[Bug 48798] RegCloseKey: Uninitialized read from get_language_sort

Tue Mar 24 13:13:30 CDT 2020

https://bugs.winehq.org/show_bug.cgi?id=48798

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
    Regression SHA1|                            |b780e5f5b1bd018629bfa31431e
                   |                            |216c7579fe9aa
                 CC|                            |focht at gmx.net
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW
           Keywords|                            |regression

--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

I was about to create a bug report myself since I encountered weird app/game
crashes and traced it back to this problem. Didn't find it via Bugzilla
regression sha1 search but fortunately 'get_language_sort' showed up in bug
list while typing the summary ;-)

Encountered while checking bug 38741 ("Assetto Corsa (Steam) Launcher (.NET 4.0
app) crashes on startup")

Prerequisite: 'winetricks -q dotnet40'

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Games/Assetto Corsa

$ WINEDEBUG=+seh,+relay,+wincodecs,+reg,+server wine
./AssettoCorsa_Launcher.exe >>log_server.txt 2>&1
...
002d:Call
windowscodecs.IWICImagingFactory_CreateDecoderFromStream_Proxy(0533311c,05332848,0032eb68,00000000,0032eb78)
ret=15b83331
002d:trace:wincodecs:ImagingFactory_CreateDecoderFromStream
(0x5333118,0x5332848,{f0e749ca-edef-4589-a73a-ee0e626a2a2b},0,0x32eb78)
002d:Call advapi32.RegOpenKeyExW(80000000,78fbe7dc
L"CLSID",00000000,00020019,0032e8a0) ret=78f6a7b0
002d:Call ntdll.RtlInitUnicodeString(0032e7ec,78fbe7dc L"CLSID") ret=7b0325a9
002d:Ret  ntdll.RtlInitUnicodeString() retval=0000000c ret=7b0325a9
002d:Call ntdll.NtOpenKeyEx(0032e8a0,00020019,0032e7f4,00000000) ret=7b0325cb
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000,
name=L"CLSID" )
002d: open_key() = 0 { hkey=003c }
002d:trace:reg:open_key <- 0x3c
002d:Ret  ntdll.NtOpenKeyEx() retval=00000000 ret=7b0325cb
002d:Call ntdll.RtlNtStatusToDosError(00000000) ret=7b0325d2
002d:Ret  ntdll.RtlNtStatusToDosError() retval=00000000 ret=7b0325d2
002d:Ret  advapi32.RegOpenKeyExW() retval=00000000 ret=78f6a7b0 
...
002d:Call windowscodecs.WICCreateImagingFactory_Proxy(00000236,0dfe6090)
ret=15b83010
002d:trace:wincodecs:WICCreateImagingFactory_Proxy 236, 0xdfe6090
002d:trace:wincodecs:ImagingFactory_CreateInstance
({ec5ec8a9-c395-4314-9c77-54d7a935ff70},0xdfe6090)
002d:Call ntdll.RtlAllocateHeap(00110000,00000000,0000000c) ret=78f64726
002d:Ret  ntdll.RtlAllocateHeap() retval=0532d320 ret=78f64726
002d:trace:wincodecs:ImagingFactory_QueryInterface
(0x532d320,{ec5ec8a9-c395-4314-9c77-54d7a935ff70},0xdfe6090)
002d:trace:wincodecs:ImagingFactory_AddRef (0x532d320) refcount=2
002d:trace:wincodecs:ImagingFactory_Release (0x532d320) refcount=1
002d:Ret  windowscodecs.WICCreateImagingFactory_Proxy() retval=00000000
ret=15b83010
002d:Call
windowscodecs.IWICImagingFactory_CreateDecoderFromStream_Proxy(0532d324,05352598,0032eb68,00000000,0032eb78)
ret=15b83331
002d:trace:wincodecs:ImagingFactory_CreateDecoderFromStream
(0x532d320,0x5352598,{f0e749ca-edef-4589-a73a-ee0e626a2a2b},0,0x32eb78)
002d:Call advapi32.RegOpenKeyExW(80000000,78fbe7dc
L"CLSID",00000000,00020019,0032e8a0) ret=78f6a7b0
002d:Call ntdll.RtlInitUnicodeString(0032e7ec,78fbe7dc L"CLSID") ret=7b0325a9
002d:Ret  ntdll.RtlInitUnicodeString() retval=0000000c ret=7b0325a9
002d:Call ntdll.NtOpenKeyEx(0032e8a0,00020019,0032e7f4,00000000) ret=7b0325cb
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000,
name=L"CLSID" )
002d: open_key() = INVALID_HANDLE { hkey=0000 }
002d:trace:reg:open_key <- (nil)
002d:Ret  ntdll.NtOpenKeyEx() retval=c0000008 ret=7b0325cb
002d:Call ntdll.RtlNtStatusToDosError(c0000008) ret=7b0325d2
