msys2 / msys2-runtime

Our friendly fork of Cygwin 💖 https://cygwin.org 💖 see the wiki for details
https://github.com/msys2/msys2-runtime/wiki
GNU General Public License v2.0

Some executables cause BSOD in WinPE #160

Open lesderid opened 1 year ago

lesderid commented 1 year ago

Running some MSYS2 executables (e.g. fish) under WinPE (Windows Server 2022, specifically 20348.1) causes a crash in ntfs.sys:

```text
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff80625609454, Address of the instruction which caused the BugCheck
Arg3: ffffbb0539194290, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.
```

[...]

```text
PROCESS_NAME:  fish.exe

STACK_TEXT:
ffffbb05`39194cb0 fffff806`2560573c     : ffffd485`cb2f0a68 ffffd485`cd83fb00 00000000`00ff00ff ffffbb05`39194f28 : Ntfs!NtfsFindStartingNode+0x5d4
ffffbb05`39194d80 fffff806`25602872     : ffffd485`cd83fb00 ffffbb05`39195130 ffffd485`cd83fb00 00000000`00000000 : Ntfs!NtfsCommonCreate+0x56c
ffffbb05`39195020 fffff806`21276425     : ffffd485`c956f030 ffffd485`cd83fb00 ffffbb05`39195300 ffffd485`cdd9b630 : Ntfs!NtfsFsdCreate+0x202
ffffbb05`391952a0 fffff806`20f4637a     : ffffd485`cd83fb00 ffffbb05`39195390 ffffbb05`39195399 fffff806`20f450b3 : nt!IofCallDriver+0x55
ffffbb05`391952e0 fffff806`20f7a264     : ffffbb05`39195390 ffffd485`cd83fc60 ffffd485`c9512cd0 fffff806`21688e9b : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x27a
ffffbb05`39195350 fffff806`21276425     : ffffd485`c9512c00 ffffd485`c95596b0 00000000`00000000 00000000`00000000 : FLTMGR!FltpCreate+0x314
ffffbb05`39195400 fffff806`21687331     : ffffd485`cbc14a20 ffffd485`c95596b0 ffffbb05`39195701 00000000`00000040 : nt!IofCallDriver+0x55
ffffbb05`39195440 fffff806`21745e27     : 00000038`00000068 ffffd485`cbc14a20 d485cdd9`b790ffff ffffd485`cdd9b7c0 : nt!IopParseDevice+0x891
ffffbb05`39195600 fffff806`2168b9f5     : fffff806`21745d60 ffffbb05`39195770 ffffd485`c8cfb6c0 ffffd485`cdd9b7c0 : nt!IopParseFile+0xc7
ffffbb05`39195670 fffff806`2168ae91     : 00000000`00000000 ffffbb05`391958a0 00000000`00000040 ffffd485`c8cfb6c0 : nt!ObpLookupObjectName+0x625
ffffbb05`39195810 fffff806`216b5d9f     : 00000000`00000000 00000000`00000001 ffffd485`cbc14a20 00000007`ffffb0d0 : nt!ObOpenObjectByNameEx+0x1f1
ffffbb05`39195940 fffff806`216b58e8     : 00000007`ffffb090 00000000`00000000 00000007`ffffb0d0 00000007`ffffb0c0 : nt!IopCreateFile+0x40f
ffffbb05`391959e0 fffff806`21437735     : 00000000`00000000 00000007`ffffb0c0 00000008`00025508 00000008`00000068 : nt!NtOpenFile+0x58
ffffbb05`39195a70 00007ffc`d416efa4     : 00000001`80113101 00000007`ffffb270 00000008`000253d0 00000008`000254c8 : nt!KiSystemServiceCopyEnd+0x25
00000007`ffffafb8 00000001`80113101     : 00000007`ffffb270 00000008`000253d0 00000008`000254c8 00000000`00000080 : ntdll!NtOpenFile+0x14
00000007`ffffafc0 00000007`ffffb270     : 00000008`000253d0 00000008`000254c8 00000000`00000080 00000007`00000007 : msys_2_0!cuserid+0x29bc1
