Generating BSOD on demand

Hi,
I’ve a laptop with Windows 7 which I can’t debug (no COM, FireWire or PCMCIA port, and Syser crashes the system).
I’ve a crash where I allocate some memory, allocate an MDL with 0 offset and pass it on, and someone (don’t know who, couldn’t catch it with the verifier) writes some data before the beginning of the buffer, and when I get it back and try to free it, it crashes.

I had an idea of allocating 2 pages, writing my buffer at the beginning of the second page and somehow lock (or mark invalid) the first page, then when someone tries to write before my buffer (on the first page) it will generate a crash and I’ll be able to see who it is from the dump.

My question is, how can I mark a page as un-writable? or do you have any other creative idea on how to debug the issue?

thanks in advance,
Shachar Weinstein

On 25/03/2010 10:00, xxxxx@nana.co.il wrote:

I’ve a laptop with windows 7 which I can’t debug (no com, firewire or pcmcia port and syser crashes the system).
I’ve a crash there I allocate some memory allocate an MDL with 0 offset pass it on and someone (don’t know who, couldn’t catch it with the verifier) writes some data before the beginning of the buffer and when I get it back and try to free it, it crashes.

Did you try with driver verifier’s special pool verify start option
enabled. It essentially does what you describe below for every
allocation. See:

http://msdn.microsoft.com/en-us/library/ms792863.aspx.

I had an idea of allocating 2 pages, writing my buffer at the beginning of the second page and somehow lock (or mark invalid) the first page, then when someone tries to write before my buffer (on the first page) it will generate a crash and I’ll be able to see who it is from the dump.

My question is, how can I mark a page as un-writable? or do you have any other creative idea on how to debug the issue?

Best regards,

Andrew


Andrew Lee Solarflare Communications
mailto:xxxxx@solarflare.com http://www.solarflare.com/

I run the verifier with the standard settings, which include the special pool option.
I’ve activated the verifier on all the drivers in the stack that I know of, both mine and Microsoft’s, but it’s probably some other driver I didn’t think of.

On 25/03/2010 10:53, xxxxx@nana.co.il wrote:

I run the verifier on with the standard setting which include the special pool option,

Verifier’s default special pool setting is “verify end” to look out for
buffer overflows. You mentioned you are suffering from a buffer
underrun, so you need to configure verifier to “verify start” special
pool alignment to look out for buffer underruns, it can’t look out for
both overflows and underflows at the same time. The link I gave you
mentions this in detail:

http://msdn.microsoft.com/en-us/library/ms792863.aspx

That link also says how to set “Verify Start” alignment:

“Note To activate the Special Pool feature by pool tag or
allocation size, or to set the Verify Start (detect underruns) and
Verify End (detect overruns) alignments, use the Global Flags
utility; these alignment settings apply to all special pool
allocations.”

The global flags utility is discussed here:

http://msdn.microsoft.com/en-us/library/ms792858.aspx

“Verify Start” is on the system registry page in the kernel special pool
tag group.

NOTE: Although this utility comes with the debugging tools, you need to
run it on the target machine *not* the machine running kd/windbg. And
if I remember correctly you need to reboot for changes to take effect.

Best regards,

Andrew


Andrew Lee Solarflare Communications
mailto:xxxxx@solarflare.com http://www.solarflare.com/

On 25/03/2010 10:53, xxxxx@nana.co.il wrote:

I run the verifier on with the standard setting which include the special pool option,
I’ve activated the verifier on all the drivers in the stack that I know of both my and microsoft’s, but it’s probably some other driver I didn’t think of.

Also if you are sure it is your driver allocating the memory then
activating driver for your driver only will be sufficient. Special pool
is limited; once it is exhausted, allocations succeed as normal using the
normal pools. To maximise the chance that your buffers get allocated
from special pool it is better to select just your driver. Verifier will
still catch bad accesses to the buffer even if they are in a driver
that hasn’t been explicitly enabled.

Best regards,

Andrew


Andrew Lee Solarflare Communications
mailto:xxxxx@solarflare.com http://www.solarflare.com/

Have you explored writing an entry in the event log? Tracing, discussed here
MANY times?

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@nana.co.il
Sent: Thursday, March 25, 2010 5:01 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Generating BSOD on demand

Hi,
I’ve a laptop with windows 7 which I can’t debug (no com, firewire or pcmcia
port and syser crashes the system).
I’ve a crash there I allocate some memory allocate an MDL with 0 offset pass
it on and someone (don’t know who, couldn’t catch it with the verifier)
writes some data before the beginning of the buffer and when I get it back
and try to free it, it crashes.

I had an idea of allocating 2 pages, writing my buffer at the beginning of
the second page and somehow lock (or mark invalid) the first page, then when
someone tries to write before my buffer (on the first page) it will generate
a crash and I’ll be able to see who it is from the dump.

My question is, how can I mark a page as un-writable? or do you have any
other creative idea on how to debug the issue?

thanks in advance,
Shachar Weinstein


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

__________ Information from ESET Smart Security, version of virus signature
database 4973 (20100325) __________

The message was checked by ESET Smart Security.

http://www.eset.com


Thanks Andrew it worked,
I guess you learn something new everyday.

Thanks again,
Shachar

KeBugCheckEx


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> Hi,
> I’ve a laptop with windows 7 which I can’t debug (no com, firewire or pcmcia port and syser crashes the system).
> I’ve a crash there I allocate some memory allocate an MDL with 0 offset pass it on and someone (don’t know who, couldn’t catch it with the verifier) writes some data before the beginning of the buffer and when I get it back and try to free it, it crashes.
>
> I had an idea of allocating 2 pages, writing my buffer at the beginning of the second page and somehow lock (or mark invalid) the first page, then when someone tries to write before my buffer (on the first page) it will generate a crash and I’ll be able to see who it is from the dump.
>
> My question is, how can I mark a page as un-writable? or do you have any other creative idea on how to debug the issue?
>
> thanks in advance,
> Shachar Weinstein
>

The problem is the OP does not know when to call the bug check. He wants to catch it as the offender writes to the buffer.

I think he can use the verifier’s special pool with Verify Start. Verify End is the default. Please double check if it is enabled for Verify Start, as the beginning of the pool is overwritten. On Windows 7, they support verifying memory allocated by IoAllocateMdl too.

Lijun


From: Maxim S. Shatskih
To: Windows System Software Devs Interest List
Sent: Thu, March 25, 2010 4:02:06 PM
Subject: Re:[ntdev] Generating BSOD on demand

KeBugCheckEx


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> Hi,
> I’ve a laptop with windows 7 which I can’t debug (no com, firewire or pcmcia port and syser crashes the system).
> I’ve a crash there I allocate some memory allocate an MDL with 0 offset pass it on and someone (don’t know who, couldn’t catch it with the verifier) writes some data before the beginning of the buffer and when I get it back and try to free it, it crashes.
>
> I had an idea of allocating 2 pages, writing my buffer at the beginning of the second page and somehow lock (or mark invalid) the first page, then when someone tries to write before my buffer (on the first page) it will generate a crash and I’ll be able to see who it is from the dump.
>
> My question is, how can I mark a page as un-writable? or do you have any other creative idea on how to debug the issue?
>
> thanks in advance,
> Shachar Weinstein
>

