[Bug 49290] New: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes on access to 'ComponentGlobals' out parameter, returned by 'wdfldr.sys.WdfVersionBind'

WineHQ Bugzilla wine-bugs at winehq.org
Fri May 29 13:12:31 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=49290

            Bug ID: 49290
           Summary: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes on
                    access to 'ComponentGlobals' out parameter, returned
                    by 'wdfldr.sys.WdfVersionBind'
           Product: Wine
           Version: 5.9
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

Continuation of bug 49193.

--- snip ---
$ WINEDEBUG=+seh,+relay,+int,+ntoskrnl,+ntdll,+reg wine net start "Denuvo Anti-Cheat" >>log.txt 2>&1
...
00d0:trace:seh:raise_exception  info[0]=0000000000000000
00d0:trace:seh:raise_exception  info[1]=0000000000000030
00d0:trace:seh:raise_exception  rax=0000000000000000 rbx=0000000000000000 rcx=5a6b5c4ad4f60000 rdx=0000000000000045
00d0:trace:seh:raise_exception  rsi=000000000078dfb8 rdi=000000000078de50 rbp=0000000000000000 rsp=0000000000b5f860
00d0:trace:seh:raise_exception   r8=0000000000000000  r9=0000000000b5ee22 r10=0000000000000000 r11=0000000000000000
00d0:trace:seh:raise_exception  r12=000000000078de50 r13=00007fffffea4000 r14=000000000078dfb8 r15=0000000000000000
00d0:trace:seh:call_vectored_handlers calling handler at 0x22d0a0 code=c0000005 flags=0
00d0:trace:seh:call_vectored_handlers handler at 0x22d0a0 returned 0
00d0:trace:seh:RtlVirtualUnwind type 1 rip c81116 rsp b5f860
00d0:trace:seh:dump_unwind_info **** func 1060-1182 
...
wine: Unhandled page fault on read access to 0000000000000030 at address 0000000000C81116 (thread 00d0), starting debugger...
--- snip ---

Driver disassembly, showing that it accesses a field/member of the opaque
'WDF_COMPONENT_GLOBALS' structure which is returned by WdfVersionBind():

--- snip ---
...
0000000140001104 | call denuvo-anti-cheat.14003AE20   |
0000000140001109 | cmp eax,ebp                        |
000000014000110B | mov ebx,eax                        |
000000014000110D | jl denuvo-anti-cheat.140001166     |
000000014000110F | mov rax,qword ptr ds:[1400AB9A8]   | ComponentGlobals
0000000140001116 | cmp byte ptr ds:[rax+30],bpl       | *boom*
000000014000111A | je denuvo-anti-cheat.140001140     |
000000014000111C | mov rax,qword ptr ds:[1400AB998]   |
0000000140001123 | cmp qword ptr ds:[rdi+68],rbp      |
0000000140001127 | cmovne rax,qword ptr ds:[rdi+68]   |
...
--- snip ---

Init/setup:

--- snip ---
...
000000014000108D | mov eax,208                        |
0000000140001092 | mov qword ptr ds:[1400AB9B0],rcx   |
0000000140001099 | lea rcx,qword ptr ds:[1400AB988]   |
00000001400010A0 | mov word ptr ds:[1400AB98A],ax     |
00000001400010A7 | lea rax,qword ptr ds:[1400AB9C0]   |
00000001400010AE | mov word ptr ds:[1400AB988],bp     |
00000001400010B5 | mov qword ptr ds:[1400AB990],rax   |
00000001400010BC | call qword ptr ds:[<&JMP.&RtlCopyUnicodeString>] |
00000001400010C2 | lea r9,qword ptr ds:[1400AB9A8]    | ComponentGlobals
00000001400010C9 | lea r8,qword ptr ds:[1400A7060]    | BindInfo
00000001400010D0 | lea rdx,qword ptr ds:[1400AB988]   | RegistryPath
00000001400010D7 | mov rcx,rdi                        | DriverObject
00000001400010DA | call denuvo-anti-cheat.14006F97A   | WdfVersionBind
00000001400010DF | cmp eax,ebp                        |
00000001400010E1 | jl denuvo-anti-cheat.14000116D     |
...
000000014006F97A | jmp qword ptr ds:[<&JMP.&WdfVersionBind>]        |
000000014006F980 | jmp qword ptr ds:[<&JMP.&WdfVersionBindClass>]   |
000000014006F986 | jmp qword ptr ds:[<&JMP.&WdfVersionUnbindClass>] |
000000014006F98C | jmp qword ptr ds:[<&JMP.&_purecall>]             |
--- snip ---

https://github.com/microsoft/Windows-Driver-Frameworks/blob/master/src/framework/shared/inc/private/common/fxldr.h#L294

--- snip ---
//-----------------------------------------------------------------------------
// WDFLDR.SYS exported function prototype definitions
//-----------------------------------------------------------------------------
_Must_inspect_result_
NTSTATUS
WdfVersionBind(
    __in    PDRIVER_OBJECT DriverObject,
    __in    PUNICODE_STRING RegistryPath,
    __inout PWDF_BIND_INFO BindInfo,
    __out   PWDF_COMPONENT_GLOBALS* ComponentGlobals
);
--- snip ---

$ wine --version
wine-5.9-162-gcb67fb39ff

Regards
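
An added illustration of the WdfVersionBind contract the crash hinges on (my own example, not code from the bug report, Wine or the WDF sources): the register dump shows rax=0 at the faulting cmp, so the byte read at [rax+30] lands on address 0x30, i.e. the driver dereferences a ComponentGlobals out pointer that was never filled in. The WDF_COMPONENT_GLOBALS size, the two loader stubs and all function names are assumptions.

```c
/* Added example, not code from the bug report, Wine or the WDF sources: models the
 * WdfVersionBind out-parameter contract. Struct size, stub names and behaviour are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS       0L
#define STATUS_UNSUCCESSFUL (-1L)   /* any negative status takes the driver's "jl" exit */
#define GLOBALS_FIELD_OFFSET 0x30   /* offset read by "cmp byte ptr [rax+30],bpl" */

/* Opaque to the driver; only the size matters here, and 0x40 is assumed. */
typedef struct { unsigned char opaque[0x40]; } WDF_COMPONENT_GLOBALS, *PWDF_COMPONENT_GLOBALS;
typedef NTSTATUS (*bind_fn)(PWDF_COMPONENT_GLOBALS *ComponentGlobals);

/* Loader stub that reports success but never writes the __out parameter. */
NTSTATUS WdfVersionBind_leaves_out_param(PWDF_COMPONENT_GLOBALS *ComponentGlobals)
{
    (void)ComponentGlobals;
    return STATUS_SUCCESS;
}

/* Loader stub honouring the contract: success means *ComponentGlobals is usable. */
NTSTATUS WdfVersionBind_fills_out_param(PWDF_COMPONENT_GLOBALS *ComponentGlobals)
{
    PWDF_COMPONENT_GLOBALS g = calloc(1, sizeof *g);
    if (!g) return STATUS_UNSUCCESSFUL;
    *ComponentGlobals = g;
    return STATUS_SUCCESS;
}

/* Driver init path as in the disassembly: bind, bail only on a negative status, then
 * read +0x30 unconditionally. Returns the address that read targets, 0 if skipped. */
uintptr_t driver_init_model(bind_fn bind)
{
    PWDF_COMPONENT_GLOBALS globals = NULL;  /* the zero-initialised .data slot */
    if (bind(&globals) < 0) return 0;
    uintptr_t read_addr = (uintptr_t)globals + GLOBALS_FIELD_OFFSET;  /* 0x30 if NULL */
    if (globals) {                          /* guard the real driver does not have */
        (void)*((volatile unsigned char *)globals + GLOBALS_FIELD_OFFSET);
        free(globals);
    }
    return read_addr;
}

int main(void)
{
    printf("out param left NULL: driver reads %#lx\n",
           (unsigned long)driver_init_model(WdfVersionBind_leaves_out_param));
    return 0;
}
```

With the first stub the modelled read address is exactly the 0x30 reported in the Wine page-fault line; with the second it is a valid heap address.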