00000007`ffffafc8 00000008`000253d0     : 00000008`000254c8 00000000`00000080 00000007`00000007 00000000`00004020 : 0x00000007`ffffb270
00000007`ffffafd0 00000008`000254c8     : 00000000`00000080 00000007`00000007 00000000`00004020 00000000`00000060 : 0x00000008`000253d0
00000007`ffffafd8 00000000`00000080     : 00000007`00000007 00000000`00004020 00000000`00000060 00000000`00000005 : 0x00000008`000254c8
00000007`ffffafe0 00000007`00000007     : 00000000`00004020 00000000`00000060 00000000`00000005 00000007`ffffb160 : 0x80
00000007`ffffafe8 00000000`00004020     : 00000000`00000060 00000000`00000005 00000007`ffffb160 00000001`801766ac : 0x00000007`00000007
00000007`ffffaff0 00000000`00000060     : 00000000`00000005 00000007`ffffb160 00000001`801766ac 00000007`ffffb310 : 0x4020
00000007`ffffaff8 00000000`00000005     : 00000007`ffffb160 00000001`801766ac 00000007`ffffb310 00000000`00001e01 : 0x60
00000007`ffffb000 00000007`ffffb160     : 00000001`801766ac 00000007`ffffb310 00000000`00001e01 00000000`00000180 : 0x5
00000007`ffffb008 00000001`801766ac     : 00000007`ffffb310 00000000`00001e01 00000000`00000180 00000007`ffffb050 : 0x00000007`ffffb160
00000007`ffffb010 00000007`ffffb310     : 00000000`00001e01 00000000`00000180 00000007`ffffb050 00000001`8026f480 : msys_2_0!truncl+0xac
00000007`ffffb018 00000000`00001e01     : 00000000`00000180 00000007`ffffb050 00000001`8026f480 00000007`00000080 : 0x00000007`ffffb310
00000007`ffffb020 00000000`00000180     : 00000007`ffffb050 00000001`8026f480 00000007`00000080 00000007`ffffb080 : 0x1e01
00000007`ffffb028 00000007`ffffb050     : 00000001`8026f480 00000007`00000080 00000007`ffffb080 00000000`00000644 : 0x180
00000007`ffffb030 00000001`8026f480     : 00000007`00000080 00000007`ffffb080 00000000`00000644 00000000`00000000 : 0x00000007`ffffb050
00000007`ffffb038 00000007`00000080     : 00000007`ffffb080 00000000`00000644 00000000`00000000 00000000`00000028 : msys_2_0!sys_nerr+0x24140
00000007`ffffb040 00000007`ffffb080     : 00000000`00000644 00000000`00000000 00000000`00000028 01d9ab0f`2761782a : 0x00000007`00000080
00000007`ffffb048 00000000`00000644     : 00000000`00000000 00000000`00000028 01d9ab0f`2761782a 00000000`0000000a : 0x00000007`ffffb080
00000007`ffffb050 00000000`00000000     : 00000000`00000028 01d9ab0f`2761782a 00000000`0000000a 00000000`00000200 : 0x644
```

[...]

~~NtOpenFile was called with ObjectAttributes.ObjectName containing `\??\X:\msys\dev\.`~~

(I realise this is probably not a supported configuration. It also arguably isn't an MSYS2 bug, as it's a user mode program that causes a kernel mode crash. I'm creating this issue mostly so there's a record of it.)

lesderid commented 1 year ago

After further debugging, it seems that WinPE doesn't like mmap. The arguments (prot and flags), file size, and file path don't seem to matter.

lesderid commented 1 year ago

I was able to fix it, but I'm not sure yet how to properly trigger the bug outside of MSYS. I might try to figure this out first before I submit the patch, to make sure I'm not missing anything.