[Bug 37356] Multiple software protection/DRM schemes crash due to ' ntoskrnl.MmMapLockedPagesSpecifyCache' returning NULL (Tages v5.x, ProtectDISC 6.x)
wine-bugs at winehq.org
Sat Apr 7 21:14:30 CDT 2018
https://bugs.winehq.org/show_bug.cgi?id=37356
Anastasius Focht <focht at gmx.net> changed:
What          |Removed                                                                                                                              |Added
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Status        |NEW                                                                                                                                  |RESOLVED
Resolution    |---                                                                                                                                  |DUPLICATE
Fixed by SHA1 |                                                                                                                                     |68f23a1138ed697257c348011d77ec8519b44294
Summary       |Multiple software protection/DRM schemes need ntoskrnl 'MmMapLockedPagesSpecifyCache' implementation (Tages v5.x, ProtectDISC 6.x) |Multiple software protection/DRM schemes crash due to 'ntoskrnl.MmMapLockedPagesSpecifyCache' returning NULL (Tages v5.x, ProtectDISC 6.x)
--- Comment #5 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
yes, I've noticed it now too.
It's a dupe of bug 37355 ("Multiple software protection schemes need ntoskrnl
'MmMapLockedPagesSpecifyCache' implementation (Tages Protection v5.x,
BattleEye's 'bedaisy.sys')")
--- snip ---
...
0034:Call ntdll.RtlInitUnicodeString(0054fb50,0054fb58 L"\\Device\\atksgt") ret=7bc7f49b
0034:Ret ntdll.RtlInitUnicodeString() retval=0054fb50 ret=7bc7f49b
0034:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0054fb50 ret=00780387
0034:Call ntoskrnl.exe.IoGetDeviceObjectPointer(0054fb50,00020000,0054fb4c,0054fb48) ret=007803a1
0034:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\\Device\\atksgt" 20000 0x54fb4c 0x54fb48
0034:Ret ntoskrnl.exe.IoGetDeviceObjectPointer() retval=00000000 ret=007803a1
0034:trace:ntoskrnl:ObDereferenceObject ((nil)): stub
0034:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7803c1 ip=007803c1 tid=0034
0034:trace:seh:raise_exception info[0]=00000001
0034:trace:seh:raise_exception info[1]=00000000
0034:trace:seh:raise_exception eax=00000000 ebx=0054fc70 ecx=0054fb44 edx=00552f44 esi=0011cd18 edi=0054fe14
0034:trace:seh:raise_exception ebp=00000000 esp=0054fb48 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010216
0034:trace:seh:call_vectored_handlers calling handler at 0x7ec112b1 code=c0000005 flags=0
0034:trace:seh:call_vectored_handlers handler at 0x7ec112b1 returned 0
0034:trace:seh:call_stack_handlers calling handler at 0x7bcb1a8e code=c0000005 flags=0
0034:Call KERNEL32.UnhandledExceptionFilter(0054f644) ret=7bcb1ac9
wine: Unhandled page fault on write access to 0x00000000 at address 0x7803c1 (thread 0034), starting debugger...
--- snip ---
The current stub:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl.c#l1211
--- snip ---
1211 NTSTATUS WINAPI IoGetDeviceObjectPointer( UNICODE_STRING *name, ACCESS_MASK access, PFILE_OBJECT *file, PDEVICE_OBJECT *device )
1212 {
1213     static DEVICE_OBJECT stub_device;
1214     static DRIVER_OBJECT stub_driver;
1215
1216     FIXME( "stub: %s %x %p %p\n", debugstr_us(name), access, file, device );
1217
1218     stub_device.StackSize = 0x80; /* minimum value to appease SecuROM 5.x */
1219     stub_device.DriverObject = &stub_driver;
1220
1221     *file = NULL;
1222     *device = &stub_device;
1223
1224     return STATUS_SUCCESS;
1225 }
--- snip ---
'ObDereferenceObject(NULL)' in the trace log is the result of
'IoGetDeviceObjectPointer()' returning a NULL file object.
This is expected; the driver doesn't need the file object.
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/attaching-the-filter-device-object-to-the-target-device-object
("Attaching the Filter Device Object to the Target Device Object")
Driver disassembly:
--- snip ---
00780300 SUB ESP,30
00780303 XOR EAX,EAX
00780305 MOV ECX,65
0078030A MOV WORD PTR SS:[ESP+14],CX
0078030F MOV WORD PTR SS:[ESP+1C],CX
...
00780381 CALL DWORD PTR DS:[<&ntoskrnl.RtlInitUnicodeString>]
00780387 LEA EDX,DWORD PTR SS:[ESP]
0078038B PUSH EDX
0078038C LEA EAX,DWORD PTR SS:[ESP+8]
00780390 PUSH EAX
00780391 PUSH 20000
00780396 LEA ECX,DWORD PTR SS:[ESP+14]
0078039A PUSH ECX
0078039B CALL DWORD PTR DS:[<&ntoskrnl.IoGetDeviceObjectPointer>]
007803A1 TEST EAX,EAX
007803A3 JL SHORT lirsgt.007803BD
007803A5 MOV EDX,DWORD PTR SS:[ESP] ; stub_device
007803A9 MOV EAX,DWORD PTR DS:[EDX+28] ; _DEVICE_OBJECT.Timer
007803AC MOV ECX,DWORD PTR SS:[ESP+34] ; arg1
007803B0 MOV DWORD PTR DS:[ECX+30],EAX
007803B3 MOV ECX,DWORD PTR SS:[ESP+4]
007803B7 CALL DWORD PTR DS:[<&ntoskrnl.ObfDereferenceObject>]
007803BD MOV EAX,DWORD PTR SS:[ESP+38]
007803C1 MOV WORD PTR DS:[EAX],5 ; arg2 == NULL *boom*
007803C6 MOV WORD PTR DS:[EAX+2],5
007803CC MOV BYTE PTR DS:[EAX+4],2
007803D0 ADD ESP,30
007803D3 RETN 8
--- snip ---
The problem here is the caller supplying NULL arg2 (ptr) to this function.
Looking at the caller:
--- snip ---
...
007829B3 PUSH 20 ; Priority
007829B5 PUSH 0 ; BugCheckOnFailure
007829B7 PUSH 0 ; BaseAddress
007829B9 PUSH 1 ; CacheType
007829BB PUSH 0 ; AccessMode
007829BD PUSH EAX ; MemoryDescriptorList
007829BE CALL DWORD PTR DS:[<&ntoskrnl.MmMapLockedPagesSpecifyCache>]
007829C4 PUSH EAX ; arg2 -> address of mapped pages
007829C5 PUSH ESI ; arg1
007829C6 CALL lirsgt.00780300 ; see above snippet
007829CB JMP lirsgt.00783F5E
...
--- snip ---
arg2 == NULL -> bug 37355 ("Multiple software protection schemes need ntoskrnl
'MmMapLockedPagesSpecifyCache' implementation (Tages Protection v5.x,
BattleEye's 'bedaisy.sys')")
$ wine --version
wine-3.5-91-g3263d51a1f
Regards
*** This bug has been marked as a duplicate of bug 37355 ***
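As an added illustration that is not code from the report, from Wine or from the driver: a C reading of the two disassembly snippets above, with ntoskrnl stand-ins that mimic the Wine behaviour quoted in the trace (NULL file object, NULL mapping). Structure layouts and all names are assumed; only the offsets the driver actually touches are modelled.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed minimal models of the structures the disassembly touches; only the
 * fields at the offsets the driver reads or writes are modelled. */
typedef struct { uint8_t pad[0x28]; void *Timer; } DEVICE_OBJECT;    /* [EDX+28] */
typedef struct { uint8_t pad[0x30]; void *Timer; } DRIVER_CTX;       /* arg1, [ECX+30] */
typedef struct { uint16_t w0; uint16_t w2; uint8_t b4; } MAPPED_HDR; /* arg2: +0, +2, +4 */

/* ntoskrnl stand-ins modelled on the Wine behaviour quoted in the report. */
static DEVICE_OBJECT stub_device;                  /* Wine's static stub_device */
static int IoGetDeviceObjectPointer_stub(void **file, DEVICE_OBJECT **device)
{
    *file = NULL;                                  /* no file object, as in the trace */
    *device = &stub_device;
    return 0;                                      /* STATUS_SUCCESS */
}
static void ObfDereferenceObject_stub(void *obj) { (void)obj; }  /* tolerates NULL */
/* Wine at the time of the report: the mapping call returns NULL. */
static void *MmMapLockedPagesSpecifyCache_asReported(void *mdl) { (void)mdl; return NULL; }
/* Constructed stand-in for a working implementation: returns real memory. */
static MAPPED_HDR fake_pages;
static void *MmMapLockedPagesSpecifyCache_working(void *mdl) { (void)mdl; return &fake_pages; }

/* C reading of lirsgt.00780300: copies DEVICE_OBJECT.Timer into arg1, then
 * unconditionally writes a small header through arg2 (007803C1 onwards). */
static void lirsgt_00780300(DRIVER_CTX *arg1, MAPPED_HDR *arg2)
{
    void *file;
    DEVICE_OBJECT *dev;
    if (IoGetDeviceObjectPointer_stub(&file, &dev) >= 0) {  /* JL skips on failure */
        arg1->Timer = dev->Timer;
        ObfDereferenceObject_stub(file);
    }
    arg2->w0 = 5;   /* 007803C1: page fault on write when arg2 == NULL */
    arg2->w2 = 5;
    arg2->b4 = 2;
}

/* The caller at 007829B3 feeds the mapping result straight into the helper.
 * This version adds the NULL check the shipped code lacks and returns -1
 * where the original would raise c0000005. */
static int map_and_init(DRIVER_CTX *ctx, void *mdl, void *(*map)(void *))
{
    MAPPED_HDR *hdr = map(mdl);
    if (hdr == NULL)
        return -1;
    lirsgt_00780300(ctx, hdr);
    return 0;
}
```

With the stub mapping the checked caller reports failure instead of faulting; with a working mapping the helper runs as the disassembly describes and the header bytes 5, 5, 2 land in the mapped region.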