BSOD with FltGetFileNameInformation

Hi, guys!

I've got a BSOD on my customer's computer (Windows XP SP3).
It happened when I called FltGetFileNameInformation.

Here is the dump analysis:

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8054cfd2, The address that the exception occurred at
Arg3: a7e43110, Trap Frame
Arg4: 00000000

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 804d8000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4ae7a1b0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

FAULTING_IP:
nt+74fd2
8054cfd2 894804 mov dword ptr [eax+4],ecx

TRAP_FRAME: a7e43110 -- (.trap 0xffffffffa7e43110)
ErrCode = 00000002
eax=00000000 ebx=89c56028 ecx=89c563c8 edx=00000065 esi=00410042 edi=000001ff
eip=8054cfd2 esp=a7e43184 ebp=a7e431d8 iopl=0 nv up ei pl nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010213
nt+0x74fd2:
8054cfd2 894804 mov dword ptr [eax+4],ecx ds:0023:00000004=???
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from 804ff817 to 804faf33

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
a7e42cd8 804ff817 0000008e c0000005 8054cfd2 nt+0x22f33
a7e430a0 80543085 a7e430bc 00000000 a7e43110 nt+0x27817
a7e4318c a8d6eb5c e148f730 89130800 893c8008 nt+0x6b085
a7e431d8 b9ec0fd7 00000001 00000001 6e664d46 Ntfs+0xb5c
a7e431f4 b9ec1903 8927dee8 0000031c 00000000 fltMgr+0x15fd7
a7e4321c b9ec2091 89298780 89298780 a7e43248 fltMgr+0x16903
a7e4322c b9ebfc79 89298780 88c01864 89298780 fltMgr+0x17091
a7e43248 b9ec029a 89298780 88c01864 89298780 fltMgr+0x14c79
a7e43260 b9eb0ce3 80555000 00000000 89298780 fltMgr+0x1529a
a7e4327c b9eb0e48 89232a80 88c0186c 00000000 fltMgr+0x5ce3
a7e432a8 b9eb1366 c00000bb 00000000 a7e43360 fltMgr+0x5e48
a7e432d0 a8bcdb51 00c0186c 00000102 a7e432f4 fltMgr+0x6366
a7e43318 a8bcdd16 88c0186c a7e43360 0f5978c6 HeiFs!QueryFullPath+0x3d [z:\Hei\sys\HeiFs\utility.c @ 1615]
a7e43390 a8bce069 88c0186c a7e433b0 0f597882 HeiFs!QueryRelatedLongPath+0x5e [z:\Hei\sys\HeiFs\utility.c @ 1741]
a7e433d4 a8bc67f9 88c0186c 89173bc8 89173bc8 HeiFs!QueryPathInformation+0x47 [z:\Hei\sys\HeiFs\utility.c @ 1991]
a7e433ec a8bc7e1f 88c0186c 89173bc8 0f597f06 HeiFs!GetPathInformation+0x33 [z:\Hei\sys\HeiFs\main.c @ 1250]
a7e43450 a8bd67c8 88c0186c a7e4346c 88c01810 HeiFs!UrPreCreate+0xd3 [z:\Hei\sys\HeiFs\main.c @ 2915]
a7e43464 b9eac888 00000000 a7e43484 a7e434b4 HeiFs!FltPreOperationCallback+0x92 [z:\Hei\sys\HeiFs\main.c @ 4806]
a7e434c4 b9eae2a0 00e43508 88c01810 88c665e8 fltMgr+0x1888
a7e434d8 b9ebb217 a7e43508 b9eb96aa 00000000 fltMgr+0x32a0
a7e434f0 b9ebb742 a7e43508 88c117d8 88c66468 fltMgr+0x10217
a7e43524 804f018f 8927d218 88c66458 88c66458 fltMgr+0x10742
a7e43614 805c0444 89c26030 00000000 88c89f30 nt+0x1818f
a7e4368c 805bc9d0 00000000 a7e436cc 00000040 nt+0xe8444
a7e436e0 80577033 00000000 00000000 c117d801 nt+0xe49d0
a7e4375c 805779aa 0011f818 00100100 0011f7d4 nt+0x9f033
a7e437b8 8057b1a9 0011f818 00100100 0011f7d4 nt+0x9f9aa
a7e437f8 b9f80c2b 0011f818 00100100 0011f7d4 nt+0xa31a9
a7e43830 8054261c 00000000 00000000 a7e43824 a347bus+0x1c2b
a7e43844 8054261c 0011f818 00100100 0011f7d4 nt+0x6a61c
a7e43848 0011f818 00100100 0011f7d4 0011f7f8 nt+0x6a61c
a7e4384c 00100100 0011f7d4 0011f7f8 00000007 0x11f818
a7e43850 0011f7d4 0011f7f8 00000007 00204020 0x100100
a7e43854 0011f7f8 00000007 00204020 0011f810 0x11f7d4
a7e43858 00000000 00204020 0011f810 7c92e4f4 0x11f7f8

STACK_COMMAND: kb

FOLLOWUP_IP:
HeiFs!QueryFullPath+3d [z:\Hei\sys\HeiFs\utility.c @ 1615]
a8bcdb51 8945e4 mov dword ptr [ebp-1Ch],eax

SYMBOL_STACK_INDEX: c

SYMBOL_NAME: HeiFs!QueryFullPath+3d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: HeiFs

IMAGE_NAME: HeiFs.sys

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

Here is a snippet of my function 'QueryFullPath':

1601 NTSTATUS QueryFullPath(
1602     IN PFLT_CALLBACK_DATA Data,
1603     OUT PUNICODE_STRING pusRelatedPath
1604     )
1605 {
1606     NTSTATUS Status = STATUS_SUCCESS;
1607     PFLT_FILE_NAME_INFORMATION pFileNameInformation = NULL;

1608     ASSERT(Data);
1609     ASSERT(pusRelatedPath);

1611     __try {
1612         RtlZeroMemory(pusRelatedPath->Buffer, pusRelatedPath->MaximumLength);
1613         Status = FltGetFileNameInformation(Data,
1614                                            FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT,
1615                                            &pFileNameInformation);
1616         if (NT_SUCCESS(Status)) {

I have checked the passed-in parameter 'Data':

0: kd> dt _FLT_CALLBACK_DATA 88c0186c
XiaobaiFs!_FLT_CALLBACK_DATA
+0x000 Flags : 9 (FLTFL_CALLBACK_DATA_SYSTEM_BUFFER|FLTFL_CALLBACK_DATA_IRP_OPERATION)
+0x004 Thread : 0x88ce6358 _KTHREAD
+0x008 Iopb : 0x88c01898 _FLT_IO_PARAMETER_BLOCK
+0x00c IoStatus : _IO_STATUS_BLOCK
+0x014 TagData : (null)
+0x018 QueueLinks : _LIST_ENTRY [0x0 - 0x0]
+0x020 QueueContext : [2] (null)
+0x018 FilterContext : [4] (null)
+0x028 RequestorMode : 1 ''
0: kd> dt _FLT_IO_PARAMETER_BLOCK 0x88c01898
XiaobaiFs!_FLT_IO_PARAMETER_BLOCK
+0x000 IrpFlags : 0x884 (IRP_SYNCHRONOUS_API|IRP_CREATE_OPERATION|IRP_DEFER_IO_COMPLETION)
+0x004 MajorFunction : 0 ''
+0x005 MinorFunction : 0 ''
+0x006 OperationFlags : 0 ''
+0x007 Reserved : 0 ''
+0x008 TargetFileObject : 0x88c117d8 _FILE_OBJECT
+0x00c TargetInstance : 0x8927bb30 _FLT_INSTANCE
+0x010 Parameters : _FLT_PARAMETERS

And the TargetFileObject:
0: kd> dt _FILE_OBJECT 0x88c117d8
XiaobaiFs!_FILE_OBJECT
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x89c26030 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : (null)
+0x010 FsContext2 : (null)
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 2 (FO_SYNCHRONOUS_IO)
+0x030 FileName : _UNICODE_STRING “\HeiCache\Documents and Settings\All Users??????\BitTorrent\Uninstall.lnk”
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
+0x070 IrpListLock : 0x20d0013
+0x074 IrpList : _LIST_ENTRY [0x704f6f49 - 0x88c1b2e8]
+0x07c FileObjectExtension : 0x88c23820

And the instructions around the BSOD:

0: kd> u 8054cfd2-100 8054cfd2+10
nt+0x74ed2:
8054ced2 23cf and ecx,edi
8054ced4 837d0c00 cmp dword ptr [ebp+0Ch],0
8054ced8 66894dc6 mov word ptr [ebp-3Ah],cx
8054cedc 668945c4 mov word ptr [ebp-3Ch],ax
8054cee0 7534 jne nt+0x74f16 (8054cf16)
8054cee2 33c0 xor eax,eax
8054cee4 40 inc eax
8054cee5 3945e4 cmp dword ptr [ebp-1Ch],eax
8054cee8 89450c mov dword ptr [ebp+0Ch],eax
8054ceeb 751d jne nt+0x74f0a (8054cf0a)
8054ceed 3945e8 cmp dword ptr [ebp-18h],eax
8054cef0 750e jne nt+0x74f00 (8054cf00)
8054cef2 8b0d745c5680 mov ecx,dword ptr [nt+0x8dc74 (80565c74)]
8054cef8 ff1518914d80 call dword ptr [nt+0x1118 (804d9118)]
8054cefe eb16 jmp nt+0x74f16 (8054cf16)
8054cf00 a1686d5680 mov eax,dword ptr [nt+0x8ed68 (80566d68)]
8054cf05 8b481c mov ecx,dword ptr [eax+1Ch]
8054cf08 ebee jmp nt+0x74ef8 (8054cef8)
8054cf0a 6a06 push 6
8054cf0c 59 pop ecx
8054cf0d ff1528914d80 call dword ptr [nt+0x1128 (804d9128)]
8054cf13 8845c0 mov byte ptr [ebp-40h],al
8054cf16 6a00 push 0
8054cf18 be00100000 mov esi,1000h
8054cf1d 56 push esi
8054cf1e ff75d8 push dword ptr [ebp-28h]
8054cf21 e8e0c0ffff call nt+0x71006 (80549006)
8054cf26 837de401 cmp dword ptr [ebp-1Ch],1
8054cf2a 8945e0 mov dword ptr [ebp-20h],eax
8054cf2d 7514 jne nt+0x74f43 (8054cf43)
8054cf2f 837de801 cmp dword ptr [ebp-18h],1
8054cf33 752d jne nt+0x74f62 (8054cf62)
8054cf35 8b0d745c5680 mov ecx,dword ptr [nt+0x8dc74 (80565c74)]
8054cf3b ff151c914d80 call dword ptr [nt+0x111c (804d911c)]
8054cf41 eb1b jmp nt+0x74f5e (8054cf5e)
8054cf43 837de400 cmp dword ptr [ebp-1Ch],0
8054cf47 7519 jne nt+0x74f62 (8054cf62)
8054cf49 833db832558001 cmp dword ptr [nt+0x7b2b8 (805532b8)],1
8054cf50 7610 jbe nt+0x74f62 (8054cf62)
8054cf52 8a55c0 mov dl,byte ptr [ebp-40h]
8054cf55 6a06 push 6
8054cf57 59 pop ecx
8054cf58 ff1530914d80 call dword ptr [nt+0x1130 (804d9130)]
8054cf5e 83650c00 and dword ptr [ebp+0Ch],0
8054cf62 837de000 cmp dword ptr [ebp-20h],0
8054cf66 0f8552020000 jne nt+0x751be (8054d1be)
8054cf6c 837d0c01 cmp dword ptr [ebp+0Ch],1
8054cf70 752b jne nt+0x74f9d (8054cf9d)
8054cf72 837de400 cmp dword ptr [ebp-1Ch],0
8054cf76 7517 jne nt+0x74f8f (8054cf8f)
8054cf78 833db832558001 cmp dword ptr [nt+0x7b2b8 (805532b8)],1
8054cf7f 771c ja nt+0x74f9d (8054cf9d)
8054cf81 8a55c0 mov dl,byte ptr [ebp-40h]
8054cf84 6a06 push 6
8054cf86 59 pop ecx
8054cf87 ff1530914d80 call dword ptr [nt+0x1130 (804d9130)]
8054cf8d eb0e jmp nt+0x74f9d (8054cf9d)
8054cf8f a1686d5680 mov eax,dword ptr [nt+0x8ed68 (80566d68)]
8054cf94 8b481c mov ecx,dword ptr [eax+1Ch]
8054cf97 ff151c914d80 call dword ptr [nt+0x111c (804d911c)]
8054cf9d ff45ec inc dword ptr [ebp-14h]
8054cfa0 837dec01 cmp dword ptr [ebp-14h],1
8054cfa4 a180a05580 mov eax,dword ptr [nt+0x82080 (8055a080)]
8054cfa9 0f85c9010000 jne nt+0x75178 (8054d178)
8054cfaf f6c402 test ah,2
8054cfb2 0f84c0010000 je nt+0x75178 (8054d178)
8054cfb8 53 push ebx
8054cfb9 e848f0ffff call nt+0x74006 (8054c006)
8054cfbe 8b75f8 mov esi,dword ptr [ebp-8]
8054cfc1 e91efeffff jmp nt+0x74de4 (8054cde4)
8054cfc6 8b4de0 mov ecx,dword ptr [ebp-20h]
8054cfc9 8b31 mov esi,dword ptr [ecx]
8054cfcb 8b06 mov eax,dword ptr [esi]
8054cfcd 8b55f8 mov edx,dword ptr [ebp-8]
8054cfd0 8901 mov dword ptr [ecx],eax
8054cfd2 894804 mov dword ptr [eax+4],ecx << BSOD!!! eax = 0x0
8054cfd5 33c9 xor ecx,ecx
8054cfd7 668b4efa mov cx,word ptr [esi-6]
8054cfdb 83c6f8 add esi,0FFFFFFF8h
8054cfde 8bc1 mov eax,ecx
8054cfe0 23c7 and eax,edi

Any help will be appreciated!

Alex

You need to fix the OS symbols too to get something out of it. Looking at the crash assembly only reveals that some local pointer passed to some nt function is null, though it shouldn't be.

>> Correction to "some local pointer passed to some nt function is null though it shouldn't be."

Some local pointer inside some nt function is null, though it shouldn't be.

You can actually check the following related instructions after you correct the OS symbols.

8054cf00 a1686d5680 mov eax,dword ptr [nt+0x8ed68 (80566d68)]
8054cf2a 8945e0 mov dword ptr [ebp-20h],eax
8054cf62 837de000 cmp dword ptr [ebp-20h],0
8054cf66 0f8552020000 jne nt+0x751be (8054d1be)
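The symbol fix adi describes, as an added WinDbg session against this dump (not part of the thread); the addresses and register values are the ones from Alex's dump output above, and the local symbol cache path is an assumption:

```windbg
$$ Added example: re-analyze the dump with correct OS symbols (not from the thread).
.symfix C:\Symbols          $$ Microsoft public symbol server with a local cache; the path is an assumption
.reload                     $$ re-resolve nt, Ntfs and fltMgr so nt+0x74fd2 gets a real function name
!analyze -v                 $$ rerun the analysis; the earlier BUCKET_ID was WRONG_SYMBOLS
.trap 0xffffffffa7e43110    $$ switch to the trap frame given as Arg3 of the 0x8E bugcheck
kb                          $$ walk the stack; the frames above HeiFs!QueryFullPath should now be symbolic
u 8054cfd2-40 8054cfd2+10   $$ the faulting mov dword ptr [eax+4],ecx in its symbolic context
dd @ebp-20 L1               $$ the local that adi's quoted instructions store at 8054cf2a and test at 8054cf62
dd @ecx L4                  $$ at the fault ecx=89c563c8; mov esi,[ecx] at 8054cfc9 had loaded esi=00410042 from it
$$ 0x00410042 decodes as the UTF-16 characters 'B','A' rather than a kernel address, which is worth
$$ noting when the code expected a pointer there; !pool reports which pool block ecx lives in.
!pool @ecx
```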

Thanks adi.

It happened on my customer's computer, so I cannot do debugging on that
machine and fix symbols. :(

So did your customer send you all these details in some text format, or how come you post the output of dt and u commands?

adi.

He sent me a full-content memory dump :)

On Mon, Nov 2, 2009 at 7:12 PM, wrote:

> So did your customer sent you all these details in some text format or how
> come you post output of dt and u commands?
>
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Then while you are analyzing that dump, fix the OS symbols; where is the confusion then?

Er... My head must be frozen...

Here is the call stack:

a7e42cd8 804ff817 0000008e c0000005 8054cfd2 nt!KeBugCheckEx+0x1b
a7e430a0 80543085 a7e430bc 00000000 a7e43110 nt!KiDispatchException+0x3b1
a7e43108 80543036 a7e431d8 8054cfd2 badb0d00 nt!CommonDispatchException+0x4d
a7e4318c a8d6eb5c e148f730 89130800 893c8008 nt!KiExceptionExit+0x18a
a7e431d8 b9ec0fd7 00000001 00000001 6e664d46 Ntfs!NtfsLookupAllocation+0x58b
a7e431f4 b9ec1903 8927dee8 0000031c 00000000 fltMgr!FltpReallocNameControl+0x21
a7e4321c b9ec2091 89298780 89298780 a7e43248 fltMgr!FltpGetFileNameFromFileObject+0x157
a7e4322c b9ebfc79 89298780 88c01864 89298780 fltMgr!FltpGetOpenedFileName+0x47
a7e43248 b9ec029a 89298780 88c01864 89298780 fltMgr!FltpCallOpenedFileNameHandler+0x7f
a7e43260 b9eb0ce3 80555000 00000000 89298780 fltMgr!FltpCreateFileNameInformation+0x7c
a7e4327c b9eb0e48 89232a80 88c0186c 00000000 fltMgr!HandleStreamListNotSupported+0xf5
a7e432a8 b9eb1366 c00000bb 00000000 a7e43360 fltMgr!FltpGetFileNameInformation+0xe8
a7e432d0 a8bcdb51 00c0186c 00000102 a7e432f4 fltMgr!FltGetFileNameInformation+0x114
a7e43318 a8bcdd16 88c0186c a7e43360 0f5978c6 HeiFs!QueryFullPath+0x3d [z:\Hei\sys\Heifs\utility.c @ 1615]
a7e43390 a8bce069 88c0186c a7e433b0 0f597882 HeiFs!QueryRelatedLongPath+0x5e [z:\Hei\sys\Heifs\utility.c @ 1741]
a7e433d4 a8bc67f9 88c0186c 89173bc8 89173bc8 HeiFs!QueryPathInformation+0x47 [z:\Hei\sys\Heifs\utility.c @ 1991]
a7e433ec a8bc7e1f 88c0186c 89173bc8 0f597f06 HeiFs!GetPathInformation+0x33 [z:\Hei\sys\Heifs\main.c @ 1250]
a7e43450 a8bd67c8 88c0186c a7e4346c 88c01810 HeiFs!UrPreCreate+0xd3 [z:\Hei\sys\Heifs\main.c @ 2915]
a7e43464 b9eac888 00000000 a7e43484 a7e434b4 HeiFs!FltPreOperationCallback+0x92 [z:\Hei\sys\Heifs\main.c @ 4806]
a7e434c4 b9eae2a0 00e43508 88c01810 88c665e8 fltMgr!FltpPerformPreCallbacks+0x2d4
a7e434d8 b9ebb217 a7e43508 b9eb96aa 00000000 fltMgr!FltpPassThroughInternal+0x32
a7e434f0 b9ebb742 a7e43508 88c117d8 88c66468 fltMgr!FltpCreateInternal+0x63
a7e43524 804f018f 8927d218 88c66458 88c66458 fltMgr!FltpCreate+0x258
a7e43534 805841fa 89c26018 88c89fd4 a7e436cc nt!IopfCallDriver+0x31
a7e43614 805c0444 89c26030 00000000 88c89f30 nt!IopParseDevice+0xa12
a7e4368c 805bc9d0 00000000 a7e436cc 00000040 nt!ObpLookupObjectName+0x53c
a7e436e0 80577033 00000000 00000000 c117d801 nt!ObOpenObjectByName+0xea
a7e4375c 805779aa 0011f818 00100100 0011f7d4 nt!IopCreateFile+0x407
a7e437b8 8057b1a9 0011f818 00100100 0011f7d4 nt!IoCreateFile+0x8e
a7e437f8 b9f80c2b 0011f818 00100100 0011f7d4 nt!NtOpenFile+0x27
WARNING: Stack unwind information not available. Following frames may be wrong.
a7e43830 8054261c 00000000 00000000 a7e43824 a347bus+0x1c2b
a7e43830 3bffffed 00000000 00000000 a7e43824 nt!KiFastCallEntry+0xfc
53e44589 00000000 00000000 00000000 00000000 0x3bffffed

Based on my debugging experience, the only option for you is totally subjective.

It is to check the flow of this problem at your end, i.e. attach a debugger to the target machine, put a breakpoint in QueryFullPath and proceed through the assembly of the Windows module.

Now the point is, it will not crash on your machine, so you actually have to check the point where it differs from the flow shown by the client's call stack. When you get that, check the cause of that difference and track it back to the parameters your function passed. I assume that this module is tested well and this bug is not a memory corruption issue caused by your driver itself.

Good Luck
Aditya
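Aditya's live-debugging approach, as an added WinDbg session on a test machine (not from the thread); it assumes the HeiFs symbols load and that QueryFullPath is x86 __stdcall, so Data sits at [esp+4] on entry:

```windbg
$$ Added example: compare a local run of HeiFs!QueryFullPath against the client's call stack.
.reload /f HeiFs.sys                $$ force-load the filter's symbols
$$ On every call, dump the Data block and the file object the way the client's post did
$$ (Iopb is at +8 in _FLT_CALLBACK_DATA, TargetFileObject at +8 in _FLT_IO_PARAMETER_BLOCK),
$$ then continue; compare with the dt output from the client's dump.
bp HeiFs!QueryFullPath "dt _FLT_CALLBACK_DATA poi(@esp+4) Flags Iopb; dt _FILE_OBJECT poi(poi(poi(@esp+4)+8)+8) FileName RelatedFileObject FsContext; gc"
$$ The client's stack went FltGetFileNameInformation -> FltpGetFileNameInformation ->
$$ HandleStreamListNotSupported -> FltpCreateFileNameInformation -> FltpCallOpenedFileNameHandler ->
$$ FltpGetOpenedFileName -> FltpGetFileNameFromFileObject -> FltpReallocNameControl -> nt.
$$ Log the deepest fltMgr frame and check whether the local run reaches it with the same arguments.
bp fltMgr!FltpReallocNameControl "kb 8; gc"
g
$$ Once the flows diverge, drop the logging breakpoints and single-step from the last common frame.
bl
bc *
bp fltMgr!FltpGetFileNameFromFileObject
g
```

Enabling Driver Verifier's Special Pool for the filter on the test machine (verifier /flags 0x1 /driver HeiFs.sys, then reboot) is the standard way to test the assumption that the driver itself is not corrupting memory, since a stray write then faults at the write instead of later inside nt.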

Thanks adi.
I'm following your suggestion :)

On Tue, Nov 3, 2009 at 3:42 PM, wrote:

> Based on my debugging experience, only option for you is totally
> subjective.
>
> It is to check the flow of this problem at your end. i.e. attach debugger
> to the target machine and put a breakpoint in QueryFullPath and proceed with
> assembly of windows module.
>
> Now the point is, it will not crash in your machine, so you actually have
> to check the point where it differ from the flow mentioned by the client
> call stack. when you get that, check the cause of that difference and track
> it back to parameters your function passed. I assume that this module is
> tested well and this bug is not a memory corruption issue caused by your
> driver itself.
>
> Good Luck
> Aditya