doubt regarding mapping the user and kernel space

Hi Everybody,
I have some doubt regarding mapping the user and kernel space.

I allocated memory space in non-paged pool from a user thread context
(i.e., through DeviceIoControl) and mapped it to the user space, So that
I got a user-space address which had mapped can access kernel mode
memory from user space.

After I had used that memory space I deallocated the allocated non-paged
pool. Now how I could reallocate the mapped user-space? Or What is the
scope of the mapped user-space?

I assume that mapping the allocated kernel-space with user-space will
allocate the same size in user-space and both will get the same copy of
PTEs. Am I right?

If I try to use the mapped user-space memory after I deallocated the
kernel-space, bugcheck occurs with DRIVER_CORRUPTED_EXPOOL code.
Please explain me what will be happening while doing the map.

Thanks & Regards,
Raja

The kernel will keep two sets of PTE’s for this type of memory. You need to
construct the code such that the user-mode applicaiton never can access
this chunk of memory once you’ve decided to de-allocate it. There are
several ways of achieving this. For example, you can have the application
call a “I’m done” IOCTL, where you unmap the chunk from user space and at
the same time de-allocate the memory from kernel space.

If you are not happy with the above suggestion on how to solve the problem,
you’ll probably have to explain a little more about what you’re doing.

Also, beware that mapping kernel memory to user-space can give holes for
“bad programs” to exploit kernel memory accesses. The best way to transfer
data to/from user-mode is to use buffered IOCTL calls. That way, you don’t
have to concern yourself with the possibiltiy of any “bad programs” trying
to exploit your IOCTL’s. Yes, it looses some performance, but it’s a lot
easier for you to handle, and a lot safer…


Mats

xxxxx@lists.osr.com wrote on 04/20/2005 05:02:40 PM:

Hi Everybody,
I have some doubt regarding mapping the user and kernel space.
I allocated memory space in non-paged pool from a user thread
context (i.e., through DeviceIoControl) and mapped it to the user
space, So that I got a user-space address which had mapped can
access kernel mode memory from user space.
After I had used that memory space I deallocated the allocated non-
paged pool. Now how I could reallocate the mapped user-space? Or
What is the scope of the mapped user-space?
I assume that mapping the allocated kernel-space with user-space
will allocate the same size in user-space and both will get the same
copy of PTEs. Am I right?
If I try to use the mapped user-space memory after I deallocated the
kernel-space, bugcheck occurs with DRIVER_CORRUPTED_EXPOOL code.
Please explain me what will be happening while doing the map.
Thanks & Regards,
Raja


Questions? First check the Kernel Driver FAQ at http://www.
osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
ForwardSourceID:NT000110F6

Kannan, Raja wrote:

Hi Everybody,
I have some doubt regarding mapping the user and kernel space.

I allocated memory space in non-paged pool from a user thread context
(i.e., through DeviceIoControl) and mapped it to the user space, So
that I got a user-space address which had mapped can access kernel
mode memory from user space.

A dangerous practice, but that’s a discussion for another day.

After I had used that memory space I deallocated the allocated
non-paged pool. Now how I could reallocate the mapped user-space? Or
What is the scope of the mapped user-space?

YOU need to unmap the user-mode mapping before freeing the non-paged
pool. That is your driver’s responsibility. The operating system does
not track this.

I assume that mapping the allocated kernel-space with user-space will
allocate the same size in user-space and both will get the same copy
of PTEs. Am I right?

Well, there will be two separate sets of PTEs, but both sets will point
to the same physical addresses. When you release the memory back to the
non-paged pool, you are telling the operating system that it is safe to
assign those physical pages for other purposes. It does not know that
you have left around a user-space address that still points to this
memory. When your user-mode process writes to that address, it is
writing on someone else’s memory. Such an action is generally
incompatible with the ongoing peaceful existance of your Windows session.

If I try to use the mapped user-space memory after I deallocated the
kernel-space, bugcheck occurs with DRIVER_CORRUPTED_EXPOOL code.

Exactly. I’m not sure what else you would expect.

Please explain me what will be happening while doing the map.

