Bug 505862 - Wine 1.1.23 - buffer overflow in services.exe
Wine 1.1.23 - buffer overflow in services.exe
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: gcc
Version: rawhide
Hardware: i686 Linux
Priority: low
Severity: high
Assigned To: Jakub Jelinek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
Reported: 2009-06-14 08:00 EDT by Alexander Suleymanov
Modified: 2009-09-10 17:16 EDT (History)
CC: 9 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-03 05:01:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Crash log (9.63 KB, text/plain) - 2009-06-14 08:00 EDT, Alexander Suleymanov
Pre-processed rpc_message.c (444.42 KB, text/x-c++src) - 2009-09-01 09:11 EDT, Pekka Pietikäinen
1.1.29-1 rawhide bug report (8.17 KB, text/plain) - 2009-09-09 22:59 EDT, Justin Noah

Description Alexander Suleymanov 2009-06-14 08:00:52 EDT
Created attachment 347815 [details]
Crash log

Description of problem:
Latest Wine package breaks services.exe.so and mountmgr:

*** buffer overflow detected ***: C:\windows\system32\services.exe terminated
....
err:rpc:RpcAssoc_BindConnection receive failed with error 1726
err:wineboot:start_services_process Unexpected termination of services.exe - exit code 0
err:service:service_control_dispatcher failed to open service manager error 1726
(full log attached)

Also, drive management in winecfg is broken too (as it seems to me, it depends on services.exe).

err:winecfg:open_mountmgr failed to open mount manager err 2

Version-Release number of selected component (if applicable): 1.1.23

How reproducible:
Always

Steps to Reproduce:
1. Upgrade WINE-package to the latest Rawhide 1.1.23-1 version
2. Run any Wine-dependent app

Actual results:
1. Running apps results in services.exe buffer overflow errors
2. Wine applications run, but complain about missing CD drives and so on
3. Wine mount manager is not running.

Expected results:
Get the regression fixed

Additional info:
This bug didn't appear until the recent Rawhide update (14.06). Wine 1.2.21 from the Rawhide repo works fine. Maybe the bug is related to the mountmgr changes introduced in Wine 1.1.23.
Full error log from console is attached. 
Removing ~/.wine dir and setting up a new one doesn't solve the problem.
SELinux is completely disabled (through boot option).
Comment 1 Yanko Kaneti 2009-06-21 11:06:27 EDT
still the case with 1.1.24-1.fc12
Comment 2 Pekka Pietikäinen 2009-08-31 19:16:56 EDT
Confirmed and filed upstream at http://bugs.winehq.org/show_bug.cgi?id=19899

Probably gcc is getting better at finding overflows and after a recompile finds an off-by-one or whatnot in Wine.
Comment 3 Pekka Pietikäinen 2009-09-01 07:01:50 EDT
Hmn, according to upstream it's just gcc misdetecting stuff. The code uses an evil (but apparently valid?) construct:

dlls/rpcrt4/rpc_message.c:

typedef struct
{
  unsigned short length;  /* Length of the string including null terminator */
  char string[1];         /* String data in single byte, null terminated form */
} RpcAddressString;
  header_size = sizeof(header->bind_ack) +
                ROUND_UP(FIELD_OFFSET(RpcAddressString, string[strlen(ServerAddress) + 1]), 4) +
                sizeof(RpcResults) +
                sizeof(RPC_SYNTAX_IDENTIFIER);

  header = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, header_size);
...
  server_address = (RpcAddressString*)(&header->bind_ack + 1);
  server_address->length = strlen(ServerAddress) + 1;
  strcpy(server_address->string, ServerAddress);

I'll ping gcc people on fedora-devel I think to see if they have better ideas, workaround probably would be #undef _FORTIFY_SOURCE in that source file.
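The sizing arithmetic in the snippet above, worked through as an added example (this is not Wine's code and not something anyone posted in this bug). The RpcAddressString layout and the ROUND_UP-to-4 sizing are taken from the quoted rpc_message.c excerpt; the flexible-array-member variant, the make_addr_string/addr_string_valid helpers and the sample address string are my own, added to show (a) why the buffer really is large enough, (b) the C99 spelling of the same trailing-array idiom, which states the intent explicitly instead of relying on the compiler tolerating a one-element array being overrun, and (c) the matching length check a receiver should run on such a string before trusting length:

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the RpcAddressString quoted from rpc_message.c: a 2-byte
 * length followed by a nominally one-byte array that is really
 * variable-length (the pre-C99 "struct hack"). */
typedef struct {
    unsigned short length;  /* strlen + 1, i.e. includes the terminator */
    char string[1];
} RpcAddressStringHack;

/* The C99 flexible-array-member form of the same thing (my addition).
 * It is layout-identical, but sizeof() excludes the array and the compiler
 * knows the member runs to the end of whatever was allocated. */
typedef struct {
    unsigned short length;
    char string[];
} RpcAddressStringFam;

#define ROUND_UP(n, a) (((n) + (a) - 1) & ~((size_t)(a) - 1))

/* Offset of the string data: 2 bytes in both layouts. */
#define ADDR_STRING_HDR offsetof(RpcAddressStringHack, string)

/* Bytes needed to carry s, rounded up to 4 as the Wine code does (the
 * RpcResults that follow must stay aligned). ADDR_STRING_HDR + strlen + 1
 * is the portable spelling of FIELD_OFFSET(RpcAddressString, string[strlen + 1]). */
size_t addr_string_size(const char *s)
{
    return ROUND_UP(ADDR_STRING_HDR + strlen(s) + 1, 4);
}

/* Build the string in a buffer of exactly addr_string_size(s) bytes.
 * strlen is taken once and reused for the length field and the copy, so the
 * two cannot disagree. Returns NULL if s cannot be described by a 16-bit
 * length or if allocation fails. */
RpcAddressStringFam *make_addr_string(const char *s)
{
    size_t len = strlen(s);
    if (len + 1 > 0xFFFF) return NULL;           /* would not fit in unsigned short */
    size_t size = addr_string_size(s);
    RpcAddressStringFam *a = calloc(1, size);    /* zeroed, like HEAP_ZERO_MEMORY */
    if (!a) return NULL;
    a->length = (unsigned short)(len + 1);
    memcpy(a->string, s, len + 1);               /* size >= ADDR_STRING_HDR + len + 1 */
    return a;
}

/* Receiver-side counterpart: given an RpcAddressString at the start of a
 * buf_len-byte buffer, check that the declared length lies inside the buffer
 * and that the NUL terminator sits exactly at length - 1 (no earlier, no later).
 * Returns 1 if consistent, 0 otherwise. */
int addr_string_valid(const void *buf, size_t buf_len)
{
    const RpcAddressStringFam *a = buf;
    if (buf_len < ADDR_STRING_HDR) return 0;
    size_t avail = buf_len - ADDR_STRING_HDR;
    if (a->length == 0 || a->length > avail) return 0;
    return memchr(a->string, '\0', a->length) == a->string + a->length - 1;
}

int main(void)
{
    const char *server = "ncalrpc:[example]";    /* constructed sample, not from the log */
    size_t size = addr_string_size(server);
    RpcAddressStringFam *a = make_addr_string(server);
    if (!a) return 1;
    printf("size=%zu length=%u valid=%d\n", size, a->length, addr_string_valid(a, size));
    a->length = 0xFFFF;                          /* corrupt it: declared length runs past the buffer */
    printf("corrupted valid=%d\n", addr_string_valid(a, size));
    free(a);
    return 0;
}
```

With the struct-hack declaration, a fortified strcpy only has the declared `string[1]` to reason about if the compiler does not recognise the idiom, which is the misdetection reported here; the allocation itself was never too small. Switching the declaration to a flexible array member removes the ambiguity rather than working around it with #undef _FORTIFY_SOURCE.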
Comment 4 Pekka Pietikäinen 2009-09-01 07:10:00 EDT
Actually I'll just NEEDINFO jakub, 

gcc bug, "disable it for that file" or "language lawyer the wine folk"?
Comment 5 Jakub Jelinek 2009-09-01 08:14:15 EDT
First of all, which NVR of gcc has wine been compiled with?  There has been a bug or three in this area.  If you can reproduce it when wine is compiled with latest rawhide gcc, I'll need a preprocessed source on which the strcpy fails.
Comment 6 Pekka Pietikäinen 2009-09-01 09:10:35 EDT
1.1.28 got built on the 31st and gcc-4.4.1-6.x86_64 on the 18th, and I'm told the buildsystem for dist-f12 has the latest. (mock -r fedora-rawhide-i386 is being annoying, so double-checking with self-compiled stuff is proving difficult)...

Anyway, here's a gcc -E dump of the offending file I managed to get out of a non-mock wine build process. There's only one strcpy in there, so should be easy to find.
Comment 7 Pekka Pietikäinen 2009-09-01 09:11:31 EDT
Created attachment 359383 [details]
Pre-processed rpc_message.c
Comment 8 Jakub Jelinek 2009-09-03 04:56:00 EDT
Should be fixed in gcc-4.4.1-8, of course wine needs to be recompiled with it.
Comment 9 Jakub Jelinek 2009-09-03 05:01:49 EDT
Should be fixed in gcc-4.4.1-8 in rawhide.
Of course wine needs to be rebuilt with it.
Comment 10 Pekka Pietikäinen 2009-09-07 17:04:19 EDT
Rebuilt with 4.4.1-9 and everything is fine now, could someone with the right privileges kick a rebuild?

(man it's annoying to build on a 64-bit box, rpm thinks the buildreqs are fine 'cause I have the 64-bit ones, and then it fails, rawhide mock is broken too. Made a koji scratch build, i386 vs. i686 by accident but shouldn't matter wrt the bug being fixed and that's what I'm now running :) )
Comment 11 Justin Noah 2009-09-09 22:54:07 EDT
This is happening again with wine-1.1.29-1.fc12.i686. Not building, this is from the binary in the rawhide repository.

Reopen?
Comment 12 Justin Noah 2009-09-09 22:59:06 EDT
Created attachment 360409 [details]
1.1.29-1 rawhide bug report

This occurs if and only if (as far as I can tell) the ~/.wine directory does not exist.

I ran winecfg again after the crash and it opened fine. Then I rm -rf ~/.wine, ran winecfg again and I get the same crash...
Comment 13 Justin Noah 2009-09-09 23:00:25 EDT
(In reply to comment #12)
> Created an attachment (id=360409) [details]
> 1.1.29-1 rawhide bug report
> 
> This occurs if and only if (as far as I can tell) if the ~/.wine directory does
> not exist.
> 
> I ran winecfg again after the crash and it opened fine. Then I rm -rf ~/.wine,
> ran winecfg again and I get the same crash...  

I forgot to mention that the Debugger window keeps opening at the end only after I press ok. Meaning I clicked ok a few times in the attachment.
Comment 14 Pekka Pietikäinen 2009-09-10 05:36:50 EDT
Ya, 1.1.29-1 needs a rebuild, wine-core from 
http://koji.fedoraproject.org/koji/taskinfo?taskID=1667704 should do the trick 
(rpm -Uvh --oldpackage/--force or whatnot) until someone with the right permissions triggers a rebuild to rawhide.
Comment 15 Andreas Bierfert 2009-09-10 12:15:26 EDT
fixed in wine-1.1.29-2.fc12
Comment 16 Justin Noah 2009-09-10 17:16:22 EDT
(In reply to comment #14)
> Ya, 1.1.29-1 needs a rebuild, wine-core from 
> http://koji.fedoraproject.org/koji/taskinfo?taskID=1667704 should do the trick 
> (rpm -Uvh --oldpackage/--force or whatnot) until someone with the right
> permissions triggers a rebuild to rawhide.  

Shouldn't you just invoke a:

yum localinstall --nogpgcheck {$wine_package_name}?
