[Bug 45656] New: Acronis Storage Filter Management Driver 'fltsrv.sys' crashes on unimplemented function 'ntoskrnl.exe.KeBugCheckEx' in 'CrashOnError' mode

wine-bugs at winehq.org
Fri Aug 17 04:23:07 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45656

            Bug ID: 45656
           Summary: Acronis Storage Filter Management Driver 'fltsrv.sys'
                    crashes on unimplemented function
                    'ntoskrnl.exe.KeBugCheckEx' in 'CrashOnError' mode
           Product: Wine
           Version: 3.13
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says.

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+reg wineboot >>log.txt 2>&1
...
0028:Call ntoskrnl.exe.RtlInitUnicodeString(0065fb3c,00792420 L"CrashOnError")
ret=007858d1
0028:Call ntdll.RtlInitUnicodeString(0065fb3c,00792420 L"CrashOnError")
ret=7bc813a3
0028:Ret  ntdll.RtlInitUnicodeString() retval=0065fb3c ret=7bc813a3
0028:Ret  ntoskrnl.exe.RtlInitUnicodeString() retval=0065fb3c ret=007858d1
0028:Call ntoskrnl.exe.ZwOpenKey(0065fa94,00000001,0065fa6c) ret=00790c21
0028:Call ntdll.NtOpenKey(0065fa94,00000001,0065fa6c) ret=7bc813a3
0028:trace:reg:open_key
((nil),L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\fltsrv\\Parameters",1,0x65fa94)
0028:trace:reg:open_key <- 0x44
0028:Ret  ntdll.NtOpenKey() retval=00000000 ret=7bc813a3
0028:Ret  ntoskrnl.exe.ZwOpenKey() retval=00000000 ret=00790c21
0028:Call
ntoskrnl.exe.ZwQueryValueKey(00000044,0065fa28,00000002,0065fa5c,00000014,0065fa30)
ret=00790c86
0028:Call
ntdll.NtQueryValueKey(00000044,0065fa28,00000002,0065fa5c,00000014,0065fa30)
ret=7bc813a3
0028:trace:reg:NtQueryValueKey (0x44,L"CrashOnError",2,0x65fa5c,20)
0028:Ret  ntdll.NtQueryValueKey() retval=00000000 ret=7bc813a3
0028:Ret  ntoskrnl.exe.ZwQueryValueKey() retval=00000000 ret=00790c86
0028:Call ntoskrnl.exe.ZwClose(00000044) ret=00790b84
0028:Call ntdll.NtClose(00000044) ret=7bc813a3
0028:Ret  ntdll.NtClose() retval=00000000 ret=7bc813a3
0028:Ret  ntoskrnl.exe.ZwClose() retval=00000000 ret=00790b84 
...
0028:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x155a74, 0, 0, 0, (nil)
0028:Ret  ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=00785cf4
0028:Call ntoskrnl.exe.DbgQueryDebugFilterState(0000004d,00000000) ret=007861db
0028:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d (nil)
0028:Ret  ntoskrnl.exe.DbgQueryDebugFilterState() retval=c0000002 ret=007861db
0028:Call ntoskrnl.exe.vDbgPrintExWithPrefix(00797194 "[fltsrv]
",0000004d,00000000,0079148a "Expression '%s' failed with status 0x%x, Source
File: %s, line %ld\n",0065fa68) ret=00786228
0028:Call ntdll.vDbgPrintExWithPrefix(00797194 "[fltsrv]
",0000004d,00000000,0079148a "Expression '%s' failed with status 0x%x, Source
File: %s, line %ld\n",0065fa68) ret=7bc813a3
0028:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Expression 'LockWithStatus()'
failed with status 0xc0000002, Source File: threading\mutex.cpp, line 32
0028:Ret  ntdll.vDbgPrintExWithPrefix() retval=00000000 ret=7bc813a3
0028:Ret  ntoskrnl.exe.vDbgPrintExWithPrefix() retval=00000000 ret=00786228
0028:Call KERNEL32.RaiseException(80000100,00000001,00000002,0065f9e8)
ret=7e98b3d7
0028:trace:seh:raise_exception code=80000100 flags=1 addr=0x7b44733b
ip=7b44733b tid=0028
0028:trace:seh:raise_exception  info[0]=7e98b400
0028:trace:seh:raise_exception  info[1]=7e98d8d5
wine: Call from 0x7b44733b to unimplemented function ntoskrnl.exe.KeBugCheckEx,
aborting
0028:trace:seh:call_vectored_handlers calling handler at 0x7e982845
code=80000100 flags=1
0028:trace:seh:call_vectored_handlers handler at 0x7e982845 returned 0
0028:trace:seh:call_stack_handlers calling handler at 0x7bcb3a74 code=80000100
flags=1
0028:Call KERNEL32.UnhandledExceptionFilter(0065f494) ret=7bcb3aaf
wine: Unimplemented function ntoskrnl.exe.KeBugCheckEx called at address
0x7b44733b (thread 0028), starting debugger... 
--- snip ---

One has to explicitly enable "crash mode" by adding the following registry key:

--- snip ---
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fltsrv\Parameters]
"CrashOnError"=dword:00000001
--- snip ---

Source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl.exe.spec#l519

--- snip ---
 519 @ stub KeBugCheckEx
--- snip ---

Microsoft docs:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-kebugcheckex

--- snip ---
NTKERNELAPI DECLSPEC_NORETURN VOID KeBugCheckEx(
  ULONG     BugCheckCode,
  ULONG_PTR BugCheckParameter1,
  ULONG_PTR BugCheckParameter2,
  ULONG_PTR BugCheckParameter3,
  ULONG_PTR BugCheckParameter4
);
--- snip ---

One could argue that the (default) unimplemented stub behaviour already does
the right thing, causing the hosting process to crash/terminate. The bugcheck
codes are lost though (stack dump not deep enough).
Alternatively add a stub, ERR() bugcheck codes and terminate the driver hosting
process or still trigger a crash which invokes crash handler (default
'winedbg').

I'm also fine if the decision is to leave the current behaviour.

Also referenced in:

* bug 41001 ("64-bit Core Temp 1.x kernel driver 'ALSysIO.sys' crashes on
unimplemented function ntoskrnl.exe.RtlUnwindEx") -> imports table
* bug 42744 ("Ninite don't installs apps") -> recycled/tainted WINEPREFIX

ProtectionID scan:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\windows\system32\drivers\fltsrv.sys
File Type : 32-Bit Driver (BAD checksum - won't load!), Good Checksum = 01ED8Bh
Size : 0123744 (01E360h) Byte(s)  | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT)
[TimeStamp] 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT) | PE Header | - |
Offset: 0x000000F0 | VA: 0x004000F0 | -
[TimeStamp] 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT) | DebugDirectory | -
| Offset: 0x000139B4 | VA: 0x004151B4 | -
-> File Appears to be Digitally Signed @ Offset 017A00h, size : 06960h / 026976
byte(s)
[LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64)
[!] Executable uses SEH Tables (/SAFESEH) (3 calculated 2 recorded... 1 invalid
addresses) 
[!]    * table may be compressed / encrypted *
[LoadConfig] CodeIntegrity -> Flags 0x5352 | Catalog 0x5344 (21316) | Catalog
Offset 0x1E431CED | Reserved 0x4EDC114E
[LoadConfig] GuardAddressTakenIatEntryTable 0x356CB182 | Count 0x821065B8
(2182112696)
[LoadConfig] GuardLongJumpTargetTable 0x1 | Count 0x325C3A4B (844905035)
[LoadConfig] HybridMetadataPointer 0x5C373232 | DynamicValueRelocTable
0x6E72656B
[LoadConfig] FailFastIndirectProc 0x775C6C65 | FailFastPointer 0x2E5C6E69
[LoadConfig] UnknownZero1 0x7074756F
[File Heuristics] -> Flag #1 : 00000100000001001101000000000100 (0x0404D004)
[Entrypoint Section Entropy] : 6.66 (section #0) ".text   " | Size : 0x13308
(78600) byte(s)
[DllCharacteristics] -> Flag : (0x0140) -> ASLR | DEP
[SectionCount] 6 (0x6) | ImageSize 0x1C000 (114688) byte(s)
[VersionInfo] Company Name : Acronis International GmbH
[VersionInfo] Product Name : Acronis Storage Filter Management
[VersionInfo] Product Version : 1.3.0.2227
[VersionInfo] File Description : Acronis Storage Filter Management Driver
[VersionInfo] File Version : 1.3.0.2227
[VersionInfo] Original FileName : fltsrv.sys
[VersionInfo] Internal Name : fltsrv
[VersionInfo] Version Comments : Acronis Storage Filter Management
[VersionInfo] Legal Trademarks : Acronis International GmbH. All rights
reserved.
[VersionInfo] Legal Copyrights : Copyright © Acronis International GmbH.
2002-2013.
[ModuleReport] [IAT] Modules -> ntoskrnl.exe | HAL.dll
[Debug Info] (record 1 of 1) (file offset 0x139B0)
Characteristics : 0x0 | TimeDateStamp : 0x5638DF2A (Tue 03rd Nov 2015 16:22:02
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x4C (76) 
AddressOfRawData : 0x166A4 | PointerToRawData : 0x14EA4
CvSig : 0x53445352 | SigGuid 1E431CED-114E-4EDC-82B16C35B8651082
Age : 0x1 (1) | Pdb : K:\2227\kernel\win\.output\Win32\Release\fltsrv.pdb
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.247 Second(s) [0000000F7h (247) tick(s)] [135 of 580 scan(s)
done]
--- snip ---

$ sha1sum ADD12_trial_en-US.exe 
da5cd4fb2b457b86bc9a76b0fafd96ceec5608e6e  ADD12_trial_en-US.exe

$ du -sh ADD12_trial_en-US.exe 
293M    ADD12_trial_en-US.exe

$ wine --version
wine-3.13-318-gccf6211c0a

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
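
Added example, not part of the original report and not Wine project code: a small triage script for a WINEDEBUG relay log like the one quoted above. It re-joins records split by the 80-column mail wrapping, then reports each "unimplemented function" abort together with the driver's last err: message, the stubs hit, and the registry values queried before it. The sample text is constructed from lines in the report; the function and field names are this example's own.

```python
import re

# Constructed sample: lines shaped like the trace in the report, including
# the mail wrapping that splits one record across two lines.
SAMPLE = r"""0028:Call ntoskrnl.exe.ZwOpenKey(0065fa94,00000001,0065fa6c) ret=00790c21
0028:trace:reg:NtQueryValueKey (0x44,L"CrashOnError",2,0x65fa5c,20)
0028:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x155a74, 0, 0, 0, (nil)
0028:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Expression 'LockWithStatus()'
failed with status 0xc0000002, Source File: threading\mutex.cpp, line 32
wine: Call from 0x7b44733b to unimplemented function ntoskrnl.exe.KeBugCheckEx,
aborting
"""

# A record starts with a 4-hex-digit thread id and ':' or with 'wine: '.
RECORD_START = re.compile(r"^(?:[0-9a-f]{4}:|wine: )")
UNIMPL = re.compile(r"^wine: Call from (0x[0-9a-f]+) to unimplemented "
                    r"function ([\w.]+)\.(\w+), aborting")
ERR = re.compile(r"^[0-9a-f]{4}:err:\w+:\w+ (.*)")
STUB = re.compile(r"^[0-9a-f]{4}:fixme:\w+:(\w+) stub")
REGVAL = re.compile(r'trace:reg:NtQueryValueKey \(0x[0-9a-f]+,L"([^"]+)"')

def join_wrapped(text):
    """Glue continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if line.strip() in ("", "...", "--- snip ---"):
            continue  # elision markers and blank lines carry no record
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return one finding per unimplemented-function abort, with context."""
    findings, errs, stubs, regvals = [], [], [], []
    for rec in join_wrapped(text):
        if m := ERR.match(rec):
            errs.append(m.group(1))
        elif m := STUB.match(rec):
            stubs.append(m.group(1))
        elif m := REGVAL.search(rec):
            regvals.append(m.group(1))
        elif m := UNIMPL.match(rec):
            findings.append({"caller": m.group(1), "module": m.group(2),
                             "function": m.group(3),
                             "last_error": errs[-1] if errs else None,
                             "stubs": list(stubs),
                             "registry_values": list(regvals)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```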

