[Bug 46089] New: TopoEdit tool from Windows 10 SDK (10.0.17763.x) crashes in ntdll.LdrResolveDelayLoadedAPI during resolver failure ( NULL dll failure hook)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Nov 4 13:48:51 CST 2018 

https://bugs.winehq.org/show_bug.cgi?id=46089

            Bug ID: 46089
           Summary: TopoEdit tool from Windows 10 SDK (10.0.17763.x)
                    crashes in ntdll.LdrResolveDelayLoadedAPI during
                    resolver failure (NULL dll failure hook)
           Product: Wine
           Version: 3.19
          Hardware: aarch64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says.

Encountered while playing with some 64-bit ARM apps from Win10 SDK (running in
qemuarm64 machine). Most likely present with x86_64 Wine too.

Trace log:

--- snip ---
$ WINEDEBUG=+seh,+relay,+loaddll,+process,+module,+ntdll wine64 ./topoedit.exe
>>log.txt 2>&1
...
002b:Ret  PE DLL (proc=0x180035d70,module=0x180000000
L"tedutil.dll",reason=PROCESS_ATTACH,res=0x22fc48) retval=1
002b:trace:module:process_attach (L"tedutil.dll",0x22fc48) - END
002b:trace:module:process_attach (L"topoedit.exe",0x22fc48) - END
002b:Starting process
L"Z:\\home\\focht\\Downloads\\win10sdk_arm64\\arm64\\topoedit.exe"
(entryproc=0x14001ddb0) 
...
002b:Call KERNEL32.LoadLibraryExW(140020a08 L"TEDUTIL.dll",00000000,00000000)
ret=140012c64
...
002b:Ret  KERNEL32.LoadLibraryExW() retval=180000000 ret=140012c64
002b:Call
ntdll.LdrResolveDelayLoadedAPI(140000000,140022588,00000000,7b43da8c,140027010,00000000)
ret=14001e8fc
002b:fixme:module:LdrResolveDelayLoadedAPI (0x140000000, 0x140022588, (nil),
0x7b43da8c, 0x140027010, 0x00000000), partial stub
002b:trace:module:load_dll looking for
L"ext-ms-win-shell-comctl32-init-l1-1-0.dll" in
L"Z:\\home\\focht\\Downloads\\win10sdk_arm64\\arm64;C:\\windows\\system32;C:\\windows\\system;C:\\windows;.;C:\\windows\\system32;C:\\windows;C:\\windows\\system32\\wbem"
...
002b:trace:module:get_load_order looking for
L"ext-ms-win-shell-comctl32-init-l1-1-0.dll"
002b:trace:module:get_load_order got hardcoded default for
L"ext-ms-win-shell-comctl32-init-l1-1-0.dll"
002b:trace:module:load_builtin_dll Trying built-in
L"ext-ms-win-shell-comctl32-init-l1-1-0.dll"
002b:warn:module:load_builtin_dll cannot open .so lib for builtin
L"ext-ms-win-shell-comctl32-init-l1-1-0.dll":
/home/focht/projects/wine/mainline-install-aarch64/bin/../lib64/wine/ext-ms-win-shell-comctl32-init-l1-1-0.dll.so:
cannot open shared object file: No such file or directory
002b:warn:module:load_dll Failed to load module
L"ext-ms-win-shell-comctl32-init-l1-1-0.dll"; status=c0000135
002b:trace:seh:raise_exception  info[0]=0000000000000000
002b:trace:seh:raise_exception  info[1]=0000000000000000
002b:trace:seh:call_stack_handlers calling handler at 0x7b4d6330 code=c0000005
flags=0
002b:Call ntdll.NtCurrentTeb() ret=7b466c40
002b:Ret  ntdll.NtCurrentTeb() retval=7ffd8000 ret=7b466c40
002b:Call ntdll.NtCreateEvent(0022edf0,001f0003,0022edf8,00000000,00000000)
ret=7b466f00
002b:Ret  ntdll.NtCreateEvent() retval=00000000 ret=7b466f00
002b:Call ntdll.NtCurrentTeb() ret=7b4c5924
002b:Ret  ntdll.NtCurrentTeb() retval=7ffd8000 ret=7b4c5924
wine: Unhandled page fault on read access to 0x00000000 at address (nil)
(thread 002b), starting debugger... 
...
System information:
    Wine build: wine-3.19-117-g4852130c82
    Platform: arm64
    Version: Windows 8.1
    Host system: Linux
    Host version: 4.14.67-yocto-standard
--- snip ---

