[Bug 45561] New: Windows Sysinternals 'PsService' v2.x tool, part of 'PsTools' crashes when trying to query the service configuration (needs 'QueryServiceConfig2A/W' level 2 'SERVICE_CONFIG_FAILURE_ACTIONS')
wine-bugs at winehq.org
Fri Aug 3 07:02:16 CDT 2018
https://bugs.winehq.org/show_bug.cgi?id=45561
Bug ID: 45561
Summary: Windows Sysinternals 'PsService' v2.x tool, part of
'PsTools' crashes when trying to query the service
configuration (needs 'QueryServiceConfig2A/W' level 2
'SERVICE_CONFIG_FAILURE_ACTIONS')
Product: Wine
Version: 3.13
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: advapi32
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
as it says.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/pstools
$ wine ./PsService /?
PsService v2.25 - Service information and configuration utility
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
PsService lists or controls services on a local or remote system.
Usage: PsService.exe [\\Computer [-u Username [-p Password]]] <cmd> <optns>
Cmd is one of the following:
query Queries the status of a service
config Queries the configuration
setconfig Sets the configuration
start Starts a service
stop Stops a service
restart Stops and then restarts a service
pause Pauses a service
cont Continues a paused service
depend Enumerates the services that depend on the one specified
find Searches for an instance of a service on the network
security Reports the security permissions assigned to a service
Use the username and password to log into the remote computer in cases where
your account does not have permissions to perform the action you specify.
Omitting a command queries the active services on the specified computer.
Enter -? for help on a particular command.
Use option -nobanner to supress the startup banner and copyright message.
--- snip ---
--- snip ---
$ WINEDEBUG=+seh,+relay wine ./PsService.exe config >>log.txt 2>&1
...
00b3:Call ntdll.RtlAllocateHeap(00110000,00000000,0000001e) ret=00405f54
00b3:Ret ntdll.RtlAllocateHeap() retval=0015cba8 ret=00405f54
00b3:Call
advapi32.QueryServiceConfig2W(0015cb48,00000002,0015cba8,0000001e,0033fde4)
ret=00402bf5
00b3:fixme:service:QueryServiceConfig2W Level 2 not implemented
00b3:Ret advapi32.QueryServiceConfig2W() retval=00000000 ret=00402bf5
00b3:Call KERNEL32.GetLastError() ret=00408d44
00b3:Ret KERNEL32.GetLastError() retval=0000007c ret=00408d44
...
00b3:Call KERNEL32.WideCharToMultiByte(000004e4,00000000,0033f88c L"
",00000001,0033f8bc,00000005,00000000,0033f884) ret=00413d80
00b3:Ret KERNEL32.WideCharToMultiByte() retval=00000001 ret=00413d80
00b3:trace:seh:raise_exception code=c0000005 flags=0 addr=0x40c5d0 ip=0040c5d0
tid=00b3
00b3:trace:seh:raise_exception info[0]=00000000
00b3:trace:seh:raise_exception info[1]=00530054
00b3:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00530054
edx=ffffffff esi=00530054 edi=7ffffffe
00b3:trace:seh:raise_exception ebp=0033fd80 esp=0033f8ec cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010202
00b3:trace:seh:call_stack_handlers calling handler at 0x407640 code=c0000005
flags=0
00b3:trace:seh:call_stack_handlers handler at 0x407640 returned 1
00b3:trace:seh:call_stack_handlers calling handler at 0x407640 code=c0000005
flags=0
00b3:Call KERNEL32.GetLastError() ret=00408d44
00b3:Ret KERNEL32.GetLastError() retval=0000007c ret=00408d44
00b3:trace:seh:call_stack_handlers handler at 0x407640 returned 1
00b3:trace:seh:call_stack_handlers calling handler at 0x7b48ffea code=c0000005
flags=0
wine: Unhandled page fault on read access to 0x00530054 at address 0x40c5d0
(thread 00b3), starting debugger...
00b3:trace:seh:start_debugger Starting debugger "winedbg --auto 178 92"
00b3:trace:seh:call_stack_handlers handler at 0x7b48ffea returned 1
Unhandled exception: page fault on read access to 0x00530054 in 32-bit code
(0x0040c5d0).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
EIP:0040c5d0 ESP:0033f8ec EBP:0033fd80 EFLAGS:00010202( R- -- I - - - )
EAX:00000000 EBX:00000000 ECX:00530054 EDX:ffffffff
ESI:00530054 EDI:7ffffffe
...
Backtrace:
=>0 0x0040c5d0 in psservice (+0xc5d0) (0x0033fd80)
1 0x004060cf in psservice (+0x60ce) (0x0033fdc4)
2 0x00402c26 in psservice (+0x2c25) (0x0033fde8)
3 0x00404b38 in psservice (+0x4b37) (0x0033fe10)
4 0x00403cb0 in psservice (+0x3caf) (0x0033fe28)
5 0x004056cf in psservice (+0x56ce) (0x0033fe68)
6 0x00407ed5 in psservice (+0x7ed4) (0x0033feb0)
7 0x7b46dbfe call_process_entry+0x11() in kernel32 (0x0033fec8)
8 0x7b46dd37 start_process+0x12c()
[/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:1101] in
kernel32 (0x0033ffd8)
9 0x7b46dc0a start_process_wrapper+0x9() in kernel32 (0x0033ffec)
0x0040c5d0: cmpw %ax,0x0(%ecx)
Modules:
Module Address Debug info Name (102 modules)
PE 400000- 430000 Export psservice
ELF 7b400000-7b7f4000 Dwarf kernel32<elf>
\-PE 7b420000-7b7f4000 \ kernel32
ELF 7bc00000-7bd10000 Deferred ntdll<elf>
\-PE 7bc30000-7bd10000 \ ntdll
ELF 7c000000-7c004000 Deferred <wine-loader>
...
Threads:
process tid prio (all id:s are in hex)
...
000000b2 (D) C:\Program Files\pstools\PsService.exe
000000b3 0 <==
--- snip ---
Debugger/disassembly:
--- snip ---
...
00402BE1 ADD ESP,4
00402BE4 MOV ESI,EAX
00402BE6 LEA EAX,[LOCAL.1]
00402BE9 PUSH EAX
00402BEA PUSH EDI
00402BEB PUSH ESI
00402BEC PUSH 2 ; SERVICE_CONFIG_FAILURE_ACTIONS
00402BEE PUSH EBX
00402BEF CALL DWORD PTR DS:[42CBE4] ; advapi32.QueryServiceConfig2W
00402BF5 CMP DWORD PTR DS:[ESI+0C],0
00402BF9 JE 00402C86
00402BFF MOV EAX,DWORD PTR DS:[ESI+4]
00402C02 TEST EAX,EAX
00402C04 JZ SHORT 00402C14
00402C06 PUSH EAX
00402C07 PUSH OFFSET 00422884 ; " REBOOT_MESSAGE : %s"
00402C0C CALL 00406061
00402C11 ADD ESP,8
00402C14 MOV EAX,DWORD PTR DS:[ESI+8]
00402C17 TEST EAX,EAX
00402C19 JZ SHORT 00402C29
00402C1B PUSH EAX
00402C1C PUSH OFFSET 004228B4 ; " COMMAND : %s"
00402C21 CALL 00406061
00402C26 ADD ESP,8
...
0040C5CF |/DEC EDI
0040C5D0 ||CMP WORD PTR DS:[ECX],AX
0040C5D3 ||JE SHORT 0040C5DC
0040C5D5 ||ADD ECX,2
0040C5D8 ||TEST EDI,EDI
0040C5DA |\JNZ SHORT 0040C5CF
...
--- snip ---
https://docs.microsoft.com/en-us/windows/desktop/api/winsvc/ns-winsvc-_service_failure_actionsa
--- snip ---
typedef struct _SERVICE_FAILURE_ACTIONSA {
    DWORD     dwResetPeriod;
    LPSTR     lpRebootMsg;
    LPSTR     lpCommand;
    DWORD     cActions;      /* offset 0x0C, the field tested at 00402BF5 */
    SC_ACTION *lpsaActions;
} SERVICE_FAILURE_ACTIONSA, *LPSERVICE_FAILURE_ACTIONSA;
--- snip ---
Buffer passed (left untouched due to stub)
--- snip ---
$-8 00000030 0
$-4 12455355 USE
$ ==> 001100D8 ; dwResetPeriod
$+4 001100C8 ; lpRebootMsg
$+8 00530054 ; lpCommand -> access *boom*
$+C 00530020
$+10 00000011
$+14 45455246 FREE
--- snip ---
It's questionable why the app doesn't check for failure and tries to access the
struct members straight away.
The poor man's solution would be just to return an initialized
'_SERVICE_FAILURE_ACTIONS' structure, with strings being empty.
This way the app(s) don't crash while trying to access the strings.
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/advapi32/service.c#l1630
--- snip ---
BOOL WINAPI QueryServiceConfig2W(SC_HANDLE hService, DWORD dwLevel, LPBYTE buffer,
                                 DWORD size, LPDWORD needed)
{
    BYTE *bufptr;
    DWORD err;

    TRACE("%p %u %p %u %p\n", hService, dwLevel, buffer, size, needed);

    if (!buffer && size)
    {
        SetLastError(ERROR_INVALID_ADDRESS);
        return FALSE;
    }

    switch (dwLevel)
    {
    case SERVICE_CONFIG_DESCRIPTION:
        if (!(bufptr = heap_alloc( size )))
        {
            SetLastError( ERROR_NOT_ENOUGH_MEMORY );
            return FALSE;
        }
        break;

    case SERVICE_CONFIG_PRESHUTDOWN_INFO:
        bufptr = buffer;
        break;

    default:
        FIXME("Level %d not implemented\n", dwLevel);
        SetLastError(ERROR_INVALID_LEVEL);
        return FALSE;
    }
...
--- snip ---
$ sha1sum PSTools.zip
1e562ff2bae38856f8dcf3f939cdbe8e1bf6ccf3 PSTools.zip
$ du -sh PSTools.zip
2.8M PSTools.zip
$ wine --version
wine-3.13
Regards
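The failure mode in this report, as an added example that is not part of the original bug report or of Wine's source: a query that fails without touching the caller's buffer leaves stale memory in the structure, so a caller must check the return value before reading any member. The type `failure_actions` and the functions `query_stub`, `query_empty`, `read_command_checked` and `stale_after_call` are hypothetical portable stand-ins for the Windows API, and representing "empty strings" as NULL pointers with `cActions == 0` is an assumption.

```c
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for SERVICE_FAILURE_ACTIONSW (assumption: not the SDK header). */
typedef struct {
    uint32_t  dwResetPeriod;
    uint16_t *lpRebootMsg;
    uint16_t *lpCommand;
    uint32_t  cActions;
    void     *lpsaActions;
} failure_actions;

#define ERR_INVALID_LEVEL 124u /* 0x7c, the GetLastError() value in the trace */
uint32_t last_error;           /* stand-in for the thread's last-error value */
typedef int (*query_fn)(void *buf, uint32_t size, uint32_t *needed);

/* Stub behaviour from the report: fail and leave the caller's buffer untouched. */
int query_stub(void *buf, uint32_t size, uint32_t *needed) {
    (void)buf; (void)size; (void)needed;
    last_error = ERR_INVALID_LEVEL;
    return 0;
}

/* Suggested workaround: succeed with a zeroed structure (NULL strings, no actions). */
int query_empty(void *buf, uint32_t size, uint32_t *needed) {
    *needed = sizeof(failure_actions);
    if (size < sizeof(failure_actions)) { last_error = 122u; return 0; } /* ERROR_INSUFFICIENT_BUFFER */
    memset(buf, 0, sizeof(failure_actions));
    return 1;
}

/* 1 = command string may be read, 0 = nothing configured, -1 = query failed.
 * Members are inspected only after the return value has been checked. */
int read_command_checked(query_fn query) {
    failure_actions fa;
    uint32_t needed = 0;
    memset(&fa, 0xA5, sizeof fa); /* constructed stale memory, like the reused heap block */
    if (!query(&fa, sizeof fa, &needed)) return -1;
    return (fa.cActions != 0 && fa.lpCommand != NULL) ? 1 : 0;
}

/* 1 if the buffer still holds the stale pattern after the call, else 0. */
int stale_after_call(query_fn query) {
    unsigned char buf[sizeof(failure_actions)], ref[sizeof(failure_actions)];
    uint32_t needed = 0;
    memset(buf, 0xA5, sizeof buf);
    memset(ref, 0xA5, sizeof ref);
    query(buf, sizeof buf, &needed);
    return memcmp(buf, ref, sizeof buf) == 0;
}
```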