IoCreateStreamFileObject vs. MS Netware redirector

Hi,

I found an interesting bugcheck which occurs in combination
of an antivirus software and MS Netware redirector
(nwrdr.sys).

It seems that the nwrdr.sys's cleanup handler
incorrectly processes the file objects that have been created
by IoCreateStreamFileObject.

See the following scenario:

  1. A file open request comes to the Antivirus (AV).
  2. The AV creates a new file object,
    using IoCreateStreamFileObject.
  3. When IoCreateStreamFileObject creates the
    file object, it inserts it into the object table
    (using ObInsertObject) and then closes the obtained handle
    using NtClose.
  4. The NtClose creates a cleanup request on the file object.
    The file object has the FsContext and FsContext2 set to NULL.
  5. When this file object comes to nwrdr.sys, it crashes.

Here is the call stack from the crash dump:

STACK_TEXT:
f2ccd768 f2b4d1eb ffae0038 f2ccd78c f2ccd790 nwrdr!NwDecodeFileObject+0x18
f2ccd7b0 f2b4d286 8115c430 ffa87a00 ffa33750 nwrdr!NwCommonCleanup+0x29
f2ccd7f0 804e3d77 ffb5ba58 ffa87a00 8131f520 nwrdr!NwFsdCleanup+0x36
f2ccd800 f9efd99d 804e3d77 ffa93590 ffa87a00 nt!IopfCallDriver+0x31
f2ccd804 804e3d77 ffa93590 ffa87a00 00000100 OurFilter!FilterPassThrough+0x3
f2ccd814 fa24ddc2 ffae0038 ffa1e750 ffa87a10 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
f2ccd82c fa24cff1 ffb4bb88 ffb4bc40 804e3d77 Antivirus+0x1dc2
f2ccd890 80567391 8131c020 ffb51a38 00000001 Antivirus+0xff1
f2ccd8c0 8056753b 8131c020 ffae0038 8133fad0 nt!ObpDecrementHandleCount+0x119
f2ccd8e8 805675ac e1000cf0 ffae0038 000004a0 nt!ObpCloseHandleTableEntry+0x14d
f2ccd930 8056a914 000004a0 00000000 00000001 nt!ObpCloseHandle+0x87
f2ccd944 8052d8dc 800004a0 00000000 ffae1808 nt!ObCloseHandle+0x12
f2ccd978 80615497 ffae0038 800004a0 00000000 nt!IoCreateStreamFileObjectEx+0x109
f2ccd98c fa24d8b9 ffae1808 00000000 ffb0d828 nt!IoCreateStreamFileObject+0x12
f2ccd9e8 fa24dcd8 ffae1808 ffb0d828 ffa93590 Antivirus+0x18b9
f2ccda10 fa24cff1 ffb4bb88 ffb4bc40 804e3d77 Antivirus+0x1cd8
f2ccdb20 f9efcd52 ffb5ba58 00000000 ff9e94e8 Antivirus+0xff1
f2ccdb50 8056386c ffb5ba58 00000000 ff9e94e8 OurFilter!FilterParseDevice+0x14
f2ccdbd8 80567c63 00000000 f2ccdc18 00000040 nt!ObpLookupObjectName+0x56a
f2ccdc2c 80571477 00000000 00000000 642d5501 nt!ObOpenObjectByName+0xeb
f2ccdca8 80571546 011cf6d0 00100001 011cf528 nt!IopCreateFile+0x407
f2ccdd04 8057160e 011cf6d0 00100001 011cf528 nt!IoCreateFile+0x8e
f2ccdd44 804df06b 011cf6d0 00100001 011cf528 nt!NtOpenFile+0x27
f2ccdd44 7c90eb94 011cf6d0 00100001 011cf528 nt!KiFastCallEntry+0xf8
011cf0e4 00000000 00000000 00000000 00000000 0x7c90eb94

If I look at the code in nwrdr!NwDecodeFileObject, there is:

nwrdr!NwDecodeFileObject:
f2b51204 55 push ebp
f2b51205 8bec mov ebp,esp
f2b51207 8b4508 mov eax,[ebp+0x8] ; The file object
f2b5120a 8b480c mov ecx,[eax+0xc]
f2b5120d 8b550c mov edx,[ebp+0xc]
f2b51210 890a mov [edx],ecx
f2b51212 8b4010 mov eax,[eax+0x10] ; FileObject->FsContext2 (NULL)
f2b51215 8b4d10 mov ecx,[ebp+0x10]
f2b51218 8901 mov [ecx],eax
f2b5121a 668b00 mov ax,[eax] ; Here is the crash

AFAIK the rule says that an FSD should expect a cleanup on a file object
which has been previously unseen.
What do you think?

L.

Ladislav,

I looked at the source to the MS version of the NetWare redirector and
your analysis is correct. The code is wrongly assuming that FsContext
and FsContext2 should already be setup. The fix is easy and
straightforward.

Unfortunately I can not simply go out and fix this in down-level OSes.
If this is an issue for you, I would contact your Microsoft Support Person
and request a fix. No one actually owns this driver anymore but you can
tell them that I would be willing to make the fix.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ladislav Zezula
Sent: Wednesday, November 17, 2004 10:45 PM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] IoCreateStreamFileObject vs. MS Netware redirector


> I looked at the source to the MS version of the NetWare redirector and
> your analysis is correct. The code is wrongly assuming that FsContext
> and FsContext2 should already be setup. The fix is easy and straight
> forward.

Maybe now the customer seeing the problem will
stop blaming our filter :-))

AFAIK similar problems occurred earlier on some
NT 4.0 MS redirectors (maybe not in the latest service pack).
Maybe driver writers who use this function should
consider adding something like

NTSTATUS FilterCleanup(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PFILE_OBJECT FileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;

    // IKnowThatIFilterThisDevice / MyFilterUsesIoCreateStreamFileObject stand
    // for the filter's own per-device knowledge; they are placeholders here.
    if (IKnowThatIFilterThisDevice &&
        MyFilterUsesIoCreateStreamFileObject &&
        FileObject->FsContext == NULL &&
        FileObject->FsContext2 == NULL)
    {
        // The lower FSD never saw a create on this file object (it came from
        // IoCreateStreamFileObject), so complete the request with STATUS_SUCCESS
        Irp->IoStatus.Status = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
    }

    // Otherwise pass the request down unchanged to the device we are attached to
    // (LowerDeviceObject is a placeholder for the filter's attached-to device)
    IoSkipCurrentIrpStackLocation(Irp);
    return IoCallDriver(LowerDeviceObject, Irp);
}

The same for close requests.

L.
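The crash scenario from the first message and the defensive check from the last one, modelled in plain C as an added illustration. This is not code from the thread, from nwrdr.sys or from either poster's filter; it does not use the Windows headers, and the FILE_OBJECT, FCB and CCB types, the node type codes and the three scenario helpers are all constructed stand-ins chosen so that the example runs offline. It shows the unsafe decode pattern (unconditionally dereferencing FsContext2, as in the disassembly) next to a decode that validates both contexts first, and a cleanup dispatcher that treats a file object with NULL contexts as "not ours" and acknowledges the cleanup instead of touching it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for the WDM/FSD types used in the thread.
 * They are NOT the real ntifs.h definitions; only the two context pointers
 * matter for the scenario being modelled. */
typedef long NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)

typedef struct _FILE_OBJECT {
    void *FsContext;   /* per-file node (FCB); NULL until the FSD's create path runs */
    void *FsContext2;  /* per-open context (CCB); NULL for the same reason */
} FILE_OBJECT, *PFILE_OBJECT;

/* Hypothetical FSD nodes, both starting with a 16-bit type code, which is the
 * word that "mov ax,[eax]" in the nwrdr disassembly fetches through FsContext2. */
#define NODE_TYPE_FCB 0x0F01
#define NODE_TYPE_CCB 0x0F02
typedef struct _FCB { uint16_t NodeTypeCode; uint16_t NodeByteSize; int OpenCount; } FCB;
typedef struct _CCB { uint16_t NodeTypeCode; uint16_t NodeByteSize; int CleanedUp; } CCB;

/* Mirrors the crashing pattern: trusts both context pointers unconditionally.
 * Called with a stream file object (both contexts NULL) it dereferences NULL. */
uint16_t UnsafeDecodeFileObject(PFILE_OBJECT FileObject, FCB **Fcb, CCB **Ccb)
{
    *Fcb = (FCB *)FileObject->FsContext;
    *Ccb = (CCB *)FileObject->FsContext2;
    return (*Ccb)->NodeTypeCode;          /* the faulting read in NwDecodeFileObject */
}

/* Hardened decode: a file object this FSD never opened has no contexts to decode. */
NTSTATUS SafeDecodeFileObject(PFILE_OBJECT FileObject, FCB **Fcb, CCB **Ccb)
{
    FCB *fcb = (FCB *)FileObject->FsContext;
    CCB *ccb = (CCB *)FileObject->FsContext2;

    if (fcb == NULL || ccb == NULL)
        return STATUS_INVALID_PARAMETER;
    if (fcb->NodeTypeCode != NODE_TYPE_FCB || ccb->NodeTypeCode != NODE_TYPE_CCB)
        return STATUS_INVALID_PARAMETER;   /* contexts belong to some other FSD */

    *Fcb = fcb;
    *Ccb = ccb;
    return STATUS_SUCCESS;
}

typedef enum { CLEANUP_NOT_OURS = 0, CLEANUP_TORN_DOWN = 1, CLEANUP_REJECTED = 2 } CLEANUP_ACTION;

/* Cleanup dispatcher following the rule stated in the thread: a cleanup may
 * arrive on a file object the FSD has never seen, and must not crash on it. */
CLEANUP_ACTION FsdCleanup(PFILE_OBJECT FileObject, NTSTATUS *Status)
{
    FCB *fcb;
    CCB *ccb;

    /* Both contexts NULL: created by IoCreateStreamFileObject (or never sent
     * through our create path). Acknowledge the cleanup and do nothing else. */
    if (FileObject->FsContext == NULL && FileObject->FsContext2 == NULL) {
        *Status = STATUS_SUCCESS;
        return CLEANUP_NOT_OURS;
    }

    *Status = SafeDecodeFileObject(FileObject, &fcb, &ccb);
    if (*Status != STATUS_SUCCESS)
        return CLEANUP_REJECTED;           /* half-initialised or foreign object */

    ccb->CleanedUp = 1;                    /* normal tear-down of the per-open state */
    fcb->OpenCount--;
    return CLEANUP_TORN_DOWN;
}

/* Scenario helpers with constructed objects, so the three cases can be checked. */
CLEANUP_ACTION StreamFileObjectScenario(void)
{
    FILE_OBJECT fo = { NULL, NULL };       /* what IoCreateStreamFileObject hands out */
    NTSTATUS st;
    return FsdCleanup(&fo, &st);
}

int NormalOpenScenario(void)               /* returns remaining open count, or -1 */
{
    FCB fcb = { NODE_TYPE_FCB, sizeof(FCB), 1 };
    CCB ccb = { NODE_TYPE_CCB, sizeof(CCB), 0 };
    FILE_OBJECT fo = { &fcb, &ccb };
    NTSTATUS st;
    if (FsdCleanup(&fo, &st) != CLEANUP_TORN_DOWN || !ccb.CleanedUp)
        return -1;
    return fcb.OpenCount;
}

CLEANUP_ACTION HalfInitialisedScenario(void)
{
    FCB fcb = { NODE_TYPE_FCB, sizeof(FCB), 1 };
    FILE_OBJECT fo = { &fcb, NULL };       /* only one context set: reject, don't crash */
    NTSTATUS st;
    return FsdCleanup(&fo, &st);
}

int main(void)
{
    printf("stream file object cleanup -> %d (0 = not ours)\n", StreamFileObjectScenario());
    printf("normal open cleanup        -> open count %d\n", NormalOpenScenario());
    printf("half-initialised object    -> %d (2 = rejected)\n", HalfInitialisedScenario());
    return 0;
}
```

The point of the split between SafeDecodeFileObject and FsdCleanup is that the "never seen" case is decided before any context pointer is read, which is exactly the check NwDecodeFileObject lacks; the node type codes additionally catch a file object whose contexts were set by a different driver, a case the thread does not discuss but which the same decode path would otherwise misinterpret.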