Crash observed in sdbus.sys

I am working on a minifilter project/driver (mydriver.sys).

It does the following things:

==> calculates the MD5 hash of the file inline in the "process creation callback", i.e. FltReadFile in synchronous manner (snippet pasted below).

==> Periodically these hashes are pushed to user mode through an IOCTL interface.

In one scenario/system I am getting a crash (operating system: Windows 10 64-bit) and I am still not able to conclude the cause.

Note: if I disable my driver, the crash is not observed.

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffb7818dbaf000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff803634e8759, address which referenced memory

STACK_TEXT:
fffff8036488f3c8 fffff8035e5d30e9 : 000000000000000a ffffb7818dbaf000 0000000000000002 0000000000000001 : nt!KeBugCheckEx
fffff8036488f3d0 fffff8035e5cf42b : 0000000000000000 0000000000000000 0000000000000000 ffffdd884fb052a0 : nt!KiBugCheckDispatch+0x69
fffff8036488f510 fffff803634e8759 : ffffdd884fa85de0 ffffdd884f0dc00f fffff8036488f7a0 ffffdd884f4aeab0 : nt!KiPageFault+0x46b
fffff8036488f6a0 fffff803634e8936 : 0000000000000000 0000000000000000 0000000000000000 ffffdd884fb05000 : sdbus!SdhcReadDataPort+0xf9
fffff8036488f920 fffff803634e97dd : fffff80363509450 ffffdd884fb05470 0000000000000000 0000000000000000 : sdbus!SdhcStartPioTransfer+0x66
fffff8036488f950 fffff803634e0120 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : sdbus!SdhcStartTransfer+0x1d
fffff8036488f980 fffff803634dee7a : 0000000000000020 ffff38a928b22dbf fffff8036488fe01 0000000000000001 : sdbus!SdbusCommandEngineWorker+0xd84
fffff8036488fa40 fffff803634ddf97 : ffffdd884fab01a0 0000000000000000 0000000000000001 ffffdd884fb052a0 : sdbus!SdbusWorker+0xc06
fffff8036488fb00 fffff803634ec46f : 0000000000000020 ffffdd884fab01a0 0000000000000000 fffff8035e46b27b : sdbus!SdbusWorkerDpc+0x1a7
fffff8036488fb70 fffff803634ec16a : ffffdd884fab01a0 fffff8036488fd40 ffffdd884fab0118 0000000000400a02 : sdbus!SdbusProcessInterruptDpc+0x263
fffff8036488fbf0 fffff8035e46ae85 : fffff8035bf1df80 ffffdd884f2cf000 ffffdd88550db4c0 fffff80300000002 : sdbus!SdbusInterruptDpc+0x7a
fffff8036488fc40 fffff8035e46a4df : 000000000000001e 0000000000989680 00000000000001fe 0000000000000016 : nt!KiExecuteAllDpcs+0x305
fffff8036488fd80 fffff8035e5c8265 : 0000000000000000 fffff8035bf1b180 ffffb7818c5b1a00 ffffa00dfc0a5be0 : nt!KiRetireDpcList+0x1ef
fffff8036488ffb0 fffff8035e5c8050 : fffff8035e3766c0 fffff8035e3602ca ffffdd8855858200 0000000000000000 : nt!KxRetireDpcList+0x5
ffffb20608d176c0 fffff8035e5c7905 : ffffa00dfc0a5be0 fffff8035e5c2561 ffffffffffffffff ffffb20608d17780 : nt!KiDispatchInterruptContinue
ffffb20608d176f0 fffff8035e5c2561 : ffffffffffffffff ffffb20608d17780 ffffb7818c5b1a00 ffffdd88558f5b90 : nt!KiDpcInterruptBypass+0x25
ffffb20608d17700 fffff8035e9d19a0 : ffffb20608d17800 ffffffffffffffff 0000017bf3823a90 0000017bf3811838 : nt!KiChainedDispatch+0xb1
ffffb20608d17890 fffff8035e9cfcf5 : ffffdd8855c88c60 0000017b00020000 0000017bf3823a90 0000017bf3811838 : nt!AlpcpProcessSynchronousRequest+0x460
ffffb20608d179d0 fffff8035e5d2b18 : ffffdd8855c85080 ffffb20608d17b80 ffffb20608d17aa8 00007ff9781ffca4 : nt!NtAlpcSendWaitReceivePort+0x205
ffffb20608d17a90 00007ff9786fd1f4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
0000005590dfe888 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff9`786fd1f4

===========================================================================================
mydriver stack

00 fffff8035e43c77d : ffffb78100000001 0000000000000009 ffffdd88ffffffff 0000000000000002 : nt!KiSwapContext+0x76
01 fffff8035e43b604 : ffffdd8855a26080 0000010000000000 ffffdd884fb2c680 0000000f00000000 : nt!KiSwapThread+0xbfd
02 fffff8035e43ada5 : 000000000000007b ffffdd8800000000 0000000000000000 0000000000000000 : nt!KiCommitThreadWait+0x144
03 fffff8036371e113 : ffffdd88525b34d0 ffffdd8800000000 0000000000018000 0000000000010000 : nt!KeWaitForSingleObject+0x255
04 fffff80363724bc8 : ffffb206088c0730 0000000000008000 0000000000000001 ffffdd88524a48a0 : Ntfs!NtfsNonCachedIo+0x4d3
05 fffff8036372418c : ffffb206088c0740 ffffdd88524a48a0 ffffb206088c0740 ffffdd884fca8d78 : Ntfs!NtfsCommonRead+0x828
06 fffff8035e431f39 : ffffdd8854ce1010 ffffdd88524a48a0 ffffdd88524a4cd0 ffffdd884fde1390 : Ntfs!NtfsFsdRead+0x20c
07 fffff80362d155de : 0000000000000020 0000000000000000 ffffdd8854ce10f8 ffffb206088c0b10 : nt!IofCallDriver+0x59
08 fffff80362d12bee : ffffb206088c08a0 ffffdd884fd378a8 0000000000000001 ffffdd8854ce10f8 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x15e
09 fffff80362d285fe : ffffdd8854ce1010 0000000000010000 ffffb206088c09c1 0000000000000000 : FLTMGR!FltPerformSynchronousIo+0x2ee
0a fffff80362d28151 : 00000108b841d233 fffff80376956b6d 0001202444c70000 00000040b9410000 : FLTMGR!FltReadFileEx+0x49e
0b fffff803769571ed : ffffdd8855187000 ffffdd88551870ec ffffdd8855bf8f10 0000000000000000 : FLTMGR!FltReadFile+0x51
0c fffff80376957fd1 : ffffdd8855a9dc18 ffffdd884fd378a0 ffffdd8800000000 0000000000010000 : mydriver!CalculateFileHash+0x9d
0d fffff80376958196 : ffffdd8855a9dc18 ffffb206088c0b70 ffffdd8855a9dd08 0000000000000000 : mydriver!PerformFileHash+0x129
0e fffff8037695c39f : ffffdd8855c1b5d0 ffffdd8855ab1380 ffffdd884fd378a0 ffffdd884fd3a900 : mydriver!PerformGetFileInfo+0x15e
0f fffff8037695b85d : ffffb206088c0c60 ffffb206088c0c89 ffffdd884fa4c680 00000000000007f0 : mydriver!ProcessCreateHandler+0xc7
10 fffff8035e9cd7a6 : ffffb206088c0c60 ffffb206088c0c60 ffffdd8855cd1480 0000000000000000 : mydriver!CreateProcessCallbackEx+0x69
11 fffff8035ea5d58c : ffffffff00000000 ffffb206088c1a10 ffffb206088c1301 ffffdd8855c1b5d0 : nt!PspCallProcessNotifyRoutines+0x212
12 fffff8035ea2f0b4 : ffffdd8855c7f0c0 ffffdd8855cd1480 ffffb206088c14b0 ffffb206088c1370 : nt!PspInsertThread+0x5e8
13 fffff8035e5d2b18 : 0000000000000002 0000000000000000 0000000000000000 0000000000000001 : nt!NtCreateUserProcess+0x964
14 00007ff9786fd934 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
15 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff9`786fd934

==================================
I am using the following code snippet to read the file (i.e. igfxCUIService.exe).
All the memory used for reading the file (i.e. pContext->byBuffer) is from non-paged pool.

==================================

ntStatus = FltReadFile(
    pInstance,                      // filter instance the read is issued through
    pFileObject,                    // file object of the image being hashed
    &liFileOffset,                  // byte offset to read from
    sizeof(pContext->byBuffer),     // length of the read
    pContext->byBuffer,             // destination buffer embedded in the context structure
    FLTFL_IO_OPERATION_NON_CACHED | // non-cached I/O: offset, length and buffer address must be sector-aligned
    FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
    &ulReadCount,                   // bytes actually read
    NULL,                           // no completion callback (synchronous read)
    NULL                            // no callback context
);

The following file is being read:

kd> dt 0xffffdd88`55c1b5d0 _FILE_OBJECT

nt!_FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n216
+0x008 DeviceObject : 0xffffdd884fbceb50 _DEVICE_OBJECT
+0x010 Vpb : 0xffffdd884fdb1500 _VPB
+0x018 FsContext : 0xffffa00dfc119170 Void
+0x020 FsContext2 : 0xffffa00dfc0877f0 Void
+0x028 SectionObjectPointer : 0xffffdd8855bcb7e8 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap : (null)
+0x038 FinalStatus : 0n0
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ''
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0x1 ''
+0x04b WriteAccess : 0 ''
+0x04c DeleteAccess : 0 ''
+0x04d SharedRead : 0x1 ''
+0x04e SharedWrite : 0 ''
+0x04f SharedDelete : 0x1 ''
+0x050 Flags : 0xc0042
+0x058 FileName : _UNICODE_STRING "\Windows\System32\DriverStore\FileRepository\cui_component.inf_amd64_df4f60b1cae9b14a\igfxCUIService.exe"
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [ 0xffffdd8855c1b690 - 0xffffdd88`55c1b690 ]
+0x0d0 FileObjectExtension : (null)

Any inputs would be appreciated.

Enable Driver Verifier for your driver and FltMgr.sys


Thanks.
The issue is resolved by providing an "aligned" buffer to the FltReadFile API.

FltAllocatePoolAlignedWithTag
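As an added user-mode illustration (not the poster's driver code), the three alignment rules a FLTFL_IO_OPERATION_NON_CACHED read must satisfy (offset, length and buffer address all sector multiples), the sector-rounded chunk length a hashing loop should request, and how many bytes of a rounded-up final chunk actually belong to the file. A 512-byte sector is an assumption, and aligned_alloc stands in for FltAllocatePoolAlignedWithTag.

```c
/* Added example, not the poster's driver: user-mode model of the rules a
 * FLTFL_IO_OPERATION_NON_CACHED FltReadFile must satisfy. Offset, length
 * and buffer address must all be sector multiples; in a driver the buffer
 * comes from FltAllocatePoolAlignedWithTag, here aligned_alloc stands in. */
#include <stdint.h>
#include <stdlib.h>

static int is_multiple(uint64_t value, uint32_t sector)
{
    return sector != 0 && (value % sector) == 0;
}

/* Nonzero when buffer, offset and length all meet the non-cached rules. */
int non_cached_read_is_valid(const void *buffer, uint64_t offset,
                             uint32_t length, uint32_t sector)
{
    return length != 0 &&
           is_multiple((uintptr_t)buffer, sector) &&
           is_multiple(offset, sector) &&
           is_multiple(length, sector);
}

/* Length to request for the chunk at offset: remaining bytes rounded up to
 * a whole sector, capped at the buffer size (itself a sector multiple). */
uint32_t non_cached_chunk_length(uint64_t file_size, uint64_t offset,
                                 uint32_t buffer_size, uint32_t sector)
{
    if (offset >= file_size)
        return 0;
    uint64_t remaining = file_size - offset;
    uint64_t rounded = (remaining + sector - 1) / sector * sector;
    return (uint32_t)(rounded < buffer_size ? rounded : buffer_size);
}

/* Bytes of a completed chunk that belong to the file and should be hashed;
 * the tail of a rounded-up last chunk is padding, not file content. */
uint32_t bytes_to_hash(uint64_t file_size, uint64_t offset, uint32_t bytes_read)
{
    uint64_t remaining = offset < file_size ? file_size - offset : 0;
    return (uint32_t)(bytes_read < remaining ? bytes_read : remaining);
}

/* Sector-aligned buffer; the size is rounded up because aligned_alloc
 * requires it to be a multiple of the alignment. Release with free(). */
unsigned char *alloc_sector_aligned(size_t size, uint32_t sector)
{
    size_t rounded = (size + sector - 1) / sector * sector;
    return aligned_alloc(sector, rounded);
}
```

A byte array embedded in a context structure, as pContext->byBuffer is above, only carries the structure's alignment, so it passes this check only by chance.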