Hi All,
I have some IOCTLS in my WDM driver where I need
to access the user buffer. I am using method neither
for these IOCTLS and when I receive these IOCTLS I
- Allocate the MDL for the user buffer.
- Probe and lock pages for the user buffer.
The question I have is that after this can I directly
touch the user buffer by using the virtual address
provided to me. Can I treat this as a contiguous user
buffer available to my driver??
Any help is highly appreciated.
Thanks in advance,
Ajitabh.
Using METHOD_NEITHER is an extremely bad idea as has been discussed on this
forum several times in the past. You have a ton of work to validate the
buffer is safe. Why are you using METHOD_NEITHER instead of one of the
other methods?
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply
Unless the user buffer is massively large, you are a lot better off going
with METHOD_BUFFERED. You don’t have to probe & lock, and you can
reliably treat the buffer as a logically contiguous space your driver can
modify at will. If you do have a massively large user buffer, you should
still consider METHOD_IN_DIRECT and/or METHOD_OUT_DIRECT, which will also
provide a buffer you can treat as a logically contiguous space to either
write or read in your driver.
I can’t think of any time METHOD_NEITHER is really the best choice. Even
when you have pointers embedded in a structure, you should use
METHOD_BUFFERED on the structure, and then probe & lock the buffers the
pointers reference. And the only case where this is a compelling
architecture is when you need arbitrarily large IN & OUT buffers at the
same time.
Phil
Philip D. Barila
Seagate Technology LLC
(720) 684-1842
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Wednesday, June 07, 2006 10:19 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Accessnig user buffer with method neither
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
I think I was able to clarify the situation. The IOCTL
itself is method buffered but it has internal pointers
pointing to buffers allocated by my application. I
need to be able to access these buffers from my
driver.
Again the question is after I lock the pages can I
consider these buffers contiguous for my driver and
can I access them contiguously.
Thanks again,
Hi Don,
My IOCTLS actually are buffered but it has
internal pointers which I need to access. So I need to
lock the pages and access them in my driver.
These buffers are huge buffers [say for Firmware
download and some data transfer operations].
Again my question is whether I can treat these
buffers as contiguous after locking them.
Thanks,
First, unless we are talking multiple 100MB buffers consider using a different
approach. I have reviewed a number of METHOD_NEITHER or pointer in buffer
calls in existing drivers, and no one got the security checks right the
first time. The other big problem with this is you are going to have to
support two IOCTLs and all the related coding headaches of getting two sets
of checks correct, when you consider 64-bit support.
If you do go ahead with the approach, lock them down, get a system address
and treat it as a contiguous virtual space (note, the virtual, the physical
pages are not contiguous if you need DMA).
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply
Not so fast… I realize that you probably just want a simple answer to what seems like a simple question. But, on this list, we’re much more likely to help you meet the OVERALL goal of what you’re trying to accomplish in a reliable, sound, way.
I’d suggest that you pass the data (firmware or whatever) that you need in the buffer. If you need control information, pass a data structure in the buffer (starting at offset 0) with that control information and the OFFSET from the start of the buffer to the data (again, the firmware image or whatever you need to pass in).
Pass the entire buffer using METHOD_IN_DIRECT. Call MmGetSystemAddressForMdlSafe on the passed-in MDL (after being sure the actual buffer length is not zero).
Would that, perhaps, solve your problem?
Stay away from the idea of passing User Virtual Addresses (UVAs) from your app to your driver. As Don warned you, it’s tough to validate these buffers properly yourself, and what you’ll probably wind-up doing is unintentionally introducing a security vulnerability.
Peter
OSR
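The layout Peter describes above (a control structure at offset 0 that carries an offset to the data, with the whole buffer sent by METHOD_IN_DIRECT) comes down to a handful of bounds checks on the mapped buffer. The following is an added example, not code from the thread: the struct layout, field names and function names are assumptions for illustration, and it is written as plain C so the checks can be exercised outside the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request header (layout and names are assumptions, not from
 * the thread). Fixed-width fields and offsets instead of pointers mean the
 * same layout serves 32-bit and 64-bit callers. */
typedef struct fw_request_hdr {
    uint32_t header_size;  /* must equal sizeof(fw_request_hdr) */
    uint32_t block_index;  /* control data: which firmware block to write */
    uint32_t data_offset;  /* offset from buffer start to the image bytes */
    uint32_t data_length;  /* number of image bytes */
} fw_request_hdr;

enum fw_status { FW_OK = 0, FW_NO_BUFFER, FW_TOO_SMALL, FW_BAD_HEADER, FW_BAD_RANGE };

typedef struct fw_request {
    uint32_t       block_index;
    const uint8_t *data;
    size_t         data_length;
} fw_request;

/* buf and buf_len stand in for the system address returned by
 * MmGetSystemAddressForMdlSafe and the buffer length taken from the IRP. */
enum fw_status fw_parse_request(const void *buf, size_t buf_len, fw_request *out)
{
    fw_request_hdr hdr;

    if (buf == NULL || out == NULL || buf_len == 0)
        return FW_NO_BUFFER;   /* mapping failed or zero-length buffer */
    if (buf_len < sizeof hdr)
        return FW_TOO_SMALL;

    /* Capture the header once and validate the copy: a direct-I/O mapping
     * shares its pages with the application, which can rewrite them while
     * the driver is running. */
    memcpy(&hdr, buf, sizeof hdr);

    if (hdr.header_size != sizeof hdr)
        return FW_BAD_HEADER;
    if (hdr.data_offset < sizeof hdr || hdr.data_offset > buf_len)
        return FW_BAD_RANGE;
    /* Compare against the space that remains; offset + length could wrap. */
    if (hdr.data_length == 0 || hdr.data_length > buf_len - hdr.data_offset)
        return FW_BAD_RANGE;

    out->block_index = hdr.block_index;
    out->data        = (const uint8_t *)buf + hdr.data_offset;
    out->data_length = hdr.data_length;
    return FW_OK;
}

/* Builds a constructed sample request and returns the parse status,
 * or -1 if the sample is unusable or the parsed result is inconsistent. */
int fw_check_sample(uint32_t data_offset, uint32_t data_length, size_t buf_len)
{
    static uint8_t sample[256];
    fw_request_hdr hdr = { (uint32_t)sizeof(fw_request_hdr), 7, data_offset, data_length };
    fw_request req;
    enum fw_status st;

    if (buf_len > sizeof sample)
        return -1;
    memset(sample, 0xA5, sizeof sample);
    if (buf_len >= sizeof hdr)
        memcpy(sample, &hdr, sizeof hdr);

    st = fw_parse_request(sample, buf_len, &req);
    if (st == FW_OK && (req.data != sample + data_offset || req.block_index != 7))
        return -1;
    return (int)st;
}

int main(void)
{
    printf("valid request            -> %d\n", fw_check_sample(16, 48, 64));
    printf("length one byte too long -> %d\n", fw_check_sample(16, 49, 64));
    printf("offset inside the header -> %d\n", fw_check_sample(8, 8, 64));
    printf("offset + length wraps    -> %d\n", fw_check_sample(0xFFFFFFF0u, 0x20u, 64));
    printf("buffer shorter than hdr  -> %d\n", fw_check_sample(16, 48, 8));
    return 0;
}
```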
Driver Coder wrote:
> I think I was able to clarify the situation. The IOCTL
> itself is method buffered but it has internal pointers
> pointing to buffers allocated by my application. I
> need to be able to access these buffers from my
> driver.
> Again the question is after I lock the pages can I
> consider these buffers contiguous for my driver and
> can I access them contiguously.
IF you are still in the ioctl handler, which runs in the context of the
user process, and IF the user process is blocked so that it isn’t
freeing that memory, and IF there is no malicious code injection attack
freeing the buffer out from under you, then yes, the user-mode virtual
address will remain valid.
However, that’s a lot of “ifs”, considering that after you lock the
pages you will have a kernel virtual address that is known good which
will not evaporate.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
‘treat them as contiguous’ - if you get a system address for the MDL you
constructed to control the user data buffer that system address will be
one contiguous virtual address space. If on the other hand you expect
the physical addresses to be contiguous you are going to be
disappointed.
However ‘firmware download’ is not a good justification for using
embedded pointers in your user data. Generally the timing requirements
for firmware download require a rather low transfer speed that the
application can easily provide by feeding the driver with blocks of
METHOD_BUFFERED data. The download image might be large, but it is also
generally transferred to the device in relatively small blocks.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Driver Coder
Sent: Wednesday, June 07, 2006 12:45 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Accessnig user buffer with method neither
So this is still a bad idea. You increase your attack surface for every
pointer you have to capture, and you ensure that you’ll never be able to
run anyplace but the kernel.
In any event, you cannot touch a user-mode address without wrapping it
in a try/except, and you can’t touch a user-mode address at all if
you’re at raised IRQL. If you want to touch the buffer at raised IRQL
(or outside of a try/except) then you need to get a system address from
the MDL and use that.
I’m not sure you understand what contiguous means.
-p
I understand the point of security problems associated
with this approach and I have been actively working
to remove all the pointers from my IOCTL code. Promise
you guys that I will not have them.
Other points are:
- NOT doing DMA on these buffers.
- Not accessing them at elevated IRQLs.
- By contiguous I mean “virtually contiguous”. Nobody
can expect them to be physically contiguous.
Thanks to all for great help here.
This is one hell of a great list.
I wanna ask a related question to this thread.
If we use METHOD_IN_DIRECT, Irp->AssociatedIrp.SystemBuffer points to the
input buffer, and Irp->MdlAddress points to the input buffer, too.
What’s the benefit of using this feature? Does the Kernel also try to
allocate a space to complete the IOCTL operations or does it just put the
address returned by MmGetSystemAddressFromMdl(Irp->MdlAddress) in the
SystemBuffer?
I guess the advantage is that we can use the Mdl in Irp->MdlAddress to
complete the DMA operations, can’t we?
Best Regards,
hanzhu
If you use METHOD_IN_DIRECT then SystemBuffer points to “Input Buffer” and MdlAddress points to the **output buffer**.
Let’s say you wanted to send a command to your device to write firmware to firmware block X. You’d need control data (to tell the device which block X was) and you’d need data (the actual firmware data to transfer).
-p
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of hanzhu
Sent: Wednesday, June 07, 2006 8:36 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Accessnig user buffer with method neither
> The question I have is that after this can I directly
> touch the user buffer by using the virtual address
> provided to me. Can I treat this as a contiguous user
No you cannot. The pages will not go away, but the PTEs - still can.
You can only touch such a buffer under __try/__except, or map the locked MDL to
the kernel space and touch it there.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
> If we use METHOD_IN_DIRECT, Irp->AssociatedIrp.SystemBuffer points to the
> input buffer, and Irp->MdlAddress points to the input
> buffer, too.
> What’s the benefit of using this feature? Does the
> Kernel also try to
> allocate a space to complete the IOCTL operations or
> does it just put the
> address returned by MmGetSystemAddressFromMdl(Irp->MdlAddress) in the
> SystemBuffer?
No, SystemBuffer and MdlAddress are mutually exclusive. With SystemBuffer, IO
manager uses memcpy back and forth between user buffer and specially
allocated SystemBuffer.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
Peter,
According to your information, is the only difference between
METHOD_IN_DIRECT and METHOD_OUT_DIRECT the fact that the user
space thread has different access rights for the buffer? I suppose the
MdlAddress always points to the “output buffer” in DeviceIoControl for
METHOD_IN_DIRECT and METHOD_OUT_DIRECT.
However, the DDK docs make me confused:
"METHOD_IN_DIRECT is specified if the driver that handles the IRP
receives data in the buffer when it is called. The MDL describes an
***input buffer***, and specifying METHOD_IN_DIRECT ensures that the
executing thread has read-access to the buffer. "
Should the docs explain this a bit more clearly?
Best Regards,
hanzhu
Peter Wieland wrote:
If you use METHOD_IN_DIRECT then SystemBuffer points to “Input Buffer” and MdlAddress points to the **output buffer**.
Let’s say you wanted to send a command to your device to write firmware to firmware block X. You’d need control data (to tell the device which block X was) and you’d need data (the actual firmware data to transfer).
-p
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of hanzhu
Sent: Wednesday, June 07, 2006 8:36 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Accessnig user buffer with method neither
I wanna ask a related question to this thread.
If we use METHOD_IN_DIRECT, Irp->AssociatedIrp.SystemBuffer points to the input buffer, and Irp->MdlAddress points to the input buffer, either.
What’s the benefit of using this feature? Does the Kernel also try to allocate a space to complete the IOCTL operations or does it just put the address returned by MmGetSystemAddressFromMdl(Irp->MdlAddress) in the SystemBuffer?
I guess the advantage is that we can use the Mdl in Irp->MdlAddress to complete the DMA operations, can’t we?
Best Regards,
hanzhu
Roddy, Mark wrote:
>> ‘treat them as contiguous’ - if you get a system address for the MDL
>> you constructed to control the user data buffer that system address
>> will be one contiguous virtual address space. If on the other hand you
>> expect the physical addresses to be contiguous you are going to be
>> disappointed.
>>
>> However ‘firmware download’ is not a good justification for using
>> embedded pointers in your user data. Generally the timing requirements
>> for firmware download require a rather low transfer speed that the
>> application can easily provide by feeding the driver with blocks of
>> METHOD_BUFFERED data. The download image might be large, but it is
>> also generally transferred to the device in relatively small blocks.
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Driver Coder
>> Sent: Wednesday, June 07, 2006 12:45 PM
>> To: Windows System Software Devs Interest List
>> Subject: Re:[ntdev] Accessnig user buffer with method neither
>>
>> Hi Don,
>> My IOCTLS actually are buffered but it has internal pointers which
>> I need to access. So I need to lock the pages and access them in my
>> driver.
>>
>> These buffers are huge buffers [say for Firmware download and some
>> data transfer operations].
>> Again my question is whether I can treat these buffers as
>> contiguous after locking them.
>> Thanks,
>> - DC.
>>
> Peter,
> According to your information, is the only difference between
> METHOD_IN_DIRECT and METHOD_OUT_DIRECT the fact that the user
> space thread has different access rights for the buffer? I suppose the
> MdlAddress always points to the “output buffer” in DeviceIoControl for
> METHOD_IN_DIRECT and METHOD_OUT_DIRECT.
Yes, and the only difference is in flags to MmProbeAndLockPages which is called
in IO manager while preparing the IRP and the buffers.
One of these cases allows your driver to update the output buffer, another does
not - it uses the output buffer as the data payload part of the write, and the
IOCTL semantics is “write with additional info”.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com