[Bug 47017] New: Symantec Eraser Control Driver 'eeCtrl64.sys' (Norton 360 ) crashes on unimplemented function ntoskrnl.exe.IoGetStackLimits

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Apr 14 13:35:32 CDT 2019 

https://bugs.winehq.org/show_bug.cgi?id=47017

            Bug ID: 47017
           Summary: Symantec Eraser Control Driver 'eeCtrl64.sys' (Norton
                    360) crashes on unimplemented function
                    ntoskrnl.exe.IoGetStackLimits
           Product: Wine
           Version: 4.6
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says. Happens during installation (first time kernel service/driver
install/load).

--- snip ---
$ WINEDEBUG=+seh,+relay,+msi,+ntoskrnl wine ./N360-TW-21.1.0-EN.exe >>log.txt
2>&1
...
002d:Call advapi32.CreateServiceW(0d8d87d0,0d9bb980 L"eeCtrl",1f9177f0
L"Symantec Eraser Control driver",80000002,00000001,00000001,00000001,0d9c7018
L"C:\\Program Files (x86)\\Common Files\\Symantec
Shared\\EENGINE\\eeCtrl64.sys",00000000,00000000,00000000,00000000,00000000)
ret=1f87019e 
...
007c:trace:ntoskrnl:load_driver_module L"C:\\Program Files (x86)\\Common
Files\\Symantec Shared\\EENGINE\\eeCtrl64.sys": relocating from 0x10000 to
0x450000 
...
007c:Call driver init 0x4b6118
(obj=0x278c0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\eeCtrl") 
...
007c:trace:ntoskrnl:IoCreateSymbolicLink L"\\??\\EraserCtrlDrv" ->
L"\\Device\\EraserCtrlDrv" 
...
007c:Call ntoskrnl.exe.RtlInitUnicodeString(0032f370,0002f750 L"C:\\Program
Files (x86)\\Common Files\\Symantec Shared\\EENGINE\\EPERSIST.DAT")
ret=0046a48a
...
007c:Ret  ntoskrnl.exe.RtlInitUnicodeString() retval=00000092 ret=0046a48a
007c:Call ntoskrnl.exe.ZwOpenKey(0032f350,00020019,0032f2b0) ret=0046ca8d
007c:Call ntdll.NtOpenKey(0032f350,00020019,0032f2b0) ret=7bc8de2f
007c:Ret  ntdll.NtOpenKey() retval=00000000 ret=7bc8de2f
007c:Ret  ntoskrnl.exe.ZwOpenKey() retval=00000000 ret=0046ca8d
007c:Call ntoskrnl.exe.RtlInitUnicodeString(0032f2a0,004565b8 L"Started")
ret=0046c9ee
007c:Call ntdll.RtlInitUnicodeString(0032f2a0,004565b8 L"Started") ret=7bc8de2f
...
007c:Ret  ntoskrnl.exe.ZwOpenKey() retval=00000000 ret=0046ca8d
007c:Call KERNEL32.RaiseException(80000100,00000001,00000002,0032f220)
ret=7fe82b71c7a9
007c:trace:seh:NtRaiseException code=80000100 flags=1 addr=0x7b452d3c
ip=7b452d3c tid=007c
007c:trace:seh:NtRaiseException  info[0]=00007fe82b71c7cd
007c:trace:seh:NtRaiseException  info[1]=00007fe82b71e2b4
wine: Call from 0x7b452d3c to unimplemented function
ntoskrnl.exe.IoGetStackLimits, aborting
...
--- snip ---

On WINEPREFIX bootstrapping after installation it runs into bug 47014 (service
is autostart).

One purpose/use-case of the function is mentioned here:

https://community.osr.com/discussion/280922

--- quote ---
I want to know, what is stack based file object?
In my minifilter, I am using file object from post-create callback for reading
file, I used IoGetStackLimit to check if it is stack based file object or not.
--- quote ---

An actual usage example can be found in Microsoft driver examples on Github:

https://github.com/Microsoft/Windows-driver-samples/blob/6c1981b8504329521343ad00f32daa847fa6083a/filesys/fastfat/strucsup.c#L3728

--- snip ---

/*++
Routine Description:
    Frees the buffer of an string (STRING, UNICODE_STRING, ANSI_STRING,
OEM_STRING)
    structure if it is not within the current thread's stack limits.
    Regardless of action performed,  on exit String->Buffer will be set to NULL
and
    String->MaximumLength to zero.
Arguments:
    String - pointer to string structure
--*/

{
    ULONG_PTR High, Low;
    PSTRING LocalString = String;

    PAGED_CODE();

    if (NULL != LocalString->Buffer)  {

        IoGetStackLimits( &Low, &High );

        if (((ULONG_PTR)(LocalString->Buffer) < Low) ||
            ((ULONG_PTR)(LocalString->Buffer) > High))  {

            ExFreePool( LocalString->Buffer);
        }

        LocalString->Buffer = NULL;
    }

    LocalString->MaximumLength = LocalString->Length = 0;
}
--- snip ---

https://github.com/Microsoft/Windows-driver-samples/blob/6c1981b8504329521343ad00f32daa847fa6083a/filesys/miniFilter/avscan/filter/avscan.c#L1997

Wine source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl.exe.spec#l408

--- snip ---
 408 @ stub IoGetStackLimits
--- snip ---

$ sha1sum N360-TW-21.1.0-EN.exe 
aa05ccf9668e166ef28923d451f1c2ecad6f75f1  N360-TW-21.1.0-EN.exe

$ du -sh N360-TW-21.1.0-EN.exe 
203M    N360-TW-21.1.0-EN.exe

$ wine --version
wine-4.6

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list