BugCheck in Fastfat!FatQueryBasicInfo

Hi all,

When my driver is loaded, occasionally a bugcheck happens in fastfat. The stacks are almost the same as below. The difficulty for me is that I cannot see my driver code in the calling sequence. It looks like a queued job by fastfat. I analyzed the stack and know the value of Irp->AssociatedIrp.SystemBuffer is invalid (0348e558), so the exception happens in FatQueryBasicInfo. (Some fastfat source is pasted below.)

Apart from the above information, I have no idea how to further link this to my driver.

I'd appreciate any idea on how I should carry on the investigation. Thanks a lot in advance.

STACK_TEXT:
f896ccb0 f842fb68 821a39f8 e2a453f0 819f69c0 Fastfat!FatQueryBasicInfo+0x11
f896cd14 f84417aa 821a39f8 81a42008 821a39fc Fastfat!FatCommonQueryInformation+0x108
f896cd74 804e57fe 821a39f8 00000000 823ba640 Fastfat!FatFspDispatch+0xe4
f896cdac 8057efed 821a39f8 00000000 00000000 nt!ExpWorkerThread+0x100
f896cddc 804fb477 804e5729 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

NTSTATUS
FatCommonQueryInformation (
    IN PIRP_CONTEXT IrpContext,
    IN PIRP Irp
    )
{
    … …
    Length = (LONG)IrpSp->Parameters.QueryFile.Length;
    FileInformationClass = IrpSp->Parameters.QueryFile.FileInformationClass;
    Buffer = Irp->AssociatedIrp.SystemBuffer;
    … …
    case FileBasicInformation:

        FatQueryBasicInfo( IrpContext, Fcb, FileObject, Buffer, &Length );
        break;
}

VOID
FatQueryBasicInfo (
    IN PIRP_CONTEXT IrpContext,
    IN PFCB Fcb,
    IN PFILE_OBJECT FileObject,
    IN OUT PFILE_BASIC_INFORMATION Buffer,
    IN OUT PLONG Length
    )
{
    DebugTrace(+1, Dbg, "FatQueryBasicInfo...\n", 0);

    //
    // Zero out the output buffer, and set it to indicate that
    // the query is a normal file.  Later we might overwrite the
    // attribute.
    //

    RtlZeroMemory( Buffer, sizeof(FILE_BASIC_INFORMATION) );

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

FAT_FILE_SYSTEM (23)
If you see FatExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 000e0100
Arg2: f896cbe0
Arg3: f896c8dc
Arg4: f843d49e

Debugging Details:
------------------

EXCEPTION_RECORD: f896cbe0 - (.exr 0xfffffffff896cbe0)
ExceptionAddress: f843d49e (Fastfat!FatQueryBasicInfo+0x00000011)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 0348e558
Attempt to write to address 0348e558

CONTEXT: f896c8dc - (.cxr 0xfffffffff896c8dc)
eax=00000000 ebx=821a39f8 ecx=0000000a edx=819f69c0 esi=0348e558 edi=0348e558
eip=f843d49e esp=f896cca8 ebp=f896ccb0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
Fastfat!FatQueryBasicInfo+0x11:
f843d49e f3ab rep stos dword ptr es:[edi] es:0023:0348e558=???
Resetting default scope

CUSTOMER_CRASH_COUNT: 3

DEFAULT_BUCKET_ID: DRIVER_FAULT

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

WRITE_ADDRESS: 0348e558

BUGCHECK_STR: 0x23

LAST_CONTROL_TRANSFER: from f842fb68 to f843d49e

STACK_TEXT:
f896ccb0 f842fb68 821a39f8 e2a453f0 819f69c0 Fastfat!FatQueryBasicInfo+0x11
f896cd14 f84417aa 821a39f8 81a42008 821a39fc Fastfat!FatCommonQueryInformation+0x108
f896cd74 804e57fe 821a39f8 00000000 823ba640 Fastfat!FatFspDispatch+0xe4
f896cdac 8057efed 821a39f8 00000000 00000000 nt!ExpWorkerThread+0x100
f896cddc 804fb477 804e5729 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
Fastfat!FatQueryBasicInfo+11
f843d49e f3ab rep stos dword ptr es:[edi]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Fastfat!FatQueryBasicInfo+11

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Fastfat

IMAGE_NAME: Fastfat.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107eb7

STACK_COMMAND: .cxr 0xfffffffff896c8dc ; kb

FAILURE_BUCKET_ID: 0x23_Fastfat!FatQueryBasicInfo+11

BUCKET_ID: 0x23_Fastfat!FatQueryBasicInfo+11

Followup: MachineOwner

You've passed down an invalid buffer (an address in user space) to an
IRP_MJ_QUERY_INFORMATION. FAT has posted this request.

What you are seeing is an access violation in the thread it posted the
request to, as it clears the buffer. You will be able to confirm this by
looking at the IRP. If you are setting a user address into
Irp->AssociatedIrp.SystemBuffer, this is wrong at all sorts of levels…

wrote in message news:xxxxx@ntfsd…
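To turn the reply's diagnosis into something repeatable, here is an added triage script (written for this thread, not code from either poster or from fastfat) that parses the relevant lines of the `!analyze -v` output quoted above and reports the facts that point at the faulty caller: a write fault, a faulting address that lies in the user-mode half of the x86 address space, `edi` holding that address (so the `rep stos` is zeroing the output buffer), and `nt!ExpWorkerThread` on the stack (so the request runs in a system worker thread, where no user address is meaningful). The sample text is constructed from the posted dump; the 0x80000000 user/kernel boundary is an assumption for a 32-bit system booted without /3GB, which is why it is a parameter.

```python
import re

# Constructed sample: the relevant lines from the !analyze -v output posted above.
ANALYZE_OUTPUT = """\
EXCEPTION_RECORD: f896cbe0 - (.exr 0xfffffffff896cbe0)
ExceptionAddress: f843d49e (Fastfat!FatQueryBasicInfo+0x00000011)
ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 0348e558
CONTEXT: f896c8dc - (.cxr 0xfffffffff896c8dc)
eax=00000000 ebx=821a39f8 ecx=0000000a edx=819f69c0 esi=0348e558 edi=0348e558
eip=f843d49e esp=f896cca8 ebp=f896ccb0 iopl=0 nv up ei pl zr na pe nc
Fastfat!FatQueryBasicInfo+0x11:
f843d49e f3ab rep stos dword ptr es:[edi] es:0023:0348e558=???
STACK_TEXT:
f896ccb0 f842fb68 821a39f8 e2a453f0 819f69c0 Fastfat!FatQueryBasicInfo+0x11
f896cd14 f84417aa 821a39f8 81a42008 821a39fc Fastfat!FatCommonQueryInformation+0x108
f896cd74 804e57fe 821a39f8 00000000 823ba640 Fastfat!FatFspDispatch+0xe4
f896cdac 8057efed 821a39f8 00000000 00000000 nt!ExpWorkerThread+0x100
f896cddc 804fb477 804e5729 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
"""

# Assumption: default 32-bit x86 split. A /3GB system would use 0xC0000000 instead.
X86_SYSTEM_RANGE_START = 0x80000000


def parse_exception(text):
    """Pull the access-violation details out of the EXCEPTION_RECORD section."""
    code = re.search(r"ExceptionCode:\s*([0-9a-f]+)", text)
    p0 = re.search(r"Parameter\[0\]:\s*([0-9a-f]+)", text)
    p1 = re.search(r"Parameter\[1\]:\s*([0-9a-f]+)", text)
    if not (code and p0 and p1):
        raise ValueError("no EXCEPTION_RECORD in output")
    return {
        "code": int(code.group(1), 16),
        "is_write": int(p0.group(1), 16) == 1,  # Parameter[0]: 0 = read, 1 = write
        "address": int(p1.group(1), 16),
    }


def parse_registers(text):
    """Collect the x86 general-purpose registers from the CONTEXT dump."""
    regs = {}
    for name, val in re.findall(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})", text):
        regs[name] = int(val, 16)
    return regs


def parse_stack(text):
    """Return the symbol of each STACK_TEXT frame, top of stack first."""
    frames = []
    in_stack = False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            m = re.match(r"([0-9a-f]{8}\s+){5}(\S+!\S+)", line)
            if not m:
                break
            frames.append(m.group(2))
    return frames


def triage(text, system_range_start=X86_SYSTEM_RANGE_START):
    """Combine the three views into findings a driver writer can act on."""
    exc = parse_exception(text)
    regs = parse_registers(text)
    frames = parse_stack(text)
    findings = []
    if exc["code"] == 0xC0000005:
        kind = "write" if exc["is_write"] else "read"
        where = "user-mode" if exc["address"] < system_range_start else "kernel-mode"
        findings.append(f"{kind} fault at {exc['address']:#010x} ({where} address)")
    if regs.get("edi") == exc["address"]:
        findings.append("edi holds the faulting address: rep stos is zeroing the caller's output buffer")
    on_worker = any(f.startswith("nt!ExpWorkerThread") for f in frames)
    if on_worker:
        findings.append("request runs on a system worker thread (arbitrary thread context): "
                        "user addresses are not valid here")
    if on_worker and exc["address"] < system_range_start:
        findings.append("likely cause: a user-mode pointer stored in Irp->AssociatedIrp.SystemBuffer "
                        "by the driver that issued the IRP")
    return {"exception": exc, "frames": frames, "findings": findings}


if __name__ == "__main__":
    for finding in triage(ANALYZE_OUTPUT)["findings"]:
        print(finding)
```

The script only reads the dump text, so it works on any saved `!analyze -v` transcript; the next step it cannot automate is the one the reply names, inspecting the IRP itself (the first argument on every Fastfat frame, 821a39f8, is the IrpContext, which leads to the IRP and therefore to the driver that built it).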