Commit Graph

3319 Commits

Author SHA1 Message Date
Zebediah Figura
44af049de7 Rebase against 2828d0820a1661e46f606f28db090d710cef11f4. 2021-03-18 00:32:41 -05:00
Alistair Leslie-Hughes
c747e46d75 Rebase against 4d5824112e13160e538013a25f1c13a124565180. 2021-03-17 09:44:07 +11:00
Zebediah Figura
1f89c15143 Rebase against 23ffd0a7986421958c23cffce138afa389209920. 2021-03-15 18:28:35 -05:00
Alistair Leslie-Hughes
7ec998e17a Release v6.4 2021-03-15 08:31:03 +11:00
Zebediah Figura
4a427fa757 Rebase against 4336ed0b84b3dd3097bbbbf8e4b9de2e4d444ad7. 2021-03-12 16:12:02 -06:00
Alistair Leslie-Hughes
5bcba4ef5a Rebase against 0ae1669ec2798193b11fd2d2ac74d51203f673b2. 2021-03-12 10:33:43 +11:00
Zebediah Figura
acc0de4def Rebase against 580413032c61bc142078d08efb1d1167fe385a97. 2021-03-10 19:40:52 -06:00
Alistair Leslie-Hughes
e7c08665ab Rebase against 9107f591d3d73a3b4040db2e13ef51d9846591c9. 2021-03-10 08:55:33 +11:00
Zebediah Figura
cb2a6e06e1 Rebase against 5bccf6fc3f309207ef4162df335157649f627f50. 2021-03-05 21:21:19 -06:00
Zebediah Figura
3a33c70a9a Rebase against 31af1aeb7895bddf59a73886b89759f76881bc9e. 2021-03-04 17:50:31 -06:00
Alistair Leslie-Hughes
64efb6f0d3 Added ntdll-RtlFirstFreeAce patchset 2021-03-04 12:06:54 +11:00
Alistair Leslie-Hughes
404b698d44 Rebase against 6d5659103f49db9e045087dd0093acc3b9a4b919. 2021-03-04 11:24:46 +11:00
Zebediah Figura
0b1ffe4b94 Rebase against 7fa74fa78e2f8fedeea6fa3c796f0f2eb202825e. 2021-03-02 20:22:19 -06:00
Zebediah Figura
5d8901ac21 ntdll-set_full_cpu_context: Remove patch set.
These prefixes are redundant. We're restoring the context from 32-bit code, so
%ss = %ds already, and if we're on this side of the code then our %ss = the
target %ss.

Still, why was the patch written?

Before 44fbc018ed, there was a single path to restore contexts, and it looked
like this:

    output( "2:\tpushl 0x94(%%ecx)\n");     /* SegEs */
    output( "\tpopl %%es\n" );
    output( "\tpushl 0x90(%%ecx)\n");       /* SegFs */
    output( "\tpopl %%fs\n" );
    output( "\tpushl 0x8c(%%ecx)\n");       /* SegGs */
    output( "\tpopl %%gs\n" );

    output( "\tmovl 0x9c(%%ecx),%%edi\n");  /* Edi */
    output( "\tmovl 0xa0(%%ecx),%%esi\n");  /* Esi */
    output( "\tmovl 0xa8(%%ecx),%%edx\n");  /* Edx */
    output( "\tmovl 0xa4(%%ecx),%%ebx\n");  /* Ebx */
    output( "\tmovl 0xb0(%%ecx),%%eax\n");  /* Eax */
    output( "\tmovl 0xb4(%%ecx),%%ebp\n");  /* Ebp */

    output( "\tpushl 0xc8(%%ecx)\n");       /* SegSs */
    output( "\tpopl %%ss\n" );
    output( "\tmovl 0xc4(%%ecx),%%esp\n");  /* Esp */

    output( "\tpushl 0xc0(%%ecx)\n");       /* EFlags */
    output( "\tpushl 0xbc(%%ecx)\n");       /* SegCs */
    output( "\tpushl 0xb8(%%ecx)\n");       /* Eip */
    output( "\tpushl 0x98(%%ecx)\n");       /* SegDs */
    output( "\tmovl 0xac(%%ecx),%%ecx\n");  /* Ecx */

    output( "\tpopl %%ds\n" );
    output( "\tiret\n" );

Very simple: we restore most registers (but not %ds), then switch stacks, then
push control registers and %ds to the current (target) stack, then pop %ds and
iret.

