[Bug 48161] AION (32bits) wine: Unhandled page fault on write access to 00000009 at address 00BF00C2 (thread 0009)

WineHQ Bugzilla wine-bugs at winehq.org
Tue Dec 3 12:24:29 CST 2019


https://bugs.winehq.org/show_bug.cgi?id=48161

Paul Gofman <gofmanp at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gofmanp at gmail.com

--- Comment #1 from Paul Gofman <gofmanp at gmail.com> ---
Created attachment 65863
  --> https://bugs.winehq.org/attachment.cgi?id=65863
partial proof of concept patch

It works for me with the local build (default compiler options) and does
not (with crashes similar to the one in this bug report) with a prebuilt Wine
binary I tested with.

The critical option in the prebuilt Wine is -fcf-protection flag. I could
reproduce the crashes with it and avoid the crash by replacing 2-3 dlls
compiled without the flag, otherwise the same.

-fcf-protection flag effectively results in adding endbr32 instructions to the
code, in particular, at the beginning of each function. The game's anticheat
seems to do a lot of trickery interpreting and rearranging API functions code.
It doesn't understand endbr32 and that results in broken instructions
execution. DECLSPEC_HOTPATCH (ms_hook_prologue) does not help here, as with it
in place gcc still injects endbr32 right after hook prologue, and it still
breaks things. I am attaching the patch as a proof of concept, which disables
cf-protection for a few functions which are excluded from relay debugging. With
this patch I could start the 32 bit game client with -fcf-protection build with
WINEDEBUG=+relay. There are many more functions which the game wants to
interpret, but relay thunks are good for it. Please note that using
ms_hook_prologue instead of nocf_check doesn't help.

IMO the only solution is not to build Wine with -fcf-protection option. The
option makes no sense anyway with Wine. Adding CET branch instrumentation does
nothing by itself. In a CET-enabled environment indirect branching (jump, call,
ret using some stored address) to any location not starting with endbr will be
denied. Out of a CET environment endbr's are just no-ops.

If someone will try to run Wine with CET enabled it won't work anyway.
ms_hook_prologue before endbr32 violates the CET requirement right away. I.e.,
"hot patchable" functions are simply incompatible with CET, or, in other words,
ms_hook_prologue and cf_protection attributes are mutually exclusive. This is
the most evident case, Wine use cases are probably incompatible with CET on a
deeper level. -fcf-protection added to the Wine build is just adding no-op
instructions which break some anti-cheats / DRMs.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
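The mechanism the comment describes, as an added example that is not part of the bug report, the attached patch, or Wine itself: a toy prologue classifier of the kind a hooking engine or anti-cheat runs over an API entry point before relocating its first instructions. The opcode patterns (endbr32/endbr64, `mov edi,edi`, `push ebp; mov ebp,esp`) are real x86 encodings; the three sample "functions", the naive and endbr-aware engines, and the function names are all constructed for this illustration. The hotpatch-then-endbr32 ordering in the third sample follows the comment's description of what gcc emits for ms_hook_prologue under -fcf-protection.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum prologue_kind {
    PROLOGUE_UNKNOWN = 0,
    PROLOGUE_STANDARD,   /* push ebp; mov ebp, esp */
    PROLOGUE_HOTPATCH    /* mov edi, edi; push ebp; mov ebp, esp (ms_hook_prologue) */
};

struct prologue_info {
    size_t endbr_len;          /* 4 if an endbr32/endbr64 was skipped, else 0 */
    enum prologue_kind kind;
    size_t hook_at;            /* offset at which the engine would write its patch */
};

/* endbr32 = F3 0F 1E FB, endbr64 = F3 0F 1E FA; both are no-ops without CET. */
static int is_endbr(const uint8_t *p, size_t len)
{
    return len >= 4 && p[0] == 0xF3 && p[1] == 0x0F && p[2] == 0x1E
        && (p[3] == 0xFB || p[3] == 0xFA);
}

static enum prologue_kind match_prologue(const uint8_t *p, size_t len)
{
    static const uint8_t std_pro[] = { 0x55, 0x8B, 0xEC };             /* push ebp; mov ebp, esp */
    static const uint8_t hot_pro[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi, edi; push ebp; mov ebp, esp */

    if (len >= sizeof hot_pro && memcmp(p, hot_pro, sizeof hot_pro) == 0)
        return PROLOGUE_HOTPATCH;
    if (len >= sizeof std_pro && memcmp(p, std_pro, sizeof std_pro) == 0)
        return PROLOGUE_STANDARD;
    return PROLOGUE_UNKNOWN;
}

/* Naive engine (hypothetical): expects a known prologue at byte 0, as the
 * comment says the game's anti-cheat does. An endbr32 at entry defeats it. */
enum prologue_kind classify_naive(const uint8_t *code, size_t len, struct prologue_info *out)
{
    struct prologue_info pi = { 0, match_prologue(code, len), 0 };
    if (out) *out = pi;
    return pi.kind;
}

/* endbr-aware engine (hypothetical): skips a leading endbr and patches after
 * it, so the entry keeps its endbr and stays a valid indirect-branch target. */
enum prologue_kind classify_endbr_aware(const uint8_t *code, size_t len, struct prologue_info *out)
{
    size_t skip = is_endbr(code, len) ? 4 : 0;
    struct prologue_info pi = { skip, match_prologue(code + skip, len - skip), skip };
    if (out) *out = pi;
    return pi.kind;
}

/* The check CET indirect-branch tracking applies: an indirect call/jmp may only
 * land on an endbr. A hot-patch prologue emitted before endbr32 fails it, which
 * is the ms_hook_prologue vs. cf_protection conflict the comment points out. */
int cet_ibt_target_ok(const uint8_t *code, size_t len)
{
    return is_endbr(code, len);
}

/* Constructed samples of a 32-bit function entry (not taken from any binary). */
const uint8_t SAMPLE_PLAIN[] =                         /* built without -fcf-protection */
    { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };            /* push ebp; mov ebp,esp; sub esp,0x10 */
const uint8_t SAMPLE_CET[] =                           /* built with -fcf-protection */
    { 0xF3, 0x0F, 0x1E, 0xFB, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
const uint8_t SAMPLE_HOTPATCH_CET[] =                  /* ms_hook_prologue + -fcf-protection */
    { 0x8B, 0xFF, 0xF3, 0x0F, 0x1E, 0xFB, 0x55, 0x8B, 0xEC };

static const char *kind_name(enum prologue_kind k)
{
    return k == PROLOGUE_STANDARD ? "standard" : k == PROLOGUE_HOTPATCH ? "hotpatch" : "unknown";
}

static void report(const char *label, const uint8_t *code, size_t len)
{
    struct prologue_info aware;
    enum prologue_kind naive = classify_naive(code, len, NULL);
    classify_endbr_aware(code, len, &aware);
    printf("%-22s naive=%-8s endbr-aware=%-8s (hook at +%zu)  CET target ok=%d\n",
           label, kind_name(naive), kind_name(aware.kind), aware.hook_at,
           cet_ibt_target_ok(code, len));
}

int main(void)
{
    report("plain", SAMPLE_PLAIN, sizeof SAMPLE_PLAIN);
    report("cf-protection", SAMPLE_CET, sizeof SAMPLE_CET);
    report("hotpatch+cf-protection", SAMPLE_HOTPATCH_CET, sizeof SAMPLE_HOTPATCH_CET);
#if defined(__i386__) || defined(__x86_64__)
    /* Was this very binary built with -fcf-protection? Peek at a function's
     * first bytes; the answer depends on the compiler flags used for this file. */
    const uint8_t *self = (const uint8_t *)(uintptr_t)&classify_naive;
    printf("this build: classify_naive %s with endbr\n",
           is_endbr(self, 4) ? "starts" : "does not start");
#endif
    return 0;
}
```

The three samples reproduce the failure modes in the comment: the plain entry is understood by both engines, the -fcf-protection entry is only understood by an engine that knows to step over endbr32, and the hotpatch-then-endbr32 entry is understood by neither and would also be rejected as an indirect-branch target under CET. To check a prebuilt Wine object for the flag, disassemble it with `objdump -d` and look for `endbr32` as the first instruction of exported functions.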