I think you described it. The operating system creates a new set of
PTEs in the user-mode space that point to your existing physical
address. It does not allocate any memory for this, nor does it track
that there are two mappings to this address. That is YOUR responsibility.

> several ways of achieving this. For example, you can have the application

call a “I’m done” IOCTL, where you unmap the chunk from user space and at
the same time de-allocate the memory from kernel space.

MJ_CLEANUP path is also a good idea.

Also, beware that mapping kernel memory to user-space can give holes for
“bad programs” to exploit kernel memory accesses. The best way to transfer

Yes. So, at least this region must be page-aligned => allocated with Size >= 1
page.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Thanks for your response.

It is my mistake…Yes I didn’t call MmUnmapLockedPages(…).
You are telling that mapping doesn’t allocate any memory in user space.
But after I de-allocated kernel memory and unmapped user memory, I have
still able to access the user space memory. I anticipated some user mode
exception. Now I am not getting any kind of bugcheck.

Raja

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Wednesday, April 20, 2005 10:04 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] doubt regarding mapping the user and kernel space

Kannan, Raja wrote:

Hi Everybody,
I have some doubt regarding mapping the user and kernel space.

I allocated memory space in non-paged pool from a user thread context
(i.e., through DeviceIoControl) and mapped it to the user space, So
that I got a user-space address which had mapped can access kernel
mode memory from user space.

A dangerous practice, but that’s a discussion for another day.

After I had used that memory space I deallocated the allocated
non-paged pool. Now how I could reallocate the mapped user-space? Or
What is the scope of the mapped user-space?

YOU need to unmap the user-mode mapping before freeing the non-paged
pool. That is your driver’s responsibility. The operating system does
not track this.

I assume that mapping the allocated kernel-space with user-space will
allocate the same size in user-space and both will get the same copy
of PTEs. Am I right?

Well, there will be two separate sets of PTEs, but both sets will point
to the same physical addresses. When you release the memory back to the
non-paged pool, you are telling the operating system that it is safe to
assign those physical pages for other purposes. It does not know that
you have left around a user-space address that still points to this
memory. When your user-mode process writes to that address, it is
writing on someone else’s memory. Such an action is generally
incompatible with the ongoing peaceful existance of your Windows
session.

If I try to use the mapped user-space memory after I deallocated the
kernel-space, bugcheck occurs with DRIVER_CORRUPTED_EXPOOL code.

Exactly. I’m not sure what else you would expect.

Please explain me what will be happening while doing the map.

I think you described it. The operating system creates a new set of
PTEs in the user-mode space that point to your existing physical
address. It does not allocate any memory for this, nor does it track
that there are two mappings to this address. That is YOUR
responsibility.


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@networkgeneral.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

> Thanks for your response.

It is my mistake…Yes I didn’t call MmUnmapLockedPages(…).
You are telling that mapping doesn’t allocate any memory in user space.
But after I de-allocated kernel memory and unmapped user memory, I have
still able to access the user space memory. I anticipated some user mode
exception. Now I am not getting any kind of bugcheck.

Yes, you would still be able to access the memory, since the PTE’s created
for the user-space page-table are still available. Since the user-space
page-tables still contain the “valid” bit, you don’t get any exception.
That, however, doesn’t mean that it’s a good thing to access these pages.
Let’s say you allocate one page of kernel memory in non-paged pool, that
page is at 0x4000000 physical address. Then map it to user memory, giving
it a virtual address of 0x12340000. Now we de-allocate the kernel memory.
0x4000000 physical page is now “unused” according to the OS. Next the OS
decides that it needs a page of memory for the file-system. It gets our
page at 0x4000000, and fills it with some directory data to be written to
the disk. Now your user-mode app goes and writes to the memory, filling it
with it’s data. Then the file-system writes it’s directory data. Guess
what: Your file-system is now corrupt. You won’t get a blue-screen at this
time [some time later, maybe, but not now].

