[Bug 47017] New: Symantec Eraser Control Driver 'eeCtrl64.sys' (Norton 360 ) crashes on unimplemented function ntoskrnl.exe.IoGetStackLimits
wine-bugs at winehq.org
wine-bugs at winehq.org
Sun Apr 14 13:35:32 CDT 2019
https://bugs.winehq.org/show_bug.cgi?id=47017
Bug ID: 47017
Summary: Symantec Eraser Control Driver 'eeCtrl64.sys' (Norton
360) crashes on unimplemented function
ntoskrnl.exe.IoGetStackLimits
Product: Wine
Version: 4.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
as it says. Happens during installation (first time kernel service/driver
install/load).
--- snip ---
$ WINEDEBUG=+seh,+relay,+msi,+ntoskrnl wine ./N360-TW-21.1.0-EN.exe >>log.txt
2>&1
...
002d:Call advapi32.CreateServiceW(0d8d87d0,0d9bb980 L"eeCtrl",1f9177f0
L"Symantec Eraser Control driver",80000002,00000001,00000001,00000001,0d9c7018
L"C:\\Program Files (x86)\\Common Files\\Symantec
Shared\\EENGINE\\eeCtrl64.sys",00000000,00000000,00000000,00000000,00000000)
ret=1f87019e
...
007c:trace:ntoskrnl:load_driver_module L"C:\\Program Files (x86)\\Common
Files\\Symantec Shared\\EENGINE\\eeCtrl64.sys": relocating from 0x10000 to
0x450000
...
007c:Call driver init 0x4b6118
(obj=0x278c0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\eeCtrl")
...
007c:trace:ntoskrnl:IoCreateSymbolicLink L"\\??\\EraserCtrlDrv" ->
L"\\Device\\EraserCtrlDrv"
...
007c:Call ntoskrnl.exe.RtlInitUnicodeString(0032f370,0002f750 L"C:\\Program
Files (x86)\\Common Files\\Symantec Shared\\EENGINE\\EPERSIST.DAT")
ret=0046a48a
...
007c:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=00000092 ret=0046a48a
007c:Call ntoskrnl.exe.ZwOpenKey(0032f350,00020019,0032f2b0) ret=0046ca8d
007c:Call ntdll.NtOpenKey(0032f350,00020019,0032f2b0) ret=7bc8de2f
007c:Ret ntdll.NtOpenKey() retval=00000000 ret=7bc8de2f
007c:Ret ntoskrnl.exe.ZwOpenKey() retval=00000000 ret=0046ca8d
007c:Call ntoskrnl.exe.RtlInitUnicodeString(0032f2a0,004565b8 L"Started")
ret=0046c9ee
007c:Call ntdll.RtlInitUnicodeString(0032f2a0,004565b8 L"Started") ret=7bc8de2f
...
007c:Ret ntoskrnl.exe.ZwOpenKey() retval=00000000 ret=0046ca8d
007c:Call KERNEL32.RaiseException(80000100,00000001,00000002,0032f220)
ret=7fe82b71c7a9
007c:trace:seh:NtRaiseException code=80000100 flags=1 addr=0x7b452d3c
ip=7b452d3c tid=007c
007c:trace:seh:NtRaiseException info[0]=00007fe82b71c7cd
007c:trace:seh:NtRaiseException info[1]=00007fe82b71e2b4
wine: Call from 0x7b452d3c to unimplemented function
ntoskrnl.exe.IoGetStackLimits, aborting
...
--- snip ---
On WINEPREFIX bootstrapping after installation it runs into bug 47014 (service
is autostart).
One purpose/use-case of the function is mentioned here:
https://community.osr.com/discussion/280922
--- quote ---
I want to know, what is stack based file object?
In my minifilter, I am using file object from post-create callback for reading
file, I used IoGetStackLimit to check if it is stack based file object or not.
--- quote ---
An actual usage example can be found in Microsoft driver examples on Github:
https://github.com/Microsoft/Windows-driver-samples/blob/6c1981b8504329521343ad00f32daa847fa6083a/filesys/fastfat/strucsup.c#L3728
--- snip ---
/*++
Routine Description:
Frees the buffer of an string (STRING, UNICODE_STRING, ANSI_STRING,
OEM_STRING)
structure if it is not within the current thread's stack limits.
Regardless of action performed, on exit String->Buffer will be set to NULL
and
String->MaximumLength to zero.
Arguments:
String - pointer to string structure
--*/
{
ULONG_PTR High, Low;
PSTRING LocalString = String;
PAGED_CODE();
if (NULL != LocalString->Buffer) {
IoGetStackLimits( &Low, &High );
if (((ULONG_PTR)(LocalString->Buffer) < Low) ||
((ULONG_PTR)(LocalString->Buffer) > High)) {
ExFreePool( LocalString->Buffer);
}
LocalString->Buffer = NULL;
}
LocalString->MaximumLength = LocalString->Length = 0;
}
--- snip ---
https://github.com/Microsoft/Windows-driver-samples/blob/6c1981b8504329521343ad00f32daa847fa6083a/filesys/miniFilter/avscan/filter/avscan.c#L1997
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl.exe.spec#l408
--- snip ---
408 @ stub IoGetStackLimits
--- snip ---
$ sha1sum N360-TW-21.1.0-EN.exe
aa05ccf9668e166ef28923d451f1c2ecad6f75f1 N360-TW-21.1.0-EN.exe
$ du -sh N360-TW-21.1.0-EN.exe
203M N360-TW-21.1.0-EN.exe
$ wine --version
wine-4.6
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list