This was vulnerable to signal races:

+    /* As soon as we have switched stacks the context structure could
+     * be invalid (when signal handlers are executed for example). Copy
+     * values on the target stack before changing ESP. */

so 44fbc018ed changed the path to a different one:

    output( "\tpushl 0xc8(%%ecx)\n" );      /* SegSs */
    output( "\tpopl %%es\n" );
    output( "\tmovl 0xc4(%%ecx),%%eax\n" ); /* Esp */
    output( "\tleal -4*4(%%eax),%%eax\n" );

    output( "\tmovl 0xc0(%%ecx),%%edx\n" ); /* EFlags */
    output( "\t.byte 0x26\n\tmovl %%edx,3*4(%%eax)\n" );
    output( "\tmovl 0xbc(%%ecx),%%edx\n" ); /* SegCs */
    output( "\t.byte 0x26\n\tmovl %%edx,2*4(%%eax)\n" );
    output( "\tmovl 0xb8(%%ecx),%%edx\n" ); /* Eip */
    output( "\t.byte 0x26\n\tmovl %%edx,1*4(%%eax)\n" );
    output( "\tmovl 0xb0(%%ecx),%%edx\n" ); /* Eax */
    output( "\t.byte 0x26\n\tmovl %%edx,0*4(%%eax)\n" );

    output( "\tpushl %%es\n" );
    output( "\tpushl 0x98(%%ecx)\n" );      /* SegDs */

    output(" \tpushl 0x94(%%ecx)\n" );      /* SegEs */
    output( "\tpopl %%es\n" );
    output( "\tpushl 0x90(%%ecx)\n");       /* SegFs */
    output( "\tpopl %%fs\n" );
    output( "\tpushl 0x8c(%%ecx)\n");       /* SegGs */
    output( "\tpopl %%gs\n" );

    output( "\tmovl 0x9c(%%ecx),%%edi\n" ); /* Edi */
    output( "\tmovl 0xa0(%%ecx),%%esi\n" ); /* Esi */
    output( "\tmovl 0xa4(%%ecx),%%ebx\n" ); /* Ebx */
    output( "\tmovl 0xa8(%%ecx),%%edx\n" ); /* Edx */
    output( "\tmovl 0xb4(%%ecx),%%ebp\n" ); /* Ebp */
    output( "\tmovl 0xac(%%ecx),%%ecx\n" ); /* Ecx */

    output( "\tpopl %%ds\n" );
    output( "\tpopl %%ss\n" );
    output( "\tmovl %%eax,%%esp\n" );

    output( "\tpopl %%eax\n" );
    output( "\tiret\n" );

That is, we set %es to the target %ss, write control regs onto the target stack
using %es, switch to the target stack, then pop + iret. In this case the %es
overrides make perfect sense: the target stack might be different from ours
(i.e. we are returning to 16-bit code).

Evidently this was invalid:

+    /* Restore the context when the stack segment changes. We can't use
+     * the same code as above because we do not know if the stack segment
+     * is 16 or 32 bit, and 'movl' will throw an exception when we try to
+     * access memory above the limit. */

In 4c8b3f63be1 slackner introduced two different paths. If we need to switch
stacks, we use the original path. (I think it's still vulnerable to signal
races, but we have no way of preventing those.) Meanwhile the other path can be
simplified a bit, since we're already on the target stack:

-    output( "\tpushl 0xc8(%%ecx)\n" );      /* SegSs */
-    output( "\tpopl %%es\n" );
     output( "\tmovl 0xc4(%%ecx),%%eax\n" ); /* Esp */
     output( "\tleal -4*4(%%eax),%%eax\n" );

     output( "\tmovl 0xc0(%%ecx),%%edx\n" ); /* EFlags */
-    output( "\t.byte 0x26\n\tmovl %%edx,3*4(%%eax)\n" );
+    output( "\t.byte 0x36\n\tmovl %%edx,3*4(%%eax)\n" );
     output( "\tmovl 0xbc(%%ecx),%%edx\n" ); /* SegCs */
-    output( "\t.byte 0x26\n\tmovl %%edx,2*4(%%eax)\n" );
+    output( "\t.byte 0x36\n\tmovl %%edx,2*4(%%eax)\n" );
     output( "\tmovl 0xb8(%%ecx),%%edx\n" ); /* Eip */
-    output( "\t.byte 0x26\n\tmovl %%edx,1*4(%%eax)\n" );
+    output( "\t.byte 0x36\n\tmovl %%edx,1*4(%%eax)\n" );
     output( "\tmovl 0xb0(%%ecx),%%edx\n" ); /* Eax */
-    output( "\t.byte 0x26\n\tmovl %%edx,0*4(%%eax)\n" );
+    output( "\t.byte 0x36\n\tmovl %%edx,0*4(%%eax)\n" );

