
Author Topic: POLINK /SAFESEH problem  (Read 3280 times)

japheth

« on: August 14, 2010, 01:37:34 PM »

Hello,

polink may create an invalid Load Configuration Directory because of an RVA miscalculation.

This is the test case. It must be assembled with Masm v8 or better:


;--- test .SAFESEH directive
;--- the assembler must be called with -coff and -safeseh

;--- problems: the MS linker emits a warning telling that it will
;--- ignore the directive. It does not, however.
;--- polink creates a faulty reference to the load config dir.

.386
.model flat, stdcall
option dotname

.safeseh exc_handler
.safeseh exc_handler2

.drectve segment info discard
; db "-subsystem:console -safeseh" ;MS link complains
db "-subsystem:console"
.drectve ends

DWORD_PTR typedef ptr
PVOID     typedef ptr

;--- two externals resolved by the linker

extern __safe_se_handler_table:ptr   ; base of safe handler entry table
extern __safe_se_handler_count:BYTE  ;

IMAGE_LOAD_CONFIG_DIRECTORY32_2 struct
Size_             DWORD ?
TimeDateStamp     DWORD ?
MajorVersion      WORD  ?
MinorVersion      WORD  ?
GlobalFlagsClear  DWORD ?
GlobalFlagsSet    DWORD ?
CriticalSectionDefaultTimeout DWORD ?
DeCommitFreeBlockThreshold    DWORD ?
DeCommitTotalFreeThreshold    DWORD ?
LockPrefixTable         DWORD ? ; VA
MaximumAllocationSize   DWORD ?
VirtualMemoryThreshold  DWORD ?
ProcessHeapFlags        DWORD ?
ProcessAffinityMask     DWORD ?
CSDVersion              WORD  ?
Reserved1               WORD  ?
EditList                DWORD ? ; VA
SecurityCookie          DWORD_PTR  ?
SEHandlerTable          PVOID ?
SEHandlerCount          DWORD ?
IMAGE_LOAD_CONFIG_DIRECTORY32_2 ends

.data

__security_cookie DWORD 0             ; /GS security cookie

;--- linker will search for public symbol _load_config_used!

public _load_config_used

_load_config_used IMAGE_LOAD_CONFIG_DIRECTORY32_2 {\
sizeof IMAGE_LOAD_CONFIG_DIRECTORY32_2, 0, 0, 0,
    0, 0, 0, 0,
    0, 0, 0, 0,
    0, 0, 0, 0,
    0, offset __security_cookie,
    offset __safe_se_handler_table,
    offset __safe_se_handler_count }

.code

exc_handler proc
ret
exc_handler endp

exc_handler2 proc
ret
exc_handler2 endp

start:
ret

end start

To create the binary module, run:

ml -c -coff -safeseh test.asm
polink -safeseh test.obj

Compare the result with the binary achieved when linking with MS link:
link -safeseh test.obj

The error can be found by using MS dumpbin.

POLINK version:

  Section contains the following load config:

            00000000 size
                  48 time date stamp Thu Jan 01 01:01:12 1970
                0.00 Version
                   0 GlobalFlags Clear
                   0 GlobalFlags Set
                   0 Critical Section Default Timeout
                   0 Decommit Free Block Threshold
                   0 Decommit Total Free Threshold
           800000000 Lock Prefix Table
                   0 Maximum Allocation Size
                   0 Virtual Memory Threshold
                   0 Process Heap Flags
                   0 Process Affinity Mask
                   0 CSD Version
                0000 Reserved
                     Edit list
            00000000 Security Cookie

MS LINK version:

  Section contains the following load config:

            00000048 size
                   0 time date stamp
                0.00 Version
                   0 GlobalFlags Clear
                   0 GlobalFlags Set
                   0 Critical Section Default Timeout
                   0 Decommit Free Block Threshold
                   0 Decommit Total Free Threshold
           800000000 Lock Prefix Table
                   0 Maximum Allocation Size
                   0 Virtual Memory Threshold
                   0 Process Heap Flags
                   0 Process Affinity Mask
                   0 CSD Version
                0000 Reserved
                     Edit list
            00000000 Security Cookie
            00402000 Safe Exception Handler Table
                   2 Safe Exception Handler Count
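
An added example, not part of the original post and not POLINK or Microsoft code: a Python check that decodes the 32-bit load config as laid out in the struct above and reports whether its SafeSEH fields are usable. The section bytes, image base and image size are constructed; the one-DWORD shift in the bad case is an assumption chosen to reproduce the "size 0 / time date stamp 48" pattern in the POLINK dump.

```python
import struct

# 32-bit load config up to SEHandlerCount, matching the struct in the post (0x48 bytes).
LAYOUT = struct.Struct("<IIHH10IHH4I")
NAMES = ("Size", "TimeDateStamp", "MajorVersion", "MinorVersion",
         "GlobalFlagsClear", "GlobalFlagsSet", "CriticalSectionDefaultTimeout",
         "DeCommitFreeBlockThreshold", "DeCommitTotalFreeThreshold",
         "LockPrefixTable", "MaximumAllocationSize", "VirtualMemoryThreshold",
         "ProcessHeapFlags", "ProcessAffinityMask", "CSDVersion", "Reserved1",
         "EditList", "SecurityCookie", "SEHandlerTable", "SEHandlerCount")

def decode(section, offset):
    """Decode the structure that the load config data directory entry resolves to."""
    if offset < 0 or offset + LAYOUT.size > len(section):
        raise ValueError("load config directory lies outside the section data")
    return dict(zip(NAMES, LAYOUT.unpack_from(section, offset)))

def safeseh_problems(cfg, image_base, image_size):
    """Return reasons the SafeSEH table cannot be trusted; an empty list means usable."""
    problems = []
    if cfg["Size"] < LAYOUT.size:
        problems.append("Size 0x%X does not cover SEHandlerTable/SEHandlerCount" % cfg["Size"])
    if cfg["SEHandlerCount"] == 0:
        problems.append("SEHandlerCount is 0")
    # SEHandlerTable is a VA; the table holds SEHandlerCount 4-byte entries.
    table_end = cfg["SEHandlerTable"] + 4 * cfg["SEHandlerCount"]
    if not (image_base <= cfg["SEHandlerTable"] and table_end <= image_base + image_size):
        problems.append("SEHandlerTable is not inside the image")
    return problems

# Constructed sample: 4 padding bytes, then a structure carrying the values from the
# MS LINK dump (size 0x48, table VA 0x00402000, count 2), then 8 trailing bytes.
IMAGE_BASE, IMAGE_SIZE = 0x00400000, 0x4000  # assumed values, not taken from the post
GOOD = LAYOUT.pack(0x48, *([0] * 17), 0x00402000, 2)
SECTION = b"\0" * 4 + GOOD + b"\0" * 8

def report(offset):
    """Run the check with the directory entry resolving to `offset` in SECTION."""
    return safeseh_problems(decode(SECTION, offset), IMAGE_BASE, IMAGE_SIZE)

if __name__ == "__main__":
    print("entry at structure start:", report(4))
    print("entry one DWORD early:  ", report(0))
```
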