[Bug 45743] New: Firefox crashes on startup due to missing pipe server object type information (needed for Gecko's HandleDispatcher::DuplicateHandleProxy)

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Aug 31 06:45:09 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45743

            Bug ID: 45743
           Summary: Firefox crashes on startup due to missing pipe server
                    object type information (needed for Gecko's
                    HandleDispatcher::DuplicateHandleProxy)
           Product: Wine
           Version: 3.14
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: wineserver
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/Mozilla Firefox

$ WINEDEBUG=+pid,+seh,+loaddll,+process,+relay,+ntdll,+server wine
./firefox.exe >>log.txt 2>&1
...
0008:0055:Starting thread proc 0x7bca4d0b (arg=0x2cb4a980)
...
0008:0055:Call KERNEL32.GetProcAddress(7bc30000,00427c48 "NtQueryObject")
ret=004232be
0008:0055:Ret  KERNEL32.GetProcAddress() retval=7bc37154 ret=004232be
0008:0055:Call
KERNEL32.DuplicateHandle(00000328,000000f0,ffffffff,3030fb70,00000000,00000000,00000002)
ret=0041444c
0008:0055:Ret  KERNEL32.DuplicateHandle() retval=00000001 ret=0041444c
0008:0055:Call KERNEL32.GetLastError() ret=0040ba5d
0008:0055:Ret  KERNEL32.GetLastError() retval=00000000 ret=0040ba5d
0008:0055:Call
ntdll.NtQueryObject(000003f8,00000002,3030fb90,0000009e,3030fb6c) ret=0041449f
0008:0055:trace:ntdll:NtQueryObject
(0x3f8,0x00000002,0x3030fb90,0x0000009e,0x3030fb6c)
0008:0055:Ret  ntdll.NtQueryObject() retval=00000000 ret=0041449f
0008:0055:Call ntdll.wcslen(3030fbf0 L"Section") ret=0041673c
0008:0055:Ret  ntdll.wcslen() retval=00000007 ret=0041673c
0008:0055:Call ntdll.wcslen(3030fbf0 L"Section") ret=0041673c
0008:0055:Ret  ntdll.wcslen() retval=00000007 ret=0041673c
0008:0055:Call ntdll.RtlCompareUnicodeString(3030fa9c,3030faac,00000001)
ret=004167bb
0008:0055:Ret  ntdll.RtlCompareUnicodeString() retval=00000000 ret=004167bb
0008:0055:Call
KERNEL32.DuplicateHandle(ffffffff,000003f8,ffffffff,3030fc8c,000f0006,00000000,00000000)
ret=0041481f
0008:0055:Ret  KERNEL32.DuplicateHandle() retval=00000001 ret=0041481f
0008:0055:Call KERNEL32.CloseHandle(000003f8) ret=0040177b
0008:0055:Ret  KERNEL32.CloseHandle() retval=00000001 ret=0040177b
0008:0055:Call ucrtbase.memset(2d07e1a0,000000e5,000000a0) ret=1000603f
0008:0055:Ret  ucrtbase.memset() retval=2d07e1a0 ret=1000603f
0008:0055:Call KERNEL32.SetEvent(00000338) ret=00420f64
0008:0055:Ret  KERNEL32.SetEvent() retval=00000001 ret=00420f64
0008:0055:Call ucrtbase.memset(3030fd24,00000000,00000034) ret=00420f32
0008:0055:Ret  ucrtbase.memset() retval=3030fd24 ret=00420f32
0008:0055:Call ucrtbase.memcpy(30e843e0,2cff0094,00000098) ret=00410459
0008:0055:Ret  ucrtbase.memcpy() retval=30e843e0 ret=00410459
0008:0055:Call ucrtbase.memset(3030fc74,00000000,0000003c) ret=00420bfb
0008:0055:Ret  ucrtbase.memset() retval=3030fc74 ret=00420bfb
0008:0055:Call ucrtbase.memcmp(00428b6c,3030fcb0,00000028) ret=00422697
0008:0055:Ret  ucrtbase.memcmp() retval=ffffffff ret=00422697
0008:0055:Call ucrtbase.memcmp(00428b94,3030fcb0,00000028) ret=004226ab
0008:0055:Ret  ucrtbase.memcmp() retval=ffffffff ret=004226ab
0008:0055:Call ucrtbase.memcmp(2ff07370,3030fcb0,00000028) ret=004106ca
0008:0055:Ret  ucrtbase.memcmp() retval=00000000 ret=004106ca
0008:0055:Call
KERNEL32.DuplicateHandle(00000328,00000170,ffffffff,3030fb70,00000000,00000000,00000002)
ret=0041444c
0008:0055:Ret  KERNEL32.DuplicateHandle() retval=00000001 ret=0041444c
0008:0055:Call KERNEL32.GetLastError() ret=0040ba5d
0008:0055:Ret  KERNEL32.GetLastError() retval=00000000 ret=0040ba5d
0008:0055:Call
ntdll.NtQueryObject(00000408,00000002,3030fb90,0000009e,3030fb6c) ret=0041449f
0008:0055:trace:ntdll:NtQueryObject
(0x408,0x00000002,0x3030fb90,0x0000009e,0x3030fb6c)
0008:0055:Ret  ntdll.NtQueryObject() retval=00000000 ret=0041449f
0008:0055:trace:seh:raise_exception code=c0000005 flags=0 addr=0x4144ba
ip=004144ba tid=0055
0008:0055:trace:seh:raise_exception  info[0]=00000001
0008:0055:trace:seh:raise_exception  info[1]=00000000
0008:0055:trace:seh:raise_exception  eax=00000000 ebx=00000000 ecx=00000000
edx=00000000 esi=3030fc74 edi=00000002
0008:0055:trace:seh:raise_exception  ebp=3030fc34 esp=3030fb58 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
0008:0055:trace:seh:call_vectored_handlers calling handler at 0x16d95c3
code=c0000005 flags=0
0008:0055:trace:seh:call_vectored_handlers handler at 0x16d95c3 returned 0
0008:0055:trace:seh:call_stack_handlers calling handler at 0x7bcb3bc4
code=c0000005 flags=0
0008:0055:Call KERNEL32.UnhandledExceptionFilter(3030f654) ret=7bcb3bff
...
--- snip ---

Tracing the handle back across multiple dupes:

--- snip ---
...
0008:002c:Call advapi32.CreateProcessAsUserW(0000031c,2f832a50 L"C:\\Program
Files (x86)\\Mozilla Firefox\\firefox.exe",2fae7800 L"\"C:\\Program Files
(x86)\\Mozilla Firefox\\firefox.exe\" -contentproc
--channel=\"8.0.218090689\\870550889\" -childID 1 -isForBrowser -prefsHandle
756 -prefsLen 5527 -schedulerPrefs 0001,2 -greomni \"C:\\Program Files
(x86)\\Mozilla Firefox\\omni.ja\" -appomni \"C:\\Program Files (x86)\\Mozilla
Fire"...,00000000,00000000,00000001,0108040c,3041c020,00000000,09c2f0b0,09c2ef94)
ret=00422051 
...
002c: new_process( inherit_all=1, create_flags=0108040c, socket_fd=194,
exe_file=0318, process_access=001fffff, process_attr=00000000,
thread_access=001fffff, thread_attr=00000000, cpu=x86, info_size=1482, ...
002c: new_process() = 0 { info=0320, pid=0056, phandle=0328, tid=0057,
thandle=032c } 
...
0056:0057:Call KERNEL32.CreateNamedPipeW(010acf40
L"\\\\.\\pipe\\chrome.86.0.22204864",40080003,00000000,00000001,00001000,00001000,00001388,00000000)
ret=023d5c1f
0056:0057:trace:ntdll:NtCreateNamedPipeFile (0x33d6dc c0180000
L"\\??\\pipe\\chrome.86.0.22204864" 0x33d6b4 3 5 0 0 0 0 1 4096 4096 0x33d6a8)
0057: create_named_pipe( access=c0180000, options=00000000, sharing=00000003,
maxinstances=00000001, outsize=00001000, insize=00001000, timeout=+5.0000000,
flags=00000000,
objattr={rootdir=0000,attributes=00000040,sd={},name=L"\\??\\pipe\\chrome.86.0.22204864"}
)
0057: create_named_pipe() = 0 { handle=0164 }
...
0057: dup_handle( src_process=ffffffff, src_handle=0164, dst_process=ffffffff,
access=00000000, attributes=00000000, options=00000002 )
0057: dup_handle() = 0 { handle=0168, self=1, closed=0 }
...
0057: dup_handle( src_process=ffffffff, src_handle=0168, dst_process=ffffffff,
access=00000000, attributes=00000000, options=00000002 )
0057: dup_handle() = 0 { handle=0170, self=1, closed=0 }
....
0008:0055:Call
KERNEL32.DuplicateHandle(00000328,00000170,ffffffff,3030fb70,00000000,00000000,00000002)
ret=0041444c
0055: dup_handle( src_process=0328, src_handle=0170, dst_process=ffffffff,
access=00000000, attributes=00000000, options=00000002 )
0055: dup_handle() = 0 { handle=0408, self=0, closed=0 }
0008:0055:Ret  KERNEL32.DuplicateHandle() retval=00000001 ret=0041444c 
...
0008:0055:Call
ntdll.NtQueryObject(00000408,00000002,3030fb90,0000009e,3030fb6c) ret=0041449f
0008:0055:trace:ntdll:NtQueryObject
(0x408,0x00000002,0x3030fb90,0x0000009e,0x3030fb6c)
0055: get_object_type( handle=0408 )
0055: get_object_type() = 0 { total=0, type=L"" }
0008:0055:Ret  ntdll.NtQueryObject() retval=00000000 ret=0041449f 
--- snip ---

Wineserver debug session:

--- snip ---
...
(gdb) b no_get_type
Breakpoint 1 at 0x42c1a2: file
/home/focht/projects/wine/mainline-src/server/object.c, line 499.

(gdb) c
Continuing.

Breakpoint 1, no_get_type (obj=0x269c3e0) at
/home/focht/projects/wine/mainline-src/server/object.c:499
499        return NULL;
(gdb) bt
#0  no_get_type (obj=0x269c3e0) at
/home/focht/projects/wine/mainline-src/server/object.c:499
#1  0x0000000000415d55 in req_get_object_type (req=0x2692170,
reply=0x7fff998dce50) at
/home/focht/projects/wine/mainline-src/server/directory.c:524
#2  0x0000000000445c6d in call_req_handler (thread=0x2692020) at
/home/focht/projects/wine/mainline-src/server/request.c:303
#3  0x0000000000445e02 in read_request (thread=0x2692020) at
/home/focht/projects/wine/mainline-src/server/request.c:337
#4  0x000000000044e264 in thread_poll_event (fd=0x2692250, event=1) at
/home/focht/projects/wine/mainline-src/server/thread.c:272
#5  0x0000000000417188 in fd_poll_event (fd=0x2692250, event=1) at
/home/focht/projects/wine/mainline-src/server/fd.c:457
#6  0x000000000041756a in main_loop_epoll () at
/home/focht/projects/wine/mainline-src/server/fd.c:552
#7  0x0000000000417b80 in main_loop () at
/home/focht/projects/wine/mainline-src/server/fd.c:897
#8  0x0000000000423b73 in main (argc=3, argv=0x7fff998dd688) at
/home/focht/projects/wine/mainline-src/server/main.c:148

(gdb) p *req
$10 = {__header = {req = 256, request_size = 0, reply_size = 62}, handle =
1032}

(gdb) p *obj
$9 = {refcount = 4, handle_count = 3, ops = 0x47ee80 <pipe_server_ops>,
wait_queue = {next = 0x269c3f0, prev = 0x269c3f0}, name = 0x0, sd = 0x0,
obj_list = {next = 0x26a3620, prev = 0x26a8090}}
--- snip ---

I found the involved source code here:

https://github.com/mozilla/gecko-dev/blob/HEAD/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc#L44

--- snip ---
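// Broker-side handler for the DuplicateHandleProxy IPC: takes a copy of the
// client's |source_handle| into this process, asks the kernel for the object's
// type name and lets the handle policy decide whether (and with which access)
// the handle may be duplicated into |target_process_id|.
//
// Returns false with ipc->return_info.win32_result or .nt_status set when the
// local duplication or the type query fails. Returns true once the policy has
// been evaluated; the policy's own outcome is left in ipc->return_info.
bool HandleDispatcher::DuplicateHandleProxy(IPCInfo* ipc,
                                            HANDLE source_handle,
                                            uint32_t target_process_id,
                                            uint32_t desired_access,
                                            uint32_t options) {
  static NtQueryObject QueryObject = NULL;
  if (!QueryObject)
    ResolveNTFunctionPtr("NtQueryObject", &QueryObject);

  // Get a copy of the handle for use in the broker process.
  HANDLE handle_temp;
  if (!::DuplicateHandle(ipc->client_info->process, source_handle,
                         ::GetCurrentProcess(), &handle_temp,
                         0, FALSE, DUPLICATE_SAME_ACCESS | options)) {
    ipc->return_info.win32_result = ::GetLastError();
    return false;
  }
  // If the caller asked for the source to be closed, the duplication above
  // already did that; the policy action below must not close it again.
  options &= ~DUPLICATE_CLOSE_SOURCE;
  base::win::ScopedHandle handle(handle_temp);

  // Get the object type (32 characters is safe; current max is 14).
  BYTE buffer[sizeof(OBJECT_TYPE_INFORMATION) + 32 * sizeof(wchar_t)];
  OBJECT_TYPE_INFORMATION* type_info =
      reinterpret_cast<OBJECT_TYPE_INFORMATION*>(buffer);
  // Keep one wchar_t of slack so the terminator written below always fits.
  ULONG size = sizeof(buffer) - sizeof(wchar_t);
  NTSTATUS error =
      QueryObject(handle.Get(), ObjectTypeInformation, type_info, size, &size);
  if (!NT_SUCCESS(error)) {
    ipc->return_info.nt_status = error;
    return false;
  }

  // Only trust the name if the query actually placed it inside |buffer|.
  // A "successful" query that leaves Name.Buffer NULL (or pointing outside
  // the buffer) must be rejected instead of dereferenced: storing the
  // terminator through a NULL Name.Buffer is a null-pointer write.
  const uintptr_t buffer_begin = reinterpret_cast<uintptr_t>(buffer);
  const uintptr_t buffer_end = buffer_begin + sizeof(buffer);
  const uintptr_t name_begin =
      reinterpret_cast<uintptr_t>(type_info->Name.Buffer);
  const size_t name_chars = type_info->Name.Length / sizeof(wchar_t);
  if (!type_info->Name.Buffer || name_begin < buffer_begin ||
      name_begin + (name_chars + 1) * sizeof(wchar_t) > buffer_end) {
    ipc->return_info.nt_status = STATUS_UNSUCCESSFUL;
    return false;
  }
  // Name is a counted UNICODE_STRING; the policy wants a NUL-terminated name.
  type_info->Name.Buffer[name_chars] = L'\0';

  CountedParameterSet<HandleTarget> params;
  params[HandleTarget::NAME] = ParamPickerMake(type_info->Name.Buffer);
  params[HandleTarget::TARGET] = ParamPickerMake(target_process_id);

  EvalResult eval = policy_base_->EvalPolicy(IPC_DUPLICATEHANDLEPROXY_TAG,
                                             params.GetBase());
  ipc->return_info.win32_result =
      HandlePolicy::DuplicateHandleProxyAction(eval, handle.Get(),
                                               target_process_id,
                                               &ipc->return_info.handle,
                                               desired_access, options);
  return true;
}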
--- snip ---

Used in several places:

https://github.com/mozilla/gecko-dev/search?q=DuplicateHandleProxy

Wine source:

https://source.winehq.org/git/wine.git/blob/d4e0f0a12fdca62fea49a635418d19eb0c0d72af:/server/named_pipe.c

--- snip ---
 static const struct object_ops pipe_server_ops =
 155 {
 156     sizeof(struct pipe_server),   /* size */
 157     pipe_server_dump,             /* dump */
 158     no_get_type,                  /* get_type */
 159     add_queue,                    /* add_queue */
...
--- snip ---

Although not strictly needed, it might be worth returning type names for these
too (touches the same file):

* pipe_client
* named_pipe

$ sha1sum Firefox\ Setup\ 61.0.2.exe 
cbda1b0eaf06486ac0dc8cd29df386d75dc1107c  Firefox Setup 61.0.2.exe

$ du -sh Firefox\ Setup\ 61.0.2.exe 
35M    Firefox Setup 61.0.2.exe

$ wine --version
wine-3.14-323-g6edf38c205

Regards



