[Bug 45561] New: Windows Sysinternals 'PsService' v2.x tool, part of 'PsTools' crashes when trying to query the service configuration (needs 'QueryServiceConfig2A/W' level 2 'SERVICE_CONFIG_FAILURE_ACTIONS')

wine-bugs at winehq.org
Fri Aug 3 07:02:16 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45561

            Bug ID: 45561
           Summary: Windows Sysinternals 'PsService' v2.x tool, part of
                    'PsTools' crashes when trying to query the service
                    configuration (needs 'QueryServiceConfig2A/W' level 2
                    'SERVICE_CONFIG_FAILURE_ACTIONS')
           Product: Wine
           Version: 3.13
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: advapi32
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/pstools

$ wine ./PsService /?

PsService v2.25 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

PsService lists or controls services on a local or remote system.

Usage: PsService.exe [\\Computer [-u Username [-p Password]]] <cmd> <optns>
Cmd is one of the following:
   query      Queries the status of a service
   config     Queries the configuration
   setconfig  Sets the configuration
   start      Starts a service
   stop       Stops a service
   restart    Stops and then restarts a service
   pause      Pauses a service
   cont       Continues a paused service
   depend     Enumerates the services that depend on the one specified
   find       Searches for an instance of a service on the network
   security   Reports the security permissions assigned to a service
Use the username and password to log into the remote computer in cases where
your account does not have permissions to perform the action you specify.

Omitting a command queries the active services on the specified computer.
Enter -? for help on a particular command.
Use option -nobanner to supress the startup banner and copyright message.
--- snip ---

--- snip ---
$ WINEDEBUG=+seh,+relay wine ./PsService.exe config >>log.txt 2>&1
...
00b3:Call ntdll.RtlAllocateHeap(00110000,00000000,0000001e) ret=00405f54
00b3:Ret  ntdll.RtlAllocateHeap() retval=0015cba8 ret=00405f54
00b3:Call advapi32.QueryServiceConfig2W(0015cb48,00000002,0015cba8,0000001e,0033fde4) ret=00402bf5
00b3:fixme:service:QueryServiceConfig2W Level 2 not implemented
00b3:Ret  advapi32.QueryServiceConfig2W() retval=00000000 ret=00402bf5
00b3:Call KERNEL32.GetLastError() ret=00408d44
00b3:Ret  KERNEL32.GetLastError() retval=0000007c ret=00408d44 
...
00b3:Call KERNEL32.WideCharToMultiByte(000004e4,00000000,0033f88c L"
",00000001,0033f8bc,00000005,00000000,0033f884) ret=00413d80
00b3:Ret  KERNEL32.WideCharToMultiByte() retval=00000001 ret=00413d80
00b3:trace:seh:raise_exception code=c0000005 flags=0 addr=0x40c5d0 ip=0040c5d0 tid=00b3
00b3:trace:seh:raise_exception  info[0]=00000000
00b3:trace:seh:raise_exception  info[1]=00530054
00b3:trace:seh:raise_exception  eax=00000000 ebx=00000000 ecx=00530054 edx=ffffffff esi=00530054 edi=7ffffffe
00b3:trace:seh:raise_exception  ebp=0033fd80 esp=0033f8ec cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
00b3:trace:seh:call_stack_handlers calling handler at 0x407640 code=c0000005 flags=0
00b3:trace:seh:call_stack_handlers handler at 0x407640 returned 1
00b3:trace:seh:call_stack_handlers calling handler at 0x407640 code=c0000005 flags=0
00b3:Call KERNEL32.GetLastError() ret=00408d44
00b3:Ret  KERNEL32.GetLastError() retval=0000007c ret=00408d44
00b3:trace:seh:call_stack_handlers handler at 0x407640 returned 1
00b3:trace:seh:call_stack_handlers calling handler at 0x7b48ffea code=c0000005 flags=0
wine: Unhandled page fault on read access to 0x00530054 at address 0x40c5d0 (thread 00b3), starting debugger...
00b3:trace:seh:start_debugger Starting debugger "winedbg --auto 178 92"
00b3:trace:seh:call_stack_handlers handler at 0x7b48ffea returned 1
Unhandled exception: page fault on read access to 0x00530054 in 32-bit code (0x0040c5d0).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:0040c5d0 ESP:0033f8ec EBP:0033fd80 EFLAGS:00010202(  R- --  I   - - - )
 EAX:00000000 EBX:00000000 ECX:00530054 EDX:ffffffff
 ESI:00530054 EDI:7ffffffe
...
Backtrace:
=>0 0x0040c5d0 in psservice (+0xc5d0) (0x0033fd80)
  1 0x004060cf in psservice (+0x60ce) (0x0033fdc4)
  2 0x00402c26 in psservice (+0x2c25) (0x0033fde8)
  3 0x00404b38 in psservice (+0x4b37) (0x0033fe10)
  4 0x00403cb0 in psservice (+0x3caf) (0x0033fe28)
  5 0x004056cf in psservice (+0x56ce) (0x0033fe68)
  6 0x00407ed5 in psservice (+0x7ed4) (0x0033feb0)
  7 0x7b46dbfe call_process_entry+0x11() in kernel32 (0x0033fec8)
  8 0x7b46dd37 start_process+0x12c() [/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:1101] in kernel32 (0x0033ffd8)
  9 0x7b46dc0a start_process_wrapper+0x9() in kernel32 (0x0033ffec)
0x0040c5d0: cmpw    %ax,0x0(%ecx)
Modules:
Module    Address            Debug info    Name (102 modules)
PE      400000-  430000    Export          psservice
ELF    7b400000-7b7f4000    Dwarf           kernel32<elf>
  \-PE    7b420000-7b7f4000    \               kernel32
ELF    7bc00000-7bd10000    Deferred        ntdll<elf>
  \-PE    7bc30000-7bd10000    \               ntdll
ELF    7c000000-7c004000    Deferred        <wine-loader>
...
Threads:
process  tid      prio (all id:s are in hex)
...
000000b2 (D) C:\Program Files\pstools\PsService.exe
    000000b3    0 <== 
--- snip ---

Debugger/disassembly:

--- snip ---
...
00402BE1  ADD ESP,4
00402BE4  MOV ESI,EAX
00402BE6  LEA EAX,[LOCAL.1]
00402BE9  PUSH EAX
00402BEA  PUSH EDI
00402BEB  PUSH ESI
00402BEC  PUSH 2                     ; SERVICE_CONFIG_FAILURE_ACTIONS
00402BEE  PUSH EBX
00402BEF  CALL DWORD PTR DS:[42CBE4] ; advapi32.QueryServiceConfig2W
00402BF5  CMP DWORD PTR DS:[ESI+0C],0
00402BF9  JE 00402C86
00402BFF  MOV EAX,DWORD PTR DS:[ESI+4]
00402C02  TEST EAX,EAX
00402C04  JZ SHORT 00402C14
00402C06  PUSH EAX
00402C07  PUSH OFFSET 00422884       ; "    REBOOT_MESSAGE      : %s"
00402C0C  CALL 00406061
00402C11  ADD ESP,8
00402C14  MOV EAX,DWORD PTR DS:[ESI+8]
00402C17  TEST EAX,EAX
00402C19  JZ SHORT 00402C29
00402C1B  PUSH EAX
00402C1C  PUSH OFFSET 004228B4       ; "    COMMAND      : %s"
00402C21  CALL 00406061
00402C26  ADD ESP,8
...
0040C5CF  |/DEC EDI
0040C5D0  ||CMP WORD PTR DS:[ECX],AX
0040C5D3  ||JE SHORT 0040C5DC
0040C5D5  ||ADD ECX,2
0040C5D8  ||TEST EDI,EDI
0040C5DA  |\JNZ SHORT 0040C5CF
...
--- snip ---

https://docs.microsoft.com/en-us/windows/desktop/api/winsvc/ns-winsvc-_service_failure_actionsa

--- snip ---
typedef struct _SERVICE_FAILURE_ACTIONSA {
  DWORD     dwResetPeriod;
  LPSTR     lpRebootMsg;
  LPSTR     lpCommand;
  } SERVICE_FAILURE_ACTIONSA, *LPSERVICE_FAILURE_ACTIONSA;
--- snip ---

Buffer passed (left untouched due to stub)

--- snip ---
$-8     00000030  0
$-4     12455355  USE
$ ==>   001100D8         ; dwResetPeriod
$+4     001100C8         ; lpRebootMsg
$+8     00530054         ; lpCommand -> access *boom*
$+C     00530020 
$+10    00000011  
$+14    45455246  FREE
--- snip ---

It's questionable why the app doesn't check for failure and tries to access the
struct members straight away.

The poor man's solution would be just to return an initialized
'_SERVICE_FAILURE_ACTIONS' structure, with strings being empty.
This way the app(s) don't crash when trying to access the strings.

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/advapi32/service.c#l1630

--- snip ---
1630 BOOL WINAPI QueryServiceConfig2W(SC_HANDLE hService, DWORD dwLevel, LPBYTE buffer,
1631                                  DWORD size, LPDWORD needed)
1632 {
1633     BYTE *bufptr;
1634     DWORD err;
1635 
1636     TRACE("%p %u %p %u %p\n", hService, dwLevel, buffer, size, needed);
1637 
1638     if (!buffer && size)
1639     {
1640         SetLastError(ERROR_INVALID_ADDRESS);
1641         return FALSE;
1642     }
1643 
1644     switch (dwLevel)
1645     {
1646     case SERVICE_CONFIG_DESCRIPTION:
1647         if (!(bufptr = heap_alloc( size )))
1648         {
1649             SetLastError( ERROR_NOT_ENOUGH_MEMORY );
1650             return FALSE;
1651         }
1652         break;
1653 
1654     case SERVICE_CONFIG_PRESHUTDOWN_INFO:
1655         bufptr = buffer;
1656         break;
1657 
1658     default:
1659         FIXME("Level %d not implemented\n", dwLevel);
1660         SetLastError(ERROR_INVALID_LEVEL);
1661         return FALSE;
1662     }
...
--- snip ---

$ sha1sum PSTools.zip 
1e562ff2bae38856f8dcf3f939cdbe8e1bf6ccf3  PSTools.zip

$ du -sh PSTools.zip 
2.8M    PSTools.zip

$ wine --version
wine-3.13

Regards
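An added example, not taken from the report or from Wine's source, that models the suggested level-2 stub in portable C and pairs it with the return-value check PsService skips at 00402BF5. The Win32 types, the error codes and the function names are stand-ins chosen for this example; the struct follows the fields shown in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the Win32 types so the example builds outside Windows (assumption). */
typedef uint32_t DWORD;
typedef uint16_t WCHAR;
typedef WCHAR *LPWSTR;
typedef uint8_t *LPBYTE;

/* Modelled on the struct quoted in the report; the real Windows struct also
 * carries cActions and lpsaActions, which this example leaves out. */
typedef struct {
    DWORD  dwResetPeriod;
    LPWSTR lpRebootMsg;
    LPWSTR lpCommand;
} SERVICE_FAILURE_ACTIONSW;

enum { ERROR_SUCCESS = 0, ERROR_INSUFFICIENT_BUFFER = 122 };

/* Model of the "poor man's" stub: zero the struct and point both strings at
 * empty L"" terminators placed in the caller's buffer right after the struct
 * (the usual Win32 layout), so an app that ignores the result reads "" rather
 * than stale heap contents such as the 0x00530054 seen in the dump.  'needed'
 * is always written so a caller can retry with a large enough buffer. */
static DWORD stub_failure_actions(LPBYTE buffer, DWORD size, DWORD *needed)
{
    const DWORD want = sizeof(SERVICE_FAILURE_ACTIONSW) + 2 * sizeof(WCHAR);
    *needed = want;
    if (!buffer || size < want)
        return ERROR_INSUFFICIENT_BUFFER;

    SERVICE_FAILURE_ACTIONSW *fa = (SERVICE_FAILURE_ACTIONSW *)buffer;
    WCHAR *strings = (WCHAR *)(buffer + sizeof(*fa));
    memset(buffer, 0, want);            /* zero the struct and both terminators */
    fa->lpRebootMsg = &strings[0];      /* L"" */
    fa->lpCommand   = &strings[1];      /* L"" */
    return ERROR_SUCCESS;
}

/* Defensive caller: only touch the struct after the call reports success.
 * Returns the length of lpCommand, or -1 when the buffer must not be trusted. */
static int checked_command_length(LPBYTE buffer, DWORD size)
{
    DWORD needed = 0;
    if (stub_failure_actions(buffer, size, &needed) != ERROR_SUCCESS)
        return -1;
    const SERVICE_FAILURE_ACTIONSW *fa = (const SERVICE_FAILURE_ACTIONSW *)buffer;
    int len = 0;
    for (const WCHAR *p = fa->lpCommand; p && *p; ++p) ++len;
    return len;
}
```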
