[Bug 45326] Multiple 64-bit kernel drivers crash on unimplemented function ntoskrnl.exe.__C_specific_handler (NoxPlayer 6.x, MTA:SA 1.5.x)

wine-bugs at winehq.org
Sun Nov 18 06:33:53 CST 2018


https://bugs.winehq.org/show_bug.cgi?id=45326

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
            Summary|unimplemented function      |Multiple 64-bit kernel
                   |ntoskrnl.exe.__C_specific_h |drivers crash on
                   |andler, aborting            |unimplemented function
                   |                            |ntoskrnl.exe.__C_specific_h
                   |                            |andler (NoxPlayer 6.x,
                   |                            |MTA:SA 1.5.x)
           Hardware|x86                         |x86-64

--- Comment #11 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming too.

Taking the example from comment #10 -> NoxPlayer 6.x

NoxPlayer is heavily based on VirtualBox infrastructure, which includes
multiple kernel drivers.

Trace log:

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+service wine net start YSDrv >>log.txt 2>&1
...
0009:Call KERNEL32.WideCharToMultiByte(000001b5,00000000,00335d80 L"The VBox
Support Driver service is
starting.\r\n",0000002e,00145688,0000002e,00000000,00000000) ret=7efeb7a7 
...
002f:trace:service:QueryServiceConfigW Image path           = L"C:\\Program
Files (x86)\\Bignox\\BigNoxVM\\RT\\YSDrv.sys"
002f:trace:service:QueryServiceConfigW Group                = L""
002f:trace:service:QueryServiceConfigW Dependencies         = L""
002f:trace:service:QueryServiceConfigW Service account name = L"LocalSystem"
002f:trace:service:QueryServiceConfigW Display name         = L"VBox Support
Driver"
002f:Ret  advapi32.QueryServiceConfigW() retval=00000001 ret=7fca4a16a2a6
002f:trace:ntoskrnl:open_driver opened service for driver
L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\YSDrv" 
...
002f:trace:ntoskrnl:load_driver loading driver L"C:\\Program Files
(x86)\\Bignox\\BigNoxVM\\RT\\YSDrv.sys"
002f:Call KERNEL32.LoadLibraryW(00027070 L"C:\\Program Files
(x86)\\Bignox\\BigNoxVM\\RT\\YSDrv.sys") ret=7fca4a15cc0c 
...
002f:Call driver init 0x1400127e0
(obj=0x26ee0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\YSDrv")
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeQueryMaximumGroupCount" not
found
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeGetProcessorIndexFromNumber"
not found
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeGetProcessorNumberFromIndex"
not found
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeIpiGenericCall" not found
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeSetTargetProcessorDpcEx" not
found
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeInitializeAffinityEx" not
found
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeAddProcessorAffinityEx" not
found
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeGetProcessorIndexFromNumber"
not found
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeGetProcessorNumberFromIndex"
not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeGetCurrentProcessorNumberEx"
not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeQueryMaximumProcessorCount"
not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeQueryMaximumProcessorCountEx"
not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeQueryMaximumGroupCount" not
found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeQueryActiveProcessorCount"
not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeQueryActiveProcessorCountEx"
not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress
L"KeQueryLogicalProcessorRelationship" not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress
L"KeRegisterProcessorChangeCallback" not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress
L"KeDeregisterProcessorChangeCallback" not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeQueryInterruptTimePrecise"
not found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"KeQuerySystemTimePrecise" not
found 
...
002f:fixme:ntoskrnl:MmGetSystemRoutineAddress L"HalRequestIpi" not found 
...
002f:Call ntoskrnl.exe.PsGetVersion(0033f5c0,0033f5c8,0033f5d0,00000000)
ret=140024c75
002f:Call ntdll.RtlGetVersion(0033f2b0) ret=7fca4a167b5d
002f:Ret  ntdll.RtlGetVersion() retval=00000000 ret=7fca4a167b5d
002f:Ret  ntoskrnl.exe.PsGetVersion() retval=00000001 ret=140024c75
002f:Call ntoskrnl.exe.RtlGetVersion(0033f490) ret=140024cd1
002f:Call ntdll.RtlGetVersion(0033f490) ret=7bc808ef
002f:Ret  ntdll.RtlGetVersion() retval=00000000 ret=7bc808ef
002f:Ret  ntoskrnl.exe.RtlGetVersion() retval=00000000 ret=140024cd1
002f:trace:seh:NtRaiseException code=c0000096 flags=0 addr=0x1400251ac
ip=1400251ac tid=002f
002f:trace:seh:NtRaiseException  rax=0000000000000002 rbx=0000000000027070
rcx=00007fca58290997 rdx=0000000000000000
002f:trace:seh:NtRaiseException  rsi=0000000000026ee0 rdi=0000000000027048
rbp=0000000000000000 rsp=000000000033f5c0
002f:trace:seh:NtRaiseException   r8=0000000000000000  r9=000000000033ec00
r10=0000000000000000 r11=0000000000000000
002f:trace:seh:NtRaiseException  r12=0000000000026ee0 r13=0000000000000000
r14=00000000000259e8 r15=00000001400127e0
002f:trace:seh:call_vectored_handlers calling handler at 0x7fca4a15c1a0
code=c0000096 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x7fca4a15c1a0 returned
ffffffff
002f:trace:seh:NtRaiseException code=c0000096 flags=0 addr=0x1400251c5
ip=1400251c5 tid=002f
002f:trace:seh:NtRaiseException  rax=0000000000000002 rbx=0000000000027070
rcx=00007fca58290997 rdx=0000000000000000
002f:trace:seh:NtRaiseException  rsi=0000000000026ee0 rdi=0000000000027048
rbp=0000000000000000 rsp=000000000033f5c0
002f:trace:seh:NtRaiseException   r8=0000000000000000  r9=000000000033ec00
r10=0000000000000000 r11=0000000000000000
002f:trace:seh:NtRaiseException  r12=0000000000026ee0 r13=0000000000000000
r14=00000000000259e8 r15=00000001400127e0
002f:trace:seh:call_vectored_handlers calling handler at 0x7fca4a15c1a0
code=c0000096 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x7fca4a15c1a0 returned
ffffffff
002f:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x1400251ed
ip=1400251ed tid=002f
002f:trace:seh:NtRaiseException  info[0]=0000000000000000
002f:trace:seh:NtRaiseException  info[1]=0000000000000020
002f:trace:seh:NtRaiseException  rax=0000000000000000 rbx=00000000756e6547
rcx=000000006c65746e rdx=0000000049656e69
002f:trace:seh:NtRaiseException  rsi=0000000000026ee0 rdi=0000000000027048
rbp=0000000000000000 rsp=000000000033f5c0
002f:trace:seh:NtRaiseException   r8=0000000000000000  r9=000000000033ec00
r10=0000000000000000 r11=0000000000000000
002f:trace:seh:NtRaiseException  r12=0000000000026ee0 r13=0000000000000000
r14=00000000000259e8 r15=00000001400127e0
002f:trace:seh:call_vectored_handlers calling handler at 0x7fca4a15c1a0
code=c0000005 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x7fca4a15c1a0 returned 0
002f:trace:seh:RtlVirtualUnwind type 1 rip 1400251ed rsp 33f5c0
002f:trace:seh:dump_unwind_info **** func 24e70-2542f
002f:trace:seh:dump_unwind_info unwind info at 0x14003ab6c flags 1 prolog 0x10
bytes function 0x140024e70-0x14002542f
002f:trace:seh:dump_unwind_info     0x10: subq $0x60,%rsp
002f:trace:seh:dump_unwind_info     0xc: pushq %r15
002f:trace:seh:dump_unwind_info     0xa: pushq %r14
002f:trace:seh:dump_unwind_info     0x8: pushq %r13
002f:trace:seh:dump_unwind_info     0x6: pushq %r12
002f:trace:seh:dump_unwind_info     0x4: pushq %rdi
002f:trace:seh:dump_unwind_info     0x3: pushq %rsi
002f:trace:seh:dump_unwind_info     0x2: pushq %rbx
002f:trace:seh:dump_unwind_info     handler 0x14002b3e8 data at 0x14003ab84
002f:trace:seh:call_handler calling handler 0x14002b3e8 (rec=0x33f480,
frame=0x33f5c0 context=0x33e950, dispatch=0x33e820)
002f:trace:seh:NtRaiseException code=80000100 flags=1 addr=0x7bc5e16c
ip=7bc5e16c tid=002f
002f:trace:seh:NtRaiseException  info[0]=0000000140057848
002f:trace:seh:NtRaiseException  info[1]=00000001400572ee
wine: Call from 0x7bc5e16c to unimplemented function
ntoskrnl.exe.__C_specific_handler, aborting 
--- snip ---

Driver registry entry:

--- snip ---
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\YSDrv]
"DisplayName"="VBox Support Driver"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\Program Files (x86)\\Bignox\\BigNoxVM\\RT\\YSDrv.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000003
"Type"=dword:00000001
--- snip ---

Dissecting the trace log:

--- snip ---
00000001400251AC  mov     r8, cr8   ; read old TPR
--- snip ---

64-bit TPR access, exception handled (instruction emulated)

https://xem.github.io/minix86/manual/intel-x86-and-64-manual-vol3/o_fe12b1e2a880e0ce-390.html

("Chapter 10.8.3 Interrupt, Task and Processor Priority")

--- snip ---
00000001400251B0  mov     [rsp+98h+arg_10], r8
00000001400251B8  mov     [rsp+98h+arg_0], r8b
00000001400251C0  mov     eax, 2
00000001400251C5  mov     cr8, rax  ; write new task priority (TPR)
--- snip ---

64-bit TPR access, exception handled (instruction emulated)

--- snip ---
00000001400251C9  xor     eax, eax
00000001400251CB  xor     ecx, ecx
00000001400251CD  cpuid
00000001400251CF  mov     [rsp+98h+var_44], eax
00000001400251D3  mov     [rsp+98h+var_50], ebx
00000001400251D7  mov     [rsp+98h+var_48], ecx
00000001400251DB  mov     [rsp+98h+var_4C], edx
00000001400251DF  mov     byte ptr [rsp+98h+var_44], 0
00000001400251E4  mov     rax, gs:18h
00000001400251ED  mov     rdi, [rax+20h]              ; *boom*
00000001400251F1  mov     [rsp+98h+var_68], rdi
00000001400251F6  jmp     short loc_14002520F
00000001400251F8  xor     edi, edi
00000001400251FA  mov     [rsp+98h+var_68], rdi
00000001400251FF  movzx   eax, [rsp+98h+arg_0]
0000000140025207  mov     [rsp+98h+arg_10], rax
...
--- snip ---

GS:[0x18] -> NT SubSystemTib

Looks like it's trying to access some unknown member there.

I found the C scope table for the function-specific exception handler here:

--- snip ---
...
000000014003AB88  C_SCOPE_TABLE <rva loc_1400251E4, rva loc_1400251F8, 1, \
000000014003AB88                 rva loc_1400251F8>
...
--- snip ---

which indicates that a NULL 'NT SubSystemTib' is kind of expected on Win64

---

In case of MTA San Andreas 1.5.x (https://mtasa.com/download/), the driver
causing this (due to other Wine insufficiencies):

--- snip ---
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FairplayKD]
"DisplayName"="FairplayKD"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\ProgramData\\MTA San Andreas
All\\Common\\temp\\FairplayKD.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000003
"Type"=dword:00000001
"WOW64"=dword:00000001
--- snip ---

Regards

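Added example (not part of the bug report or of the YSDrv driver): the dispatch decision that ntoskrnl's __C_specific_handler makes for the fault in the trace above, modelled in user-mode C. The scope-table layout is the MSVC x64 C_SCOPE_TABLE format (Count followed by BeginAddress/EndAddress/HandlerAddress/JumpTarget RVAs, HandlerAddress == 1 meaning a constant EXCEPTION_EXECUTE_HANDLER filter). The table contents are taken from the disassembly quoted in the comment (entry at 0x14003AB88 covering loc_1400251E4..loc_1400251F8); the image base of 0x140000000 is assumed from those addresses, and the data is constructed here, not read from the driver.

```c
#include <stdint.h>
#include <stdio.h>

/* MSVC x64 scope table emitted for __try/__except, as found at 0x14003AB88.
 * All fields are image RVAs except HandlerAddress, which is the constant 1
 * when the filter is __except(EXCEPTION_EXECUTE_HANDLER). */
typedef struct {
    uint32_t BeginAddress;   /* RVA of the first instruction inside __try      */
    uint32_t EndAddress;     /* RVA one past the last instruction inside __try */
    uint32_t HandlerAddress; /* filter function RVA, or 1 == EXECUTE_HANDLER  */
    uint32_t JumpTarget;     /* RVA of the __except block; 0 for __finally    */
} scope_record_t;

typedef struct {
    uint32_t Count;
    scope_record_t ScopeRecord[1]; /* variable-length in the real table; one entry here */
} scope_table_t;

#define EXCEPTION_EXECUTE_HANDLER 1

/* Assumed image base: the 0x1400251xx addresses in the trace imply it. */
static const uint64_t YSDRV_IMAGE_BASE = 0x140000000ULL;

/* Constructed from the C_SCOPE_TABLE in the comment:
 *   <rva loc_1400251E4, rva loc_1400251F8, 1, rva loc_1400251F8> */
static const scope_table_t ysdrv_scope_table = {
    1, { { 0x000251E4u, 0x000251F8u, EXCEPTION_EXECUTE_HANDLER, 0x000251F8u } }
};

/* Returns the VA that __C_specific_handler would resume execution at for a
 * fault raised at fault_va, or 0 when no __except scope covers that address
 * (in which case the exception keeps propagating, and with no handler at all
 * the process dies, which is what the trace shows Wine doing). */
uint64_t find_except_target(const scope_table_t *table, uint64_t image_base,
                            uint64_t fault_va)
{
    uint64_t fault_rva = fault_va - image_base;

    for (uint32_t i = 0; i < table->Count; i++) {
        const scope_record_t *r = &table->ScopeRecord[i];

        /* EndAddress is exclusive: a fault exactly at the __except label
         * (loc_1400251F8) is outside the protected range. */
        if (fault_rva < r->BeginAddress || fault_rva >= r->EndAddress)
            continue;

        if (r->JumpTarget == 0)      /* __finally: runs on unwind, never a target */
            continue;

        if (r->HandlerAddress == EXCEPTION_EXECUTE_HANDLER)
            return image_base + r->JumpTarget;

        /* A real filter function (HandlerAddress as an RVA) would be called
         * with the exception pointers here; this example only models the
         * constant filter used by the driver. */
        return 0;
    }
    return 0;
}

int main(void)
{
    /* The access violation in the trace: mov rdi,[rax+20h] at 0x1400251ED
     * with rax == 0 (NULL NT SubSystemTib read from gs:18h). */
    uint64_t fault = 0x1400251EDULL;
    uint64_t target = find_except_target(&ysdrv_scope_table, YSDRV_IMAGE_BASE, fault);

    printf("fault at 0x%llx -> __except resumes at 0x%llx\n",
           (unsigned long long)fault, (unsigned long long)target);
    return 0;
}
```

Running this shows that the fault address 0x1400251ED falls inside the single __try scope and the driver would resume at loc_1400251F8 (xor edi,edi), i.e. the driver already tolerates a NULL at gs:18h. What fails under Wine is not the driver's check but the missing ntoskrnl.exe export that performs this lookup.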