There are many reasons an application buffer might become invalid that have
nothing to do with malicious intent, or even stupidity.
For example, an application might be using some form of exception handling.
An innocent enough piece of code uses a stack-based buffer; the thread is
then thrown an exception which it traps, but of course it also unwinds its
stack. NOW the buffer contents change.
Or perhaps the process terminates and its address space is torn down. The
region of the addresses for the buffer are no longer valid.
There are many things that can go wrong in an application that can result in
this behavior. Rob is absolutely right that one must be cautious when
accessing any user buffer within a kernel driver.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
See the new NTFSD FAQ on the OSR Web Site!
-----Original Message-----
From: Dejan Maksimovic [mailto:xxxxx@alfasp.com]
Sent: Wednesday, October 17, 2001 2:53 PM
To: File Systems Developers
Subject: [ntfsd] Re: Change the Irp->UserBuffer.
> For Probe, yes.
> But, for the purpose of filtering directory entries, one would not
> access the buffer before it is filled by the file system, and
> only if the
> call was successful.
> Thus, the buffer won’t be touched unless it is valid.
There is a race here. The caller’s process could make that buffer
invalid between the file system accessing the user’s buffer and you
touching it. Thus, you should always protect access to the buffer.
Paranoia is the key to writing robust kernel code.
The caller needs the buffer to be valid after the filter processes it,
so making it invalid during a call would make it invalid after the call - or
make the unwanted results.
If the user is John-Doe-Brainless, paranoia is not enough. If he wants
to crash the system he doesn’t need weakness in a 3rd party driver, you
know:-)
> BTW, the ProbeForRead that I saw in the headers doesn’t
> really check the
> validity of the address, rather it just checks the alignment.
> Am I missing
> something?
Yes. Notice that it checks to make sure the address is a user-mode
address. That is the comparison against MM_USER_PROBE_ADDRESS. This
prevents blue screens such as PAGE_FAULT_IN_NONPAGED_AREA when you try to
access the buffer inside your _try/_except construct. The
_try/_except will catch the attempt to use an invalid user pointer.
ProbeForRead is responsible for catching the errors that _try/_except
cannot.
Interesting. I thought trying to touch invalid user mode address would
also give PAGE_FAULT_IN_NON_PAGED_AREA bsod.
–
Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com
E-mail: xxxxx@alfasp.com
ICQ#: 56570367
Alfa File Monitor - File monitoring system for Win32 developers.
Alfa File Protector - File protection and hiding system for Win32
developers.
You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com