-    output( "\tpushl %%es\n" );
     output( "\tpushl 0x98(%%ecx)\n" );      /* SegDs */

@@ -890,11 +889,37 @@ static void build_call_from_regs_x86(void)
     output( "\tmovl 0xac(%%ecx),%%ecx\n" ); /* Ecx */

     output( "\tpopl %%ds\n" );
-    output( "\tpopl %%ss\n" );
     output( "\tmovl %%eax,%%esp\n" );

     output( "\tpopl %%eax\n" );
     output( "\tiret\n" );

Sebastian got rid of the setting of %es, and replaced the %es prefixes with %ss
prefixes. What I think happened is that he made a subtle mistake—or, well, not a
mistake, but a redundancy. %es: was changed to %ss: by analogy, but it's
actually not necessary: we're operating on the source stack, and we know the
source stack is 32-bit, and we haven't set %ds yet, so %ds == %ss already, and
we can use the %implicit %ds prefix.

Alexandre presumably saw this in bab6ece63, and silently removed them. My guess
is that Sebastian saw that, wasn't sure, but (in the best case) didn't want to
submit his fix upstream until he had checked whether it was actually correct,
and never got around to checking. (Alternatively, he thought that the %ss should
have been retained for clarity, and decided not to try to submit that upstream.)
2021-03-02 20:22:01 -06:00
Zebediah Figura
6b24c39d32 Rebase against 3c2db20f66806074b047b0b3c76aa86ad79e3175. 2021-03-01 16:31:44 -06:00
Zebediah Figura
15f4220e49 Fix some whitespace errors. 2021-02-28 15:17:57 -06:00
Alistair Leslie-Hughes
e83fdffe77 Release v6.3 2021-02-27 17:52:14 +11:00
Zebediah Figura
750044c08c ntdll-Junction_Points: Updates from Erich E. Hoover.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=50586
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=50285
2021-02-27 00:07:31 -06:00
Zebediah Figura
dfc989712e server-default_integrity: Support the "runas" verb, and set EnableLUA to 1.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=50727
2021-02-26 22:47:31 -06:00
Zebediah Figura
783002b5de Rebase against 0f972e2247932f255f131792724e4796b4b2b87a. 2021-02-26 22:46:07 -06:00
Zebediah Figura
e4debaae9b Rebase against 35e43ccf1b42e9f67d7765753f0c3ef8cf102c46. 2021-02-25 21:04:11 -06:00
Alistair Leslie-Hughes
9a7b25dfd2 Rebase against 1649389edca12d2998f72a159b2bbbf247176163. 2021-02-25 10:39:29 +11:00
Alistair Leslie-Hughes
43a3110e95 Rebase against 4981785f0fbcafbdc6a9dc4f71d06b137d558597.
This rebase is affected by the same upstream bug.
https://bugs.winehq.org/show_bug.cgi?id=50713
2021-02-23 13:31:24 +11:00
Zebediah Figura
37fa6ccbbd packager-DllMain: Use --prefer-native instead of DLL_WINE_PREATTACH. 2021-02-21 13:55:56 -06:00
Zebediah Figura
9aeea5d12e Rebase against 4de079bb7247c8b849558c0f27a280a9546c5570. 2021-02-19 19:32:08 -06:00
Zebediah Figura
aa8a3d90cb Rebase against b8719736c5a022fa9c50f64adfc3ef58b40460f2. 2021-02-18 20:16:43 -06:00
Zebediah Figura
811467bf6a server-default_integrity: New patch set.
This patch set, as an alternative approach to advapi32-Token_Integrity_Level,
creates all processes as a limited administrator by default. This doesn't
