[Bug 50791] New: NtQueryObject( ..., ObjectBasicInformation, NULL, 0, &retLen) returns incorrect NTSTATUS error code when querying for buffer size
WineHQ Bugzilla
wine-bugs at winehq.org
Thu Mar 11 05:20:32 CST 2021
https://bugs.winehq.org/show_bug.cgi?id=50791
Bug ID: 50791
Summary: NtQueryObject( ..., ObjectBasicInformation, NULL, 0,
&retLen) returns incorrect NTSTATUS error code when
querying for buffer size
Product: Wine
Version: 6.3
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
Found while testing the 'EditSection' tool from Google's
sandbox-attacksurface-analysis-tools v1.1.x, which fails to list sections. This is a
follow-up of bug 45132.
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntdll,+server wine ./EditSection.exe >>log.txt 2>&1
...
0024:Call ntdll.NtQuerySystemInformation(00000005,001fb320,00002228,0033eae4)
ret=05a0be37
0024:trace:ntdll:NtQuerySystemInformation
(0x00000005,0x1fb320,0x00002228,0x33eae4)
0024: list_processes( )
0024: list_processes() = 0 { info_size=2024, process_count=9,
data={{start_time=1d7165dcc491236
(-5.4284020),thread_count=3,priority=2,pid=0020,parent_pid=0000,handle_count=256,unix_pid=293760,name=L"\\??\\Z:\\home\\focht\\Downloads\\commonobj\\EditSection.exe",threads={{start_time=1d7165dcbd1a2be
(-6.2111340),tid=0024,base_priority=0,current_priority=0,unix_tid=293760},{start_time=1d7165dcc64cd1e
(-5.2466700),tid=00fc,base_priority=0,current_priority=0,unix_tid=293825},{start_time=1d7165dcc65c214
(-5.2403990),tid=0100,base_priority=2,current_priority=2,unix_tid=293826}}},{start_time=1d7165dcbdadb18
(-6.1507090),thread_count=9,priority=2,pid=0038,parent_pid=0028,handle_count=128,unix_pid=293768,name=L"\\??\\C:\\windows\\system32\\services.exe",threads={{start_time=1d7165dcbd96030
(-6.1604090),tid=003c,base_priority=0,current_priority=0,unix_tid=293768},
...
{start_time=1d7165dcc4b8b06
(-5.4122020),thread_count=1,priority=2,pid=00f4,parent_pid=0020,handle_count=32,unix_pid=293824,name=L"\\??\\C:\\windows\\system32\\conhost.exe",threads={{start_time=1d7165dcc4a8198
(-5.4189970),tid=00f8,base_priority=0,current_priority=0,unix_tid=293824}}}} }
0024:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=05a0be37
...
0024:Call ntdll.NtOpenProcess(0033eccc,00001040,0033ec60,01e2d450) ret=05a0cc71
0024: open_process( pid=0020, access=00001040, attributes=00000000 )
0024: open_process() = 0 { handle=01cc }
0024:Ret ntdll.NtOpenProcess() retval=00000000 ret=05a0cc71
...
0024:Call ntdll.NtQueryObject(000001cc,00000000,00000000,00000000,0033ebc4)
ret=05a00b58
0024:Ret ntdll.NtQueryObject() retval=c0000206 ret=05a00b58
0024:Call KERNEL32.RaiseException(e0434352,00000001,00000005,0033eaa0)
ret=013b48c7
0024:Call ntdll.memcpy(0033e9b8,0033eaa0,00000014) ret=7b0101c8
0024:Ret ntdll.memcpy() retval=0033e9b8 ret=7b0101c8
0024:trace:seh:dispatch_exception code=e0434352 flags=1 addr=7B0101D8
ip=7b0101d8 tid=0024
0024:trace:seh:dispatch_exception info[0]=80131600
0024:trace:seh:dispatch_exception info[1]=00000000
0024:trace:seh:dispatch_exception info[2]=00000000
0024:trace:seh:dispatch_exception info[3]=00000000
0024:trace:seh:dispatch_exception info[4]=01290000
0024:warn:seh:dispatch_exception unknown exception (code=e0434352) raised
0024:trace:seh:dispatch_exception eax=0033e9a4 ebx=00000005 ecx=0033eaa0
edx=00000014 esi=00000005 edi=0033ea10
0024:trace:seh:dispatch_exception ebp=0033e9f8 esp=0033e9a4 cs=7bc50023
ds=33002b es=7bc3002b fs=330063 gs=006b flags=00000212
0024:trace:seh:call_vectored_handlers calling handler at 01431BEA code=e0434352
flags=1
--- snip ---
The NTSTATUS code 0xc0000206 = STATUS_INVALID_BUFFER_SIZE is unexpected for the
app: its size probe (NULL buffer, length 0) only treats STATUS_BUFFER_TOO_SMALL or
STATUS_INFO_LENGTH_MISMATCH as a valid "buffer too small" response (see QueryObject<T> below).
