Added patches to improve security cookie handling.

2025-01-28 22:04:43 -08:00 · 2015-07-26 02:33:17 +02:00 · 2015-07-26 02:33:17 +02:00 · a5fac42aff
commit a5fac42aff
parent 278c0ed870
6 changed files with 113 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -39,10 +39,12 @@ Wine. All those differences are also documented on the
 Included bug fixes and improvements
 -----------------------------------

-**Bug fixes and features included in the next upcoming release [5]:**
+**Bug fixes and features included in the next upcoming release [7]:**

 * Add stubs for d3dx10_43.D3DX10CreateEffectFromFileA/W ([Wine Bug #27739](https://bugs.winehq.org/show_bug.cgi?id=27739))
 * Check architecture before trying to load libraries ([Wine Bug #38021](https://bugs.winehq.org/show_bug.cgi?id=38021))
+* Fix loading of libraries with incomplete IMAGE_LOAD_CONFIG_DIRECTORY struct
+* Fix security cookie handling for UPX compressed executables ([Wine Bug #38949](https://bugs.winehq.org/show_bug.cgi?id=38949))
 * Forward exitcode from child process when in wineconsole
 * Share source of d3dx9_36 with d3dx9_33 to avoid Wine DLL forwards ([Wine Bug #21817](https://bugs.winehq.org/show_bug.cgi?id=21817))
 * Silence repeated LocaleNameToLCID/LCIDToLocaleName unsupported flags FIXMEs ([Wine Bug #30076](https://bugs.winehq.org/show_bug.cgi?id=30076))
--- a/debian/changelog
+++ b/debian/changelog
@ -11,6 +11,7 @@ wine-staging (1.7.48) UNRELEASED; urgency=low
  * Added patch with stubs for d3dx10_43.D3DX10CreateEffectFromFileA/W.
  * Added patch to silence repeated LocaleNameToLCID/LCIDToLocaleName
    unsupported flags FIXMEs.
+  * Added patches to improve security cookie handling.
  * Removed patch to allow to enable/disable InsertMode in wineconsole settings
    (accepted upstream).
  * Removed patch to improve IoGetDeviceObjectPointer stub to appease SecuROM
--- a/patches/ntdll-Security_Cookie/0001-ntdll-Handle-partial-image-load-config-structs.-try-.patch
+++ b/patches/ntdll-Security_Cookie/0001-ntdll-Handle-partial-image-load-config-structs.-try-.patch
@ -0,0 +1,39 @@
+From 85b9819021a4e4b8f31050f5e894eb36b56e8cba Mon Sep 17 00:00:00 2001
+From: Martin Storsjo <martin@martin.st>
+Date: Thu, 23 Jul 2015 10:36:06 +0300
+Subject: ntdll: Handle partial image load config structs. (try 3)
+
+Some DLLs have a struct that only is large enough to contain the fields
+that are relevant. Don't require the full struct to be available;
+only make sure that it is large enough to contain the SecurityCookie
+field.
+
+This fixes loading ucrtbase.dll (from the redistributable visual
+studio 2015 c++ runtime), which requires the security cookie to be
+initialized. The 32 bit version of this DLL had loadcfg_size == 64,
+where offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) == 60.
+That is, SecurityCookie is the last field included in the struct in
+that case.
+
+This fixes loading ucrtbase.dll.
+---
+ dlls/ntdll/virtual.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
+index ff947da..479ca79 100644
+--- a/dlls/ntdll/virtual.c
+++ b/dlls/ntdll/virtual.c
+@@ -1320,7 +1320,8 @@ static NTSTATUS map_image( HANDLE hmapping, int fd, char *base, SIZE_T total_siz
+ 
+     loadcfg = RtlImageDirectoryEntryToData( (HMODULE)ptr, TRUE,
+                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &loadcfg_size );
+-    if (loadcfg && loadcfg_size >= sizeof(*loadcfg))
+    if (loadcfg &&
+        loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie))
+         set_security_cookie((ULONG_PTR *)loadcfg->SecurityCookie);
+ 
+     /* set the image protections */
+-- 
+2.4.5
+
--- a/patches/ntdll-Security_Cookie/0002-ntdll-Validate-SecurityCookie-pointer-before-derefer.patch
+++ b/patches/ntdll-Security_Cookie/0002-ntdll-Validate-SecurityCookie-pointer-before-derefer.patch
@ -0,0 +1,30 @@
+From e365fdbc966b3aab4dbfced4c651965cc8cd9c23 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Tue, 21 Jul 2015 20:33:47 +0200
+Subject: ntdll: Validate SecurityCookie pointer before dereferencing.
+
+---
+ dlls/ntdll/virtual.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
+index 479ca79..2fd8198 100644
+--- a/dlls/ntdll/virtual.c
+++ b/dlls/ntdll/virtual.c
+@@ -1320,9 +1320,11 @@ static NTSTATUS map_image( HANDLE hmapping, int fd, char *base, SIZE_T total_siz
+ 
+     loadcfg = RtlImageDirectoryEntryToData( (HMODULE)ptr, TRUE,
+                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &loadcfg_size );
+-    if (loadcfg &&
+-        loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie))
+    if (loadcfg && loadcfg_size >= offsetof(IMAGE_LOAD_CONFIG_DIRECTORY, SecurityCookie) + sizeof(loadcfg->SecurityCookie) &&
+        (ULONG_PTR)ptr <= loadcfg->SecurityCookie && loadcfg->SecurityCookie <= (ULONG_PTR)ptr + total_size - sizeof(ULONG_PTR))
+    {
+         set_security_cookie((ULONG_PTR *)loadcfg->SecurityCookie);
+    }
+ 
+     /* set the image protections */
+ 
+-- 
+2.4.5
+
--- a/patches/ntdll-Security_Cookie/definition
+++ b/patches/ntdll-Security_Cookie/definition
@ -0,0 +1,2 @@
+Fixes: Fix loading of libraries with incomplete IMAGE_LOAD_CONFIG_DIRECTORY struct
+Fixes: [38949] Fix security cookie handling for UPX compressed executables
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@ -169,6 +169,7 @@ patch_enable_all ()
 	enable_ntdll_NtSetLdtEntries="$1"
 	enable_ntdll_Pipe_SpecialCharacters="$1"
 	enable_ntdll_RtlIpStringToAddress="$1"
+	enable_ntdll_Security_Cookie="$1"
 	enable_ntdll_ThreadTime="$1"
 	enable_ntdll_Threading="$1"
 	enable_ntdll_User_Shared_Data="$1"
@ -576,6 +577,9 @@ patch_enable ()
 		ntdll-RtlIpStringToAddress)
 			enable_ntdll_RtlIpStringToAddress="$2"
 			;;
+		ntdll-Security_Cookie)
+			enable_ntdll_Security_Cookie="$2"
+			;;
 		ntdll-ThreadTime)
 			enable_ntdll_ThreadTime="$2"
 			;;
@ -1961,6 +1965,23 @@ if test "$enable_Staging" -eq 1; then
 	) >> "$patchlist"
 fi