Since there are two page-tables, both pointing at the same physical memory,
there is no way to determine that one of them points to memory that has
previously been de-allocated (the OS doesn’t keep track of user-mode
mappings against kernel memory, it’s your task to do that correctly). As
long as the page-table for user-mode contains valid data, which it will do
“forever” when it comes to non-paged pool, as it’s never being paged out,
you can access that memory from the user-mode app. It won’t contain the
kernel-mode data that you expect it to contain, and any write to that
memory will cause horrible things to happen. In your case, pool-corruption,
which probably means that you were allocating a small portion of memory,
and when you write to that memory after the kernel driver has freed it,
it’s causing an overwrite of the kernel’s pool tracking, which causes your
bug-check. In a different scenario, you may get random bug-checks in a
different driver (say for instance that there is a pointer stored in a
data-structure owned by the network driver, and you overwrite that pointer
with some value that isn’t a good pointer, the network driver would get a
page-fault in an unexpected region).


Mats

Raja

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Wednesday, April 20, 2005 10:04 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] doubt regarding mapping the user and kernel space

Kannan, Raja wrote:

> Hi Everybody,
> I have some doubt regarding mapping the user and kernel space.
>
> I allocated memory space in non-paged pool from a user thread context
> (i.e., through DeviceIoControl) and mapped it to the user space, So
> that I got a user-space address which had mapped can access kernel
> mode memory from user space.
>

A dangerous practice, but that’s a discussion for another day.

> After I had used that memory space I deallocated the allocated
> non-paged pool. Now how I could reallocate the mapped user-space? Or
> What is the scope of the mapped user-space?
>

YOU need to unmap the user-mode mapping before freeing the non-paged
pool. That is your driver’s responsibility. The operating system does
not track this.

> I assume that mapping the allocated kernel-space with user-space will
> allocate the same size in user-space and both will get the same copy
> of PTEs. Am I right?
>

Well, there will be two separate sets of PTEs, but both sets will point
to the same physical addresses. When you release the memory back to the
non-paged pool, you are telling the operating system that it is safe to
assign those physical pages for other purposes. It does not know that
you have left around a user-space address that still points to this
memory. When your user-mode process writes to that address, it is
writing on someone else’s memory. Such an action is generally
incompatible with the ongoing peaceful existance of your Windows
session.

> If I try to use the mapped user-space memory after I deallocated the
> kernel-space, bugcheck occurs with DRIVER_CORRUPTED_EXPOOL code.
>

Exactly. I’m not sure what else you would expect.

> Please explain me what will be happening while doing the map.
>

I think you described it. The operating system creates a new set of
PTEs in the user-mode space that point to your existing physical
address. It does not allocate any memory for this, nor does it track
that there are two mappings to this address. That is YOUR
responsibility.


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@networkgeneral.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Questions? First check the Kernel Driver FAQ at http://www.
osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

ForwardSourceID:NT00011222

I am sorry for the late reply.

I aggree your point but I had unmap the mapped-user address space.
Pls let me to explain my senario.

  1. While mapping the kernel virtual Space with user virtual Space, I had
    put KdPrint((…)) to print the physical address of Kernel and User
    virtual spaces using MmGetPhysicalAddress(…). I got the same physical
    addresses, say 1A920C0064x.

PhysicalAddress = MmGetPhysicalAddress(
pDevExt->pDeviceBuffer );
KdPrint((“\nPhysical Address of Allocated KernelMemory :
%16X64x”, PhysicalAddress.QuadPart));

PhysicalAddress = MmGetPhysicalAddress(
pDevExt->pMappedUserSpace );
KdPrint((“\nPhysical Address of Allocated KernelMemory :
%16X64x”, PhysicalAddress.QuadPart));

  1. After unmap the user virtual address, I printed the physical address
    of user address, now the value was different, say 064x.

MmUnmapLockedPages(
pDevExt->pMappedUserSpace,
pDevExt->pMappingMdl
);
IoFreeMdl( pDevExt->pMappingMdl );

PhysicalAddress = MmGetPhysicalAddress(
pDevExt->pMappedUserSpace );
KdPrint((“\nPhysical Address of Allocated KernelMemory :
%16X64x”, PhysicalAddress.QuadPart));

  1. This time I didn’t get nay crash for long time.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mats PETERSSON
Sent: Thursday, April 21, 2005 2:09 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] doubt regarding mapping the user and kernel space

Thanks for your response.

