Added patch to fix multiple uninitialized memory issues in wineserver.

2025-01-28 22:04:43 -08:00 · 2015-08-16 07:20:22 +02:00 · 2015-08-16 07:20:22 +02:00 · 1de318660f
commit 1de318660f
parent b8546ff85a
4 changed files with 108 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -10,6 +10,7 @@ wine-staging (1.7.50) UNRELEASED; urgency=low
  * Added patch to improve startup performance by delaying font initialization
    (fixes Wine Staging Bug #401).
  * Added patch to set SFGAO_HASSUBFOLDER only when there are really subfolders.
+  * Added patch to fix multiple uninitialized memory issues in wineserver.
  * Removed patch to move security cookie initialization from memory management
    to loader.
 -- Sebastian Lackner <sebastian@fds-team.de>  Tue, 11 Aug 2015 06:12:14 +0200
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@ -220,6 +220,7 @@ patch_enable_all ()
 	enable_server_RootDirectory_File="$1"
 	enable_server_Shared_Memory="$1"
 	enable_server_Stored_ACLs="$1"
+	enable_server_Uninitialized_Memory="$1"
 	enable_setupapi_SetupDiSelectBestCompatDrv="$1"
 	enable_setupapi_SetupDiSetDeviceInstallParamsW="$1"
 	enable_setupapi_SetupPromptForDisk="$1"
@ -749,6 +750,9 @@ patch_enable ()
 		server-Stored_ACLs)
 			enable_server_Stored_ACLs="$2"
 			;;
+		server-Uninitialized_Memory)
+			enable_server_Uninitialized_Memory="$2"
+			;;
 		setupapi-SetupDiSelectBestCompatDrv)
 			enable_setupapi_SetupDiSelectBestCompatDrv="$2"
 			;;
@ -4585,6 +4589,20 @@ if test "$enable_server_Shared_Memory" -eq 1; then
 	) >> "$patchlist"
 fi

+# Patchset server-Uninitialized_Memory
+# |
+# | Modified files:
+# |   *	server/device.c
+# |
+if test "$enable_server_Uninitialized_Memory" -eq 1; then
+	patch_apply server-Uninitialized_Memory/0001-server-Initialize-irp-thread-immediately-after-creat.patch
+	patch_apply server-Uninitialized_Memory/0002-server-Avoid-leaking-uninitialized-stack-value-to-ap.patch
+	(
+		echo '+    { "Sebastian Lackner", "server: Initialize irp->thread immediately after creation of irp_call object.", 1 },';
+		echo '+    { "Sebastian Lackner", "server: Avoid leaking uninitialized stack value to application.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset setupapi-SetupDiSelectBestCompatDrv
 # |
 # | This patchset fixes the following Wine bugs:
--- a/patches/server-Uninitialized_Memory/0001-server-Initialize-irp-thread-immediately-after-creat.patch
+++ b/patches/server-Uninitialized_Memory/0001-server-Initialize-irp-thread-immediately-after-creat.patch
@ -0,0 +1,25 @@
+From 0051325fd29e84924ad64047a2476329f0e1abbf Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 16 Aug 2015 07:17:48 +0200
+Subject: server: Initialize irp->thread immediately after creation of irp_call
+ object.
+
+---
+ server/device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/server/device.c b/server/device.c
+index e6dc15e..812bce3 100644
+--- a/server/device.c
+++ b/server/device.c
+@@ -259,6 +259,7 @@ static struct irp_call *create_irp( struct device_file *file, const irp_params_t
+     if ((irp = alloc_object( &irp_call_ops )))
+     {
+         irp->file     = (struct device_file *)grab_object( file );
+        irp->thread   = NULL;
+         irp->async    = NULL;
+         irp->params   = *params;
+         irp->status   = STATUS_PENDING;
+-- 
+2.5.0
+
--- a/patches/server-Uninitialized_Memory/0002-server-Avoid-leaking-uninitialized-stack-value-to-ap.patch
+++ b/patches/server-Uninitialized_Memory/0002-server-Avoid-leaking-uninitialized-stack-value-to-ap.patch
@ -0,0 +1,64 @@
+From 283ccffad0622e4ae4a68d1dbe441c808d9f9503 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Sun, 16 Aug 2015 07:18:36 +0200
+Subject: server: Avoid leaking uninitialized stack value to application.
+
+---
+ server/device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/server/device.c b/server/device.c
+index 812bce3..9ef587c 100644
+--- a/server/device.c
+++ b/server/device.c
+@@ -384,6 +384,7 @@ static struct object *device_open_file( struct object *obj, unsigned int access,
+         struct irp_call *irp;
+         irp_params_t params;
+ 
+        memset( &params, 0, sizeof(params) );
+         params.create.major   = IRP_MJ_CREATE;
+         params.create.access  = access;
+         params.create.sharing = sharing;
+@@ -422,6 +423,7 @@ static int device_file_close_handle( struct object *obj, struct process *process
+         struct irp_call *irp;
+         irp_params_t params;
+ 
+        memset( &params, 0, sizeof(params) );
+         params.close.major = IRP_MJ_CLOSE;
+         params.close.file  = file->user_ptr;
+ 
+@@ -516,6 +518,7 @@ static obj_handle_t device_file_read( struct fd *fd, const async_data_t *async_d
+     obj_handle_t handle;
+     irp_params_t params;
+ 
+    memset( &params, 0, sizeof(params) );
+     params.read.major = IRP_MJ_READ;
+     params.read.key   = 0;
+     params.read.pos   = pos;
+@@ -537,6 +540,7 @@ static obj_handle_t device_file_write( struct fd *fd, const async_data_t *async_
+     obj_handle_t handle;
+     irp_params_t params;
+ 
+    memset( &params, 0, sizeof(params) );
+     params.write.major = IRP_MJ_WRITE;
+     params.write.key   = 0;
+     params.write.pos   = pos;
+@@ -557,6 +561,7 @@ static obj_handle_t device_file_flush( struct fd *fd, const async_data_t *async_
+     obj_handle_t handle;
+     irp_params_t params;
+ 
+    memset( &params, 0, sizeof(params) );
+     params.flush.major = IRP_MJ_FLUSH_BUFFERS;
+     params.flush.file  = file->user_ptr;
+ 
+@@ -576,6 +581,7 @@ static obj_handle_t device_file_ioctl( struct fd *fd, ioctl_code_t code, const a
+     obj_handle_t handle;
+     irp_params_t params;
+ 
+    memset( &params, 0, sizeof(params) );
+     params.ioctl.major = IRP_MJ_DEVICE_CONTROL;
+     params.ioctl.code  = code;
+     params.ioctl.file = file->user_ptr;
+-- 
+2.5.0
+