Critical bug in PatchWiz.dll - erases entire drive


Jim Keir
Jan 15, 2008, 7:24:02 PM
I've found a huge, steaming bug in PatchWiz 4.0.6000. Under some
circumstances, sadly those described in the SDK patching example, it can
erase all writeable files on your drive.

To reproduce (carefully):
- Provide suitable PCP and source/target folders
- Call UiCreatePatchPackage with the optional hWnd parameter set to NULL and
RemoveTempFolderIfPresent set to FALSE. Harmless, right?

Internally (I've debugged this) the ASCII version converts the strings to
wide-char and then passes them to UiCreatePatchPackageW. This unconditionally
sets 0x8000 in the flags field, then it passes it all to
UiCreatePatchPackageExW. That bombs because the UIALL flag (0x8000) is set
and the window parameter is null. The error-handling then kicks in but it
appears that some internal defaults haven't yet been overwritten. It tries to
delete the temp folder despite being told not to both in the function call
*and* the PCP, and also hasn't yet set the temp folder location. It seems
that another internal call fails (code 87) with the result that it deletes
every writable file on the drive.

The corresponding logfile line is:
ERROR: During cleanup, could not delete the temporary folder: .

Rather annoyed. As you might imagine. Don't believe me? Go ahead and try it ;)
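
An added illustration, not code from any poster in this thread or from PatchWiz: the report above describes a recursive cleanup running on a temp-folder path that was never set (the log shows the folder as `.`). A guard like the hypothetical `safe_cleanup_target` below, checked before any recursive delete, refuses empty, relative, drive-root and out-of-tree paths; the function names and the `C:\temp` root used to exercise it are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Fully qualified drive path such as C:\temp; "C:temp", "." and "" all fail. */
static int is_drive_absolute(const char *p) {
    return isalpha((unsigned char)p[0]) && p[1] == ':' && is_sep(p[2]);
}

/* Rejects empty, "." and ".." components, which could climb out of the root. */
static int has_unsafe_component(const char *p) {
    const char *s = p + 3;                        /* skip the "C:\" prefix */
    while (*s) {
        size_t n = 0;
        while (s[n] && !is_sep(s[n])) n++;
        if (n == 0 || (n == 1 && s[0] == '.') ||
            (n == 2 && s[0] == '.' && s[1] == '.')) return 1;
        s += n;
        if (is_sep(*s)) s++;
    }
    return 0;
}

/* Hypothetical guard: returns 1 only if `target` is a fully qualified path
 * strictly below `temp_root`. Call it before any recursive delete. */
int safe_cleanup_target(const char *target, const char *temp_root) {
    size_t root_len, i;
    if (!target || !temp_root) return 0;
    if (!is_drive_absolute(target) || !is_drive_absolute(temp_root)) return 0;
    if (target[3] == '\0' || temp_root[3] == '\0') return 0;   /* drive root */
    if (has_unsafe_component(target) || has_unsafe_component(temp_root)) return 0;

    root_len = strlen(temp_root);
    while (is_sep(temp_root[root_len - 1])) root_len--;  /* ignore trailing "\" */
    for (i = 0; i < root_len; i++) {
        char a = target[i], b = temp_root[i];
        if (is_sep(a) && is_sep(b)) continue;     /* "/" and "\" are equivalent */
        if (tolower((unsigned char)a) != tolower((unsigned char)b)) return 0;
    }
    /* Next char must start a new component: blocks C:\temp2 and C:\temp itself. */
    return is_sep(target[root_len]) && target[root_len + 1] != '\0';
}
```

The check is purely lexical; it does not resolve junctions or symbolic links, so a deleter should also avoid following reparse points.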

Stefan Krueger [MVP]

Jan 18, 2008, 12:07:24 PM
FYI the Windows Installer team is currently trying to reproduce the problem.

--
Stefan Krueger
Microsoft Windows Installer MVP

Please post your questions in the newsgroup or visit one of these web sites:

Windows Installer FAQ
http://www.msifaq.com - http://www.msifaq.de

InstallSite - Resources for Setup Developers
http://www.installsite.org
http://www.installsite.de (GERMAN)


"Jim Keir" <Jim Ke...@discussions.microsoft.com> wrote in message
news:18BB7434-39DE-42FF...@microsoft.com...

Adrian Accinelli

Jan 18, 2008, 9:38:55 PM

"Stefan Krueger [MVP]" <skru...@newsgroups.nospam> wrote in message
news:1541C2AB-AEB6-4224...@microsoft.com...

> FYI the Windows Installer team is currently trying to reproduce the
> problem.
>
> --
> Stefan Krueger
> Microsoft Windows Installer MVP
>

>>"Jim Keir" <Jim Ke...@discussions.microsoft.com> wrote in message
>>news:18BB7434-39DE-42FF...@microsoft.com...


>>- Call UiCreatePatchPackage with the optional hWnd parameter set to NULL
>>and RemoveTempFolderIfPresent set to FALSE. Harmless, right?

Nice work Jim! That's a whopper alright :) In any case I was able to
independently reproduce this bug using patchwiz.dll 4.0.6000.16384 (virtual
machines are your friend!). I'll try the newer 4.0.6001.16651 on Monday. I
wasn't able to reproduce using msimsp.exe so obviously this is the typical
testing route for patchwiz at Microsoft.

However one of my tools does exactly this on a regular basis with code
like:
UiCreatePatchPackage( ThisPatchPCP.GetBuffer(),
ThisPatchFinalName.GetBuffer(), PatchLog.GetBuffer(), NULL, NULL, TRUE );

but I have never noticed a problem because this tool has been limited to
patchwiz.dll version 3.1.4000.1830 (which does not exhibit this behaviour).


Some useful tidbits in case others are trying to reproduce/find problem.
--

***** Log starting: 2008-01-18 20:43:10 *****

INFO: Using Pcp Path: C:\PatchTest\test.pcp.
INFO: Using Temporary Directory: C:\temp\~pcw_tmp.tmp.
ERROR: Internal PatchWiz Error occurred.
ERROR: The Last Error Received is: 87
INFO: Temporary folder is about to be cleaned out and deleted:
ERROR: Internal PatchWiz Error occurred.
ERROR: The Last Error Received is: 5
ERROR: Internal PatchWiz Error occurred.
.... last two statements repeated for every file application is unable
to delete


--
Stack: Server 2003 Beta 3 (courtesy of process monitor)

fltmgr.sys fltmgr.sys + 0x283b 0x81ca683b C:\Windows\system32\drivers\fltmgr.sys
fltmgr.sys fltmgr.sys + 0x4ff8 0x81ca8ff8 C:\Windows\system32\drivers\fltmgr.sys
fltmgr.sys fltmgr.sys + 0x17e9a 0x81cbbe9a C:\Windows\system32\drivers\fltmgr.sys
fltmgr.sys fltmgr.sys + 0x1850b 0x81cbc50b C:\Windows\system32\drivers\fltmgr.sys
ntkrnlpa.exe ntkrnlpa.exe + 0x43e5a 0x81443e5a C:\Windows\system32\ntkrnlpa.exe
ntkrnlpa.exe ntkrnlpa.exe + 0x238113 0x81638113 C:\Windows\system32\ntkrnlpa.exe
ntkrnlpa.exe ntkrnlpa.exe + 0x214ff9 0x81614ff9 C:\Windows\system32\ntkrnlpa.exe
ntkrnlpa.exe ntkrnlpa.exe + 0x2145ad 0x816145ad C:\Windows\system32\ntkrnlpa.exe
ntkrnlpa.exe ntkrnlpa.exe + 0x239afd 0x81639afd C:\Windows\system32\ntkrnlpa.exe
ntkrnlpa.exe ntkrnlpa.exe + 0x2414ef 0x816414ef C:\Windows\system32\ntkrnlpa.exe
ntkrnlpa.exe ntkrnlpa.exe + 0x4ab7a 0x8144ab7a C:\Windows\system32\ntkrnlpa.exe
ntdll.dll ntdll.dll + 0x5beb8 0x76fbbeb8 C:\Windows\System32\ntdll.dll
kernel32.dll kernel32.dll + 0x1a9ef 0x7678a9ef C:\Windows\system32\kernel32.dll
patchwiz.dll UiCreatePatchPackageA + 0x297a 0x71275823 c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0x2971 0x7127581a c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0x2971 0x7127581a c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0x2971 0x7127581a c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0x2971 0x7127581a c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0x2971 0x7127581a c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0x2971 0x7127581a c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0x2971 0x7127581a c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0x2971 0x7127581a c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0x416d 0x71277016 c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageW + 0x3f 0x71272d62 c:\Patch\tools\patchwiz.dll
patchwiz.dll UiCreatePatchPackageA + 0xcf 0x71272f78 c:\Patch\tools\patchwiz.dll


Sincerely,
Adrian Accinelli


Jim Keir

Jan 19, 2008, 8:06:00 AM
Hi,

I've had a mail saying they've reproduced it internally so hopefully it'll
get fixed. Adrian, your situation is exactly what I was worried about; if one
of your users decides to replace V3.1 with V4 to get the speed enhancements,
they're in for a nasty surprise.

Thanks for validating it.

Cheers,
Jim

Adrian Accinelli

Jan 21, 2008, 5:39:39 PM

"Adrian Accinelli" <hclnosp...@newsgroup.nospam> wrote in message
news:OyWiYMkW...@TK2MSFTNGP06.phx.gbl...
>
<snip>

> machines are your friend!). I'll try the newer 4.0.6001.16651 on Monday.
> I wasn't able to reproduce using msimsp.exe so obviously this is the
> typical testing route for patchwiz at Microsoft.

FYI -- I just tried this newer version 4.0.6001.16651 of patchwiz.dll and
had the same results (unexpected deletion of files on drive).

Sincerely,
Adrian Accinelli

