR *name )
99 {
100 IMAGE_NT_HEADERS *nt;
101 const IMAGE_IMPORT_DESCRIPTOR *imports;
102 SYSTEM_BASIC_INFORMATION info;
103 int i;
104 INT_PTR delta;
105 ULONG size;
106 HMODULE module = LoadLibraryW( name );
107
108 if (!module) return NULL;
109 nt = RtlImageNtHeader( module );
110
111 if (!(delta = (char *)module - (char *)nt->OptionalHeader.ImageBase))
return module;
112
113 /* the loader does not apply relocations to non page-aligned binaries
or executables,
114 * we have to do it ourselves */
115
116 NtQuerySystemInformation( SystemBasicInformation, &info, sizeof(info),
NULL );
117 if (nt->OptionalHeader.SectionAlignment < info.PageSize ||
118 !(nt->FileHeader.Characteristics & IMAGE_FILE_DLL))
119 {
120 DWORD old;
121 IMAGE_BASE_RELOCATION *rel, *end;
122
123 if ((rel = RtlImageDirectoryEntryToData( module, TRUE,
IMAGE_DIRECTORY_ENTRY_BASERELOC, &size )))
124 {
125 WINE_TRACE( "%s: relocating from %p to %p\n",
126 wine_dbgstr_w(name), (char *)module - delta,
module );
127 end = (IMAGE_BASE_RELOCATION *)((char *)rel + size);
128 while (rel < end && rel->SizeOfBlock)
129 {
130 void *page = (char *)module + rel->VirtualAddress;
131 VirtualProtect( page, info.PageSize,
PAGE_EXECUTE_READWRITE, &old );
132 rel = LdrProcessRelocationBlock( page, (rel->SizeOfBlock -
sizeof(*rel)) / sizeof(USHORT),
133 (USHORT *)(rel + 1),
delta );
134 if (old != PAGE_EXECUTE_READWRITE) VirtualProtect( page,
info.PageSize, old, &old );
135 if (!rel) goto error;
136 }
137 /* make sure we don't try again */
138 size = FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) +
nt->FileHeader.SizeOfOptionalHeader;
139 VirtualProtect( nt, size, PAGE_READWRITE, &old );
140
nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress
= 0;
141 VirtualProtect( nt, size, old, &old );
142 }
143 }
--- snip ---
$ sha1sum tmsunrisedemo_setup.exe
2d44577a71718464c595d9da91a017fb0914afc4 tmsunrisedemo_setup.exe
$ du -sh tmsunrisedemo_setup.exe
210M tmsunrisedemo_setup.exe
$ wine --version
wine-3.5-91-g3263d51a1f
Regards