[Bug 50791] New: NtQueryObject( ..., ObjectBasicInformation, NULL, 0, &retLen) returns incorrect NTSTATUS error code when querying for buffer size

WineHQ Bugzilla wine-bugs at winehq.org
Thu Mar 11 05:20:32 CST 2021


https://bugs.winehq.org/show_bug.cgi?id=50791

            Bug ID: 50791
           Summary: NtQueryObject( ..., ObjectBasicInformation, NULL, 0,
                    &retLen) returns incorrect NTSTATUS error code when
                    querying for buffer size
           Product: Wine
           Version: 6.3
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

Found while testing the 'EditSection' tool from Google's
sandbox-attacksurface-analysis-tools v1.1.x, which fails to list sections.
Follow-up to bug 45132.

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntdll,+server wine ./EditSection.exe >>log.txt 2>&1
...
0024:Call ntdll.NtQuerySystemInformation(00000005,001fb320,00002228,0033eae4)
ret=05a0be37
0024:trace:ntdll:NtQuerySystemInformation
(0x00000005,0x1fb320,0x00002228,0x33eae4)
0024: list_processes( )
0024: list_processes() = 0 { info_size=2024, process_count=9,
data={{start_time=1d7165dcc491236
(-5.4284020),thread_count=3,priority=2,pid=0020,parent_pid=0000,handle_count=256,unix_pid=293760,name=L"\\??\\Z:\\home\\focht\\Downloads\\commonobj\\EditSection.exe",threads={{start_time=1d7165dcbd1a2be
(-6.2111340),tid=0024,base_priority=0,current_priority=0,unix_tid=293760},{start_time=1d7165dcc64cd1e
(-5.2466700),tid=00fc,base_priority=0,current_priority=0,unix_tid=293825},{start_time=1d7165dcc65c214
(-5.2403990),tid=0100,base_priority=2,current_priority=2,unix_tid=293826}}},{start_time=1d7165dcbdadb18
(-6.1507090),thread_count=9,priority=2,pid=0038,parent_pid=0028,handle_count=128,unix_pid=293768,name=L"\\??\\C:\\windows\\system32\\services.exe",threads={{start_time=1d7165dcbd96030
(-6.1604090),tid=003c,base_priority=0,current_priority=0,unix_tid=293768},
...
{start_time=1d7165dcc4b8b06
(-5.4122020),thread_count=1,priority=2,pid=00f4,parent_pid=0020,handle_count=32,unix_pid=293824,name=L"\\??\\C:\\windows\\system32\\conhost.exe",threads={{start_time=1d7165dcc4a8198
(-5.4189970),tid=00f8,base_priority=0,current_priority=0,unix_tid=293824}}}} }
0024:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=05a0be37 
...
0024:Call ntdll.NtOpenProcess(0033eccc,00001040,0033ec60,01e2d450) ret=05a0cc71
0024: open_process( pid=0020, access=00001040, attributes=00000000 )
0024: open_process() = 0 { handle=01cc }
0024:Ret  ntdll.NtOpenProcess() retval=00000000 ret=05a0cc71 
...
0024:Call ntdll.NtQueryObject(000001cc,00000000,00000000,00000000,0033ebc4)
ret=05a00b58
0024:Ret  ntdll.NtQueryObject() retval=c0000206 ret=05a00b58
0024:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0033eaa0)
ret=013b48c7
0024:Call ntdll.memcpy(0033e9b8,0033eaa0,00000014) ret=7b0101c8
0024:Ret  ntdll.memcpy() retval=0033e9b8 ret=7b0101c8
0024:trace:seh:dispatch_exception code=e0434352 flags=1 addr=7B0101D8
ip=7b0101d8 tid=0024
0024:trace:seh:dispatch_exception  info[0]=80131600
0024:trace:seh:dispatch_exception  info[1]=00000000
0024:trace:seh:dispatch_exception  info[2]=00000000
0024:trace:seh:dispatch_exception  info[3]=00000000
0024:trace:seh:dispatch_exception  info[4]=01290000
0024:warn:seh:dispatch_exception unknown exception (code=e0434352) raised
0024:trace:seh:dispatch_exception  eax=0033e9a4 ebx=00000005 ecx=0033eaa0
edx=00000014 esi=00000005 edi=0033ea10
0024:trace:seh:dispatch_exception  ebp=0033e9f8 esp=0033e9a4 cs=7bc50023
ds=33002b es=7bc3002b fs=330063 gs=006b flags=00000212
0024:trace:seh:call_vectored_handlers calling handler at 01431BEA code=e0434352
flags=1 
--- snip ---

The NTSTATUS code 0xc0000206 = STATUS_INVALID_BUFFER_SIZE is unexpected for the
app: its size-probing helper (quoted below) only treats STATUS_BUFFER_TOO_SMALL
and STATUS_INFO_LENGTH_MISMATCH as "buffer too small, retry with the returned
length"; any other status is converted into an error, which is the exception
raised immediately after the NtQueryObject call in the log above. Note also
that Wine's ObjectBasicInformation case rejects the zero-length probe before
the server call and only sets *used_len on success, so the caller never learns
the required buffer size either.

