Added patch to avoid accessing stack below ESP when restoring thread context.

README.md

@@ -38,7 +38,7 @@ Wine. All those differences are also documented on the
 Included bug fixes and improvements
 ===================================
 
-**Bugfixes and features included in the next upcoming release [7]:**
+**Bugfixes and features included in the next upcoming release [8]:**
 
 * Add stub for ntoskrnl.ExAcquireResourceExclusiveLite
 * Add stub for ntoskrnl.ExDeleteResourceLite
@@ -46,6 +46,7 @@ Included bug fixes and improvements
 * Avoid race-conditions in NtReadFile() operations with write watches.
 * Avoid race-conditions with write watches in WS2_async_accept.
 * Basic handling of write watches triggered while we're on the signal stack.
+* Do not access stack below ESP when restoring thread context.
 * Implement D3DXGetShaderOutputSemantics
 
 

debian/changelog

@@ -9,6 +9,7 @@ wine-staging (1.7.37) UNRELEASED; urgency=low
   * Added patch to add stub for ntoskrnl.ExAcquireResourceExclusiveLite.
   * Added patch to add stub for ntoskrnl.ExReleaseResourceForThread.
   * Added patch to add stub for ntoskrnl.ExDeleteResourceLite.
+  * Added patch to avoid accessing stack below ESP when restoring thread context.
   * Removed patches for UTF7 support (accepted upstream).
   * Removed patches for SIO_ADDRESS_LIST_CHANGE ioctl (accepted upstream).
  -- Sebastian Lackner <sebastian@fds-team.de>  Sun, 08 Feb 2015 20:29:38 +0100

patches/patchinstall.sh

@@ -182,6 +182,7 @@ patch_enable_all ()
 	enable_wine_inf_Performance="$1"
 	enable_wineboot_HKEY_DYN_DATA="$1"
 	enable_winebuild_LinkerVersion="$1"
+	enable_winebuild_Restore_Context="$1"
 	enable_winecfg_Libraries="$1"
 	enable_winecfg_Staging="$1"
 	enable_wined3d_CSMT_Helper="$1"
@@ -573,6 +574,9 @@ patch_enable ()
 		winebuild-LinkerVersion)
 			enable_winebuild_LinkerVersion="$2"
 			;;
+		winebuild-Restore_Context)
+			enable_winebuild_Restore_Context="$2"
+			;;
 		winecfg-Libraries)
 			enable_winecfg_Libraries="$2"
 			;;
@@ -3146,6 +3150,18 @@ if test "$enable_winebuild_LinkerVersion" -eq 1; then
 	) >> "$patchlist"
 fi
 
+# Patchset winebuild-Restore_Context
+# |
+# | Modified files:
+# |   *	tools/winebuild/relay.c
+# |
+if test "$enable_winebuild_Restore_Context" -eq 1; then
+	patch_apply winebuild-Restore_Context/0001-winebuild-Do-not-access-memory-below-ESP-when-restor.patch
+	(
+		echo '+    { "Sebastian Lackner", "winebuild: Do not access memory below ESP when restoring thread contexts.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset winecfg-Libraries
 # |
 # | This patchset fixes the following Wine bugs:

patches/winebuild-Restore_Context/0001-winebuild-Do-not-access-memory-below-ESP-when-restor.patch

