Event Sharing between user and kernel mode

Hi,

I have written a WDM-based driver. It shares an event handle with a user mode application such that:

  • Application creates the event using “CreateEvent”.
  • Application passes this handle to driver using IOCTL.
  • IOCTL validates and increases reference count to event object using ObReferenceObjectByHandle.
  • Driver code de-references above handle when it is done with handle.

This code was working fine until I tested it on Windows 7 X64 under driver verifier using standard settings. It BSODs with bug check code 0xc4 and first parameter value: f6. This means that a driver is accessing a user mode handle.

Now I am a little puzzled because I am not sure how to share a user mode event in kernel mode. I read the documentation and my code looks in sync with the documentation.

Any direction/help is appreciated.

cheers, Neetu.

(Aside: I wonder why you’re writing a WDM driver and not a WDF driver???)

Weeeeelllll… Historically, there have been a lot of drivers that create user-mode handles and don’t even realize what they’re doing. AND there have been tons of drivers that referenced user-mode handles incorrectly. This opened them up to various serious security vulnerabilities. The Driver Verifier checks are trying to prevent some of these.

Are you manipulating the Event by POINTER? Are you getting that pointer with ObReferenceObjectByHandle, using an AccessMode of User Mode??

It’s important to do BOTH of these.

Peter
OSR

Post the driver code that references the handle and where you set/clear the event.

d

dent from a phine with no keynoard

-----Original Message-----
From: xxxxx@gmail.com
Sent: Friday, March 04, 2011 5:48 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Event Sharing between user and kernel mode


Thanks Peter and Doron for your prompt reply. I really appreciate it.

Peter -

It’s an old driver, so that’s why it is written using WDM. While testing under driver verifier on win 7 we saw this bug. On earlier versions of Windows, driver verifier does not have this bug check.

Thanks for your clear hints - I was getting the pointer using ObReferenceObjectByHandle and AccessMode was also UserMode, but I was not using this pointer properly in my call to a function, which led to a BSOD. I checked the pointer passed to that function and realized that I am not passing a pointer to a pointer, which was required in that call.

cheers, Neetu.
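
The two points raised in this thread (reference the handle with an AccessMode of user mode, then work with the event by pointer) can be seen in a small user-space model. This is an added example, not code from any poster and not WDK code: the handle table, status values and function names are all hypothetical, and the model is simplified to the checks that differ between the two access modes.

```c
/* User-space model, NOT WDK code; every name here is hypothetical. */
#include <stddef.h>

typedef enum { MODE_KERNEL, MODE_USER } access_mode;
typedef enum { TYPE_EVENT, TYPE_FILE } obj_type;
enum { ACCESS_MODIFY_STATE = 0x2 };  /* constructed access bit */
enum { ST_OK, ST_INVALID_HANDLE, ST_TYPE_MISMATCH, ST_ACCESS_DENIED };

typedef struct { obj_type type; long refs; int signaled; } object;
typedef struct { object *obj; unsigned granted; int kernel_only; } handle_entry;

/* Constructed sample handle table for one process. */
static object ev_a = { TYPE_EVENT, 1, 0 }, ev_b = { TYPE_EVENT, 1, 0 },
              file_c = { TYPE_FILE, 1, 0 }, ev_k = { TYPE_EVENT, 1, 0 };
static handle_entry sample[] = {
    { &ev_a, ACCESS_MODIFY_STATE, 0 },   /* 0: event, caller may set it */
    { &ev_b, 0x1, 0 },                   /* 1: event, no modify-state access */
    { &file_c, ACCESS_MODIFY_STATE, 0 }, /* 2: not an event */
    { &ev_k, ACCESS_MODIFY_STATE, 1 },   /* 3: kernel-only handle */
};

/* Look up h, apply the checks for `mode`, return a referenced pointer via out. */
int reference_by_handle(handle_entry *t, size_t n, size_t h, unsigned desired,
                        obj_type want, access_mode mode, object **out)
{
    *out = NULL;
    if (h >= n || t[h].obj == NULL) return ST_INVALID_HANDLE;
    if (mode == MODE_USER && t[h].kernel_only) return ST_INVALID_HANDLE;
    if (t[h].obj->type != want) return ST_TYPE_MISMATCH;
    /* The granted-access check applies only to user-mode requests. */
    if (mode == MODE_USER && (t[h].granted & desired) != desired)
        return ST_ACCESS_DENIED;
    t[h].obj->refs++;
    *out = t[h].obj;
    return ST_OK;
}

/* IOCTL path: validate the caller's handle, then use only the pointer. */
int ioctl_set_event(handle_entry *t, size_t n, size_t h, access_mode mode)
{
    object *ev;
    int st = reference_by_handle(t, n, h, ACCESS_MODIFY_STATE, TYPE_EVENT, mode, &ev);
    if (st != ST_OK) return st;
    ev->signaled = 1;   /* set by pointer, not by handle */
    ev->refs--;         /* drop the reference when done */
    return ST_OK;
}

int main(void) { return ioctl_set_event(sample, 4, 1, MODE_USER) == ST_ACCESS_DENIED ? 0 : 1; }
```

In the model, the same application-supplied handle values that are rejected in user mode (entries 1 and 3) are accepted when the lookup is made in kernel mode, which is the class of mistake the Driver Verifier check discussed above is meant to catch.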