[Bug 48975] New: Multiple kernel drivers crash with unhandled privileged instruction while trying to scan PCI config space using PCI index (0xCF8) and data (0xCFC) ports
WineHQ Bugzilla
wine-bugs at winehq.org
Sun Apr 19 18:24:02 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=48975
Bug ID: 48975
Summary: Multiple kernel drivers crash with unhandled privileged instruction while trying to scan PCI config space using PCI index (0xCF8) and data (0xCFC) ports
Product: Wine
Version: 5.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
currently only for documentation/dupe collector as I found a couple of drivers
doing this.
From the past:
* bug 23701
https://bugs.winehq.org/show_bug.cgi?id=23701
--- quote ---
The next crash is due to kernel driver trying to scan PCI config space using
PCI index (0xCF8) and data (0xCFC) ports in x86 architecture I/O ports address
space - a privileged operation.
Theoretically the driver PCI port I/O could be made to work using ioperm/iopl
but that requires root privileges, creating a big security hole.
Another way could be trapping and emulating PCI config space accesses using
Linux supplied PCI info. Though this area is most likely outside the scope of
Wine.
--- quote ---
https://web.archive.org/web/20200419230034/https://www.crucial.com/content/dam/crucial/support/scan/downloads/CrucialScan.exe
Another one from an old ASRock driver CD installer I've tried for fun ;-)
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl wine ./ASRSetup.exe >>~/log.txt 2>&1
...
002e:trace:ntoskrnl:load_driver loading driver
L"C:\\windows\\SysWOW64\\Drivers\\AsrCDDrv.sys"
002e:Call KERNEL32.LoadLibraryW(00728c40
L"C:\\windows\\SysWOW64\\Drivers\\AsrCDDrv.sys") ret=1800152e8
...
002e:Ret KERNEL32.LoadLibraryW() retval=00d60000 ret=1800152e8
...
002e:Call driver init 0000000000D6612C
(obj=0000000000728A20,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\AsrCDDrv")
...
002e:trace:ntoskrnl:IoCreateSymbolicLink L"\\DosDevices\\AsrCDDrv" ->
L"\\Device\\AsrCDDrv"
...
0009:Call
KERNEL32.DeviceIoControl(00000080,00222838,01a0b5dc,0000000c,01a0b5dc,0000000c,01a0b5e8,00000000)
ret=00411f1d
002f:Ret ntdll.NtWaitForMultipleObjects() retval=00000001 ret=7b04af97
002f:Ret KERNEL32.WaitForMultipleObjectsEx() retval=00000001 ret=18000d53e
...
002f:trace:ntoskrnl:IoGetAttachedDevice (0000000000728C50)
002f:trace:ntoskrnl:dispatch_ioctl ioctl 222838 device 0000000000728C50 file
0000000000728DC0 in_size 12 out_size 12
002f:trace:ntoskrnl:IoBuildDeviceIoControlRequest 222838, 0000000000728C50,
0000000000727710, 12, 0000000000727710, 12, 0, 0000000000000000,
0000000000000000
002f:trace:ntoskrnl:IoAllocateIrp 1, 0
002f:Call ntdll.RtlAllocateHeap(00790000,00000000,00000118) ret=18000dc2d
002f:Ret ntdll.RtlAllocateHeap() retval=00790330 ret=18000dc2d
002f:trace:ntoskrnl:ExAllocatePoolWithTag 280 pool 0 -> 0000000000790330
002f:trace:ntoskrnl:IoInitializeIrp 0000000000790330, 280, 1
002f:Call msvcrt.memset(00790330,00000000,00000118) ret=18000dcc7
002f:Ret msvcrt.memset() retval=00790330 ret=18000dcc7
002f:Call ntdll.NtGetTickCount() ret=180014eac
002f:Ret ntdll.NtGetTickCount() retval=02efb33b ret=180014eac
002f:trace:ntoskrnl:KeEnterCriticalRegion semi-stub
002f:Call driver dispatch 0000000000D6106C
(device=0000000000728C50,irp=0000000000790330)
002f:trace:seh:raise_exception code=c0000096 flags=0 addr=0xd6123c ip=d6123c
tid=002f
002f:trace:seh:raise_exception rax=0000000000000000 rbx=0000000000000cfc
rcx=000000000000000c rdx=0000000000000000
002f:trace:seh:raise_exception rsi=0000000000727710 rdi=0000000000790330
rbp=0000000000790330 rsp=0000000000d4f920
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000000000
r10=0000000000000000 r11=0000000000000cfc
002f:trace:seh:raise_exception r12=0000000000000000 r13=0000000000728dc0
r14=0000000000000000 r15=0000000000727710
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9b0
code=c0000096 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9b0 returned ffffffff
002f:trace:seh:raise_exception code=c0000096 flags=0 addr=0xd6126a ip=d6126a
tid=002f
002f:trace:seh:raise_exception rax=0000000080000000 rbx=0000000000000cfc
rcx=0000000000100000 rdx=0000000000000cf8
002f:trace:seh:raise_exception rsi=0000000000727710 rdi=0000000000790330
rbp=0000000000790330 rsp=0000000000d4f920
002f:trace:seh:raise_exception r8=0000000000000000 r9=0000000000000000
r10=0000000000000000 r11=0000000000000cfc
002f:trace:seh:raise_exception r12=0000000000000000 r13=0000000000728dc0
r14=0000000000000000 r15=0000000000727710
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9b0
code=c0000096 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9b0 returned 0
...
wine: Unhandled privileged instruction at address 0000000000D6126A (thread
002f), starting debugger...
002f:trace:seh:start_debugger Starting debugger L"winedbg --auto 43 80"
--- snip ---
First one is emulated 'cli', second one is PCI_CONFIG_ADDRESS.
Disassembly of crash location:
--- snip ---
...
0000000000D61394 movzx eax, word ptr [rsi+4]
0000000000D61398 movzx r10d, byte ptr [rsi+2]
0000000000D6139D movzx r9d, byte ptr [rsi+1]
0000000000D613A2 movzx edx, byte ptr [rsi]
0000000000D613A5 movzx r11d, ax
0000000000D613A9 mov ebx, 0CFCh
0000000000D613AE and r11w, 3
0000000000D613B3 add r11w, bx
0000000000D613B7 cli ; ok
0000000000D613B8 mov ecx, eax
0000000000D613BA mov r8d, eax
0000000000D613BD shr ecx, 8
0000000000D613C0 and r8d, 0FCh
0000000000D613C7 and ecx, 0Fh
0000000000D613CA sub ecx, 0FFFFFF80h
0000000000D613CD shl ecx, 8
0000000000D613D0 add ecx, edx
0000000000D613D2 lea edx, [rbx-4]
0000000000D613D5 shl ecx, 5
0000000000D613D8 add ecx, r9d
0000000000D613DB lea eax, [r10+rcx*8]
0000000000D613DF shl eax, 8
0000000000D613E2 add eax, r8d
0000000000D613E5 out dx, eax ; PCI_CONFIG_ADDRESS
; PCI Configuration Space Address Register
; bits 7..0: configuration space offset
; bits 10..8: function number
; bits 15..11: device number
; bits 23..16: bus number
0000000000D613E6 movzx edx, r11w
0000000000D613EA in al, dx ; PCI_CONFIG_DATA
0000000000D613EB mov [rsi+8], al
0000000000D613EE sti ; ok
...
--- snip ---
Linux userspace lib/tools:
https://git.kernel.org/pub/scm/utils/pciutils/pciutils.git
$ wine --version
wine-5.6-193-g59987bc9ec
Regards
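The disassembly above builds a PCI configuration mechanism #1 address, writes it to 0xCF8 and then reads one byte from 0xCFC + (offset & 3). Under the register layout noted in the listing, the rax=0x80000000 seen at the faulting `out dx, eax` in the trace is bus 0, device 0, function 0, offset 0, i.e. the vendor ID of 00:00.0, which is what a config-space scan starts with. The C program below is an added example and is not code from the bug report, from Wine or from the driver. It (1) computes CONFIG_ADDRESS both canonically and with the driver's exact shift/add chain, so the two can be compared, and (2) models the "trap and emulate using Linux-supplied PCI info" approach from the quoted comment with a small, constructed table of fake devices standing in for data a real emulator would take from sysfs. The 12-byte request layout ([0]=bus, [1]=device, [2]=function, [4..5]=offset) is inferred from the `movzx` loads and is an assumption; the vendor/device IDs in the table are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PCI configuration mechanism #1 ports in x86 I/O space. */
#define PCI_CONFIG_ADDRESS 0xCF8
#define PCI_CONFIG_DATA    0xCFC

/* Canonical CONFIG_ADDRESS layout: bit 31 enable, 23..16 bus,
 * 15..11 device, 10..8 function, 7..2 register (dword aligned). */
uint32_t pci_config_address(unsigned bus, unsigned dev, unsigned func, unsigned off)
{
    return 0x80000000u | ((bus & 0xFFu) << 16) | ((dev & 0x1Fu) << 11)
         | ((func & 0x7u) << 8) | (off & 0xFCu);
}

/* The same value computed with the driver's own instruction sequence
 * (shr/and/sub/shl/add/lea chain), to show what it encodes. The 12-byte
 * request layout [0]=bus, [1]=device, [2]=function, [4..5]=offset is
 * inferred from the movzx loads in the disassembly and is an assumption. */
uint32_t pci_config_address_driver_style(const uint8_t *req)
{
    uint32_t eax = req[4] | ((uint32_t)req[5] << 8); /* movzx eax, word [rsi+4] */
    uint32_t r10 = req[2];                           /* function             */
    uint32_t r9  = req[1];                           /* device               */
    uint32_t edx = req[0];                           /* bus                  */
    uint32_t r8  = eax & 0xFCu;                      /* dword-aligned offset */
    uint32_t ecx = (eax >> 8) & 0x0Fu;
    ecx -= 0xFFFFFF80u;        /* sub ecx, 0FFFFFF80h == add 0x80 (mod 2^32) */
    ecx = (ecx << 8) + edx;
    ecx = (ecx << 5) + r9;
    eax = r10 + ecx * 8;       /* lea eax, [r10+rcx*8] */
    eax = (eax << 8) + r8;     /* the 0x80 lands in bit 31 (enable bit) */
    return eax;
}

/* Emulated config space: a constructed table of two fake devices. A real
 * emulator would fill this from Linux (e.g. /sys/bus/pci/devices/<bdf>/config).
 * Absent functions read as all-ones, as mechanism #1 hardware does. */
struct fake_dev { uint8_t bus, dev, func; uint8_t cfg[256]; };
static struct fake_dev g_devs[2];
static uint32_t g_config_address;  /* latched by the last write to 0xCF8 */

void emu_init(void)
{
    memset(g_devs, 0, sizeof g_devs);
    /* 00:00.0 -> vendor 0x8086, device 0x1234, class 0x06 (constructed values) */
    g_devs[0].bus = 0; g_devs[0].dev = 0; g_devs[0].func = 0;
    g_devs[0].cfg[0] = 0x86; g_devs[0].cfg[1] = 0x80;
    g_devs[0].cfg[2] = 0x34; g_devs[0].cfg[3] = 0x12;
    g_devs[0].cfg[0x0B] = 0x06;
    /* 01:03.0 -> vendor 0x10DE, device 0xABCD (constructed values) */
    g_devs[1].bus = 1; g_devs[1].dev = 3; g_devs[1].func = 0;
    g_devs[1].cfg[0] = 0xDE; g_devs[1].cfg[1] = 0x10;
    g_devs[1].cfg[2] = 0xCD; g_devs[1].cfg[3] = 0xAB;
    g_config_address = 0;
}

static struct fake_dev *emu_lookup(uint32_t addr)
{
    unsigned bus = (addr >> 16) & 0xFF, dev = (addr >> 11) & 0x1F, func = (addr >> 8) & 7;
    for (size_t i = 0; i < sizeof g_devs / sizeof g_devs[0]; i++)
        if (g_devs[i].bus == bus && g_devs[i].dev == dev && g_devs[i].func == func)
            return &g_devs[i];
    return NULL;
}

/* Models 'out dx, eax'. Returns 1 if the port was handled, 0 if not
 * (a trap handler would then re-raise the privileged-instruction fault). */
int emu_out32(uint16_t port, uint32_t value)
{
    if (port != PCI_CONFIG_ADDRESS) return 0;
    g_config_address = value;
    return 1;
}

/* Models 'in al, dx' on 0xCFC..0xCFF; the low two port bits select the
 * byte lane, which is why the driver adds (offset & 3) to 0xCFC. */
int emu_in8(uint16_t port, uint8_t *out)
{
    if (port < PCI_CONFIG_DATA || port > PCI_CONFIG_DATA + 3) return 0;
    struct fake_dev *d = (g_config_address & 0x80000000u) ? emu_lookup(g_config_address) : NULL;
    *out = d ? d->cfg[(g_config_address & 0xFCu) | (port - PCI_CONFIG_DATA)] : 0xFF;
    return 1;
}

/* Replays the driver's access pattern: OUT the address, then IN one byte. */
uint8_t emu_read_config_byte(unsigned bus, unsigned dev, unsigned func, unsigned off)
{
    uint8_t v = 0xFF;
    emu_out32(PCI_CONFIG_ADDRESS, pci_config_address(bus, dev, func, off));
    emu_in8((uint16_t)(PCI_CONFIG_DATA + (off & 3)), &v);
    return v;
}

int main(void)
{
    emu_init();
    for (unsigned dev = 0; dev < 4; dev++) {
        unsigned vid = emu_read_config_byte(0, dev, 0, 0) | emu_read_config_byte(0, dev, 0, 1) << 8;
        printf("00:%02x.0 vendor %04x%s\n", dev, vid, vid == 0xFFFF ? " (absent)" : "");
    }
    return 0;
}
```

Note that the driver-style encoder masks nothing except the offset, so a device number above 31 or a function above 7 spills into the neighbouring field; the canonical encoder masks each field, which is what an emulator should do before using the value as a table index. Both emulation entry points return 0 for ports they do not model, so a trapping layer can fall back to the original fault instead of silently absorbing unrelated port I/O.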