002d:Ret  ntdll.RtlNtStatusToDosError() retval=00000006 ret=7b0325d2
002d:Ret  advapi32.RegOpenKeyExW() retval=00000006 ret=78f6a7b0
002d:Call advapi32.RegOpenKeyExW(80000000,78fbe7dc
L"CLSID",00000000,00020019,0032e8a0) ret=78f6a7b0
002d:Call ntdll.RtlInitUnicodeString(0032e7ec,78fbe7dc L"CLSID") ret=7b0325a9
002d:Ret  ntdll.RtlInitUnicodeString() retval=0000000c ret=7b0325a9
002d:Call ntdll.NtOpenKeyEx(0032e8a0,00020019,0032e7f4,00000000) ret=7b0325cb
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000,
name=L"CLSID" )
002d: open_key() = INVALID_HANDLE { hkey=0000 }
002d:trace:reg:open_key <- (nil)
002d:Ret  ntdll.NtOpenKeyEx() retval=c0000008 ret=7b0325cb
002d:Call ntdll.RtlNtStatusToDosError(c0000008) ret=7b0325d2
002d:Ret  ntdll.RtlNtStatusToDosError() retval=00000006 ret=7b0325d2
002d:Ret  advapi32.RegOpenKeyExW() retval=00000006 ret=78f6a7b0
002d:warn:wincodecs:ImagingFactory_CreateDecoderFromStream failed to load from
a stream 0x80070006
002d:trace:wincodecs:IWICStreamImpl_Seek (0x5352598, 0, 0, (nil))
002d:trace:wincodecs:StreamOnMemory_Seek (0x534ff48, 0, 0, (nil))
002d:trace:wincodecs:IWICStreamImpl_Read (0x5352598, 0x32e9cc, 4, 0x32e9c8)
002d:trace:wincodecs:StreamOnMemory_Read (0x534ff48, 0x32e9cc, 4, 0x32e9c8)
002d:warn:wincodecs:ImagingFactory_CreateDecoderFromStream first 4 bytes of
stream=89 50 4e 47
002d:Ret  windowscodecs.IWICImagingFactory_CreateDecoderFromStream_Proxy()
retval=80070006 ret=15b83331 
...
System.Windows.Markup.XamlParseException: Provide value on
'System.Windows.Baml2006.TypeConverterMarkupExtension' threw an exception. --->
System.Runtime.InteropServices.COMException: Invalid handle. (Exception from
HRESULT: 0x80070006 (E_HANDLE))
   at
System.Windows.Media.Imaging.BitmapDecoder.SetupDecoderFromUriOrStream(Uri uri,
Stream stream, BitmapCacheOption cacheOption, Guid& clsId, Boolean&
isOriginalWritable, Stream& uriStream, UnmanagedMemoryStream&
unmanagedMemoryStream, SafeFileHandle& safeFilehandle)
   at System.Windows.Media.Imaging.BitmapDecoder.CreateFromUriOrStream(Uri
baseUri, Uri uri, Stream stream, BitmapCreateOptions createOptions,
BitmapCacheOption cacheOption, RequestCachePolicy uriCachePolicy, Boolean
insertInDecoderCache)
   at System.Windows.Media.Imaging.BitmapFrame.CreateFromUriOrStream(Uri
baseUri, Uri uri, Stream stream, BitmapCreateOptions createOptions,
BitmapCacheOption cacheOption, RequestCachePolicy uriCachePolicy)
   at
System.Windows.Media.ImageSourceConverter.ConvertFrom(ITypeDescriptorContext
context, CultureInfo culture, Object value)
   at
System.Windows.Baml2006.TypeConverterMarkupExtension.ProvideValue(IServiceProvider
serviceProvider)
   at
MS.Internal.Xaml.Runtime.ClrObjectRuntime.CallProvideValue(MarkupExtension me,
IServiceProvider serviceProvider)
   --- End of inner exception stack trace ---
   at System.Windows.Markup.XamlReader.RewrapException(Exception e,
IXamlLineInfo lineInfo, Uri baseUri)
   at System.Windows.Markup.WpfXamlLoader.Load(XamlReader xamlReader,
IXamlObjectWriterFactory writerFactory, Boolean skipJournaledProperties, Object
rootObject, XamlObjectWriterSettings settings, Uri baseUri)
   at System.Windows.Markup.WpfXamlLoader.LoadBaml(XamlReader xamlReader,
Boolean skipJournaledProperties, Object rootObject, XamlAccessLevel
accessLevel, Uri baseUri)
   at System.Windows.Markup.XamlReader.LoadBaml(Stream stream, ParserContext
parserContext, Object parent, Boolean closeStream)
   at System.Windows.Application.LoadComponent(Object component, Uri
resourceLocator)
   at AC.Launcher.MainWindow.InitializeComponent()
   at AC.Launcher.MainWindow..ctor(Boolean softwaremode)
   at AC.Launcher.Startup.Main(String[] args)
--- snip ---

