[Bug 46205] New: Multiple kernel drivers need implementation of ' ntoskrnl.ObReferenceObjectByHandle' for 'PsThreadType' (PETHREAD)
wine-bugs at winehq.org
wine-bugs at winehq.org
Tue Nov 27 16:46:23 CST 2018
https://bugs.winehq.org/show_bug.cgi?id=46205
Bug ID: 46205
Summary: Multiple kernel drivers need implementation of
'ntoskrnl.ObReferenceObjectByHandle' for
'PsThreadType' (PETHREAD)
Product: Wine
Version: 3.21
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
continuation of bug 44588 (and partially bug 44910)
--- snip ---
$ WINEDEBUG=+seh,+loaddll,+process,+service,+ntoskrnl wineboot >>log.txt 2>&1
...
000f:trace:service:scmdatabase_load_services Loading service L"bizVSerial"
000f:trace:service:load_service_config Image path =
L"System32\\drivers\\bizVSerialNT.sys"
000f:trace:service:load_service_config Group = (null)
000f:trace:service:load_service_config Service account name = L"LocalSystem"
000f:trace:service:load_service_config Display name = L"Franson
VSerial"
000f:trace:service:load_service_config Service dependencies : (none)
000f:trace:service:load_service_config Group dependencies : (none)
...
0017:trace:service:service_thread 0x10d60
0017:trace:service:SERV_OpenSCManagerW ((null),(null),0x00000001)
0015:trace:service:svcctl_OpenSCManagerW ((null), (null), 1)
0017:trace:service:SERV_OpenSCManagerW returning 0x11920
0017:trace:service:RegisterServiceCtrlHandlerExW L"winedevice" 0x7f47d7011ab0
0x11800
0017:trace:service:SetServiceStatus 0x110c0 30 4 5 0 0 0 0
...
000f:trace:service:process_send_start_message 0x143b0 L"bizVSerial" (nil) 0
0016:trace:service:service_handle_control L"winedevice" control 2147483648 data
0x11bb2 data_size 22
0016:trace:ntoskrnl:ZwLoadDriver
(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\bizVSerial")
...
0016:trace:service:QueryServiceConfigW Image path =
L"System32\\drivers\\bizVSerialNT.sys"
0016:trace:service:QueryServiceConfigW Group = L""
0016:trace:service:QueryServiceConfigW Dependencies = L""
0016:trace:service:QueryServiceConfigW Service account name = L"LocalSystem"
0016:trace:service:QueryServiceConfigW Display name = L"Franson
VSerial"
0016:trace:ntoskrnl:open_driver opened service for driver
L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\bizVSerial"
0016:trace:service:SetServiceStatus 0x12e50 30 2 0 0 0 0 2710
0014:trace:service:svcctl_SetServiceStatus (0x15e80, 0x15754)
0016:trace:ntoskrnl:IoCreateDriver (L"\\Driver\\bizVSerial", 0x7f47c8c949c0)
0016:trace:ntoskrnl:load_driver loading driver
L"System32\\drivers\\bizVSerialNT.sys"
0016:trace:loaddll:load_native_dll Loaded
L"C:\\windows\\System32\\drivers\\bizVSerialNT.sys" at 0x460000: native
0016:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x468034 ip=468034
tid=0016
0016:trace:seh:NtRaiseException info[0]=0000000000000000
0016:trace:seh:NtRaiseException info[1]=fffff78000000320
0016:trace:seh:NtRaiseException rax=fffff78000000320 rbx=0000000000013178
rcx=0000000000013010 rdx=0000000000013178
0016:trace:seh:NtRaiseException rsi=00007f47d73b84b1 rdi=00007f47c8cd1c71
rbp=000000000033f8a0 rsp=000000000033f788
0016:trace:seh:NtRaiseException r8=0000000000466100 r9=00002b992ddfa232
r10=000000000000a000 r11=0000000000012ee0
0016:trace:seh:NtRaiseException r12=0000000000013010 r13=0000000000000000
r14=0000000000011b18 r15=0000000000468008
0016:trace:seh:call_vectored_handlers calling handler at 0x7f47c8c93260
code=c0000005 flags=0
0016:trace:seh:call_vectored_handlers handler at 0x7f47c8c93260 returned
ffffffff
0016:trace:ntoskrnl:IoCreateDevice (0x13010, 496, L"\\Device\\bizvSerialMgr",
34, 0, 0, 0x33f790)
0016:trace:ntoskrnl:IoCreateSymbolicLink L"\\DosDevices\\bizSerialMgr" ->
L"\\Device\\bizvSerialMgr"
0016:trace:ntoskrnl:KeInitializeEvent event 0x136e8, type 0, state 0.
0016:trace:ntoskrnl:KeInitializeEvent event 0x136c8, type 0, state 0.