Running with debugger:

--- snip ---
Unhandled exception: page fault on read access to 0x00000000 in 64-bit code
(0x0000000000000000).
Register dump:
ARM64 EL0t Mode
 Pc:0000000000000000 Sp:000000000023f5d0 Lr:000000007bc891b4
Cpsr:60000000(-ZC-)
 x0: 0000000000000004 x1: 000000000023f6a0 x2: 0000000000000010 x3:
000000007bd0c200 x4: 000000000023f6a0
 x5: 0246490a4d1b1d40 x6: 401d1b4d0a494602 x7: 6e652e646c6e672e x8:
000000000023f6a0 x9: 0000000000000000
 x10:00000000c0000135 x11:000000000000267c x12:000000000000267c
x13:000000000002267c x14:0000000000000000
 x15:0000000000000008 ip0:000000000002267c ip1:0000000000000000
x18:000000007ffd8000 x19:0000000140000000
 x20:0000000000000001 x21:00000000002519be x22:0000000000000000
x23:000000014001f6f8 x24:0000000140025000
 x25:0000000140025000 x26:000000007b4eaf38 x27:000000007b4ee926
x28:000000007b4a2b60 Fp:000000000023f740
...
Backtrace:
=>0 0x0000000000000000 (0x000000000023f740)
  1 0x000000007bc891b4 LdrResolveDelayLoadedAPI+0x3c7(base=0x140000000,
desc=0x140022588, dllhook=(nil), syshook=0x7b494fa8, addr=0x140027010, flags=0)
[/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:2995] in ntdll
(0x000000000023f740)
  2 0x000000007bc891b4 LdrResolveDelayLoadedAPI+0x3c7(base=0x7b4a2b60,
desc=0x7b8252b8, dllhook=0x140000000, syshook=0x140022588, addr=(nil), flags=0)
[/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:2995] in ntdll
(0x000000000023f750)
  3 0x000000014001e8fc in topoedit (+0x1e8fb) (0x000000000023f820)
  4 0x0000000140012c90 in topoedit (+0x12c8f) (0x000000000023f820)
0x0000000000000000: -- no code accessible --

Wine-dbg>frame 1
2995        return dllhook(4, &delayinfo);

Wine-dbg>info locals
0x000000007bc891b3 LdrResolveDelayLoadedAPI+0x3c7: (0023f740)
    void* base=0x140000000 (parameter [fp-32])
    IMAGE_DELAYLOAD_DESCRIPTOR* desc=0x140022588 (parameter [fp-40])
    PDELAYLOAD_FAILURE_DLL_CALLBACK dllhook=(nil) (parameter [fp-48])
    void* syshook=0x7b494fa8 (parameter [fp-56])
    IMAGE_THUNK_DATA* addr=0x140027010 (parameter [fp-64])
    ULONG flags=0 (parameter [fp-68])
    IMAGE_THUNK_DATA* pIAT=0x140027010 (local [fp-80])
    IMAGE_THUNK_DATA* pINT=0x1400225d8 (local [fp-88])
    DELAYLOAD_INFO delayinfo={Size=0x48, DelayloadDescriptor=0x140022588,
ThunkAddress=0x140027010,
TargetDllName="ext-ms-win-shell-comctl32-init-l1-1-0.dll",
TargetApiDescriptor={ImportDescribedByName=0x1, Description={Name=*** invalid
address 0x267c ***, Ordinal=0x267c}}, TargetModuleBase=0x0(nil),
Unused=0x0(nil), LastError=0xc0000135} (local [fp-160])
    UNICODE_STRING mod={Length=0, MaximumLength=0, Buffer=0x0(nil)} (local
[fp-176])
    CHAR* name="ext-ms-win-shell-comctl32-init-l1-1-0.dll" (local [sp+184])
    HMODULE* phmod=0x140025858 (local [sp+176])
    NTSTATUS nts=0xc0000135 (local [sp+172])
    FARPROC fp=0x7bd0915d (local [sp+160])
    DWORD id=0 (local [sp+156])
--- snip ---

'ext-ms-win-shell-comctl32-init-l1-1-0.dll' doesn't exist as stub dll in Wine
hence the delay load failure. Wine's 'LdrResolveDelayLoadedAPI' implementation
unconditionally calls the dll provided failure hook without checking for NULL
pointer.