It is my mistake…Yes I didn’t call MmUnmapLockedPages(…).
You are telling that mapping doesn’t allocate any memory in user
space.
But after I de-allocated kernel memory and unmapped user memory, I
have still able to access the user space memory. I anticipated some
user mode exception. Now I am not getting any kind of bugcheck.

Yes, you would still be able to access the memory, since the PTE’s
created for the user-space page-table are still available. Since the
user-space page-tables still contain the “valid” bit, you don’t get any
exception.
That, however, doesn’t mean that it’s a good thing to access these
pages.
Let’s say you allocate one page of kernel memory in non-paged pool, that
page is at 0x4000000 physical address. Then map it to user memory,
giving it a virtual address of 0x12340000. Now we de-allocate the kernel
memory.
0x4000000 physical page is now “unused” according to the OS. Next the OS
decides that it needs a page of memory for the file-system. It gets our
page at 0x4000000, and fills it with some directory data to be written
to the disk. Now your user-mode app goes and writes to the memory,
filling it with it’s data. Then the file-system writes it’s directory
data. Guess
what: Your file-system is now corrupt. You won’t get a blue-screen at
this time [some time later, maybe, but not now].

Since there are two page-tables, both pointing at the same physical
memory, there is no way to determine that one of them points to memory
that has previously been de-allocated (the OS doesn’t keep track of
user-mode mappings against kernel memory, it’s your task to do that
correctly). As long as the page-table for user-mode contains valid data,
which it will do “forever” when it comes to non-paged pool, as it’s
never being paged out, you can access that memory from the user-mode
app. It won’t contain the kernel-mode data that you expect it to
contain, and any write to that memory will cause horrible things to
happen. In your case, pool-corruption, which probably means that you
were allocating a small portion of memory, and when you write to that
memory after the kernel driver has freed it, it’s causing an overwrite
of the kernel’s pool tracking, which causes your bug-check. In a
different scenario, you may get random bug-checks in a different driver
(say for instance that there is a pointer stored in a data-structure
owned by the network driver, and you overwrite that pointer with some
value that isn’t a good pointer, the network driver would get a
page-fault in an unexpected region).


Mats

Raja

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Wednesday, April 20, 2005 10:04 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] doubt regarding mapping the user and kernel space

Kannan, Raja wrote:

> Hi Everybody,
> I have some doubt regarding mapping the user and kernel space.
>
> I allocated memory space in non-paged pool from a user thread
> context (i.e., through DeviceIoControl) and mapped it to the user
> space, So that I got a user-space address which had mapped can
> access kernel mode memory from user space.
>

A dangerous practice, but that’s a discussion for another day.

> After I had used that memory space I deallocated the allocated
> non-paged pool. Now how I could reallocate the mapped user-space? Or

> What is the scope of the mapped user-space?
>

YOU need to unmap the user-mode mapping before freeing the non-paged
pool. That is your driver’s responsibility. The operating system
does not track this.

> I assume that mapping the allocated kernel-space with user-space
> will allocate the same size in user-space and both will get the same

> copy of PTEs. Am I right?
>

Well, there will be two separate sets of PTEs, but both sets will
point to the same physical addresses. When you release the memory
back to the non-paged pool, you are telling the operating system that
it is safe to assign those physical pages for other purposes. It does

not know that you have left around a user-space address that still
points to this memory. When your user-mode process writes to that
address, it is writing on someone else’s memory. Such an action is
generally incompatible with the ongoing peaceful existance of your
Windows session.

> If I try to use the mapped user-space memory after I deallocated the

> kernel-space, bugcheck occurs with DRIVER_CORRUPTED_EXPOOL code.
>

Exactly. I’m not sure what else you would expect.

> Please explain me what will be happening while doing the map.
>

I think you described it. The operating system creates a new set of
PTEs in the user-mode space that point to your existing physical
address. It does not allocate any memory for this, nor does it track
that there are two mappings to this address. That is YOUR
responsibility.


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as:
xxxxx@networkgeneral.com To unsubscribe send a blank email to
xxxxx@lists.osr.com


Questions? First check the Kernel Driver FAQ at http://www.
osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag
argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

ForwardSourceID:NT00011222


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@networkgeneral.com
To unsubscribe send a blank email to xxxxx@lists.osr.com