0016:fixme:ntoskrnl:ObReferenceObjectByHandle stub: 0x3c 1fffff (nil) 0 0x136e0
(nil)
0016:trace:ntoskrnl:init_driver init done for L"bizVSerial" obj 0x13010
0016:trace:ntoskrnl:init_driver - DriverInit = 0x468008
0016:trace:ntoskrnl:init_driver - DriverStartIo = (nil)
0016:trace:ntoskrnl:init_driver - DriverUnload = 0x4613c0
0016:trace:ntoskrnl:init_driver - MajorFunction[0] = 0x461180
0016:trace:ntoskrnl:init_driver - MajorFunction[1] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[2] = 0x461228
0016:trace:ntoskrnl:init_driver - MajorFunction[3] = 0x46133c
0016:trace:ntoskrnl:init_driver - MajorFunction[4] = 0x461304
0016:trace:ntoskrnl:init_driver - MajorFunction[5] = 0x461398
0018:trace:ntoskrnl:KeWaitForMultipleObjects count 2, objs 0x56fd80, wait_type
1, reason 0, mode 0, alertable 0, timeout (nil), wait_blocks 0x56fd90.
0016:trace:ntoskrnl:init_driver - MajorFunction[6] = 0x461398
0016:trace:ntoskrnl:init_driver - MajorFunction[7] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[8] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[9] = 0x461398
0016:trace:ntoskrnl:init_driver - MajorFunction[10] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[11] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[12] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[13] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[14] = 0x4612e0
0016:trace:ntoskrnl:init_driver - MajorFunction[15] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[16] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[17] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[18] = 0x461374
0016:trace:ntoskrnl:init_driver - MajorFunction[19] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[20] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[21] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[22] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[23] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[24] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[25] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[26] = 0x7f47c8c997b0
0016:trace:ntoskrnl:init_driver - MajorFunction[27] = 0x7f47c8c997b0
0016:trace:service:SetServiceStatus 0x12e50 30 4 5 0 0 0 0
0015:trace:service:svcctl_SetServiceStatus (0x15e80, 0x15cf4)
...
0017:trace:ntoskrnl:unload_driver L"\\Driver\\bizVSerial"
0017:trace:service:SetServiceStatus 0x12e50 30 3 0 0 0 0 0
...
0017:trace:ntoskrnl:KeSetEvent event 0x136c8, increment 0, wait 0.
0017:trace:ntoskrnl:KeWaitForMultipleObjects count 1, objs 0x44f900, wait_type
1, reason 6, mode 0, alertable 0, timeout (nil), wait_blocks (nil).
0018:trace:ntoskrnl:KeResetEvent event 0x136c8.
0017:trace:seh:NtRaiseException code=c0000005 flags=0 addr=0x7f47c8ca3183
ip=7f47c8ca3183 tid=0017
0017:trace:seh:NtRaiseException info[0]=0000000000000001
0017:trace:seh:NtRaiseException info[1]=00000000deadbeb7
0017:trace:seh:NtRaiseException rax=00000000deadbeaf rbx=000000000044f900
rcx=00007f47d6aed879 rdx=0000000000000000
0017:trace:seh:NtRaiseException rsi=000000000044f5c0 rdi=0000000000000000
rbp=000000000044f8a0 rsp=000000000044f580
0017:trace:seh:NtRaiseException r8=0000000000000000 r9=0000000000000000
r10=000000000044f340 r11=0000000000000246
0017:trace:seh:NtRaiseException r12=0000000000013010 r13=0000000000000001
r14=000000000044f908 r15=000000000044f900
0017:trace:seh:call_vectored_handlers calling handler at 0x7f47c8c93260
code=c0000005 flags=0
...
wine: Unhandled page fault on write access to 0xdeadbeb7 at address
0x7f47c8ca3183 (thread 0017), starting debugger...
0017:trace:seh:start_debugger Starting debugger "winedbg --auto 17 60"
0017:trace:process:CreateProcessInternalW app (null) cmdline L"winedbg --auto
17 60"
0017:trace:process:find_exe_file looking for L"winedbg"
0017:trace:process:find_exe_file Trying native exe
L"C:\\windows\\system32\\winedbg.exe"
0017:trace:process:CreateProcessInternalW starting
L"C:\\windows\\system32\\winedbg.exe" as Win64 binary (10000000-10018000,
x86_64)
0017:err:seh:start_debugger Couldn't start debugger ("winedbg --auto 17 60")
(1115)
--- snip ---
The kernel driver creates a secondary thread via 'PsCreateSystemThread' and
waits in the driver unload routine for the thread to exit. Wine's
'ObReferenceObjectByHandle' is currently a stub, returning a fake (invalid)
handle. This causes 'KeWaitForSingleObject' to dereference an invalid handle
later.
The sequence is pretty standard for Windows kernel drivers. One of the many
driver examples on GitHub:
https://github.com/Microsoft/Windows-driver-samples/blob/master/general/cancel/sys/cancel.c
--- snip ---
...
//
// DriverEntry (excerpt): starts the polling thread and keeps a referenced
// pointer to its thread object in the device extension so that the unload
// routine can wait on it.  Elided parts of the sample are marked with "...".
//
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING
RegistryPath)
{
...
//
// Start the polling thread.