+# Patchset server-Misc_ACL
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#15980] GetSecurityInfo returns NULL DACL for process object
+# |
+# | Modified files:
+# |   *	dlls/advapi32/tests/security.c, server/process.c, server/security.h, server/token.c
+# |
+if test "$enable_server_Misc_ACL" -eq 1; then
+	patch_apply server-Misc_ACL/0001-server-Add-default-security-descriptor-ownership-for.patch
+	patch_apply server-Misc_ACL/0002-server-Add-default-security-descriptor-DACL-for-proc.patch
+	(
+		echo '+    { "Erich E. Hoover", "server: Add default security descriptor ownership for processes.", 1 },';
+		echo '+    { "Erich E. Hoover", "server: Add default security descriptor DACL for processes.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset server-CreateProcess_ACLs
 # |
 # | This patchset fixes the following Wine bugs:
@ -1980,23 +2001,6 @@ if test "$enable_server_CreateProcess_ACLs" -eq 1; then
 	) >> "$patchlist"
 fi

-# Patchset server-Misc_ACL
-# |
-# | This patchset fixes the following Wine bugs:
-# |   *	[#15980] GetSecurityInfo returns NULL DACL for process object
-# |
-# | Modified files:
-# |   *	dlls/advapi32/tests/security.c, server/process.c, server/security.h, server/token.c
-# |
-if test "$enable_server_Misc_ACL" -eq 1; then
-	patch_apply server-Misc_ACL/0001-server-Add-default-security-descriptor-ownership-for.patch
-	patch_apply server-Misc_ACL/0002-server-Add-default-security-descriptor-DACL-for-proc.patch
-	(
-		echo '+    { "Erich E. Hoover", "server: Add default security descriptor ownership for processes.", 1 },';
-		echo '+    { "Erich E. Hoover", "server: Add default security descriptor DACL for processes.", 1 },';
-	) >> "$patchlist"
-fi
-
 # Patchset advapi32-LsaLookupSids
 # |
 # | Modified files:
@ -3582,6 +3586,23 @@ if test "$enable_ntdll_RtlIpStringToAddress" -eq 1; then
 	) >> "$patchlist"
 fi

+# Patchset ntdll-Security_Cookie
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#38949] Fix security cookie handling for UPX compressed executables
+# |
+# | Modified files:
+# |   *	dlls/ntdll/virtual.c
+# |
+if test "$enable_ntdll_Security_Cookie" -eq 1; then
+	patch_apply ntdll-Security_Cookie/0001-ntdll-Handle-partial-image-load-config-structs.-try-.patch
+	patch_apply ntdll-Security_Cookie/0002-ntdll-Validate-SecurityCookie-pointer-before-derefer.patch
+	(
+		echo '+    { "Martin Storsjo", "ntdll: Handle partial image load config structs.", 3 },';
+		echo '+    { "Sebastian Lackner", "ntdll: Validate SecurityCookie pointer before dereferencing.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset ntdll-ThreadTime
 # |
 # | This patchset fixes the following Wine bugs: