Random BSOD on function FsRtlNotifyFullReportChange.

I get a random BSOD in the function FsRtlNotifyFullReportChange.

I would like an answer.
First question: how can the FsRtlNotifyFullReportChange function cause a BSOD at all?
I do not understand: I never modify the data of the variables notifysync and dirnotifylist myself;
in my driver only the Windows kernel notification functions access this data.
I do not understand anything.

The variables pn and pn1 are correct.

WHY ???

The CCB is correct !

if ((irps->MajorFunction == IRP_MJ_DIRECTORY_CONTROL))
{
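if ((irps->MinorFunction == IRP_MN_NOTIFY_CHANGE_DIRECTORY))
{
    /*
     * IRP_MN_NOTIFY_CHANGE_DIRECTORY: hand the IRP to the FsRtl notify package.
     * Validates the file object, the VCB extension and the DCB extension before
     * any of them is dereferenced, queues the IRP with
     * FsRtlNotifyFullChangeDirectory and flags the CCB.  Leaves with
     * status == STATUS_PENDING through 'gty', or STATUS_INVALID_PARAMETER
     * through 'ANC' (both labels live outside this fragment).
     */
    PPARAMVDF vdf;
    PPARAMVCB vcb;
    PCCB fsc;
    ULONG CompletionFilter;
    PFILE_OBJECT file;
    BOOLEAN WatchTree;

    file = irps->FileObject;
    KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY VCB:%d FILE:%p\n", ISVCB, file));
    if (ISVCB == FALSE)
    {
        KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY EH !!! ISVCB==FALSE\n"));
        status = STATUS_INVALID_PARAMETER;
        goto ANC;
    }
    if (file == NULL)
    {
        KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY EH !!! file=NULLL\n"));
        status = STATUS_INVALID_PARAMETER;
        goto ANC;
    }
    KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY r?pertoire %wZ bt\n", &file->FileName));
    CompletionFilter = irps->Parameters.NotifyDirectory.CompletionFilter;
    WatchTree = (irps->Flags & SL_WATCH_TREE) == SL_WATCH_TREE;

    /* The VCB is the extension of the device this IRP arrived on; both
     * identifier fields must match before any other field of it is trusted. */
    vcb = (PPARAMVCB)DeviceObject->DeviceExtension;
    {
        BOOLEAN pasbon = FALSE;
        if (vcb->identifier != CIdentifier)
        {
            pasbon = TRUE;
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY vcb->identifier != CIdentifier %x\n", vcb->identifier));
        }
        if (vcb->sidentifier != CIdentifierVCB)
        {
            pasbon = TRUE;
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY vcb->sidentifier != CIdentifierVCB %x\n", vcb->sidentifier));
        }
        if (pasbon)
        {
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY PAS BON DONC 1\n"));
            status = STATUS_INVALID_PARAMETER;
            goto ANC;
        }
    }

    /* The DCB extension owns NotifySync/DirNotifyList.  Reject a NULL
     * extension BEFORE the identifier checks read through it (the previous
     * version tested for NULL only after vdf->identifier had been read).
     * NOTE(review): vcb->Tdisk.DCB itself is not NULL-checked; whether it can
     * be NULL while the vcb identifiers are valid is not visible here — confirm. */
    vdf = (PPARAMVDF)vcb->Tdisk.DCB->DeviceExtension;
    if (vdf == NULL)
    {
        KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY Gros soucis vdf=NULL\n"));
        status = STATUS_INVALID_PARAMETER;
        goto ANC;
    }
    {
        BOOLEAN pasbon = FALSE;
        if (vdf->identifier != CIdentifier)
        {
            pasbon = TRUE;
            /* trace the DCB field that mismatched, not the VCB's */
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY dcb->identifier != CIdentifier %x\n", vdf->identifier));
        }
        if (vdf->sidentifier != CIdentifierDCB)
        {
            pasbon = TRUE;
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY dcb->sidentifier != CIdentifierDCB %x\n", vdf->sidentifier));
        }
        if (pasbon)
        {
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY PAS BON DONC 2\n"));
            status = STATUS_INVALID_PARAMETER;
            goto ANC;
        }
    }

    KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY Before Context %p\n", file->FsContext2));
    /* NOTE(review): FsRtlNotifyFullChangeDirectory appears to keep the
     * FullDirectoryName pointer rather than copy the string, and a FILE_OBJECT's
     * FileName is not guaranteed to stay valid once IRP_MJ_CREATE has completed.
     * Passing &file->FileName therefore risks a notify entry that points at
     * freed memory by the time a later report walks the list — consistent
     * with, though not proven by, the FsRtlNotifyFilterReportChange fault in
     * the bugcheck below.  A directory name owned by the CCB/DCB, released only
     * after FsRtlNotifyCleanup on IRP_MJ_CLEANUP, is the usual arrangement;
     * confirm against the cleanup path, which is not shown here. */
    LockVDFNotify(vdf);
    FsRtlNotifyFullChangeDirectory(vdf->NotifySync,
                                   &vdf->DirNotifyList,
                                   file->FsContext2,
                                   (PSTRING)&file->FileName,
                                   WatchTree,
                                   FALSE,
                                   CompletionFilter,
                                   Irp,
                                   NULL,
                                   NULL);
    unLockVDFNotify(vdf);
    KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY After Context %p\n", file->FsContext2));

    /* Mark the CCB as having a change notification outstanding.
     * vfsValidPointer() yields NULL when it does not recognise fsc (traced as
     * "Not found"); where evchgdirectory is consumed is outside this fragment. */
    fsc = (PCCB)file->FsContext2;
    fsc = vfsValidPointer(vdf, fsc);
    if (fsc != NULL)
    {
        fsc->evchgdirectory = TRUE;
    }
    else
    {
        KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY Not found fsc\n"));
    }
    /* Irp->IoStatus.Status = STATUS_SUCCESS;  -- side effect, removed 07092017 */
    status = STATUS_PENDING;
    CondiFsRtlExitFileSystem();
    goto gty;
}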

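/*
 * Take the DCB notify resource exclusively.
 *
 * ExAcquireResourceExclusiveLite requires normal kernel APCs to be disabled,
 * so a critical region is entered first.  Critical regions nest, so this is
 * also correct when the caller already entered one (e.g. via
 * FsRtlEnterFileSystem).  Callers must be at IRQL <= APC_LEVEL and must pair
 * this with unLockVDFNotify on the same thread.
 */
void LockVDFNotify(PPARAMVDF vdf)
{
    KeEnterCriticalRegion();
    ExAcquireResourceExclusiveLite(&vdf->ResourceNextFile, TRUE);
}

/*
 * Release the DCB notify resource taken by LockVDFNotify and leave the
 * matching critical region.  Must pair 1:1 with LockVDFNotify.
 */
void unLockVDFNotify(PPARAMVDF vdf)
{
    ExReleaseResourceLite(&vdf->ResourceNextFile);
    KeLeaveCriticalRegion();
}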

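case IOCTL_CMD_FILE_NOTIFY:
{
    /*
     * IOCTL_CMD_FILE_NOTIFY: the user-mode owner of virtual disk pn->id reports
     * a change so it can be forwarded to directory-change watchers through
     * FsRtlNotifyFullReportChange.
     *
     * Input (SystemBuffer, 'si' bytes): a TNOTIFY header, extended to a
     * TNOTIFY1 when internalcmd == 1.  Everything in it is untrusted user
     * data and is validated before it reaches the kernel API.  Sets 'status'
     * (owned by the enclosing dispatch routine) and leaves the switch.
     */
    DWORD si;
    PNOTIFY pn;
    PNOTIFY1 pn1;
    PPARAMVDF vdf;
    UNICODE_STRING strfilename;

    KdPrintf(("IOCTL_CMD_FILE_NOTIFY\n"));
    si = irps->Parameters.DeviceIoControl.InputBufferLength;

    /* Guard clauses: each rejection sets status and leaves the switch. */
    if (si < sizeof(TNOTIFY))
    {
        KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY si < sizeof(TNOTIFY) %d<%d\n", si, sizeof(TNOTIFY)));
        status = STATUS_BUFFER_TOO_SMALL;
        break;
    }
    pn = (PNOTIFY)irp->AssociatedIrp.SystemBuffer;
    if (pn == NULL)
    {
        status = STATUS_INTERNAL_ERROR;
        break;
    }
    vdf = vdf_GetParamFromID(pn->id);
    if (vdf == NULL)
    {
        KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY device:%d invalid\n", pn->id));
        status = STATUS_INVALID_HANDLE;
        break;
    }
    /* Only the process that owns the virtual disk may post notifications for it. */
    if (vdf->hProcessID != hpid)
    {
        KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY process is not own\n"));
        status = STATUS_ACCESS_DENIED;
        break;
    }
    KdPrintf(("IOCTL_CMD_FILE_NOTIFY bon id\n"));
    if (!((vdf->used == TRUE) && (vdf->parameter == TRUE)))
    {
        KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY device:%d removed\n", pn->id));
        status = STATUS_DEVICE_REMOVED;
        break;
    }
    if (pn->internalcmd != 1)
    {
        KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY cmd:%d unkown\n", pn->internalcmd));
        status = STATUS_NOT_IMPLEMENTED;
        break;
    }
    if (si < sizeof(TNOTIFY1))
    {
        KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY si < sizeof(TNOTIFY1) %d<%d\n", si, sizeof(TNOTIFY1)));
        status = STATUS_BUFFER_TOO_SMALL;
        break;
    }

    pn1 = (PNOTIFY1)pn;
    KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY '%ws' filtermatch:%d action:%d\n", pn1->filename, pn1->filtermatch, pn1->action));
    /* NOTE(review): the '%ws' trace above and RtlInitUnicodeString below both
     * walk pn1->filename until they find a NUL.  Nothing checks that the caller
     * terminated the name inside the 'si' bytes it supplied, so an
     * unterminated name makes the scan — and the report that follows — read
     * past SystemBuffer.  Bound the length against
     * si - offsetof(TNOTIFY1, filename) first (RtlStringCbLengthW, or force
     * the last WCHAR of the array to 0) — TODO confirm filename is an inline
     * WCHAR array rather than a pointer. */
    RtlInitUnicodeString(&strfilename, pn1->filename);
    /* TargetNameOffset is the byte offset of the final path component inside
     * FullTargetName: it must be even and must leave at least one character
     * for that component.  Reject anything else rather than hand it to the
     * kernel. */
    if (strfilename.Length == 0 ||
        (pn1->namaeoffset & 1) != 0 ||
        pn1->namaeoffset >= strfilename.Length)
    {
        KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY namaeoffset %d invalid for length %d\n", pn1->namaeoffset, strfilename.Length));
        status = STATUS_INVALID_PARAMETER;
        break;
    }

    LockVDFNotify(vdf);
    FsRtlNotifyFullReportChange(vdf->NotifySync,
                                &vdf->DirNotifyList,
                                (PSTRING)&strfilename,
                                pn1->namaeoffset,
                                NULL,
                                NULL,
                                pn1->filtermatch,
                                pn1->action,
                                NULL);
    unLockVDFNotify(vdf);
    /* strfilename only aliases pn1->filename inside SystemBuffer: nothing to free. */
    status = STATUS_SUCCESS;
}
break;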

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffe0008f814108, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801678ec046, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 10240.17443.amd64fre.th1.170602-2340

SYSTEM_MANUFACTURER: innotek GmbH

VIRTUAL_MACHINE: VirtualBox

SYSTEM_PRODUCT_NAME: VirtualBox

SYSTEM_VERSION: 1.2

BIOS_VENDOR: innotek GmbH

BIOS_VERSION: VirtualBox

BIOS_DATE: 12/01/2006

BASEBOARD_MANUFACTURER: Oracle Corporation

BASEBOARD_PRODUCT: VirtualBox

BASEBOARD_VERSION: 1.2

DUMP_TYPE: 1

BUGCHECK_P1: ffffe0008f814108

BUGCHECK_P2: 0

BUGCHECK_P3: fffff801678ec046

BUGCHECK_P4: 0

READ_ADDRESS: ffffe0008f814108 Nonpaged pool

FAULTING_IP:
nt!FsRtlNotifyFilterReportChange+41e
fffff801`678ec046 663938 cmp word ptr [rax],di

MM_INTERNAL_CODE: 0

CPU_COUNT: 2

CPU_MHZ: fa0

CPU_VENDOR: AuthenticAMD

CPU_FAMILY: 15

CPU_MODEL: 2

CPU_STEPPING: 0

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: SampleFileSystem.exe

CURRENT_IRQL: 2

ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N

ANALYSIS_SESSION_TIME: 07-19-2018 19:49:39.0356

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

TRAP_FRAME: ffffd0012a2d16d0 – (.trap 0xffffd0012a2d16d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0008f814108 rbx=0000000000000000 rcx=ffffc00071159410
rdx=ffffe0008dbc0d00 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801678ec046 rsp=ffffd0012a2d1860 rbp=ffffd0012a2d3780
r8=0000000000000000 r9=ffffe0008f5fba38 r10=ffffd0012a2d1ff8
r11=ffffd0012a2d1998 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nt!FsRtlNotifyFilterReportChange+0x41e:
fffff801678ec046 663938 cmp word ptr [rax],di ds:ffffe0008f814108=???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff801675a1714 to fffff801675595f0

STACK_TEXT:
ffffd0012a2d1488 fffff801675a1714 : 0000000000000050 ffffe0008f814108 0000000000000000 ffffd0012a2d16d0 : nt!KeBugCheckEx
ffffd0012a2d1490 fffff8016743eeb6 : 0000000000000000 0000000000000000 ffffd0012a2d16d0 0000000000000000 : nt! ?? ::FNODOBFM::string'+0x39514 ffffd0012a2d1580 fffff801675626bd : 0000000000000000 ffffd0012a2d1860 ffffe0008f780840 0000000000000010 : nt!MmAccessFault+0x696 ffffd0012a2d16d0 fffff801678ec046 : fffff801e8d1bf30 ffffd0012a2d3780 000000000000001d fffff80100000004 : nt!KiPageFault+0x13d ffffd0012a2d1860 fffff80167a70827 : ffffe0008c95e890 ffffe0008dbc0d00 ffffd0012a2d1ff8 ffffd0012a2d0002 : nt!FsRtlNotifyFilterReportChange+0x41e ffffd0012a2d19a0 fffff801e8d154c8 : ffffe0008dbc01c0 ffffcf8187982fe0 000000000000001d fffff801e8d248f4 : nt!FsRtlNotifyFullReportChange+0x4b ffffd0012a2d1a00 fffff801e8d138ce : ffffe0008c1c18a0 ffffcf8186f6aea0 ffffcf8186f6af70 0000000000000007 : vfs_x64!vfums_deviceiocontrol+0x1128 [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 1294] ffffd0012a2d3640 fffff801e8d137be : ffffe0008c1c18a0 ffffcf8186f6aea0 ffffcf8186f6af70 fffff80167b481ba : vfs_x64!controldispatch+0x9e [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 3819] ffffd0012a2d3680 fffff801e8d1c007 : ffffe0008c1c18a0 ffffcf8186f6aea0 0000000000000001 0000000000001bae : vfs_x64!_DrvDispatch+0x19e [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 4986] ffffd0012a2d36e0 fffff801e6c4cd70 : ffffe0008c1c18a0 ffffcf8186f6aea0 ffffcf8186f6afb8 ffffe0008e0f9230 : vfs_x64!DrvDispatch+0xd7 [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\ui.c @ 345] ffffd0012a2d3750 fffff80167b35044 : ffffcf8186f6aea0 0000000000000002 0000000000000000 ffffe00020206f49 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xe0 ffffd0012a2d37b0 fffff8016741cd42 : 0000000000000001 ffffd0012a2d3b80 ffffe0008c5adf20 ffffe0008e0f9190 : nt!IovCallDriver+0x3d8 ffffd0012a2d3810 fffff80167824f9d : 0000000000000000 ffffd0012a2d3b80 ffffe0008c5adf20 ffffe000000001c8 : nt!IofCallDriver+0x72 ffffd0012a2d3850 fffff80167823d66 : fffff801e6b32d90 0000000000000000 0000000000000000 0000000000000000 : 
nt!IopXxxControlFile+0x122d ffffd0012a2d3a20 fffff80167563c63 : fffff6fb5ffdd880 0000000000000000 0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56 ffffd0012a2d3a90 00007ffc815a389a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 0000000004d6d328 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffc815a389a

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 13e6c9bc8044d0731fcd499ce3dc691a54a2990e

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 421722234584b59c8f1f49e2e3ea5230e98ae2a2

THREAD_SHA1_HASH_MOD: 8c264e8de88b25cb7e9e676820d23d3abe940b7a

FOLLOWUP_IP:
vfs_x64!vfums_deviceiocontrol+1128 [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 1294]
fffff801`e8d154c8 488b8c2438010000 mov rcx,qword ptr [rsp+138h]

FAULT_INSTR_CODE: 248c8b48

FAULTING_SOURCE_LINE: c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c

FAULTING_SOURCE_FILE: c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c

FAULTING_SOURCE_LINE_NUMBER: 1294

FAULTING_SOURCE_CODE:
1290: pn1->filtermatch,
1291: pn1->action,
1292: NULL
1293: );

1294: unLockVDFNotify(vdf);
1295: //RtlFreeUnicodeString(&strfilename);
1296: status = STATUS_SUCCESS;
1297: }
1298: else
1299: {

What is this memory address (0xffffe0008f814108)?
I am unable to debug it.

Help please !!!

You need to debug your code…

nt!FsRtlNotifyFilterReportChange+0x41e:
fffff801678ec046 663938 cmp word ptr [rax],di ds:ffffe0008f814108=???

RAX has a bad value. You need to figure out where RAX came from and work
that back to your arguments. TH1 is ancient and I don’t have it installed,
but it looks like this is probably the same sequence from RS4:

nt!FsRtlNotifyFilterReportChange+0x409:
fffff8018f9af189 mov rcx,qword ptr [rdi+88h] fffff8018f9af190 cmp word ptr [rcx],si

In this case RCX comes from RDI+88. So, RDI is probably a data structure and
there’s a field that’s bad. Presumably this is all derived from your inputs
to the function, so keep working backwards like this until you trace it back
to your arguments.

-scott
OSR
@OSRDrivers

I don’t understand
How do I find this allegedly bad data structure???

Undebuggable!!
because I don't have the source of this function FsRtlNotifyFullReportChange!!!

Welcome to Windows kernel mode development! Debugging crashes in functions
that you don’t have the source code to is your life now.

If you don’t want to try to work backwards, then step into the function and
watch where your arguments go through the disassembly. You’re on the x64, so
your arguments will be in:

Arg1 - RCX
Arg2 - RDX
Arg3 - R8
Arg4 - R9
Arg5 - [RSP+28h]
Arg6 - [RSP+30h]
Arg7 - [RSP+38h]
Arg8 - [RSP+40h]
Arg9 - [RSP+48h]

Looks like the only pointer arguments that you supply are for Arg1-3, so you
probably don’t need to watch too many.

If this is the first time you’ve had to do something like this it will be
painful, but consider it a learning exercise. Things only get worse from
here! (Here’s my current problem I’m debugging: an encrypted Excel document
becomes corrupted on the Nth iteration of saving the file, where N changes
on each run…Oh, and it only happens if you’re simultaneously syncing the
raw view of the file to Dropbox, which also happens to simultaneously cause
an A/V scan of the file. Suffice it to say I don’t have access to any of
this code and I’m not sure it would even help me if I did…)

-scott
OSR
@OSRDrivers