ExAllocatePoolWithTag/ExFreePool

Ashish_Goyal · September 9, 2009, 2:26am

Hi,
I allocate memory using ExAllocatePoolWithTag. Some driver holds the
reference to this memory and tries to access it after I have called
ExFreePool, then will it fail ALWAYS or it will succeed sometime and will
fail sometime.

Does ExfreePool unmaps the Physical Memory backed by that Virtual Memory
Address.
!fpsearch shows freed special pool for a specified address. How it works.
Does OS keeps track of freed address.

Thanks
Ashish

Aditya_Shrivastava · September 9, 2009, 4:02am

>> I allocate memory using ExAllocatePoolWithTag. Some driver holds the reference to this memory and tries to access it after I have called ExFreePool, then will it fail ALWAYS or it will succeed sometime and will fail sometime.

It depends, at first place why some driver will access memory allocated by you, now if that some driver is your’s second driver and is accessing the memory which is freed by your first driver than the most probable result is a immediate BSOD.

Other possible (hypothetical) scenario could be that after you free it, some other driver allocated it and get same pointer, now if you try to access that memory than it may not BSOD immediately but will surely create problem in your driver and in the driver which actually holds that memory. So in short if this is the design, it is flawed.

>1) Does ExfreePool unmaps the Physical Memory backed by that Virtual Memory Address.
Don’t you just want to ask whether it will free the memory or not. Why at all physical memory need to be backed by virtual memory. in fact a virtual memory address is backed by a page section or locked in RAM. I think the question is not clear.(Atleast I am not able to decode it)

Thanks
Aditya

OSR_Community_User · September 9, 2009, 4:16pm

>tries to access it after I have called ExFreePool, then will it fail ALWAYS or it will succeed sometime

and will fail sometime.

It will BSOD sometimes.

To catch this bug, run a heavy test suite with Driver Verifier Special Pool on.

Does ExfreePool unmaps the Physical Memory backed by that Virtual Memory Address.

Sometimes.

!fpsearch shows freed special pool for a specified address. How it works. Does OS keeps track of
freed address.

I think this only works with Verifier on.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com