@@ -0,0 +1,83 @@
+From 2c9e4af027218dd83ee68bed4ff5ab277ce8948a Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Thu, 12 Feb 2015 11:09:34 +0100
+Subject: winebuild: Do not access memory below ESP when restoring thread
+ contexts.
+
+Based on a patch by John Reiser.
+---
+ tools/winebuild/relay.c | 49 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 33 insertions(+), 16 deletions(-)
+
+diff --git a/tools/winebuild/relay.c b/tools/winebuild/relay.c
+index cc7dd37..aa7158e 100644
+--- a/tools/winebuild/relay.c
++++ b/tools/winebuild/relay.c
+@@ -852,31 +852,48 @@ static void build_call_from_regs_x86(void)
+ 
+     /* Restore the context structure */
+ 
+-    output( "2:\tpushl 0x94(%%ecx)\n");     /* SegEs */
++    output( "2:\n" );
++
++    /* As soon as we have switched stacks the context structure could
++     * be invalid (when signal handlers are executed for example). Copy
++     * values on the target stack before changing ESP. */
++
++    output( "\tpushl 0xc8(%%ecx)\n" );      /* SegSs */
++    output( "\tpopl %%es\n" );
++    output( "\tmovl 0xc4(%%ecx),%%eax\n" ); /* Esp */
++    output( "\tsubl $4*4, %%eax\n" );
++
++    output( "\tmovl 0xc0(%%ecx),%%edx\n" ); /* EFlags */
++    output( "\t.byte 0x26\n\tmovl %%edx,3*4(%%eax)\n" );
++    output( "\tmovl 0xbc(%%ecx),%%edx\n" ); /* SegCs */
++    output( "\t.byte 0x26\n\tmovl %%edx,2*4(%%eax)\n" );
++    output( "\tmovl 0xb8(%%ecx),%%edx\n" ); /* Eip */
++    output( "\t.byte 0x26\n\tmovl %%edx,1*4(%%eax)\n" );
++    output( "\tmovl 0xb0(%%ecx),%%edx\n" ); /* Eax */
++    output( "\t.byte 0x26\n\tmovl %%edx,0*4(%%eax)\n" );
++
++    output( "\tpushl %%es\n" );
++    output( "\tpushl 0x98(%%ecx)\n" );      /* SegDs */
++
++    output(" \tpushl 0x94(%%ecx)\n" );      /* SegEs */
+     output( "\tpopl %%es\n" );
+     output( "\tpushl 0x90(%%ecx)\n");       /* SegFs */
+     output( "\tpopl %%fs\n" );
+     output( "\tpushl 0x8c(%%ecx)\n");       /* SegGs */
+     output( "\tpopl %%gs\n" );
+ 
+-    output( "\tmovl 0x9c(%%ecx),%%edi\n");  /* Edi */
+-    output( "\tmovl 0xa0(%%ecx),%%esi\n");  /* Esi */
+-    output( "\tmovl 0xa8(%%ecx),%%edx\n");  /* Edx */
+-    output( "\tmovl 0xa4(%%ecx),%%ebx\n");  /* Ebx */
+-    output( "\tmovl 0xb0(%%ecx),%%eax\n");  /* Eax */
+-    output( "\tmovl 0xb4(%%ecx),%%ebp\n");  /* Ebp */
++    output( "\tmovl 0x9c(%%ecx),%%edi\n" ); /* Edi */
++    output( "\tmovl 0xa0(%%ecx),%%esi\n" ); /* Esi */
++    output( "\tmovl 0xa4(%%ecx),%%ebx\n" ); /* Ebx */
++    output( "\tmovl 0xa8(%%ecx),%%edx\n" ); /* Edx */
++    output( "\tmovl 0xb4(%%ecx),%%ebp\n" ); /* Ebp */
++    output( "\tmovl 0xac(%%ecx),%%ecx\n" ); /* Ecx */
+ 
+-    output( "\tpushl 0xc8(%%ecx)\n");       /* SegSs */
++    output( "\tpopl %%ds\n" );
+     output( "\tpopl %%ss\n" );
+-    output( "\tmovl 0xc4(%%ecx),%%esp\n");  /* Esp */
++    output( "\tmovl %%eax,%%esp\n" );
+ 
+-    output( "\tpushl 0xc0(%%ecx)\n");       /* EFlags */
+-    output( "\tpushl 0xbc(%%ecx)\n");       /* SegCs */
+-    output( "\tpushl 0xb8(%%ecx)\n");       /* Eip */
+-    output( "\tpushl 0x98(%%ecx)\n");       /* SegDs */
+-    output( "\tmovl 0xac(%%ecx),%%ecx\n");  /* Ecx */
+-
+-    output( "\tpopl %%ds\n" );
++    output( "\tpopl %%eax\n" );
+     output( "\tiret\n" );
+     output_cfi( ".cfi_endproc" );
+     output_function_size( "__wine_call_from_regs" );
+-- 
+2.2.2
+

patches/winebuild-Restore_Context/definition

@@ -0,0 +1 @@
+Fixes: Do not access stack below ESP when restoring thread context.