//
devExtension->ThreadShouldStop = FALSE;
status = PsCreateSystemThread(&threadHandle,
(ACCESS_MASK)0,
NULL,
(HANDLE) 0,
NULL,
CsampPollingThread,
deviceObject );
if ( !NT_SUCCESS( status ))
{
// Undo the symbolic link and device object, presumably created in the
// elided part of this function above.
IoDeleteSymbolicLink( &unicodeDosDeviceName );
IoDeleteDevice( deviceObject );
return status;
}
//
// Convert the Thread object handle into a pointer to the Thread object
// itself. Then close the handle.
//
// NOTE(review): the NTSTATUS returned by ObReferenceObjectByHandle is not
// checked.  If the call fails -- or, as on the Wine build in this report, is
// a stub that stores a placeholder pointer and still returns success --
// devExtension->ThreadObject is not a valid referenced object, yet
// CsampUnload passes it to KeWaitForSingleObject and ObDereferenceObject.
// Checking the status here and failing DriverEntry (with the same cleanup as
// the branch above) would make this a clean load failure rather than a fault
// at unload time.
//
ObReferenceObjectByHandle(threadHandle,
THREAD_ALL_ACCESS,
NULL,
KernelMode,
&devExtension->ThreadObject,
NULL );
ZwClose(threadHandle);
}
...
//
// CsampPollingThread (excerpt): body of the system thread started from
// DriverEntry.  Loops until the unload routine sets ThreadShouldStop, then
// terminates itself with PsTerminateSystemThread.  Elided parts are marked
// with "...".
//
VOID CsampPollingThread( _In_ PVOID Context)
{
...
//
// Now enter the main IRP-processing loop
//
for(;;)
{
...
//
// See if thread was awakened because driver is unloading itself...
//
// NOTE(review): ThreadShouldStop is written by CsampUnload on another
// thread and read here.  The excerpt shows no synchronization around the
// flag; the "awakened" wording suggests an event wait precedes this check in
// the elided code -- confirm against the full sample.
//
if ( DevExtension->ThreadShouldStop ) {
PsTerminateSystemThread( STATUS_SUCCESS );
}
...
}
...
}
...
//
// CsampUnload (excerpt): driver unload routine.  Signals the polling thread
// to stop, blocks until its thread object is signaled, then drops the
// reference taken in DriverEntry.  Elided parts are marked with "...".
//
VOID CsampUnload( _In_ PDRIVER_OBJECT DriverObject)
{
...
//
// Set the Stop flag
//
devExtension->ThreadShouldStop = TRUE;
...
//
// Wait for the thread to terminate
//
// NOTE(review): ThreadObject must be the pointer filled in by
// ObReferenceObjectByHandle in DriverEntry.  The bizVSerial trace in this
// report is consistent with the analogous wait dereferencing Wine's
// 0xdeadbeaf placeholder (fault on a write to 0xdeadbeb7, rax=0xdeadbeaf),
// since the stub reports success without producing a real object.  The NULL
// Timeout makes this an indefinite wait, so a thread that never observes
// ThreadShouldStop keeps the unload blocked.
//
KeWaitForSingleObject(devExtension->ThreadObject,
Executive,
KernelMode,
FALSE,
NULL );
ObDereferenceObject(devExtension->ThreadObject);
...
}
--- snip ---
Microsoft docs:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-obreferenceobjectbyhandle
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl.c#l2580
--- snip ---
2580 /***********************************************************************
2581 * ObReferenceObjectByHandle (NTOSKRNL.EXE.@)
2582 */
/*
 * Stub.  The documented contract (see the Microsoft docs link above) is to
 * resolve the handle 'obj' to a referenced kernel object pointer stored
 * through 'ptr', optionally restricted to the object type 'type'.  This
 * version performs no lookup at all.
 *
 * The trace in this report shows the consequence: the driver hands the
 * placeholder written below to KeWaitForSingleObject, which then faults on a
 * write to 0xdeadbeb7 (rax=0xdeadbeaf).  Because STATUS_SUCCESS is returned,
 * a caller that does check the status has no way to detect that it received
 * a poison value.  Until the lookup is implemented (at least for the types
 * drivers commonly request, PsThreadType in this report), returning an error
 * status and leaving *ptr untouched would be the safer contract.
 */
2583 NTSTATUS WINAPI ObReferenceObjectByHandle( HANDLE obj, ACCESS_MASK access,
2584 POBJECT_TYPE type,
2585 KPROCESSOR_MODE mode, PVOID*
ptr,
2586 POBJECT_HANDLE_INFORMATION
info)
2587 {
2588 FIXME( "stub: %p %x %p %d %p %p\n", obj, access, type, mode, ptr,
info);
2589
/* Poison value, not an object: anything that dereferences it will fault. */
2590 if(ptr)
2591 *ptr = UlongToHandle(0xdeadbeaf);
2592
/* Reports success even though no object was referenced (see note above). */
2593 return STATUS_SUCCESS;
2594 }
--- snip ---
$ sha1sum GpsGateClient.exe
bd5ac140199054a7b4502994439fcc78009fee35 GpsGateClient.exe
$ du -sh GpsGateClient.exe
2.5M GpsGateClient.exe
$ wine --version
wine-3.21-87-g65677e2b2f
Regards