Uploaded image for project: 'Core ReactOS'
  1. Core ReactOS
  2. CORE-8200

Frequent crashes in RPC server applications

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 0.4.0
    • Build System, Wine
    • None
    • 53,171

    Description

      In tests (and other things) involving RPC calls, we often see:

      • HEAP: Trying to free an invalid address XXXXXXXX!
      • we got fault packet with status 0x3e6
        and possibly other failures.

      We use -Oif when generating server & client stubs with widl since r53171. Wine does not use that flag, so they get different stubs, which exercise different code paths.

      When -Oif is enabled, there is a use-after-free condition in rpcrt4 where the conformance/variance check on an array can reference parameters that have already been freed. For example:

        85     /* Lookup entries in an endpoint map using the given input pattern */
        86     [idempotent]
        87     void ept_map(
        88         [in]        handle_t            h,
        89         [in]        uuid_p_t            object,
        90         [in]        twr_p_t             map_tower,
        91         [in, out]   ept_lookup_handle_t *entry_handle,
        92         [in]        unsigned32          max_towers,
        93         [out]       unsigned32          *num_towers,
        94         [out, length_is(*num_towers), size_is(max_towers)]
        95                     twr_p_t             *towers,
        96         [out]       error_status_t      *status
        97     );

      Parameter buffers are freed in order, so the buffer for max_towers will be freed in the STUBLESS_FREE stage of the RPC call (server side) before the towers parameter. However, on free of towers, it's conformance (max_towers) and variance (*num_towers) are checked, which will cause an access to the already freed memory at *num_towers.

      This is a bug in Wine's rpcrt4, and that should be fixed; but I currently don't know how. In any case, by using -Oif with widl we are just asking for trouble because Wine does not use this flag, hence the relevant code in rpcrt4 is not well tested. This sacrifices application compatibility and general system stability just because we want to use a more modern RPC mechanism – which is not an acceptable trade-off.
      http://svn.reactos.org/svn/reactos?view=revision&revision=53171

      Attachments

        1. disable-widl-oif.patch
          2 kB
        2. server_s.c
          154 kB
        3. server_s.c
          144 kB
        4. 0001-CMAKE-RPC.patch
          3 kB
        5. 0001-CMAKE-RPC-svn.patch
          3 kB
        6. rpcrt4_advance_mustfree.diff
          1 kB
        7. widl-fix-string.patch
          1 kB
        8. widl-fix-string.patch
          1 kB

        Issue Links

          Activity

            People

              zefklop jgardou
              ThFabba ThFabba
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: