diff --git a/debian/changelog b/debian/changelog
index a6e5b274..db277b9e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,7 @@ wine-staging (1.7.50) UNRELEASED; urgency=low
 * Added patch to improve startup performance by delaying font initialization (fixes Wine Staging Bug #401).
 * Added patch to set SFGAO_HASSUBFOLDER only when there are really subfolders.
+ * Added patch to fix multiple uninitialized memory issues in wineserver.
 * Removed patch to move security cookie initialization from memory management to loader.
 -- Sebastian Lackner Tue, 11 Aug 2015 06:12:14 +0200
diff --git a/patches/patchinstall.sh b/patches/patchinstall.sh
index 1e4c5974..251ef264 100755
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@@ -220,6 +220,7 @@ patch_enable_all ()
 enable_server_RootDirectory_File="$1"
 enable_server_Shared_Memory="$1"
 enable_server_Stored_ACLs="$1"
+ enable_server_Uninitialized_Memory="$1"
 enable_setupapi_SetupDiSelectBestCompatDrv="$1"
 enable_setupapi_SetupDiSetDeviceInstallParamsW="$1"
 enable_setupapi_SetupPromptForDisk="$1"
@@ -749,6 +750,9 @@ patch_enable ()
 server-Stored_ACLs)
 enable_server_Stored_ACLs="$2"
 ;;
+ server-Uninitialized_Memory)
+ enable_server_Uninitialized_Memory="$2"
+ ;;
 setupapi-SetupDiSelectBestCompatDrv)
 enable_setupapi_SetupDiSelectBestCompatDrv="$2"
 ;;
@@ -4585,6 +4589,20 @@ if test "$enable_server_Shared_Memory" -eq 1; then
 ) >> "$patchlist"
 fi
 
+# Patchset server-Uninitialized_Memory
+# |
+# | Modified files:
+# | * server/device.c
+# |
+if test "$enable_server_Uninitialized_Memory" -eq 1; then
+ patch_apply server-Uninitialized_Memory/0001-server-Initialize-irp-thread-immediately-after-creat.patch
+ patch_apply server-Uninitialized_Memory/0002-server-Avoid-leaking-uninitialized-stack-value-to-ap.patch
+ (
+ echo '+ { "Sebastian Lackner", "server: Initialize irp->thread immediately after creation of irp_call object.", 1 },';
+ echo '+ { "Sebastian Lackner", "server: Avoid leaking uninitialized stack value to application.", 1 },';
+ ) >> "$patchlist"
+fi
+
 # Patchset setupapi-SetupDiSelectBestCompatDrv
 # |
 # | This patchset fixes the following Wine bugs:
diff --git a/patches/server-Uninitialized_Memory/0001-server-Initialize-irp-thread-immediately-after-creat.patch b/patches/server-Uninitialized_Memory/0001-server-Initialize-irp-thread-immediately-after-creat.patch
new file mode 100644
index 00000000..8df09b60
--- /dev/null
+++ b/patches/server-Uninitialized_Memory/0001-server-Initialize-irp-thread-immediately-after-creat.patch
@@ -0,0 +1,25 @@
+From 0051325fd29e84924ad64047a2476329f0e1abbf Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner
+Date: Sun, 16 Aug 2015 07:17:48 +0200
+Subject: server: Initialize irp->thread immediately after creation of irp_call
+ object.
+
+---
+ server/device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/server/device.c b/server/device.c
+index e6dc15e..812bce3 100644
+--- a/server/device.c
++++ b/server/device.c
+@@ -259,6 +259,7 @@ static struct irp_call *create_irp( struct device_file *file, const irp_params_t
+ if ((irp = alloc_object( &irp_call_ops )))
+ {
+ irp->file = (struct device_file *)grab_object( file );
++ irp->thread = NULL;
+ irp->async = NULL;
+ irp->params = *params;
+ irp->status = STATUS_PENDING;
+-- 
+2.5.0
+
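Review bot: Setting `irp->thread = NULL` closes the one gap the commit names, but nothing in create_irp records that alloc_object() presumably hands back unzeroed storage, which is why the field was indeterminate in the first place, so the next member added to struct irp_call can silently repeat the bug. I would add a comment at the top of the initializer run, `/* alloc_object() does not zero the object: every member of irp_call must be assigned here */`, so the invariant is visible where it has to be maintained. The hunk shows only four assignments after the NULL store; create_irp continues past the end of the hunk, so whether every remaining member is set cannot be confirmed from here.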
diff --git a/patches/server-Uninitialized_Memory/0002-server-Avoid-leaking-uninitialized-stack-value-to-ap.patch b/patches/server-Uninitialized_Memory/0002-server-Avoid-leaking-uninitialized-stack-value-to-ap.patch
new file mode 100644
index 00000000..dc037d03
--- /dev/null
+++ b/patches/server-Uninitialized_Memory/0002-server-Avoid-leaking-uninitialized-stack-value-to-ap.patch
@@ -0,0 +1,64 @@
+From 283ccffad0622e4ae4a68d1dbe441c808d9f9503 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner
+Date: Sun, 16 Aug 2015 07:18:36 +0200
+Subject: server: Avoid leaking uninitialized stack value to application.
+
+---
+ server/device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/server/device.c b/server/device.c
+index 812bce3..9ef587c 100644
+--- a/server/device.c
++++ b/server/device.c
+@@ -384,6 +384,7 @@ static struct object *device_open_file( struct object *obj, unsigned int access,
+ struct irp_call *irp;
+ irp_params_t params;
+
++ memset( ¶ms, 0, sizeof(params) );
+ params.create.major = IRP_MJ_CREATE;
+ params.create.access = access;
+ params.create.sharing = sharing;
+@@ -422,6 +423,7 @@ static int device_file_close_handle( struct object *obj, struct process *process
+ struct irp_call *irp;
+ irp_params_t params;
+
++ memset( ¶ms, 0, sizeof(params) );
+ params.close.major = IRP_MJ_CLOSE;
+ params.close.file = file->user_ptr;
+
+@@ -516,6 +518,7 @@ static obj_handle_t device_file_read( struct fd *fd, const async_data_t *async_d
+ obj_handle_t handle;
+ irp_params_t params;
+
++ memset( ¶ms, 0, sizeof(params) );
+ params.read.major = IRP_MJ_READ;
+ params.read.key = 0;
+ params.read.pos = pos;
+@@ -537,6 +540,7 @@ static obj_handle_t device_file_write( struct fd *fd, const async_data_t *async_
+ obj_handle_t handle;
+ irp_params_t params;
+
++ memset( ¶ms, 0, sizeof(params) );
+ params.write.major = IRP_MJ_WRITE;
+ params.write.key = 0;
+ params.write.pos = pos;
+@@ -557,6 +561,7 @@ static obj_handle_t device_file_flush( struct fd *fd, const async_data_t *async_
+ obj_handle_t handle;
+ irp_params_t params;
+
++ memset( ¶ms, 0, sizeof(params) );
+ params.flush.major = IRP_MJ_FLUSH_BUFFERS;
+ params.flush.file = file->user_ptr;
+
+@@ -576,6 +581,7 @@ static obj_handle_t device_file_ioctl( struct fd *fd, ioctl_code_t code, const a
+ obj_handle_t handle;
+ irp_params_t params;
+
++ memset( ¶ms, 0, sizeof(params) );
+ params.ioctl.major = IRP_MJ_DEVICE_CONTROL;
+ params.ioctl.code = code;
+ params.ioctl.file = file->user_ptr;
+-- 
+2.5.0
+
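Review bot: The memset() added before each `params.create`/`.close`/`.read`/`.write`/`.flush`/`.ioctl` assignment is the right tool, but next to the member assignments it reads as redundant, so a later cleanup could replace it with `irp_params_t params = {0};` and reopen the leak: a brace initializer only sets the named members and leaves padding bytes and, if irp_params_t is the union its per-request members suggest, the tail of the larger members unspecified, while `irp->params = *params` in create_irp copies the whole object and, per the commit subject, that copy reaches the application. I would put a comment at the first occurrence in device_open_file, `/* zero the whole union, padding included; a brace initializer does not guarantee this */`, and a one-line reference to it at the other five. The `¶ms` shown in the memset calls is presumably a rendering artefact of `&params` on this page, consistent with the `sizeof(params)` beside it. Each of the six enclosing functions starts before and ends after its hunk.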