Why would such thing fail on wineserver side:

--- snip ---
002d:trace:reg:open_key (0x24,L"CLSID",20019,0x32e8a0)
002d: open_key( parent=0024, access=00020019, attributes=00000000,
name=L"CLSID" )
002d: open_key() = INVALID_HANDLE { hkey=0000 }
002d:trace:reg:open_key <- (nil)
--- snip ---

Going back in time and find this:

--- snip ---
002d:Call KERNEL32.LCMapStringEx(01941620 L"",00000100,01a3a37c
L"0",00000001,01a3a38c,00000001,00000000,00000000,00000000) ret=7916d04d
002d:Call ntdll.memcmp(7b059070,00aa05d4,00000010) ret=7b01fc72
002d:Ret  ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa0328,00000010) ret=7b01fc72
002d:Ret  ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa01c0,00000010) ret=7b01fc72
002d:Ret  ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa010c,00000010) ret=7b01fc72
002d:Ret  ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa00c4,00000010) ret=7b01fc72
002d:Ret  ntdll.memcmp() retval=ffffffff ret=7b01fc72
002d:Call ntdll.memcmp(7b059070,00aa00a0,00000010) ret=7b01fc72
002d:Ret  ntdll.memcmp() retval=00000000 ret=7b01fc72
002d:Call ntdll.NtClose(05002f2b) ret=7b033207
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
002d:Ret  ntdll.NtClose() retval=c0000008 ret=7b033207
002d:Call ntdll.RtlNtStatusToDosError(c0000008) ret=7b03320e
002d:Ret  ntdll.RtlNtStatusToDosError() retval=00000006 ret=7b03320e
002d:Ret  KERNEL32.LCMapStringEx() retval=00000001 ret=7916d04d 
--- snip ---

Yikes. Taking random data and pass it to NtClose().
What could possibly go wrong. Many things ;-)

--- snip ---
$ egrep -B1 "002d:.*close_handle\(\) = INVALID_HANDLE.*" log_server.txt

002d: close_handle( handle=a99830 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1302 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1302 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32c6b8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32c6a8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=7bce8a74 )
002d: close_handle() = INVALID_HANDLE
--
...
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32ebb4 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1991ac8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32e8b8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=79142ec3 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=5002f2b )
002d: close_handle() = INVALID_HANDLE
--
...
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=003f )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=32e8b8 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=79142ec3 )
002d: close_handle() = INVALID_HANDLE
--
002d: close_handle( handle=1611658 )
002d: close_handle() = INVALID_HANDLE
--- snip ---

Regression introduced by
https://source.winehq.org/git/wine.git/commitdiff/b780e5f5b1bd018629bfa31431e216c7579fe9aa
("kernelbase: Use linguistic case table for LCMAP_LINGUISTIC_CASING.")

https://source.winehq.org/git/wine.git/blob/84cca2baae23c6afa0c8070f5009fdcfa218e039:/dlls/kernelbase/locale.c#l655

--- snip ---
 655 static const struct sortguid *get_language_sort( const WCHAR *locale )
 656 {
 657     WCHAR *p, *end, buffer[LOCALE_NAME_MAX_LENGTH], guidstr[39];
 658     const struct sortguid *ret;
 659     UNICODE_STRING str;
 660     GUID guid;
 661     HKEY key;
 662     DWORD size, type;
 663 
 664     if (locale == LOCALE_NAME_USER_DEFAULT)
 665     {
 666         if (current_locale_sort) return current_locale_sort;
 667         GetUserDefaultLocaleName( buffer, ARRAY_SIZE( buffer ));
 668     }
 669     else lstrcpynW( buffer, locale, LOCALE_NAME_MAX_LENGTH );
 670 
 671     if (buffer[0] && !RegOpenKeyExW( nls_key, L"Sorting\\Ids", 0,
KEY_READ, &key ))
 672     {
 673         for (;;)
 674         {
 675             size = sizeof(guidstr);
 676             if (!RegQueryValueExW( key, buffer, NULL, &type, (BYTE
*)guidstr, &size ) && type == REG_SZ)
 677             {
 678                 RtlInitUnicodeString( &str, guidstr );
 679                 if (!RtlGUIDFromString( &str, &guid ))
 680                 {
 681                     ret = find_sortguid( &guid );
 682                     goto done;
 683                 }
 684                 break;
 685             }
 686             for (p = end = buffer; *p; p++) if (*p == '-' || *p == '_')
end = p;
 687             if (end == buffer) break;
 688             *end = 0;
 689         }
 690     }
 691     ret = find_sortguid( &default_sort_guid );
 692 done:
 693     RegCloseKey( key );
 694     return ret;
 695 }
--- snip ---

Ideally we want to fix this ASAP, before the next Wine 5.5 release!
Otherwise expect quite a number of bug reports with all kinds of weird
crashes/app/game behaviour.

$ wine --version
wine-5.4-255-g00e55c8fc0

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.