The system failure hook parameter is actually valid:

--- snip ---
Wine-dbg>disas 0x7b494fa8
0x000000007b494fa8 DelayLoadFailureHook
[/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:1220] in
kernel32: be_arm64_disasm_one_insn: not done
--- snip ---

I guess this one could be called in case the dll failure hook is not provided.

Wine source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntdll/loader.c#l2936

--- snip ---
2936 void* WINAPI LdrResolveDelayLoadedAPI( void* base, const
IMAGE_DELAYLOAD_DESCRIPTOR* desc,
2937                                        PDELAYLOAD_FAILURE_DLL_CALLBACK
dllhook, void* syshook,
2938                                        IMAGE_THUNK_DATA* addr, ULONG flags
)
2939 {
2940     IMAGE_THUNK_DATA *pIAT, *pINT;
2941     DELAYLOAD_INFO delayinfo;
2942     UNICODE_STRING mod;
2943     const CHAR* name;
2944     HMODULE *phmod;
2945     NTSTATUS nts;
2946     FARPROC fp;
2947     DWORD id;
2948 
2949     FIXME("(%p, %p, %p, %p, %p, 0x%08x), partial stub\n", base, desc,
dllhook, syshook, addr, flags);
2950 
2951     phmod = get_rva(base, desc->ModuleHandleRVA);
2952     pIAT = get_rva(base, desc->ImportAddressTableRVA);
2953     pINT = get_rva(base, desc->ImportNameTableRVA);
2954     name = get_rva(base, desc->DllNameRVA);
2955     id = addr - pIAT;
2956 
2957     if (!*phmod)
2958     {
2959         if (!RtlCreateUnicodeStringFromAsciiz(&mod, name))
2960         {
2961             nts = STATUS_NO_MEMORY;
2962             goto fail;
2963         }
2964         nts = LdrLoadDll(NULL, 0, &mod, phmod);
2965         RtlFreeUnicodeString(&mod);
2966         if (nts) goto fail;
2967     }
2968 
2969     if (IMAGE_SNAP_BY_ORDINAL(pINT[id].u1.Ordinal))
2970         nts = LdrGetProcedureAddress(*phmod, NULL,
LOWORD(pINT[id].u1.Ordinal), (void**)&fp);
2971     else
2972     {
2973         const IMAGE_IMPORT_BY_NAME* iibn = get_rva(base,
pINT[id].u1.AddressOfData);
2974         ANSI_STRING fnc;
2975 
2976         RtlInitAnsiString(&fnc, (char*)iibn->Name);
2977         nts = LdrGetProcedureAddress(*phmod, &fnc, 0, (void**)&fp);
2978     }
2979     if (!nts)
2980     {
2981         pIAT[id].u1.Function = (ULONG_PTR)fp;
2982         return fp;
2983     }
2984 
2985 fail:
2986     delayinfo.Size = sizeof(delayinfo);
2987     delayinfo.DelayloadDescriptor = desc;
2988     delayinfo.ThunkAddress = addr;
2989     delayinfo.TargetDllName = name;
2990     delayinfo.TargetApiDescriptor.ImportDescribedByName =
!IMAGE_SNAP_BY_ORDINAL(pINT[id].u1.Ordinal);
2991     delayinfo.TargetApiDescriptor.Description.Ordinal =
LOWORD(pINT[id].u1.Ordinal);
2992     delayinfo.TargetModuleBase = *phmod;
2993     delayinfo.Unused = NULL;
2994     delayinfo.LastError = nts;
2995     return dllhook(4, &delayinfo);
2996 }
--- snip ---

$ sha1sum 17763.1.180914-1434.rs5_release_WindowsSDK.iso 
e702b5e5f2597d01eaee1eb1be7a34b0da0b6211 
17763.1.180914-1434.rs5_release_WindowsSDK.iso

$ du -sh 17763.1.180914-1434.rs5_release_WindowsSDK.iso 
815M    17763.1.180914-1434.rs5_release_WindowsSDK.iso

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list