This is the mail archive of the cygwin mailing list for the Cygwin project.



Cygwin / MSYS2 runtime fails on Wine because of accessing (*ReferencedDomains)->Domains[-1]


Hi folks,

When playing with Cygwin / MSYS2 on Wine, I found a crash related
to LsaLookupSids.


In winsup/cygwin/uinfo.cc, we want to copy a Unicode string from
arg.full_acc->dom to dom:

    *wcpncpy (dom, arg.full_acc->dom->Buffer,
              arg.full_acc->dom->Length / sizeof (WCHAR)) = L'\0';

where arg.full_acc->dom->Buffer came from dlst->Domains[nlst[ncnt].DomainIndex]

winsup/cygwin/grp.cc:

    fetch_acc_t full_acc =
      {
        .sid = sidp_buf[ncnt],
        .name = &nlst[ncnt].Name,
        .dom = &dlst->Domains[nlst[ncnt].DomainIndex].Name,
        .acc_type = nlst[ncnt].Use
      };

According to my test [1], DomainIndex can be -1 sometimes, which seems
valid according to a similar MSDN entry [2]:

--- snip ---

Otherwise, the corresponding TranslatedNames entry MUST be updated with:

Use: SidTypeUnknown.

Name: Empty, unless LookupLevel is LsapLookupWksta. In that case, Name
MUST contain the textual representation of the corresponding SID, as
in step 2.

Flags: 0x00000000 (also see the following paragraph).

DomainIndex: -1.
--- snip ---

On Windows, I never saw a crash when accessing Domains[-1].
While it might be safe, it might not be meaningful; here is an
example output of the content of Domains[-1]:

lsa.c:431: haha names[8].DomainIndex -1
lsa.c:432: use 8 /* SidTypeUnknown */
lsa.c:433: name L"S-1-5-5-0-117053"
lsa.c:434: domain name L"\0000\0002\08c0" /* seems like garbage */
lsa.c:436: domain sid 00000020 /* not like a valid sid */

By comparing to a normal output, I strongly doubt Domains[-1] is meaningful.

lsa.c:431: names[7].DomainIndex 1
lsa.c:432: use 5
lsa.c:433: name L"This Organization"
lsa.c:434: domain name L"NT AUTHORITY"
lsa.c:436: domain sid 009808E8

Does anyone know whether it is expected to access Domains[-1] in this case?

On Wine, accessing Domains[-1] causes a crash. I'll propose a
patch to Wine to work around this [as attachment], but it would be
great to see this issue also fixed on the Cygwin side if it is a
hidden bug.

Thanks for any comments and keep up the great work!


[1] https://testbot.winehq.org/JobDetails.pl?Key=12577 (see attachment
for test case source code)
[2] https://msdn.microsoft.com/en-us/library/cc234496.aspx


-- 
Regards,
Qian Hong

-
http://www.winehq.org

Attachment: 0001-advapi32-prepend-a-hidden-Domain-1-to-prevent-applicat.txt
Description: Text document
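
A bounds check for the lookup discussed in the message above, as an added example that is not part of the original post and is not code from Cygwin or Wine. The struct types are constructed stand-ins for the LSA structures, the helper names (domain_of, copy_domain, sample_lookup) are hypothetical, and the sample domain list is constructed.

```c
#include <stdio.h>
#include <wchar.h>

/* Constructed stand-ins for the LSA structures, reduced to the fields the
   message discusses; wchar_t stands in for WCHAR so this builds anywhere. */
typedef struct { unsigned short Length; wchar_t *Buffer; } ustr_t; /* bytes */
typedef struct { ustr_t Name; void *Sid; } trust_info_t;
typedef struct { unsigned long Entries; trust_info_t *Domains; } domain_list_t;
typedef struct { int Use; ustr_t Name; long DomainIndex; } translated_name_t;

/* Hypothetical helper: domain name for one translated entry, or NULL when
   DomainIndex (e.g. -1 for SidTypeUnknown) is not a real Domains[] slot. */
static const ustr_t *domain_of(const domain_list_t *dl, const translated_name_t *tn) {
    if (!dl || !dl->Domains || tn->DomainIndex < 0
        || (unsigned long)tn->DomainIndex >= dl->Entries)
        return NULL;
    return &dl->Domains[tn->DomainIndex].Name;
}

/* Bounded, always NUL-terminated copy; returns chars copied (0 = no domain). */
static size_t copy_domain(wchar_t *dst, size_t dstlen, const domain_list_t *dl,
                          const translated_name_t *tn) {
    const ustr_t *dom = domain_of(dl, tn);
    size_t n = 0;
    if (!dstlen) return 0;
    if (dom && dom->Buffer) {
        n = dom->Length / sizeof(wchar_t);
        if (n > dstlen - 1) n = dstlen - 1;   /* truncate, never overrun */
        wmemcpy(dst, dom->Buffer, n);
    }
    dst[n] = L'\0';
    return n;
}

/* Constructed sample: two domains, looked up with the given DomainIndex. */
static size_t sample_lookup(long index, wchar_t *out, size_t outlen) {
    static wchar_t d0[] = L"BUILTIN", d1[] = L"NT AUTHORITY";
    trust_info_t doms[2] = { { { sizeof d0 - sizeof(wchar_t), d0 }, NULL },
                             { { sizeof d1 - sizeof(wchar_t), d1 }, NULL } };
    domain_list_t dl = { 2, doms };
    translated_name_t tn = { index < 0 ? 8 : 5, { 0, NULL }, index }; /* Use as in the logs */
    return copy_domain(out, outlen, &dl, &tn);
}

int main(void) {
    wchar_t b[32];
    printf("%zu %zu\n", sample_lookup(1, b, 32), sample_lookup(-1, b, 32));
    return 0;
}
```

With this check, an entry whose DomainIndex is -1 produces an empty domain string instead of a read from memory in front of the Domains array.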