App source code:
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/341923290548c5f06238e4c5e12c4f7cbfd201f5/NtApiDotNet/NtObject.cs#L51
--- snip ---
...
/// <summary>
/// Two-pass query of <paramref name="handle"/> for <paramref name="object_info"/>:
/// a zero-length probe to learn the required size, then the real query into a
/// buffer of that size. Only STATUS_BUFFER_TOO_SMALL and STATUS_INFO_LENGTH_MISMATCH
/// are accepted as the probe's answer; any other status is returned as an error.
/// If the final status is not a success, the buffer is closed before returning.
/// </summary>
/// <param name="handle">Kernel object handle to query.</param>
/// <param name="object_info">Information class passed to NtQueryObject.</param>
/// <param name="throw_on_error">True to throw on a failing NTSTATUS, false to return it in the result.</param>
/// <returns>Result wrapping the filled buffer on success, or the error status.</returns>
private static NtResult<SafeStructureInOutBuffer<T>>
QueryObject<T>(SafeKernelObjectHandle handle,
    ObjectInformationClass object_info, bool throw_on_error) where T : new()
{
    SafeStructureInOutBuffer<T> buffer = null;
    // Seeded with a non-success status so that, if a call below throws before
    // status is assigned, the finally block still releases the buffer.
    NtStatus status = NtStatus.STATUS_BUFFER_TOO_SMALL;
    try
    {
        // Pass 1: probe with a null buffer and zero length to obtain the required size.
        status = NtSystemCalls.NtQueryObject(handle, object_info,
            SafeHGlobalBuffer.Null, 0, out int return_length);
        bool size_reported = status == NtStatus.STATUS_BUFFER_TOO_SMALL
            || status == NtStatus.STATUS_INFO_LENGTH_MISMATCH;
        if (!size_reported)
        {
            return status.CreateResultFromError<SafeStructureInOutBuffer<T>>(throw_on_error);
        }
        // Pass 2: allocate the reported length (parameterless constructor when
        // no length was reported) and run the real query.
        buffer = return_length == 0
            ? new SafeStructureInOutBuffer<T>()
            : new SafeStructureInOutBuffer<T>(return_length, false);
        status = NtSystemCalls.NtQueryObject(handle, object_info, buffer,
            buffer.Length, out return_length);
        return status.CreateResult(throw_on_error, () => buffer);
    }
    finally
    {
        if (buffer != null && !status.IsSuccess())
        {
            buffer.Close();
            buffer = null;
        }
    }
}
--- snip ---
Wine source:
https://source.winehq.org/git/wine.git/blob/580413032c61bc142078d08efb1d1167fe385a97:/dlls/ntdll/unix/file.c#l6581
--- snip ---
6581
/**************************************************************************
6582 * NtQueryObject (NTDLL.@)
6583 */
6584 NTSTATUS WINAPI NtQueryObject( HANDLE handle, OBJECT_INFORMATION_CLASS
info_class,
6585 void *ptr, ULONG len, ULONG *used_len )
6586 {
6587 NTSTATUS status;
6588
6589 TRACE("(%p,0x%08x,%p,0x%08x,%p)\n", handle, info_class, ptr, len,
used_len);
6590
6591 if (used_len) *used_len = 0;
6592
6593 switch (info_class)
6594 {
6595 case ObjectBasicInformation:
6596 {
6597 OBJECT_BASIC_INFORMATION *p = ptr;
6598
6599 if (len < sizeof(*p)) return STATUS_INVALID_BUFFER_SIZE;
6600
6601 SERVER_START_REQ( get_object_info )
6602 {
6603 req->handle = wine_server_obj_handle( handle );
6604 status = wine_server_call( req );
6605 if (status == STATUS_SUCCESS)
6606 {
6607 memset( p, 0, sizeof(*p) );
6608 p->GrantedAccess = reply->access;
6609 p->PointerCount = reply->ref_count;
6610 p->HandleCount = reply->handle_count;
6611 if (used_len) *used_len = sizeof(*p);
6612 }
6613 }
6614 SERVER_END_REQ;
6615 break;
6616 }
...
--- snip ---
The incorrect NTSTATUS error code has been present since this code path was first added, in commit
https://source.winehq.org/git/wine.git/commitdiff/bae75024a430dd4486e4f5d7861cf8d6d4b85990
("server/ntdll: Simplistic implementation of
NtQueryObject(ObjectBasicInformation).").
$ sha1sum Release-v1.1.14.7z
8cd7991e675a995a3d67ef0aca2a8bf0e1512f6a Release-v1.1.14.7z
$ du -sh Release-v1.1.14.7z
384K Release-v1.1.14.7z
$ wine --version
wine-6.3-295-g580413032c6
Regards