Can filter manager APIs crash due to parallel execution

Ok. Then boot with original file, and patch it in memory with “e
fltmgr+0x4F47 49 83 7B 18 00 75 14 CC CC 83 F8 10 0F 85 0F A6 00 00 48 8D
79 58 E9 A7 FE FF FF 49 8B E3 41 5F 41 5E 5F C3 CC” command in windbg.
Replacing of the original time requires time.

> Replacing of the original time requires time.

original file :slight_smile:

I used the command to patch fltmgr in memory and started my copy operation.
My driver has not crashed so far, more testing underway.

Please let me know what exactly the patched filter manager does.

Thanks.

> Please let me know what exactly the patched filter manager does.

We suspect a stack corruption is taking place for you. I know from the dump
you gave that the crash occurs while the FltGetStreamContext routine is being
executed. I reversed it and I think the stack gets corrupted while the
GetContextFromStreamList routine is being executed, which is called by
FltGetStreamContext.
Therefore the command patches the GetContextFromStreamList routine. This patch
adds a check for a zero return address, and if the address is zero it'll
break execution. So now you have to wait and see whether you get a BSOD or the
breakpoint I added.

There was a bug check raised, however the breakpoint in the patched fltmgr.sys was not triggered.

STACK_TEXT:
ffffd00022430b30 ffff2801ab1d5111
ffffd00022430b38 ffffe001564b8900
ffffd00022430b40 ffffe001564b8900
ffffd00022430b48 fffff801895d0691 HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion+0x101 [f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c @ 3917]
ffffd00022430b50 ffffe0015652d760
ffffd00022430b58 ffffe00156e3a040
ffffd00022430b60 ffffe0015ba09070
ffffd00022430b68 0000000000000202
ffffd00022430b70 0000000022430b01
ffffd00022430b78 ffffe0015ba3fe20
ffffd00022430b80 ffffe00156f907c0
ffffd00022430b88 0000000089000000
ffffd00022430b90 0000000000000000
ffffd00022430b98 0000000000000000
ffffd00022430ba0 0000000100000000
ffffd00022430ba8 ffffe00156f13d58

FAULTING_SOURCE_LINE: f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c

FAULTING_SOURCE_FILE: f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c

FAULTING_SOURCE_LINE_NUMBER: 3917

FAULTING_SOURCE_CODE:
3913: //try
3914: //{
3915:
3916: status = FltGetStreamContext(Instance, Data->Iopb->TargetFileObject,

3917: &pHpArcHsmContext);
3918: //}
3919: //except(BackgroundExceptionFilter1(GetExceptionCode(), GetExceptionInformation()))
3920: //{
3921: // Data->IoStatus.Status = STATUS_DISK_OPERATION_FAILED;//STATUS_ACCESS_DENIED;
3922: // Data->IoStatus.Information = 0;

SYMBOL_NAME: HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion+101

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: HPEDpHsmX64

IMAGE_NAME: HPEDpHsmX64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5837c4d1

BUCKET_ID_FUNC_OFFSET: 101

FAILURE_BUCKET_ID: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion

BUCKET_ID: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion

PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:access_violation_null_ip_hpedphsmx64!hparchsmdeferredreadwritecompletion

FAILURE_ID_HASH: {e1f42df5-5598-3f4c-2aad-37cd6a1e57b6}

Followup: MachineOwner

Can you send this dump to me?

I will send this dump, but let me try again once.
How can I confirm that the fltmgrdbg.sys was patched correctly?

> How can I confirm that the fltmgrdbg.sys was patched correctly?

Run the “u fltmgr+0x4F4E” command after patching. You should see the “int 3”
instruction disassembled. For this reason I asked you to send me the dump. I
want to be sure.

I will send this dump, but let me try again once.

Ok.

I have uploaded the dumps at https://drive.google.com/file/d/0B59FSVYGDOVCZUhHcmYwc2lVVVk/view

Ok. How is it going?

Even after patching, FltGetStreamContext still shows an access violation. It seems that the patched fltmgr int 3 is not being executed.

STACK_COMMAND: dps ffffd000caeddb50-0x20 ; kb

STACK_TEXT:
ffffd000caeddb30 ffff280105d9c22b
ffffd000caeddb38 ffffe0002c822900
ffffd000caeddb40 ffffe0002c822900
ffffd000caeddb48 fffff801cf33b691 HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion+0x101 [f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c @ 3917]
ffffd000caeddb50 ffffe00031cb7470
ffffd000caeddb58 ffffe0002d38d880
ffffd000caeddb60 ffffe0002ca14070
ffffd000caeddb68 0000000000000202
ffffd000caeddb70 000000002d38d801
ffffd000caeddb78 ffffe0002d6a4b00
ffffd000caeddb80 ffffe0002d3ad7e0
ffffd000caeddb88 00000000cf000000
ffffd000caeddb90 0000000000000000
ffffd000caeddb98 0000000000000000
ffffd000caeddba0 0000000100000000
ffffd000caeddba8 ffffe00032115ac8

FAULTING_SOURCE_LINE: f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c

FAULTING_SOURCE_FILE: f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c

FAULTING_SOURCE_LINE_NUMBER: 3917

FAULTING_SOURCE_CODE:
3913: //try
3914: //{
3915:
3916: status = FltGetStreamContext(Instance, Data->Iopb->TargetFileObject,

3917: &pHpArcHsmContext);
3918: //}
3919: //except(BackgroundExceptionFilter1(GetExceptionCode(), GetExceptionInformation()))
3920: //{
3921: // Data->IoStatus.Status = STATUS_DISK_OPERATION_FAILED;//STATUS_ACCESS_DENIED;
3922: // Data->IoStatus.Information = 0;

SYMBOL_NAME: HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion+101

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: HPEDpHsmX64

IMAGE_NAME: HPEDpHsmX64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5837c4d1

BUCKET_ID_FUNC_OFFSET: 101

FAILURE_BUCKET_ID: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion

BUCKET_ID: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion

PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:access_violation_null_ip_hpedphsmx64!hparchsmdeferredreadwritecompletion

FAILURE_ID_HASH: {e1f42df5-5598-3f4c-2aad-37cd6a1e57b6}

Followup: MachineOwner

It's ok. When I get my PC I'll make the next patch.

Ok, thanks. I will check it after I am back online.

Try these commands:

e fltmgr+0x4F47 49 83 7B 18 00 75 14 CC CC 83 F8 10 0F 85 0F A6 00 00 48 8D
79 58 E9 A7 FE FF FF 49 8B E3 41 5F 41 5E 5F C3 CC;

e fltmgr+0x1640 48 83 7C 24 28 00 75 19 CC CC CC CC 48 8D 8B 08 05 00 00 FF
15 EF 6A 01 00 FF 15 31 6B 01 00 EB DB 48 83 C4 40 41 5F 41 5E 5F 5E 5B C3
CC 90 90;

e fltmgr+0x14180 48 83 C4 68 48 83 3C 24 00 75 01 CC C3 CC;

e fltmgr+0x14119 E9 62 00 00 00;

e fltmgr+0x62C0 E9 0C 00 00 00 CC FF 43 20 48 8B CF FF 53 38 EB EA 48 83 C4
20 5F 48 83 3C 24 00 75 01 CC C3 CC;

e fltmgr+0xF4B4 90 90 90 90 90 90;

After patching I am hitting int 3 continuously in xxxxx@FltpGetStreamListCtrl,
and it is triggered from my driver's PreClose.
I will post the windbg output.

Do you mean breakpoint occurs right away after patching?

yes

5: kd> g
Break instruction exception - code 80000003 (first chance)
fltmgr!FltpGetStreamListCtrl+0x38b:
fffff800`2835c64b cc int 3
5: kd> kb

RetAddr : Args to Child : Call Site

00 fffff800283638e1 : ffffe001fb270010 ffffe001ff90e010 0000000000000000 ffffe001ff90e018 : fltmgr!FltpGetStreamListCtrl+0x38b
01 fffff800286cdb8c : ffffe001ff90e010 ffffe001ffdc93f0 0000000010000004 0000000000000000 : fltmgr!FltGetStreamContext+0x21
02 fffff8002835d28a : ffffe001fff13cd8 ffffd0002275b6f0 ffffd0002275b6d8 ffffe001ff90e018 : HPEDpHsmX64!HpArcHsmPreClose+0x3c [f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c @ 1740]
03 fffff8002835e7bc : ffffd0002275b880 0000000000000000 0000000000000000 ffffe001ffdc9302 : fltmgr!FltpPerformPreCallbacks+0x31a
04 fffff8002835c92e : ffffe001fff13c00 0000000000680727 ffffd0002275b6f0 0000000000000002 : fltmgr!FltpPassThroughInternal+0x8c
05 fffff8002835c09e : ffffe001fb26fd70 ffffe001ff8989d0 ffffe001ff8989d0 ffffe001fab32f20 : fltmgr!FltpPassThrough+0x2be
06 fffff801c89f48bc : ffffe001ffdc93f0 ffffe001faa56030 ffffe001ff8989d0 0000000000000001 : fltmgr!FltpDispatch+0x9e
07 fffff801c8a16004 : 0000000000000000 ffffe001ffdc93f0 ffffe001fab32f20 ffffe001ffdc93c0 : nt!IopDeleteFile+0x128
08 fffff801c8668b8f : 0000000000000000 ffffd0002275ba99 ffffe001ffdc93f0 ffffe001fab32f20 : nt!ObpRemoveObjectRoutine+0x64
09 fffff801c89f3c24 : ffffe001ffdc93c0 00000000ffff8001 ffffd0002275ba99 0000000000007fff : nt!ObfDereferenceObjectWithTag+0x8f
0a fffff801c87617b3 : ffffe001ffe37880 000000000109f1b0 00000000011f1d50 0000000000000000 : nt!NtClose+0x204
0b 00007ffbd832ac7a : 00007ffbd582500b 00000000c000000f 0000000000000000 0000000000000001 : nt!KiSystemServiceCopyEnd+0x13
0c 00007ffbd582500b : 00000000c000000f 0000000000000000 0000000000000001 0000003200000026 : ntdll!NtClose+0xa
0d 00000000c000000f : 0000000000000000 0000000000000001 0000003200000026 000000000109ee38 : 0x00007ffbd582500b
0e 0000000000000000 : 0000000000000001 0000003200000026 000000000109ee38 000000000109ee50 : 0xc000000f

Ok. Try these ones:

e fltmgr+0x4F47 49 83 7B 18 00 75 14 CC CC 83 F8 10 0F 85 0F A6 00 00 48 8D
79 58 E9 A7 FE FF FF 49 8B E3 41 5F 41 5E 5F C3 CC;

e fltmgr+0x1640 48 83 7C 24 68 00 75 19 CC CC CC CC 48 8D 8B 08 05 00 00 FF
15 EF 6A 01 00 FF 15 31 6B 01 00 EB DB 48 83 C4 40 41 5F 41 5E 5F 5E 5B C3
CC 90 90;

e fltmgr+0x14180 48 83 C4 68 48 83 3C 24 00 75 01 CC C3 CC;

e fltmgr+0x14119 E9 62 00 00 00;

e fltmgr+0x62C0 E9 0C 00 00 00 CC FF 43 20 48 8B CF FF 53 38 EB EA 48 83 C4
20 5F 48 83 3C 24 00 75 01 CC C3 CC;

e fltmgr+0xF4B4 90 90 90 90 90 90;

Now a breakpoint was triggered correctly after the operation was started.

Break instruction exception - code 80000003 (first chance)
0: kd> kb

RetAddr : Args to Child : Call Site

00 0000000000000000 : ffffe001976647f0 ffffe0019ba6e180 0000000000000000 ffffe001`9ba6e188 : fltmgr!FltpGetStreamListCtrl+0x388

Please note that there is nothing on the stack except FltpGetStreamListCtrl.
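As an added example (not code from this thread or from either poster), here is a small Python triage helper for the windbg `kb` listings quoted above. It parses each frame, splits frames that extraction glued onto one line, and flags the condition the int 3 patch traps: the innermost frame carrying a zero return address, which is also why the last `kb` walk stops after a single frame. A zero return address in the outermost frame (frame 0e of the earlier PreClose walk) is the normal end of a user-mode unwind and is deliberately not flagged. The two sample inputs are the `kb` outputs posted in the thread; the function and class names are my own.

```python
"""Triage helper for windbg ``kb`` output (added example, not the thread's code).

Parses "NN RetAddr : Arg1 Arg2 Arg3 Arg4 : Call Site" frames and reports a stack
whose innermost frame would return to address 0, the case the int 3 check in
the patched GetContextFromStreamList routine is meant to catch.
"""
import re
from dataclasses import dataclass
from typing import List

_HEX64 = r"[0-9a-fA-F`]{16,17}"  # 64-bit value, optional windbg backtick

# Call site runs to end of line or to the next "NN <ret> :" frame header, so
# several frames glued onto one line by copy/paste are still split correctly.
_FRAME_RE = re.compile(
    r"(?<![0-9a-fA-F`])(?P<idx>[0-9a-fA-F]{2})\s+(?P<ret>" + _HEX64 + r")\s*:\s*"
    r"(?P<a1>" + _HEX64 + r")\s+(?P<a2>" + _HEX64 + r")\s+"
    r"(?P<a3>" + _HEX64 + r")\s+(?P<a4>" + _HEX64 + r")\s*:\s*"
    r"(?P<site>.+?)(?=\s+[0-9a-fA-F]{2}\s+" + _HEX64 + r"\s*:|$)",
    re.MULTILINE,
)


@dataclass
class Frame:
    index: int
    return_address: int
    args: List[int]
    call_site: str


def _hexval(token: str) -> int:
    return int(token.replace("`", ""), 16)


def parse_kb(text: str) -> List[Frame]:
    """Return the frames of a ``kb`` listing in display order (innermost first)."""
    return [
        Frame(int(m.group("idx"), 16), _hexval(m.group("ret")),
              [_hexval(m.group(k)) for k in ("a1", "a2", "a3", "a4")],
              m.group("site").strip())
        for m in _FRAME_RE.finditer(text)
    ]


def innermost_return_is_null(frames: List[Frame]) -> bool:
    """True when frame 00 would return to 0: its return slot has been overwritten,
    so the unwinder cannot walk any further. A zero RetAddr in the outermost
    frame is the normal end of a user-mode walk and is not flagged."""
    return bool(frames) and frames[0].index == 0 and frames[0].return_address == 0


def triage(text: str) -> str:
    frames = parse_kb(text)
    if not frames:
        return "no frames parsed"
    if innermost_return_is_null(frames):
        return (f"suspect: {frames[0].call_site} would return to 0; "
                f"walk stopped after {len(frames)} frame(s)")
    return (f"clean: {len(frames)} frames from {frames[0].call_site} "
            f"up to {frames[-1].call_site}")


# Sample input 1: the PreClose-triggered break from the thread, with the glued
# lines left exactly as they were pasted.
KB_PRECLOSE = r"""5: kd> kb
RetAddr : Args to Child : Call Site
00 fffff800283638e1 : ffffe001fb270010 ffffe001ff90e010 0000000000000000 ffffe001ff90e018 : fltmgr!FltpGetStreamListCtrl+0x38b 01 fffff800286cdb8c : ffffe001ff90e010 ffffe001ffdc93f0 0000000010000004 0000000000000000 : fltmgr!FltGetStreamContext+0x21
02 fffff8002835d28a : ffffe001fff13cd8 ffffd0002275b6f0 ffffd0002275b6d8 ffffe001ff90e018 : HPEDpHsmX64!HpArcHsmPreClose+0x3c [f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c @ 1740] 03 fffff8002835e7bc : ffffd0002275b880 0000000000000000 0000000000000000 ffffe001ffdc9302 : fltmgr!FltpPerformPreCallbacks+0x31a
04 fffff8002835c92e : ffffe001fff13c00 0000000000680727 ffffd0002275b6f0 0000000000000002 : fltmgr!FltpPassThroughInternal+0x8c 05 fffff8002835c09e : ffffe001fb26fd70 ffffe001ff8989d0 ffffe001ff8989d0 ffffe001fab32f20 : fltmgr!FltpPassThrough+0x2be
06 fffff801c89f48bc : ffffe001ffdc93f0 ffffe001faa56030 ffffe001ff8989d0 0000000000000001 : fltmgr!FltpDispatch+0x9e 07 fffff801c8a16004 : 0000000000000000 ffffe001ffdc93f0 ffffe001fab32f20 ffffe001ffdc93c0 : nt!IopDeleteFile+0x128
08 fffff801c8668b8f : 0000000000000000 ffffd0002275ba99 ffffe001ffdc93f0 ffffe001fab32f20 : nt!ObpRemoveObjectRoutine+0x64 09 fffff801c89f3c24 : ffffe001ffdc93c0 00000000ffff8001 ffffd0002275ba99 0000000000007fff : nt!ObfDereferenceObjectWithTag+0x8f
0a fffff801c87617b3 : ffffe001ffe37880 000000000109f1b0 00000000011f1d50 0000000000000000 : nt!NtClose+0x204 0b 00007ffbd832ac7a : 00007ffbd582500b 00000000c000000f 0000000000000000 0000000000000001 : nt!KiSystemServiceCopyEnd+0x13
0c 00007ffbd582500b : 00000000c000000f 0000000000000000 0000000000000001 0000003200000026 : ntdll!NtClose+0xa 0d 00000000c000000f : 0000000000000000 0000000000000001 0000003200000026 000000000109ee38 : 0x00007ffbd582500b 0e 0000000000000000 : 0000000000000001 0000003200000026 000000000109ee38 000000000109ee50 : 0xc000000f
"""

# Sample input 2: the later break where the walk ends in a single frame.
KB_NULL_RET = r"""0: kd> kb
RetAddr : Args to Child : Call Site
00 0000000000000000 : ffffe001976647f0 ffffe0019ba6e180 0000000000000000 ffffe001`9ba6e188 : fltmgr!FltpGetStreamListCtrl+0x388
"""

if __name__ == "__main__":
    print(triage(KB_PRECLOSE))
    print(triage(KB_NULL_RET))
```

The parser is intentionally tolerant of the copy/paste damage seen in the thread; when it reports "suspect", the next thing to check in the debugger is the function that was about to return through the zeroed slot, which is what the `u fltmgr+0x4F4E` / int 3 verification step earlier in the thread does by hand.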