App source code:

https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/341923290548c5f06238e4c5e12c4f7cbfd201f5/NtApiDotNet/NtObject.cs#L51

--- snip ---
...
        /// <summary>
        /// Queries information of class <paramref name="object_info"/> for
        /// <paramref name="handle"/> in two steps: a zero-length probe to learn the
        /// required size, then the real NtQueryObject call into a buffer of that size.
        /// </summary>
        /// <param name="handle">Kernel object handle to query.</param>
        /// <param name="object_info">Information class passed to NtQueryObject.</param>
        /// <param name="throw_on_error">When true a failing NTSTATUS is thrown as an
        /// exception instead of being returned inside the result.</param>
        /// <returns>The filled buffer on success; otherwise an error result (or an
        /// exception, depending on <paramref name="throw_on_error"/>).</returns>
        private static NtResult<SafeStructureInOutBuffer<T>>
QueryObject<T>(SafeKernelObjectHandle handle,
            ObjectInformationClass object_info, bool throw_on_error) where T :
new()
        {
            SafeStructureInOutBuffer<T> ret = null;
            NtStatus status = NtStatus.STATUS_BUFFER_TOO_SMALL;
            try
            {
                // Size probe: NULL buffer, length 0. Only the two codes checked below
                // are taken to mean "buffer too small, retry with return_length";
                // any other status (e.g. STATUS_INVALID_BUFFER_SIZE) is surfaced as
                // an error without a retry.
                status = NtSystemCalls.NtQueryObject(handle, object_info,
SafeHGlobalBuffer.Null, 0, out int return_length);
                if ((status != NtStatus.STATUS_BUFFER_TOO_SMALL) && (status !=
NtStatus.STATUS_INFO_LENGTH_MISMATCH))
                    return
status.CreateResultFromError<SafeStructureInOutBuffer<T>>(throw_on_error);

                // A zero required length falls back to the default-sized buffer.
                if (return_length == 0)
                    ret = new SafeStructureInOutBuffer<T>();
                else
                    ret = new SafeStructureInOutBuffer<T>(return_length,
false);
                // Exactly one retry, no loop: whatever status the second call
                // returns is handed back as-is, even if it is again a size error.
                status = NtSystemCalls.NtQueryObject(handle, object_info, ret,
ret.Length, out return_length);
                return status.CreateResult(throw_on_error, () => ret);
            }
            finally
            {
                // Release the buffer on every non-success path, including the
                // exception path when throw_on_error is set.
                if (ret != null && !status.IsSuccess())
                {
                    ret.Close();
                    ret = null;
                }
            }
        }
--- snip ---

Wine source:

https://source.winehq.org/git/wine.git/blob/580413032c61bc142078d08efb1d1167fe385a97:/dlls/ntdll/unix/file.c#l6581

--- snip ---
6581
/**************************************************************************
6582  *           NtQueryObject   (NTDLL.@)
6583  */
6584 NTSTATUS WINAPI NtQueryObject( HANDLE handle, OBJECT_INFORMATION_CLASS
info_class,
6585                                void *ptr, ULONG len, ULONG *used_len )
6586 {
6587     NTSTATUS status;
6588 
6589     TRACE("(%p,0x%08x,%p,0x%08x,%p)\n", handle, info_class, ptr, len,
used_len);
6590 
6591     if (used_len) *used_len = 0;
6592 
6593     switch (info_class)
6594     {
6595     case ObjectBasicInformation:
6596     {
6597         OBJECT_BASIC_INFORMATION *p = ptr;
6598 
6599         if (len < sizeof(*p)) return STATUS_INVALID_BUFFER_SIZE;
6600 
6601         SERVER_START_REQ( get_object_info )
6602         {
6603             req->handle = wine_server_obj_handle( handle );
6604             status = wine_server_call( req );
6605             if (status == STATUS_SUCCESS)
6606             {
6607                 memset( p, 0, sizeof(*p) );
6608                 p->GrantedAccess = reply->access;
6609                 p->PointerCount = reply->ref_count;
6610                 p->HandleCount = reply->handle_count;
6611                 if (used_len) *used_len = sizeof(*p);
6612             }
6613         }
6614         SERVER_END_REQ;
6615         break;
6616     }
...
--- snip ---

The incorrect NTSTATUS code has been returned ever since ObjectBasicInformation
support was first added; it was introduced with
https://source.winehq.org/git/wine.git/commitdiff/bae75024a430dd4486e4f5d7861cf8d6d4b85990
("server/ntdll: Simplistic implementation of
NtQueryObject(ObjectBasicInformation).")

$ sha1sum Release-v1.1.14.7z 
8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a  Release-v1.1.14.7z

$ du -sh Release-v1.1.14.7z 
384K    Release-v1.1.14.7z

$ wine --version
wine-6.3-295-g580413032c6

Regards
