about special pool

Dear all,
Following are the diagrams of special pool. I have no question with
diagram 1. From this
http://msdn.microsoft.com/en-us/library/ff551832.aspx page, the memory
layout for Verify Start seems to be diagram 2, but on my machine I
see diagram 3, which means I can overrun to the end of a page.
Apparently it is not reasonable. Could someone explain this for me?
Thanks.
1,Verify End
v pointer
| Tag| |
<- 4K Page ->|

2,Verify Start
v pointer
| |Tag |
<- 4K Page ->|

3,Verify Start
v pointer
| | Tag|
<- 4K Page ->|

You lost me here - I don’t see that diagram on that page.

mm

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of yushang
Sent: Saturday, July 17, 2010 8:00 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] about special pool
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

The diagrams are drawn by me, not from MSDN. I think the diagrams are
totally wrong now; the correct ones should be
1,Verify End
v pointer
|Tagpppppppp| |
|<- 4K Page ->|

2,Verify Start
v pointer
| |ppppppppTag|
<- 4K Page ->|
where p is the pattern filled in; the kernel will check these patterns to
find out underrun or overrun. I've tried some situations but found
they don't match the MSDN article, for example

PUCHAR x = (PUCHAR)ExAllocatePoolWithTag( NonPagedPool , 0x10 , TEST_TAG );
if (x != NULL)
    *(x + 0x11) = 0x99;   /* deliberate write past the 0x10-byte buffer */

should trigger bug check 0xCD (PAGE_FAULT_BEYOND_END_OF_ALLOCATION),
but I got 0xD6 (DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION). Are they
the same? Thanks

2010/7/18 M. M. O’Brien :
> You lost me here - I don’t see that diagram on that page.
>
> mm
>

PAGE_FAULT_BEYOND_END_OF_ALLOCATION is used for cases when an OS component
(e.g. the NT kernel) caused an overrun or underrun condition – it might happen
when an invalid pointer (one that points into a buffer allocated from special pool)
is passed to a system function.

DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION is used to handle a similar
situation but for 3rd party drivers, like in your test case.

Note that in both cases it is usually a 3rd party driver that is causing the
problem.

I'm not really sure about your diagrams, but IIRC special pool uses several
techniques to detect invalid access. By using adjacent inaccessible pages
(access to them causes a page fault handled in a special way) before and after
the page that contains the buffer, it is possible to immediately detect overrun
or underrun conditions (bug checks PAGE_FAULT_BEYOND_END_OF_ALLOCATION and
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION). This method allows detection of
both incorrect write and read accesses.
By using special data patterns it is possible to detect buffer corruption
while freeing the buffer (bug check
SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION). Only some write accesses can be
detected by this method.

Kris
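The two detection techniques Kris describes (an inaccessible page next to the buffer, and a fill pattern in the slack that is checked on free) can be modelled in user mode. The following is an added example, not code from the thread or from Windows; it assumes a POSIX system with mmap/mprotect, uses a constructed fill byte rather than the kernel's real pattern, and omits the header (tag, size) and alignment rounding that real special pool applies. It runs the thread's test case (0x10-byte buffer, write at offset 0x11) in both Verify End and Verify Start layouts to show which check would catch it in each mode.

```c
/* Added example (not from the thread): user-mode model of special pool layouts. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#define SP_PATTERN   0xDE   /* constructed fill byte, not the kernel's pattern */
#define VERIFY_END   1      /* buffer ends at the page end, guard page after it */
#define VERIFY_START 0      /* buffer starts at the page start, guard page before it */

typedef struct {
    uint8_t *region;  /* base of the two-page mapping */
    uint8_t *page;    /* the accessible data page */
    uint8_t *guard;   /* the PROT_NONE guard page */
    uint8_t *data;    /* pointer handed to the caller */
    size_t   size;    /* requested size */
} sp_alloc;

/* Set up one allocation; returns 0 on success, -1 on failure. */
static int sp_alloc_init(sp_alloc *a, size_t size, int verify_end)
{
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    if (size == 0 || size > ps) return -1;
    a->region = mmap(NULL, 2 * ps, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (a->region == MAP_FAILED) return -1;
    if (verify_end) {
        a->page  = a->region;
        a->guard = a->region + ps;
        a->data  = a->page + (ps - size);   /* overrun lands in the guard page */
    } else {
        a->guard = a->region;
        a->page  = a->region + ps;
        a->data  = a->page;                 /* underrun lands in the guard page */
    }
    a->size = size;
    memset(a->page, SP_PATTERN, ps);        /* slack carries the check pattern */
    if (mprotect(a->guard, ps, PROT_NONE) != 0) {
        munmap(a->region, 2 * ps);
        return -1;
    }
    return 0;
}

/* 1 if the first byte past the buffer is in the guard page (an overrun faults
 * immediately), 0 if it is pattern-filled slack (only caught on free). */
static int sp_overrun_hits_guard(const sp_alloc *a)
{
    return a->data + a->size == a->guard;
}

/* Free the allocation; returns the number of slack bytes whose pattern was
 * destroyed (the free-time check behind SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION).
 * 0 means no corruption was found. */
static size_t sp_free(sp_alloc *a)
{
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    size_t bad = 0;
    for (uint8_t *p = a->page; p < a->page + ps; p++) {
        if (p >= a->data && p < a->data + a->size) continue;  /* caller's bytes */
        if (*p != SP_PATTERN) bad++;
    }
    munmap(a->region, 2 * ps);
    return bad;
}

/* The thread's test case in the given mode. *hits_guard reports whether the
 * write would fault at once; the write is performed only when it stays in slack. */
static int demo_write_at_0x11(int verify_end, int *hits_guard)
{
    sp_alloc a;
    if (sp_alloc_init(&a, 0x10, verify_end) != 0) return -1;
    *hits_guard = sp_overrun_hits_guard(&a);
    if (!*hits_guard)
        a.data[0x11] = 0x99;
    return (int)sp_free(&a);
}

/* One-byte underrun in Verify End mode: stays in the page, caught on free. */
static int demo_underrun_verify_end(void)
{
    sp_alloc a;
    if (sp_alloc_init(&a, 0x10, VERIFY_END) != 0) return -1;
    a.data[-1] = 0x99;
    return (int)sp_free(&a);
}

/* In-bounds use: the pattern is intact and free reports 0. */
static int demo_clean(void)
{
    sp_alloc a;
    if (sp_alloc_init(&a, 0x10, VERIFY_END) != 0) return -1;
    memset(a.data, 0x99, a.size);
    return (int)sp_free(&a);
}

int main(void)
{
    int g = 0;
    int bad = demo_write_at_0x11(VERIFY_START, &g);
    printf("verify start: hits guard=%d, corrupted slack bytes on free=%d\n", g, bad);
    bad = demo_write_at_0x11(VERIFY_END, &g);
    printf("verify end:   hits guard=%d (immediate fault), slack bytes=%d\n", g, bad);
    printf("clean=%d, underrun in verify end=%d\n", demo_clean(), demo_underrun_verify_end());
    return 0;
}
```

With Verify End the write at offset 0x11 of a 0x10-byte buffer falls in the guard page, which is the immediate page-fault path (the 0xD6 bug check the thread observed for a driver); with Verify Start the same write lands in pattern-filled slack and is only reported when the buffer is freed.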
