[Bug 48975] New: Multiple kernel drivers crash with unhandled privileged instruction while trying to scan PCI config space using PCI index (0xCF8) and data (0xCFC) ports

WineHQ Bugzilla wine-bugs at winehq.org
Sun Apr 19 18:24:02 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=48975

            Bug ID: 48975
           Summary: Multiple kernel drivers crash with unhandled
                    privileged instruction while trying to scan PCI config
                    space using PCI index (0xCF8) and data (0xCFC) ports
           Product: Wine
           Version: 5.6
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

currently only for documentation/dupe collector as I found a couple of drivers
doing this.

From the past:

* bug 23701

https://bugs.winehq.org/show_bug.cgi?id=23701

--- quote ---
The next crash is due to kernel driver trying to scan PCI config space using
PCI index (0xCF8) and data (0xCFC) ports in x86 architecture I/O ports address
space - a privileged operation.

Theoretically the driver PCI port I/O could be made to work using ioperm/iopl
but that requires root privileges, creating a big security hole.
Another way could be trapping and emulating PCI config space accesses using
Linux supplied PCI info. Though this area is most likely outside the scope of
Wine.
--- quote ---

https://web.archive.org/web/20200419230034/https://www.crucial.com/content/dam/crucial/support/scan/downloads/CrucialScan.exe

Another one from an old ASRock driver CD installer I've tried for fun ;-)

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl wine ./ASRSetup.exe >>~/log.txt 2>&1
...
002e:trace:ntoskrnl:load_driver loading driver
L"C:\\windows\\SysWOW64\\Drivers\\AsrCDDrv.sys" 
002e:Call KERNEL32.LoadLibraryW(00728c40
L"C:\\windows\\SysWOW64\\Drivers\\AsrCDDrv.sys") ret=1800152e8 
...
002e:Ret  KERNEL32.LoadLibraryW() retval=00d60000 ret=1800152e8
...
002e:Call driver init 0000000000D6612C
(obj=0000000000728A20,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\AsrCDDrv") 
...
002e:trace:ntoskrnl:IoCreateSymbolicLink L"\\DosDevices\\AsrCDDrv" ->
L"\\Device\\AsrCDDrv" 
...
0009:Call
KERNEL32.DeviceIoControl(00000080,00222838,01a0b5dc,0000000c,01a0b5dc,0000000c,01a0b5e8,00000000)
ret=00411f1d
002f:Ret  ntdll.NtWaitForMultipleObjects() retval=00000001 ret=7b04af97
002f:Ret  KERNEL32.WaitForMultipleObjectsEx() retval=00000001 ret=18000d53e
...
002f:trace:ntoskrnl:IoGetAttachedDevice (0000000000728C50)
002f:trace:ntoskrnl:dispatch_ioctl ioctl 222838 device 0000000000728C50 file
0000000000728DC0 in_size 12 out_size 12
002f:trace:ntoskrnl:IoBuildDeviceIoControlRequest 222838, 0000000000728C50,
0000000000727710, 12, 0000000000727710, 12, 0, 0000000000000000,
0000000000000000
002f:trace:ntoskrnl:IoAllocateIrp 1, 0
002f:Call ntdll.RtlAllocateHeap(00790000,00000000,00000118) ret=18000dc2d
002f:Ret  ntdll.RtlAllocateHeap() retval=00790330 ret=18000dc2d
002f:trace:ntoskrnl:ExAllocatePoolWithTag 280 pool 0 -> 0000000000790330
002f:trace:ntoskrnl:IoInitializeIrp 0000000000790330, 280, 1
002f:Call msvcrt.memset(00790330,00000000,00000118) ret=18000dcc7
002f:Ret  msvcrt.memset() retval=00790330 ret=18000dcc7
002f:Call ntdll.NtGetTickCount() ret=180014eac
002f:Ret  ntdll.NtGetTickCount() retval=02efb33b ret=180014eac
002f:trace:ntoskrnl:KeEnterCriticalRegion semi-stub
002f:Call driver dispatch 0000000000D6106C
(device=0000000000728C50,irp=0000000000790330)

002f:trace:seh:raise_exception code=c0000096 flags=0 addr=0xd6123c ip=d6123c
tid=002f
002f:trace:seh:raise_exception  rax=0000000000000000 rbx=0000000000000cfc
rcx=000000000000000c rdx=0000000000000000
002f:trace:seh:raise_exception  rsi=0000000000727710 rdi=0000000000790330
rbp=0000000000790330 rsp=0000000000d4f920
002f:trace:seh:raise_exception   r8=0000000000000000  r9=0000000000000000
r10=0000000000000000 r11=0000000000000cfc
002f:trace:seh:raise_exception  r12=0000000000000000 r13=0000000000728dc0
r14=0000000000000000 r15=0000000000727710
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9b0
code=c0000096 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9b0 returned ffffffff

002f:trace:seh:raise_exception code=c0000096 flags=0 addr=0xd6126a ip=d6126a
tid=002f
002f:trace:seh:raise_exception  rax=0000000080000000 rbx=0000000000000cfc
rcx=0000000000100000 rdx=0000000000000cf8
002f:trace:seh:raise_exception  rsi=0000000000727710 rdi=0000000000790330
rbp=0000000000790330 rsp=0000000000d4f920
002f:trace:seh:raise_exception   r8=0000000000000000  r9=0000000000000000
r10=0000000000000000 r11=0000000000000cfc
002f:trace:seh:raise_exception  r12=0000000000000000 r13=0000000000728dc0
r14=0000000000000000 r15=0000000000727710
002f:trace:seh:call_vectored_handlers calling handler at 0x18000b9b0
code=c0000096 flags=0
002f:trace:seh:call_vectored_handlers handler at 0x18000b9b0 returned 0
...
wine: Unhandled privileged instruction at address 0000000000D6126A (thread
002f), starting debugger...
002f:trace:seh:start_debugger Starting debugger L"winedbg --auto 43 80" 
--- snip ---

The first one is the emulated 'cli', the second one is PCI_CONFIG_ADDRESS.

Disassembly of crash location:

--- snip ---
...
0000000000D61394  movzx   eax, word ptr [rsi+4]
0000000000D61398  movzx   r10d, byte ptr [rsi+2]
0000000000D6139D  movzx   r9d, byte ptr [rsi+1]
0000000000D613A2  movzx   edx, byte ptr [rsi]
0000000000D613A5  movzx   r11d, ax
0000000000D613A9  mov     ebx, 0CFCh
0000000000D613AE  and     r11w, 3
0000000000D613B3  add     r11w, bx
0000000000D613B7  cli                ; ok
0000000000D613B8  mov     ecx, eax
0000000000D613BA  mov     r8d, eax
0000000000D613BD  shr     ecx, 8
0000000000D613C0  and     r8d, 0FCh
0000000000D613C7  and     ecx, 0Fh
0000000000D613CA  sub     ecx, 0FFFFFF80h
0000000000D613CD  shl     ecx, 8
0000000000D613D0  add     ecx, edx
0000000000D613D2  lea     edx, [rbx-4]
0000000000D613D5  shl     ecx, 5
0000000000D613D8  add     ecx, r9d
0000000000D613DB  lea     eax, [r10+rcx*8]
0000000000D613DF  shl     eax, 8
0000000000D613E2  add     eax, r8d
0000000000D613E5  out     dx, eax   ; PCI_CONFIG_ADDRESS
                                    ; PCI Configuration Space Address Register
                                    ; bits   7..0: configuration space offset
                                    ; bits  10..8: function number
                                    ; bits 15..11: device number
                                    ; bits 23..16: bus number
0000000000D613E6  movzx   edx, r11w
0000000000D613EA  in      al, dx    ; PCI_CONFIG_DATA
0000000000D613EB  mov     [rsi+8], al
0000000000D613EE  sti               ; ok 
...
--- snip ---

Linux userspace lib/tools:

https://git.kernel.org/pub/scm/utils/pciutils/pciutils.git

$ wine --version
wine-5.6-193-g59987bc9ec

Regards
