BSOD BAD_POOL_HEADER with ExFreePool

Hi All,

I am allocating memory from PagedPool using ExAllocatePoolWithTag in an IOCTL and freeing it in a second subsequent call to the same IOCTL using ExFreePool.

It works fine except on Windows 7 64-bit, where the call to ExFreePool gives a BSOD with bugcheck BAD_POOL_HEADER with the following information…
Arguments:
Arg1: 0000000000000022,
Arg2: fffff8a00e000000
Arg3: 0000000000000001
Arg4: 0000000000000000

Is there any issue with Windows 7 64-bit? Or what should I look for in the code?

Thanks & Regards,
Amit.

!analyze -v is a nice start

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Wednesday, June 01, 2011 10:44 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] BSOD BAD_POOL_HEADER with ExFreePool

NTDEV is sponsored by OSR


On Thu, Jun 2, 2011 at 1:43 AM, wrote:
>
> Is there any issue with Windows 7 64-bit? Or what should I look for in the code?
>

Yes, of course ExFreePool in Win7x64 is totally busted. The odd thing
is that despite the millions of deployed systems, nobody else has run
into this glaring bug.

Or…

I personally would look for a bug in heap allocation/usage and buffer
boundary management.

In my code.

Mark Roddy

xxxxx@yahoo.com wrote:

> I am allocating memory from PagedPool using ExAllocatePoolWithTag in an IOCTL and freeing it in a second subsequent call to the same IOCTL using ExFreePool.

Are you passing the address up to user mode, and then trusting the
application to hand the correct address back to you in the second ioctl?
Or are you storing the address internally? What’s happening to the
buffer in between?

> It works fine except on Windows 7 64-bit, where the call to ExFreePool gives a BSOD with bugcheck BAD_POOL_HEADER with the following information…
> Arguments:
> Arg1: 0000000000000022,
> Arg2: fffff8a00e000000
> Arg3: 0000000000000001
> Arg4: 0000000000000000
>
> Is there any issue with Windows 7 64-bit?

That isn’t really your first thought when you encounter a crash like
this, is it?

> Or what should I look for in the code?

Look for cases where you store a pointer in an unsigned int or unsigned
long. If you’re sharing the memory, look for cases where the
application and the driver have different notions of structure padding
or element sizes. If you showed us some code, perhaps we could point
out something.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
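
The two checks suggested in the reply above, as an added example that is not part of the original thread and is not the poster's driver code. It is a user-mode model: `uint32_t` stands in for the 32-bit Windows `ULONG`, `malloc`/`free` stand in for `ExAllocatePoolWithTag`/`ExFreePool`, and the names `roundtrip_through_ulong`, `alloc_ioctl`, `free_ioctl` and `g_slots` are hypothetical. Locking is left out, so it assumes one caller at a time.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Models Windows x64 (LLP64): ULONG is 32 bits, pointers are 64 bits. */
typedef uint32_t ULONG32_MODEL;

/* Bug pattern: a 64-bit address stored in a 32-bit field loses its top half. */
uint64_t roundtrip_through_ulong(uint64_t addr) {
    ULONG32_MODEL stored = (ULONG32_MODEL)addr;  /* silent truncation */
    return (uint64_t)stored;                     /* what a later free would see */
}

/* Safer pattern: the pointer stays in driver-owned state; the caller only
   ever holds a small index that is validated before use. */
#define MAX_SLOTS 4
static void *g_slots[MAX_SLOTS];  /* stands in for the device extension */

/* "First IOCTL": allocate and return a handle (slot index + 1), 0 on failure. */
uint32_t alloc_ioctl(size_t size) {
    for (uint32_t i = 0; i < MAX_SLOTS; i++) {
        if (g_slots[i] == NULL) {
            g_slots[i] = malloc(size);  /* ExAllocatePoolWithTag in a driver */
            return g_slots[i] ? i + 1 : 0;
        }
    }
    return 0;
}

/* "Second IOCTL": free only if the handle maps to a live allocation. */
int free_ioctl(uint32_t handle) {
    if (handle == 0 || handle > MAX_SLOTS || g_slots[handle - 1] == NULL)
        return -1;               /* reject stale, forged or repeated handles */
    free(g_slots[handle - 1]);   /* ExFreePool in a driver */
    g_slots[handle - 1] = NULL;  /* prevents a double free on replay */
    return 0;
}

int main(void) {
    /* Sample 64-bit value only: the Arg2 digits from the post. */
    uint64_t sample = 0xfffff8a00e000000ULL;
    uint32_t h = alloc_ioctl(64);
    int ok = roundtrip_through_ulong(sample) != sample
             && free_ioctl(h) == 0 && free_ioctl(h) == -1;
    return ok ? 0 : 1;
}
```

On a 32-bit build the truncating cast is harmless, which is one way code like this can appear to work everywhere except a 64-bit system.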

> It works fine except Windows 7 64 bit where call to ExFreePool gives BSOD with bugcheck BAD_POOL_HEADER

Verifier’s Special Pool can be helpful.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com