ntdll:info win32k.sys is sometimes loaded at 0x00000000

Zebediah Figura (she/her) zfigura at codeweavers.com
Thu Nov 26 10:43:05 CST 2020


On 11/26/20 9:49 AM, Francois Gouget wrote:
> 
> So we get ntdll:info failures because win32k.sys appears to sometimes be 
> loaded at the NULL address. This seems to impact only two VMs: wvistau64 
> and w7pro64.
> 
> https://test.winehq.org/data/tests/ntdll:info.html
> 
> 
> Checking the win32k.sys load addresses I get:
> https://testbot.winehq.org/JobDetails.pl?Key=82496
> 
> 32-bit
> BF800000 wxppro
> BF800000 w2003std
> 00000000 wvistau64
> 00010000 w2008s64
> 92F60000 w7u
> 00080000 win7u-64 (personal VMware VM)
> 00000000 w7pro64
> 8EA28000 w8
> 0002A000 w864
> 3E760000 w10pro64
> 
> 64-bit
> FFFFF96000000000 wvistau64
> FFFFF96000010000 w2008s64
> FFFFF96000000000 w7pro64
> FFFFF9600002A000 w864
> FFFFF8AD3E760000 w10pro64
> 
> So the lower 32 bits of the 64-bit load address always match the 32-bit 
> load address for 32-bit processes. Except that for 64-bit processes 
> this is not a NULL pointer because the upper 32 bits are non-zero.
> 
> Could it be that on Windows 7 and lower 64-bit OSes the 32-bit 
> win32k.sys load address is accidentally NULL because Microsoft 
> overlooked this? Maybe because of the (then) new ASLR code?
> 
> Would the following patch be ok?
> 
> commit 41ebdf0560a41b130a798ca1f14ffcd6f6feaaa9
> Author: Francois Gouget <fgouget at free.fr>
> Date:   Wed Nov 25 20:15:09 2020 +0100
> 
>     ntdll/tests: win32k.sys is sometimes loaded at 0x0 on 64-bit Win <= 7.
>     
>     Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
> 
> diff --git a/dlls/ntdll/tests/info.c b/dlls/ntdll/tests/info.c
> index 5db7a800cbe..ed8a9354bdc 100644
> --- a/dlls/ntdll/tests/info.c
> +++ b/dlls/ntdll/tests/info.c
> @@ -490,7 +490,9 @@ static void test_query_module(void)
>          const SYSTEM_MODULE *module = &info->Modules[i];
>  
>          ok(module->LoadOrderIndex == i, "%u: got index %u\n", i, module->LoadOrderIndex);
> -        ok(!!module->ImageBaseAddress, "%u: got NULL address\n", i);
> +        ok(module->ImageBaseAddress ||
> +           (!module->ImageBaseAddress && strstr((char*)module->Name, "\\win32k.sys")), /* 64-bit Vista and Win7 */
> +           "%u: got NULL address for %s\n", i, module->Name);
>          ok(module->ImageSize, "%u: got 0 size\n", i);
>          ok(module->LoadCount, "%u: got 0 load count\n", i);
>      }
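Review bot: the `!module->ImageBaseAddress &&` inside the second operand of the new `ok()` condition is redundant, since that operand is only evaluated when `module->ImageBaseAddress` is already zero; `ok(module->ImageBaseAddress || strstr((char*)module->Name, "\\win32k.sys"), ...)` reads the same. More importantly, the exemption is not restricted to the platforms the comment names (`/* 64-bit Vista and Win7 */`): a NULL win32k.sys base reported on any other Windows version, or by Wine itself, would now pass silently. Either gate the exemption on the 32-bit-process-on-64-bit-Windows case the quoted measurements actually show, or wrap the win32k.sys case in `broken()` so the test keeps flagging the address as wrong while tolerating the known Windows result.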
> @@ -516,7 +518,9 @@ static void test_query_module(void)
>          const SYSTEM_MODULE *module = &infoex->BaseInfo;
>  
>          ok(module->LoadOrderIndex == i, "%u: got index %u\n", i, module->LoadOrderIndex);
> -        ok(!!module->ImageBaseAddress, "%u: got NULL address\n", i);
> +        ok(module->ImageBaseAddress ||
> +           (!module->ImageBaseAddress && strstr((char*)module->Name, "\\win32k.sys")), /* 64-bit Vista and Win7 */
> +           "%u: got NULL address for %s\n", i, module->Name);
>          ok(module->ImageSize, "%u: got 0 size\n", i);
>          ok(module->LoadCount, "%u: got 0 load count\n", i);
>  
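Review bot: this hunk is a verbatim copy of the three-line condition from the first loop, including the redundant `!module->ImageBaseAddress &&`; now that the check is no longer a one-liner, the two copies will drift apart the next time one of them is adjusted. Pull the condition into a small static helper shared by both loops (the `i` index and `module` pointer are all it needs) so the win32k.sys exemption, and whatever platform gating it ends up with, is defined in one place.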
> 

Personally I'd think it's not worth testing the address at all if on
wow64; there's no reason this should be specific to win32k.sys.