Added patch to fix crash of winedevice when relocation entry crosses page boundary.

2025-04-13 14:42:51 -07:00 · 2014-11-10 04:09:18 +01:00
parent 475485ce5b
commit c3920efc17
5 changed files with 121 additions and 1 deletions
--- a/patches/winedevice-Fix_Relocation/0001-winedevice-Avoid-invalid-memory-access-when-relocati.patch
+++ b/patches/winedevice-Fix_Relocation/0001-winedevice-Avoid-invalid-memory-access-when-relocati.patch
@@ -0,0 +1,95 @@
+From 2e1fed5c492efaeaab25f61ed0640230f8415750 Mon Sep 17 00:00:00 2001
+From: Sebastian Lackner <sebastian@fds-team.de>
+Date: Mon, 10 Nov 2014 04:05:38 +0100
+Subject: winedevice: Avoid invalid memory access when relocation block
+ addresses memory outside of the current page.
+
+---
+ programs/winedevice/device.c | 48 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 42 insertions(+), 6 deletions(-)
+
+diff --git a/programs/winedevice/device.c b/programs/winedevice/device.c
+index 72bc124..b4736b3 100644
+--- a/programs/winedevice/device.c
+++ b/programs/winedevice/device.c
+@@ -61,6 +61,38 @@ static LDR_MODULE *find_ldr_module( HMODULE module )
+     return NULL;
+ }
+ 
+/* change permissions of a specific memory range, save original permissions */
+static void virtual_protect_save( void *addr, SIZE_T size, ULONG new_prot, ULONG *old_prot )
+{
+    SYSTEM_BASIC_INFORMATION info;
+    UINT i = 0;
+
+    NtQuerySystemInformation( SystemBasicInformation, &info, sizeof(info), NULL );
+    while (size)
+    {
+        SIZE_T block_size = min( size, info.PageSize - ((UINT_PTR)addr & (info.PageSize - 1)) );
+        VirtualProtect( addr, block_size, new_prot, &old_prot[i++] );
+        addr  = (void *)((char *)addr + block_size);
+        size -= block_size;
+    }
+}
+
+/* restore permissions for a specific memory range */
+static void virtual_protect_load( void *addr, SIZE_T size, ULONG *old_prot )
+{
+    SYSTEM_BASIC_INFORMATION info;
+    UINT i = 0;
+
+    NtQuerySystemInformation( SystemBasicInformation, &info, sizeof(info), NULL );
+    while (size)
+    {
+        SIZE_T block_size = min( size, info.PageSize - ((UINT_PTR)addr & (info.PageSize - 1)) );
+        VirtualProtect( addr, block_size, old_prot[i++], NULL );
+        addr  = (void *)((char *)addr + block_size);
+        size -= block_size;
+    }
+}
+
+ /* load the driver module file */
+ static HMODULE load_driver_module( const WCHAR *name )
+ {
+@@ -84,7 +116,7 @@ static HMODULE load_driver_module( const WCHAR *name )
+     if (nt->OptionalHeader.SectionAlignment < info.PageSize ||
+         !(nt->FileHeader.Characteristics & IMAGE_FILE_DLL))
+     {
+-        DWORD old;
+        DWORD old_prot[3];
+         IMAGE_BASE_RELOCATION *rel, *end;
+ 
+         if ((rel = RtlImageDirectoryEntryToData( module, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &size )))
+@@ -92,20 +124,24 @@ static HMODULE load_driver_module( const WCHAR *name )
+             WINE_TRACE( "%s: relocating from %p to %p\n",
+                         wine_dbgstr_w(name), (char *)module - delta, module );
+             end = (IMAGE_BASE_RELOCATION *)((char *)rel + size);
+-            while (rel < end && rel->SizeOfBlock)
+            while (rel < end - 1 && rel->SizeOfBlock)
+             {
+                 void *page = (char *)module + rel->VirtualAddress;
+-                VirtualProtect( page, info.PageSize, PAGE_EXECUTE_READWRITE, &old );
+                /* LdrProcessRelocationBlock can access the memory range from page - (page + 0xfff + 8), so
+                 * changing permissions of a single page is not sufficient. We assume here that the minimum
+                 * page size is 0x1000, so we have to save/restore two or three pages, depending on the
+                 * virtual address. */
+                virtual_protect_save( page, 0xfff + 8, PAGE_EXECUTE_READWRITE, old_prot );
+                 rel = LdrProcessRelocationBlock( page, (rel->SizeOfBlock - sizeof(*rel)) / sizeof(USHORT),
+                                                  (USHORT *)(rel + 1), delta );
+-                if (old != PAGE_EXECUTE_READWRITE) VirtualProtect( page, info.PageSize, old, NULL );
+                virtual_protect_load( page, 0xfff + 8, old_prot );
+                 if (!rel) goto error;
+             }
+             /* make sure we don't try again */
+             size = FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + nt->FileHeader.SizeOfOptionalHeader;
+-            VirtualProtect( nt, size, PAGE_READWRITE, &old );
+            VirtualProtect( nt, size, PAGE_READWRITE, &old_prot[0] );
+             nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = 0;
+-            VirtualProtect( nt, size, old, NULL );
+            VirtualProtect( nt, size, old_prot[0], NULL );
+         }
+     }
+ 
+-- 
+2.1.3
+
--- a/patches/winedevice-Fix_Relocation/definition
+++ b/patches/winedevice-Fix_Relocation/definition
@@ -0,0 +1,4 @@
+Author: Sebastian Lackner
+Subject: Avoid invalid memory access when relocation block addresses memory outside of the current page.
+Revision: 1
+Fixes: [28254] Fix crash of winedevice when relocation entry crosses page boundary