[Bug 46954] New: Relay trace causes crash in wine_dbgstr_wn helper due to invalid string pointer access

wine-bugs at winehq.org wine-bugs at winehq.org
Wed Apr 3 17:20:47 CDT 2019


https://bugs.winehq.org/show_bug.cgi?id=46954

            Bug ID: 46954
           Summary: Relay trace causes crash in wine_dbgstr_wn helper due
                    to invalid string pointer access
           Product: Wine
           Version: 4.5
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

Found while checking a patch for bug 46903.

Relay tracing crashes the app:

--- snip ---
$  WINEDEBUG=+seh,+loaddll,+relay,+ntdll wine ./ADHOCSIGNER.EXE
./TouchInputPC.exe >>log.txt 2>&1
...
00ac:Call user32.SetPropA(00060044,7cd7c748 "__wine_x11_whole_window",05400001)
ret=7cd53e2e
...
00ac:Ret  user32.SetPropA() retval=00000001 ret=7cd53e2e 
....
00ac:Call user32.EnumPropsW(00060044,004018cb) ret=00401b3e
...
00ac:Call KERNEL32.GlobalGetAtomNameW(0000c06a,0033f91c,00000100) ret=7e7a26a7
00ac:Call
ntdll.NtQueryInformationAtom(0000c06a,00000000,0033f67e,00000206,00000000)
ret=7b42fe3f
00ac:Ret  ntdll.NtQueryInformationAtom() retval=00000000 ret=7b42fe3f
00ac:Ret  KERNEL32.GlobalGetAtomNameW() retval=00000017 ret=7e7a26a7
00ac:Call user32.RemovePropW(00060044,0033f91c L"__wine_x11_whole_window")
ret=004018e5
00ac:Ret  user32.RemovePropW() retval=05400001 ret=004018e5
00ac:Call oleaut32.SysFreeString(code=c0000005 flags=0 addr=0x7bc7c011
ip=7bc7c011 tid=00ac
00ac:trace:seh:raise_exception  info[0]=00000000
00ac:trace:seh:raise_exception  info[1]=05400001
00ac:trace:seh:raise_exception  eax=7bd0d000 ebx=7bd0d000 ecx=00000000
edx=05400001 esi=0033f880 edi=0033fb88
00ac:trace:seh:raise_exception  ebp=0033f778 esp=0033f630 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010202
00ac:trace:seh:call_stack_handlers calling handler at 0x7b4980f1 code=c0000005
flags=0
...
wine: Unhandled page fault on read access to 0x05400001 at address 0x7bc7c011
(thread 00ac), starting debugger... 
...
Unhandled exception: page fault on read access to 0x05400001 in 32-bit code
(0x7bc7c011).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc7c011 ESP:0033f630 EBP:0033f778 EFLAGS:00010202(  R- --  I   - - - )
 EAX:7bd0d000 EBX:7bd0d000 ECX:00000000 EDX:05400001
 ESI:0033f880 EDI:0033fb88
Stack dump:
0x0033f630:  00000000 00000000 0033f6fc f7d9c2e2
0x0033f640:  f7d88680 00000000 00000000 7bc42361
0x0033f650:  7bd0d000 ffffffff 0033f888 7bc42b08
0x0033f660:  7bd18922 0033f6c8 00000017 7bc42a86
0x0033f670:  0033f91c 00000017 7bd18600 0000031a
0x0033f680:  f7d88680 00000000 0033f6a8 0033f6b0
Backtrace:
=>0 0x7bc7c011 wine_dbgstr_wn+0x74()
[/home/focht/projects/wine/mainline-src/include/wine/debug.h:277] in ntdll
(0x0033f778)
  1 0x7bc7c2b3 debugstr_w+0x1c()
[/home/focht/projects/wine/mainline-src/include/wine/debug.h:515] in ntdll
(0x0033f798)
  2 0x7bc7cc57 trace_string_w+0x4e()
[/home/focht/projects/wine/mainline-src/dlls/ntdll/relay.c:321] in ntdll
(0x0033f7c8)
  3 0x7bc7cf02 relay_trace_entry+0x237()
[/home/focht/projects/wine/mainline-src/dlls/ntdll/relay.c:357] in ntdll
(0x0033f868)
  4 0x7bc7d2eb relay_call+0x16() in ntdll (0x0033f8a0)
  5 0x7d6d6276 __wine_stub_OleLoadPictureFileEx+0xed() in oleaut32 (0x0033f8b8)
  6 0x004018fe EntryPoint+0xffffffff() in adhocsigner (0x0033f8b8)
  7 0x7e7a205a EnumPropsW_relay+0x32()
[/home/focht/projects/wine/mainline-src/dlls/user32/property.c:92] in user32
(0x0033f8e8)
  8 0x7e7a26d4 EnumPropsExW+0xa2()
[/home/focht/projects/wine/mainline-src/dlls/user32/property.c:248] in user32
(0x0033fb38)
  9 0x7e7a20da EnumPropsW+0x31()
[/home/focht/projects/wine/mainline-src/dlls/user32/property.c:110] in user32
(0x0033fb68) 
--- snip ---

The app-provided callback for user32.EnumPropsW() tries to remove Wine internal
window properties. User32.RemovePropW() returns 0x05400001, which in turn gets
passed to oleaut32.SysFreeString(). This should obviously fail due to an invalid
parameter.

Unfortunately the relay debug print functionality no longer catches invalid
string pointer access. A quick inspection of Wine changes hints at this:

https://source.winehq.org/git/wine.git/commitdiff/9f75f7189935aeec55df79a5abbc3d2691ec5f7e
("include: Make wine_dbgstr_an()/wine_dbgstr_wn() into inline functions.")

_NTSYSTEM_ is always defined for ntdll (relay) which leaves the pointer
test/access without SEH protection.

https://source.winehq.org/git/wine.git/blob/HEAD:/include/wine/debug.h#l267

$ wine --version
wine-4.5-138-g8268c47462

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
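The point of the report is that a trace helper which dereferences whatever pointer the traced API was handed has to guard that access, which the inline wine_dbgstr_wn no longer does when _NTSYSTEM_ is defined. The following C program is added here as an illustration of that general pattern and is not Wine code, nor the fix for this bug: a string formatter in the spirit of wine_dbgstr_wn that guards the read with a POSIX SIGSEGV/SIGBUS handler and sigsetjmp (standing in for Wine's SEH __TRY/__EXCEPT on Windows-style exceptions) and returns a marker instead of taking the process down. The helper name safe_dbgstr_wn, the 80-unit scan cap, the escape format and the PROT_NONE page that stands in for the report's 0x05400001 are all assumptions made for the example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target for a fault raised inside a guarded access (per thread). */
static __thread sigjmp_buf fault_jmp;
static __thread volatile sig_atomic_t fault_armed;
static int handler_installed;

static void fault_handler(int sig)
{
    if (fault_armed)
        siglongjmp(fault_jmp, 1);      /* abandon the guarded read */
    /* Fault outside a guarded region: fall back to the default action. */
    signal(sig, SIG_DFL);
    raise(sig);
}

static void install_fault_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = fault_handler;
    sa.sa_flags = SA_NODEFER;          /* a later fault must be catchable too */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
    handler_installed = 1;
}

/* Render up to n UTF-16 code units of str as L"..." into out (size outsz).
 * n == -1 means NUL-terminated; the scan is capped at 80 units (assumed limit).
 * Returns out on success, or a static marker when str cannot be read. */
const char *safe_dbgstr_wn(const unsigned short *str, int n, char *out, size_t outsz)
{
    size_t pos = 0;
    int i;

    if (!str) return "(null)";
    if (outsz < 16) return "(buffer too small)";
    if (!handler_installed) install_fault_handler();

    fault_armed = 1;
    if (sigsetjmp(fault_jmp, 1))
    {
        /* Reached only via siglongjmp from fault_handler. */
        fault_armed = 0;
        return "(invalid)";
    }

    if (n == -1)
        for (n = 0; n < 80 && str[n]; n++) ;

    out[pos++] = 'L';
    out[pos++] = '"';
    for (i = 0; i < n && pos + 10 < outsz; i++)
    {
        unsigned short c = str[i];     /* the access that may fault */
        if (c >= 0x20 && c < 0x7f && c != '"' && c != '\\')
            out[pos++] = (char)c;
        else
            pos += (size_t)snprintf(out + pos, outsz - pos, "\\%04x", c);
    }
    out[pos++] = '"';
    if (i < n) { out[pos++] = '.'; out[pos++] = '.'; out[pos++] = '.'; }
    out[pos] = '\0';

    fault_armed = 0;
    return out;
}

/* Constructed sample: a readable UTF-16 string with one non-ASCII unit. */
const char *demo_valid(void)
{
    static char buf[64];
    static const unsigned short s[] = { '_', '_', 'w', 'i', 'n', 'e', 0x00e9, 0 };
    return safe_dbgstr_wn(s, -1, buf, sizeof buf);
}

/* A page mapped PROT_NONE stands in for the bogus pointer from the report;
 * 0x05400001 itself is a handle-like value and is not dereferenced here. */
const char *demo_invalid(void)
{
    static char buf[64];
    long pagesz = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pagesz, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    const char *r;
    if (p == MAP_FAILED) return "(mmap failed)";
    r = safe_dbgstr_wn((const unsigned short *)p, -1, buf, sizeof buf);
    munmap(p, (size_t)pagesz);
    return r;
}

int main(void)
{
    printf("%s\n%s\n", demo_valid(), demo_invalid());
    return 0;
}
```

The guard only covers the read of the traced string, and fault_armed is cleared again on both exits so that an unrelated crash elsewhere still gets the default signal action rather than a silent jump.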