[Bug 39570] Multiple application crash handlers fail to load symbol information using 'dbghelp.SymLoadModule64', reporting 'dbghelp:validate_addr64 Unsupported address 0xfffffffffxxxxxxx'

WineHQ Bugzilla wine-bugs at winehq.org
Tue Apr 28 18:14:21 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=39570

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://web.archive.org/web/20141116142554/http://web.mit.edu/gambit/summer12/speedoflight/A_Slower_Speed_of_Light.zip
           Keywords|                            |download

--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

revisiting, still present. Lots of time has passed since the initial report and
many bugs have been fixed which triggered app crash handlers. There is always
some way - by using a fault injection technique.

Taking the game from bug 32237 as an example.

https://web.archive.org/web/20141116142554/http://web.mit.edu/gambit/summer12/speedoflight/A_Slower_Speed_of_Light.zip

Requirements to fulfil:

* app crash handler is registered
* at least one (builtin) module loaded into the > 2GB range

--- snip ---
Base     Module                      
...
00400000 a slower speed of light.exe 
00D50000 rpcrt4.dll                  
00EA0000 shcore.dll                  
00ED0000 ole32.dll                   
01230000 winmm.dll                   
01350000 msacm32.dll                 
01390000 oleaut32.dll                
015F0000 imm32.dll                   
01620000 hid.dll                     
01640000 wsock32.dll                 
05E20000 mono.dll                    
06040000 psapi.dll                   
06050000 mswsock.dll                 
09130000 d3d9.dll                    
10000000 setupapi.dll                
7A840000 opengl32.dll                
7B000000 kernelbase.dll              
7B420000 kernel32.dll                
7BC30000 ntdll.dll                   
7DA60000 iphlpapi.dll                
7DAB0000 netapi32.dll                
7DAF0000 dnsapi.dll                  
7DB40000 shell32.dll                 
7E540000 gdi32.dll                   
7E680000 advapi32.dll                
7E720000 ucrtbase.dll                
7E830000 user32.dll                  
7EFD0000 ws2_32.dll                  
F75A0000 wined3d.dll <--- suitable            
F7B20000 winex11.drv <--- suitable   
--- snip ---

Find suitable place for fault injection:

--- snip ---
006A4780 | 55            | push ebp                            |
006A4781 | 8BEC          | mov ebp,esp                         |
006A4783 | 8B45 08       | mov eax,dword ptr ss:[ebp+8]        |
006A4786 | 83EC 10       | sub esp,10                          |
006A4789 | 56            | push esi                            |
006A478A | 68 C816B800   | push a slower speed of light.B816C8 |
006A478F | A3 C06DC600   | mov dword ptr ds:[C66DC0],eax       |
006A4794 | FF15 6453B200 | call dword ptr ds:[B25364]          | load D3D9.dll
006A479A | 33F6          | xor esi,esi                         |
006A479C | A3 186EC600   | mov dword ptr ds:[C66E18],eax       | lets die here
006A47A1 | 3BC6          | cmp eax,esi                         |
006A47A3 | 75 14         | jne a slower speed of light.6A47B9  |
006A47A5 | 68 B016B800   | push a slower speed of light.B816B0 |
006A47AA | E8 E127F6FF   | call a slower speed of light.606F90 |
006A47AF | 83C4 04       | add esp,4                           |
006A47B2 | 32C0          | xor al,al                           |
006A47B4 | 5E            | pop esi                             |
006A47B5 | 8BE5          | mov esp,ebp                         |
006A47B7 | 5D            | pop ebp                             |
006A47B8 | C3            | ret                                 |
--- snip ---

D3D9.dll -> wined3d = target

Trigger NULL pointer access by patching the game binary:

--- snip ---
006A479C | A3 00000000    | mov dword ptr ds:[0],eax
--- snip ---

--- snip ---
$ pwd
/home/focht/Downloads/A Slower Speed of Light

# backup
$ mv 'A Slower Speed of Light.exe' 'A Slower Speed of Light.exe.bak'

$ printf '\x00\x00\x00' | \
    dd of='A Slower Speed of Light.exe' bs=1 seek=2767774 count=3 conv=notrunc
--- snip ---

Run the game:

--- snip ---
$ WINEDEBUG=+seh,+loaddll,+dbghelp wine ./A\ Slower\ Speed\ of\ Light.exe
...
00b0:trace:loaddll:load_so_dll Loaded L"C:\\windows\\system32\\wined3d.dll" at 0xf75a0000: builtin
00b0:trace:loaddll:load_native_dll Loaded L"C:\\windows\\system32\\d3d9.dll" at 0x9130000: PE builtin
00b0:trace:seh:raise_exception code=c0000005 flags=0 addr=0x6a479c ip=006a479c tid=00b0
00b0:trace:seh:raise_exception  info[0]=00000001
00b0:trace:seh:raise_exception  info[1]=00000018
00b0:trace:seh:raise_exception  eax=09130000 ebx=01e073e8 ecx=0911fc90 edx=7bc7f9b9 esi=00000000 edi=00000000
00b0:trace:seh:raise_exception  ebp=0911ff0c esp=0911fef8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
00b0:trace:seh:call_stack_handlers calling handler at 0x7bcd7650 code=c0000005 flags=0
00b0:trace:loaddll:load_native_dll Loaded L"C:\\windows\\system32\\dbghelp.dll" at 0x9260000: PE builtin
00b0:trace:dbghelp:SymInitializeW (FFFFFFFF L".;Z:\\home\\focht\\Downloads\\A Slower Speed of Light;Z:\\home\\focht\\Downloads\\A Slower Speed of Light;C:\\windows;C:\\windows\\system32;SRV*c:\\websymbols*http://msdl.microsoft.com/download/symbols;" 0)
00b0:trace:dbghelp:check_live_target got debug info address 0x7c000000 from PEB 7FFDF000
00b0:trace:dbghelp:get_wine_loader_name returning L"wine"
00b0:trace:dbghelp:elf_load_file Processing elf file 'L"wine"' at 7c000000
00b0:trace:dbghelp:get_wine_loader_name returning L"wine"
00b0:trace:dbghelp:pcs_callback 01B82C10 8 0911D7F8
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "Z:\\home\\focht\\Downloads\\A Slower Speed of Light\\A Slower Speed of Light.exe" "A Slower Speed of Light.exe" 400000 00945000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"Z:\\home\\focht\\Downloads\\A Slower Speed of Light\\A Slower Speed of Light.exe" L"A Slower Speed of Light.exe" 400000 00945000 00000000 00000000)
00b0:warn:dbghelp:module_is_container_loaded Couldn't find container for L"Z:\\home\\focht\\Downloads\\A Slower Speed of Light\\A Slower Speed of Light.exe"
00b0:trace:dbghelp:module_new => PE 400000-d45000 L"Z:\\home\\focht\\Downloads\\A Slower Speed of Light\\A Slower Speed of Light.exe"
00b0:trace:dbghelp:pe_load_stabs failed to load the STABS debug info
00b0:trace:dbghelp:pe_load_dwarf failed to load the DWARF debug info
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 1640000 0911D228
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "C:\\windows\\system32\\winex11.drv" "winex11.drv" fffffffff7b30000 00090000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"C:\\windows\\system32\\winex11.drv" L"winex11.drv" fffffffff7b30000 00090000 00000000 00000000)
...
00b0:fixme:dbghelp:validate_addr64 Unsupported address fffffffff7b30000
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF fffffffff7b30000 0911D228
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 6050000 0911D228
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "C:\\windows\\system32\\d3d9.dll" "d3d9.dll" 9130000 0010b000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"C:\\windows\\system32\\d3d9.dll" L"d3d9.dll" 9130000 0010b000 00000000 00000000)
00b0:warn:dbghelp:module_is_container_loaded Couldn't find container for L"C:\\windows\\system32\\d3d9.dll"
00b0:trace:dbghelp:module_new => PE 9130000-923b000 L"C:\\windows\\system32\\d3d9.dll"
00b0:trace:dbghelp:pe_load_stabs failed to load the STABS debug info
00b0:trace:dbghelp:pe_load_dwarf failed to load the DWARF debug info
00b0:trace:dbghelp:path_find_symbol_file (pcs = 01B82C10, full_path = "/home/focht/projects/wine/mainline-build-i686/dlls/d3d9/d3d9.pdb", guid = {9642e7fd-fb42-11c6-4c4c-44205044422e}, dw1 = 0x00000000, dw2 = 0x00000001, buffer = 0911E3C8)
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 9130000 0911D228
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "C:\\windows\\system32\\wined3d.dll" "wined3d.dll" fffffffff75a0000 00160000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"C:\\windows\\system32\\wined3d.dll" L"wined3d.dll" fffffffff75a0000 00160000 00000000 00000000)
...
00b0:fixme:dbghelp:validate_addr64 Unsupported address fffffffff75a0000
...
00b0:trace:dbghelp:SymGetLineFromAddr64 FFFFFFFF 0 0911DD98 0911F808
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 0 0911A598
00b0:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc56ae5 ip=7bc56ae5 tid=00b0
00b0:trace:seh:raise_exception  info[0]=00000000
00b0:trace:seh:raise_exception  info[1]=00000014
00b0:trace:seh:raise_exception  eax=00000000 ebx=00000000 ecx=0911c244 edx=00000003 esi=00000000 edi=00000000
00b0:trace:seh:raise_exception  ebp=0911c238 esp=0911c220 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
00b0:trace:seh:call_stack_handlers calling handler at 0x7bcb25d0 code=c0000005 flags=0
00b0:trace:seh:call_stack_handlers handler at 0x7bcb25d0 returned 2
00b0:trace:seh:call_stack_handlers calling handler at 0x7bcd7650 code=c0000005 flags=10
00b0:trace:seh:call_stack_handlers handler at 0x7bcd7650 returned 1
00b0:err:seh:raise_exception Unhandled exception code c0000005 flags 0 addr 0x7bc56ae5
--- snip ---

There is actually another fault in Wine code itself during the walk, but that's a
different issue.

$ sha1sum A_Slower_Speed_of_Light.zip 
f722493dd3afc6475500cc296d36f38d824a0d7d  A_Slower_Speed_of_Light.zip

$ du -sh A_Slower_Speed_of_Light.zip 
99M    A_Slower_Speed_of_Light.zip

$ wine --version
wine-5.7-97-g7ccc45f754

Regards

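The values in the trace point at the mechanism behind the failure: the builtin modules that loaddll placed above 2GB (wined3d at 0xf75a0000, winex11 at 0xf7b30000) reach SymLoadModuleEx as fffffffff75a0000 and fffffffff7b30000, which is exactly what a 32-bit base with bit 31 set becomes when it is widened to a DWORD64 through a signed 32-bit integer, and which dbghelp's address check then rejects. The C program below is an added illustration of that widening and of a triage check for such logged values; it is not code from the bug report, from the game's crash handler, or from Wine's dbghelp. The widening functions, the validate_addr64 stand-in, and the three-entry module table are assumptions modelled on the trace output, not the handler's actual source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows-style fixed-width types, defined locally so the example builds
 * outside Wine/MinGW. */
typedef uint32_t DWORD;
typedef uint64_t DWORD64;

/* Module bases taken from the +loaddll/+dbghelp trace (constructed table,
 * only the three modules needed for the demonstration). */
struct module { const char *name; DWORD base; };
static const struct module modules[] = {
    { "d3d9.dll",    0x09130000u },  /* below 2GB: widens cleanly either way  */
    { "wined3d.dll", 0xF75A0000u },  /* above 2GB: the "suitable" target      */
    { "winex11.drv", 0xF7B30000u },  /* above 2GB: logged as fffffffff7b30000 */
};
#define NUM_MODULES (sizeof(modules) / sizeof(modules[0]))

/* Assumed shape of the defect: a 32-bit crash handler passes the module
 * base to the DWORD64 parameter of SymLoadModule64 via a signed 32-bit
 * integer, so any base with bit 31 set (the > 2GB range) is sign-extended
 * and picks up 0xffffffff in the high half. */
static DWORD64 widen_via_signed(DWORD base)
{
    int32_t as_signed = (int32_t)base;      /* two's complement reinterpretation */
    return (DWORD64)(int64_t)as_signed;     /* sign-extended to 64 bits          */
}

/* The correct widening: zero-extend the unsigned 32-bit base. */
static DWORD64 widen_unsigned(DWORD base)
{
    return (DWORD64)base;
}

/* Stand-in (assumed shape) for dbghelp's check on a 32-bit target: anything
 * with bits above 31 set is rejected, which is the
 * "validate_addr64 Unsupported address" fixme seen in the log. */
static bool validate_addr64(DWORD64 addr)
{
    if (addr >> 32) {
        printf("fixme:dbghelp:validate_addr64 Unsupported address %016llx\n",
               (unsigned long long)addr);
        return false;
    }
    return true;
}

/* Triage helper for a logged 64-bit value: true when it is a 32-bit address
 * with bit 31 set whose high half is all ones, i.e. a sign-extension artifact
 * rather than a genuine 64-bit address. */
static bool is_sign_extended32(DWORD64 logged)
{
    return (logged >> 32) == 0xFFFFFFFFu && (logged & 0x80000000u) != 0;
}

/* Recover the 32-bit base the handler started from. */
static DWORD original_base32(DWORD64 logged)
{
    return (DWORD)(logged & 0xFFFFFFFFu);
}

/* Count how many table entries validate_addr64 rejects for each widening. */
static int count_rejected(bool via_signed)
{
    int rejected = 0;
    for (size_t i = 0; i < NUM_MODULES; i++) {
        DWORD64 addr = via_signed ? widen_via_signed(modules[i].base)
                                  : widen_unsigned(modules[i].base);
        if (!validate_addr64(addr)) {
            printf("  %s (base %08x) rejected\n", modules[i].name, modules[i].base);
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    printf("sign-extended widening:\n");
    printf("  rejects %d of %d modules\n", count_rejected(true), (int)NUM_MODULES);
    printf("zero-extended widening:\n");
    printf("  rejects %d of %d modules\n", count_rejected(false), (int)NUM_MODULES);
    return 0;
}
```

The two modules above 2GB are rejected only under the signed widening; with a zero-extended base every entry passes the check, which is why the reproducer needs at least one builtin module loaded in that range. The `is_sign_extended32` test is a quick way to tell, from a trace line alone, whether an "Unsupported address" value is a real 64-bit address or a sign-extended 32-bit one.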