BAD_POOL_HEADER after ExFreePool

Hi, I encountered a problem while developing a driver based on minifilter.
It is a BAD_POOL_HEADER after my driver called ExFreePool; I have read some articles about this error but have no idea.
In fact, I called ExAllocatePool to get a NonPaged buf and did an IRP_MJ_READ operation on my own (IRP->Flags = IRP_READ_OPERATION | IRP_NOCACHE | IRP_PAGING_IO); after finishing the read operation, I was ready to free the buf and this error occurred.
The following are my codes:
buf = ExAllocatePoolWithTag(NonPagedPool, 20, 'csim');
status = IrpReadFile(…);
ExFreePool(buf);
And the following is the result of !pool:
kd> !pool 0x89498eb8
Pool page 89498eb8 region is Nonpaged pool
89498000 size: 278 previous size: 0 (Allocated) Thre (Protected)
89498278 size: 8 previous size: 278 (Free) …
89498280 size: 40 previous size: 8 (Allocated) Ntfr
894982c0 size: 10 previous size: 40 (Free) kswc
894982d0 size: 28 previous size: 10 (Allocated) NtFs
894982f8 size: 38 previous size: 28 (Allocated) Sema (Protected)
89498330 size: 8 previous size: 38 (Free) `I.
89498338 size: 20 previous size: 8 (Allocated) ReTa
89498358 size: 68 previous size: 20 (Allocated) MmCa
894983c0 size: 28 previous size: 68 (Allocated) NtFs
894983e8 size: 20 previous size: 28 (Free) CcSc
89498408 size: 38 previous size: 20 (Allocated) Sema (Protected)
89498440 size: 118 previous size: 38 (Allocated) Ntfi
89498558 size: 10 previous size: 118 (Free) misc
89498568 size: 30 previous size: 10 (Allocated) Vad
89498598 size: 30 previous size: 30 (Allocated) Vad
894985c8 size: 18 previous size: 30 (Free) Irp
894985e0 size: 98 previous size: 18 (Allocated) File (Protected)
89498678 size: 8 previous size: 98 (Free) FMic
89498680 size: 30 previous size: 8 (Allocated) Even (Protected)
894986b0 size: 30 previous size: 30 (Allocated) Even (Protected)
894986e0 size: 30 previous size: 30 (Allocated) Even (Protected)
89498710 size: 30 previous size: 30 (Allocated) Even (Protected)
89498740 size: 40 previous size: 30 (Allocated) Ntfr
89498780 size: 8 previous size: 40 (Free) kswc
89498788 size: 30 previous size: 8 (Allocated) Even (Protected)
894987b8 size: 8 previous size: 30 (Free) H…
894987c0 size: 20 previous size: 8 (Allocated) Port
894987e0 size: 28 previous size: 20 (Allocated) NtFs
89498808 size: 88 previous size: 28 (Allocated) CcBc
89498890 size: 20 previous size: 88 (Free) CcSc
894988b0 size: 28 previous size: 20 (Allocated) NtFs
894988d8 size: 20 previous size: 28 (Free) FMic
894988f8 size: 30 previous size: 20 (Allocated) Even (Protected)
89498928 size: 30 previous size: 30 (Allocated) Even (Protected)
89498958 size: 20 previous size: 30 (Free) CcBc
89498978 size: 28 previous size: 20 (Allocated) FSfm
894989a0 size: 40 previous size: 28 (Allocated) Ntfr
894989e0 size: 18 previous size: 40 (Free) misc
894989f8 size: 20 previous size: 18 (Allocated) ReSe
89498a18 size: 20 previous size: 20 (Free) 0…
89498a38 size: 38 previous size: 20 (Free ) Process: 891526b0
89498a70 size: 98 previous size: 38 (Allocated) File (Protected)
89498b08 size: 10 previous size: 98 (Free) CcSc
89498b18 size: 20 previous size: 10 (Allocated) ReSe
89498b38 size: 8 previous size: 20 (Free) FMic
89498b40 size: 98 previous size: 8 (Allocated) File (Protected)
89498bd8 size: 68 previous size: 98 (Allocated) MmCa
89498c40 size: 40 previous size: 68 (Allocated) Ntfr
89498c80 size: 8 previous size: 40 (Free) FMic
89498c88 size: 118 previous size: 8 (Allocated) Ntfi
89498da0 size: 8 previous size: 118 (Free) None
89498da8 size: 30 previous size: 8 (Allocated) Even (Protected)
89498dd8 size: 18 previous size: 30 (Free) H…
89498df0 size: 30 previous size: 18 (Allocated) Even (Protected)
89498e20 size: 20 previous size: 30 (Free) CcBc
89498e40 size: 68 previous size: 20 (Allocated) MmCa
89498ea8 size: 8 previous size: 68 (Free) Wait
*89498eb0 size: 20 previous size: 8 (Allocated) *misc
Owning component : Unknown (update pooltag.txt)
89498ed0 is not a valid small pool allocation, checking large pool…
unable to get pool big page table - either wrong symbols or pool tagging is disabled
89498ed0 is freed (or corrupt) pool
Bad allocation size @89498ed0, zero is invalid
I need some help, any help will be appreciated!

Post !analyze -v, and use !for_each_frame s -a @#Base @#End "csim".
It may point to your allocated tag.

Yes, I have got the position of the bug code.
But I do not know how this error could occur, as I have mentioned my driver just allocates a NonPagedPool, uses it for a read operation (NO_CACHE & PAGING_IO) and frees it.
But this error occurred when my driver tried to call ExFreePool.

> But this error occurred when my driver tried to call ExFreePool.

Buffer overrun/underrun. Something has trampled on memory it doesn't own; by
the sound of it, it is a buffer underrun (i.e. overwriting memory behind
your bit of pool).

If you are not running with verifier, do so since it may help. You may want
to play with the GFLAGS settings to make the allocator allocate from the
start of the protected page rather than at the end.

/R

And the bug is obvious from the combination of your code and the description of the flags.

You cannot use a 20 byte buffer to do paging I/O on a file. Paging I/O has specific requirements, one of which is that the FSD can copy beyond the EOF for at least the amount of the sector (in fact, sector size is a requirement for non-cached).

Change this to:

Buf = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, 'csim');

And the problem will be gone. Further, if you do something like:

memset(buf,0x6a,PAGE_SIZE);

and then look at the buffer after the read, you’ll notice that more than what you read has been overwritten.

Oh, I do hope you removed the code to check for an allocation failure. If not, you really need to be using the code analysis tool in Visual Studio, because it will flag errors of this type.

Tony
OSR
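To make the sizing rule and the memset trick from Tony's reply concrete, here is an added user-mode C model (not code from the thread or from any Windows source). It assumes 512-byte sectors, a 4K page and an 8-byte neighbouring pool header, and stands in for the FSD's non-cached path with a constructed routine that copies whole sectors and zero-fills past EOF; the file contents and the 0x20 header sentinel are constructed too. It shows that a 20-byte request makes the FSD write a full sector, which wipes the next block's header when the buffer is 20 bytes (the "zero is invalid" size in the !pool dump) but only touches bytes inside the allocation when the buffer is PAGE_SIZE.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for the x86 target in the thread: 512-byte sectors, 4K pages. */
#define SECTOR_SIZE   512u
#define PAGE_SIZE     4096u
#define FILL_PATTERN  0x6a   /* the memset pattern suggested in the reply */

/* Outcome of one modelled non-cached read into a pool allocation. */
typedef struct {
    size_t bytes_written;       /* bytes the modelled FSD wrote into the buffer */
    size_t tail_touched;        /* bytes after the requested length that lost the fill pattern */
    int    neighbour_clobbered; /* 1 if the write ran past the allocation into the next block */
} read_result_t;

/* Non-cached and paging I/O moves whole sectors; round a transfer up to that granularity. */
size_t round_up_to_sector(size_t len, size_t sector)
{
    return (len + sector - 1) / sector * sector;
}

/* Constructed stand-in for the FSD's non-cached read path: it copies whole sectors,
 * zero-fills past EOF, and has no idea how large the caller's buffer actually is. */
static void model_fsd_noncached_read(uint8_t *dst, size_t requested,
                                     const uint8_t *file, size_t file_len)
{
    size_t total     = round_up_to_sector(requested, SECTOR_SIZE);
    size_t from_file = file_len < total ? file_len : total;
    memcpy(dst, file, from_file);
    memset(dst + from_file, 0, total - from_file);
}

/* Count bytes beyond `requested` (but inside the allocation) that no longer carry the pattern. */
size_t count_tail_touched(const uint8_t *buf, size_t buf_len, size_t requested)
{
    size_t n = 0;
    for (size_t i = requested; i < buf_len; i++)
        if (buf[i] != FILL_PATTERN) n++;
    return n;
}

/* Model one pool page: an allocation of `alloc_len` bytes at offset 0, immediately followed
 * by the next pool block's header (one sentinel byte stands in for its size field). */
read_result_t model_read(size_t alloc_len, size_t requested)
{
    static uint8_t page[PAGE_SIZE + SECTOR_SIZE];
    static const uint8_t file[] = "constructed 16B!"; /* constructed file, EOF inside sector 0 */
    const uint8_t sentinel = 0x20;                     /* neighbour's size field, as in the !pool dump */
    read_result_t r = {0, 0, 0};

    if (alloc_len >= sizeof page) alloc_len = sizeof page - 1;
    memset(page, FILL_PATTERN, sizeof page);
    page[alloc_len] = sentinel;            /* next block's header sits right after our data */

    model_fsd_noncached_read(page, requested, file, sizeof file - 1);

    r.bytes_written       = round_up_to_sector(requested, SECTOR_SIZE);
    r.tail_touched        = count_tail_touched(page, alloc_len, requested);
    r.neighbour_clobbered = page[alloc_len] != sentinel;
    return r;
}

int main(void)
{
    read_result_t bad  = model_read(20, 20);        /* the original post's 20-byte buffer */
    read_result_t good = model_read(PAGE_SIZE, 20); /* the PAGE_SIZE buffer from the reply */

    printf("20-byte buffer : FSD wrote %zu bytes, neighbour header clobbered: %d\n",
           bad.bytes_written, bad.neighbour_clobbered);
    printf("PAGE_SIZE buffer: FSD wrote %zu bytes, %zu bytes past the 20 requested overwritten\n",
           good.bytes_written, good.tail_touched);
    return 0;
}
```

Only the modelled FSD is a stand-in; the sizing helper and the pattern scan are what you would actually put in the driver (with ExAllocatePoolWithTag in place of the static page). The scan after the read is the cheap check for whether an FSD wrote more than you asked for.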

Thanks, Tony. You are right.
Now my driver works fine. :)