actually seem to break most applications, apparently since they assume that
their manifest is enough to force them to run as administrator and don't bother
verifying that's what they get, and since we don't actually prevent accessing
low-integrity objects. I'm adding this patch to wine-staging in order to smoke
out any applications that might be broken, as it's still a very risky patch.
2021-02-17 20:57:47 -06:00
Zebediah Figura
2a9a56c4d0 Rebase against c6a3072051fb88edd3847c750c2ec852f11870f6. 2021-02-17 20:40:31 -06:00
Alistair Leslie-Hughes
d0873d2c72 Rebase against a55a37d1dae2231d8dec9f3191449f89be0b10dc. 2021-02-17 09:56:43 +11:00
Alistair Leslie-Hughes
4046ffe6c9 Rebase against a9c8196e97ec255f4f69d005ea1cbf8fcf2537e8. 2021-02-16 11:02:22 +11:00
Alistair Leslie-Hughes
3b5ea332d6 Release v6.2 2021-02-13 17:25:34 +11:00
Alistair Leslie-Hughes
81e3e6dafa Rebase against 4f7e621dc58fd82924e64c695dc61a78c55fd44e. 2021-02-13 17:11:37 +11:00
Alistair Leslie-Hughes
41cb9f5179 Rebase against b922b5aeef18fd30b13a4e86c115d68e505c9393. 2021-02-12 11:53:19 +11:00
Zebediah Figura
41e15516bd Rebase against 2d6b0b67d91b6433744ec859b10b8ee8eb4a37b3. 2021-02-10 19:45:27 -06:00
Zebediah Figura
6347bdd1fc Rebase against 7a9745022b1bfcc235b922be98a8fdc91976c587. 2021-02-08 16:01:40 -06:00
Zebediah Figura
677b445b0d Rebase against 4f1b297a14bbd304fb20da7c4b64266c14d110e5. 2021-02-05 18:01:09 -06:00
Zebediah Figura
a2f82c5c85 Rebase against dd417540bb3afb3aa5a04a007eea9a7ee347655b. 2021-02-04 17:28:33 -06:00
Zebediah Figura
cfe1b94e0f ntdll-Junction_Points: Updates from Erich E. Hoover. 2021-02-03 19:44:26 -06:00
Zebediah Figura
2be4bfb8fe Rebase against 2201ca08fb03d069fa2ccf46773c150a6f7988bc. 2021-02-03 16:10:49 -06:00
Alistair Leslie-Hughes
cae1b3eba0 Rebase against 433b9081ba7c862feb947400f507228e793d7d4c. 2021-02-03 10:11:33 +11:00
Alistair Leslie-Hughes
a6054cf2e9 Rebase against cfbbde2abce1eedc7f53db3f8af8078fe4a11cac. 2021-02-02 10:51:17 +11:00
Alistair Leslie-Hughes
f6dacd2f9a Release v6.1 2021-01-31 19:09:00 +11:00
Alistair Leslie-Hughes
43c064ef3c Rebase against 47ac628b4a4e476c1b044765c95d5be2a7101d14. 2021-01-31 18:52:51 +11:00
Alistair Leslie-Hughes
5c5a8f3b2c Rebase against f72ef20e88fba67254caf0124ab8713e3d15fa2a. 2021-01-29 11:11:41 +11:00
Alistair Leslie-Hughes
bd135b1477 Updated xactengine3_7-Notification patchset 2021-01-28 13:24:47 +11:00
Alistair Leslie-Hughes
9692b2e5eb Rebase against 24b9203d3544001dd51894f1c1edd99819367198. 2021-01-28 09:08:29 +11:00
Alistair Leslie-Hughes
bcf5899a3c Drop ntdll-Interrupt-0x2e patchset
The program itself later updated not to use that interrupt, and nobody seems to have an old copy of it.
2021-01-27 11:19:20 +11:00
Alistair Leslie-Hughes
73480ec459 Rebase against c1824d578ac514d29e79a5a00d6759f11dbe4813. 2021-01-27 11:13:11 +11:00
Alistair Leslie-Hughes
fd3372e71c Rebase against 2d6462cdee2bd87a49382794e5a554f33c367f09. 2021-01-26 15:37:12 +11:00
Alistair Leslie-Hughes
3dec70bf32 Updated dsound-EAX patchset 2021-01-25 19:18:14 +11:00