Hi,
I have found IOCTL_STORAGE_QUERY_PROPERTY in the IRP_MJ_DEVICE_CONTROL routine for the PDO.
Previously, I didn't return anything for this IOCTL, so after the driver's PnP start, a PnP remove followed.
So I want to return the data structure STORAGE_DEVICE_DESCRIPTOR, to avoid the PnP remove.
At first, I used the tool spti to fetch the STORAGE_DEVICE_DESCRIPTOR for a USB mass storage device.
Then in the IRP_MJ_DEVICE_CONTROL routine, I allocate a heap buffer for the STORAGE_DEVICE_DESCRIPTOR, and then copy this data into Irp->AssociatedIrp.SystemBuffer,
but it always blue screens.
Can anybody tell me where the reason is?
Or is there any WinDbg debugging command I can use for this issue?
And is this method of processing IOCTL_STORAGE_QUERY_PROPERTY right?
thank you,
///////////////////////////////////////////////////////////////////////////////////////
{
    irpStack = IoGetCurrentIrpStackLocation (Irp);
    buffer = Irp->AssociatedIrp.SystemBuffer;
    //outBuffer = Irp->UserBuffer;
    outBuffer = Irp->AssociatedIrp.SystemBuffer;
    pStorQuery = buffer;
    inlen = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    outlen = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    dwControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
    switch(dwControlCode)
    {
    case IOCTL_STORAGE_QUERY_PROPERTY:
        Bus_KdPrint_Def (BUS_DBG_SS_TRACE,("Bus_IoCtl: IOCTL_STORAGE_QUERY_PROPERTY!\n"));
        if(pStorQuery->PropertyId == StorageDeviceProperty)
        {
            if(outlen < sizeof(STORAGE_DEVICE_DESCRIPTOR))
            {
                Bus_KdPrint_Def (BUS_DBG_SS_TRACE,("Bus_IoCtl: Device buffer too small\n"));
                Irp->IoStatus.Status = status = STATUS_INVALID_DEVICE_REQUEST;
                IoCompleteRequest (Irp, IO_NO_INCREMENT);
                return status;
            }
            pStorDevDesc = ExAllocatePoolWithTag(NonPagedPool, sizeof(PSTORAGE_DEVICE_DESCRIPTOR), BUSENUM_POOL_TAG);
            if(!pStorDevDesc)
            {
                Irp->IoStatus.Status = status = STATUS_INSUFFICIENT_RESOURCES;
                IoCompleteRequest (Irp, IO_NO_INCREMENT);
                return status;
            }
            else{
                RtlCopyMemory(outBuffer,pStorDevDesc,outlen);
                status = STATUS_SUCCESS;
            }
            ExFreePool(pStorDevDesc);
            //Irp->IoStatus.Information = sizeof(STORAGE_DEVICE_DESCRIPTOR); -------------------->exist or not, will lead to blue screen
        }// if the upper code do not exists, windbg said that this code lead to blue screen
        break;
    default:
        break;
    }
    Irp->IoStatus.Status = status;
    IoCompleteRequest (Irp, IO_NO_INCREMENT);
    return status;
}
workingmailing wrote:
I have found IOCTL_STORAGE_QUERY_PROPERTY in the IRP_MJ_DEVICE_CONTROL
routine for the PDO.
Previously, I didn't return anything for this IOCTL, so after the
driver's PnP start, a PnP remove followed.
So I want to return the data structure STORAGE_DEVICE_DESCRIPTOR,
to avoid the PnP remove.
At first, I used the tool spti to fetch the
STORAGE_DEVICE_DESCRIPTOR for a USB mass storage device.
Then in the IRP_MJ_DEVICE_CONTROL routine, I allocate a heap buffer for the
STORAGE_DEVICE_DESCRIPTOR, and then copy this data into
Irp->AssociatedIrp.SystemBuffer,
but it always blue screens.
Can anybody tell me where the reason is?
The reason is that you are adding random code snippets without the
slightest idea of what you are doing. You allocated empty memory, and
then copied that memory to the ioctl’s output buffer. What do you think
that memory contained? It contained garbage. Some of the fields in
that structure are offsets to other things in the structure. You just
returned garbage information in those fields. When the client went to
use those offsets, it computed a bad address and exploded.
You are receiving this ioctl because you, as a disk driver, told the
operating system that you are driving a disk. Some client wants to know
about the disk you are driving. It is your responsibility to FILL IN
that structure with legitimate data that actually describes your disk.
You need to fill in the device type, and the vendor and product id, and
the string offsets, and the other various properties. YOU have to do
that. As a disk driver, you must KNOW this information.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Thank you Tim first.
In fact, I used spti.exe to fetch the STORAGE_DEVICE_DESCRIPTOR for a USB storage device first.
Therefore all these data are correct.
Then I allocate memory and copy the data that spti.exe got into this memory.
Then I copy this memory into the system buffer.
BTW, as the WDK says, the offsets can be set to NULL. For simplicity, I set all the offset members to 0.
//////////////////////////////////////////////////////////////////
            if(!pStorDevDesc)
            {
                Irp->IoStatus.Status = status = STATUS_INSUFFICIENT_RESOURCES;
                IoCompleteRequest (Irp, IO_NO_INCREMENT);
                return status;
            }
            else
            {
                pStorDevDesc->Version = 28;
                pStorDevDesc->Size = sizeof(STORAGE_DEVICE_DESCRIPTOR);//32;//67;
                pStorDevDesc->DeviceType = 0x0;
                pStorDevDesc->DeviceTypeModifier = 0x0;
                pStorDevDesc->RemovableMedia = TRUE;
                pStorDevDesc->CommandQueueing = FALSE;
                pStorDevDesc->VendorIdOffset = 0;//0x08;
                pStorDevDesc->ProductIdOffset = 0;//0x10;
                pStorDevDesc->ProductRevisionOffset = 0;//NULL;
                pStorDevDesc->SerialNumberOffset = 0;//NULL;
                pStorDevDesc->BusType = BusTypeUsb;
                pStorDevDesc->RawPropertiesLength = 0;//0x24;
                pStorDevDesc->RawDeviceProperties[0] = 0;//NULL;
                RtlCopyMemory(outBuffer,pStorDevDesc,outlen);
                status = STATUS_SUCCESS;
            }
            ExFreePool(pStorDevDesc);
            //Irp->IoStatus.Information = sizeof(STORAGE_DEVICE_DESCRIPTOR);----->exist or not, will lead to blue screen
        }// if the upper code do not exists, windbg said that this code lead to blue screen
- what size are you allocating for pStorDevDesc? your previous snippet was sizeof(PSTORAGE_DEVICE_DESCRIPTOR), should be sizeof(STORAGE_DEVICE_DESCRIPTOR)
- you don't need to allocate memory, just do this
    PSTORAGE_DEVICE_DESCRIPTOR pStorDevDesc = (PSTORAGE_DEVICE_DESCRIPTOR) outBuffer;
    Irp->IoStatus.Information = sizeof(*pStorDevDesc);
- turn on driver verifier, I am sure this is not the only bug you have
d
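A stand-alone C model of the handler Tim and Doron describe, added here as an example and not code from anyone in this thread: it fills the STORAGE_DEVICE_DESCRIPTOR in place in the output buffer with real string offsets, answers the header-only size probe, and reports the bytes written for IoStatus.Information. The struct definitions are assumed to mirror ntddstor.h so the file builds in user mode, and the function names are my own.

```c
#include <stdint.h>
#include <string.h>
/* Mirrors of the ntddstor.h layouts so this builds in user mode with a plain
 * C compiler; a real driver includes ntddstor.h and does not redefine them. */
typedef struct { uint32_t Version, Size; } STORAGE_DESCRIPTOR_HEADER;
typedef struct {
    uint32_t Version, Size;
    uint8_t  DeviceType, DeviceTypeModifier, RemovableMedia, CommandQueueing;
    uint32_t VendorIdOffset, ProductIdOffset, ProductRevisionOffset, SerialNumberOffset;
    uint32_t BusType;                   /* STORAGE_BUS_TYPE; BusTypeUsb is 7 */
    uint32_t RawPropertiesLength;
    uint8_t  RawDeviceProperties[1];
} STORAGE_DEVICE_DESCRIPTOR;
#define BusTypeUsb              7u
#define STATUS_SUCCESS          0
#define STATUS_BUFFER_TOO_SMALL ((int32_t)0xC0000023)

/* Appends a NUL-terminated string at *cursor if it fits and returns its offset
 * from the start of the descriptor; 0 means "not present", never garbage. */
static uint32_t put_string(uint8_t *base, uint32_t *cursor, uint32_t outlen, const char *s)
{
    uint32_t len = (uint32_t)strlen(s) + 1, off = *cursor;
    if (off + len > outlen) return 0;
    memcpy(base + off, s, len);
    *cursor += len;
    return off;
}

/* Answers StorageDeviceProperty directly in the caller's output buffer (the IRP's
 * SystemBuffer); *info receives the value for Irp->IoStatus.Information. */
int32_t fill_device_descriptor(void *out, uint32_t outlen, const char *vendor,
                               const char *product, uint32_t *info)
{
    STORAGE_DEVICE_DESCRIPTOR *d = out;
    uint32_t cursor = sizeof(*d);       /* strings go after the fixed part */
    uint32_t need = cursor + (uint32_t)strlen(vendor) + 1 + (uint32_t)strlen(product) + 1;
    *info = 0;
    if (outlen < sizeof(STORAGE_DESCRIPTOR_HEADER)) return STATUS_BUFFER_TOO_SMALL;
    if (outlen < sizeof(*d)) {          /* size probe: fill the header only */
        STORAGE_DESCRIPTOR_HEADER *h = out;
        h->Version = sizeof(*d);  h->Size = need;  *info = sizeof(*h);
        return STATUS_SUCCESS;
    }
    memset(d, 0, sizeof(*d));           /* no uninitialised bytes reach the caller */
    d->Version = sizeof(*d);  d->Size = need;
    d->DeviceType = 0;  d->RemovableMedia = 1;  d->BusType = BusTypeUsb;
    d->VendorIdOffset  = put_string(out, &cursor, outlen, vendor);
    d->ProductIdOffset = put_string(out, &cursor, outlen, product);
    *info = cursor;                     /* bytes actually written, not outlen */
    return STATUS_SUCCESS;
}
```

In a driver the same function would be called with Irp->AssociatedIrp.SystemBuffer and the OutputBufferLength from the stack location, and its result assigned to Irp->IoStatus.Information before completing the IRP.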
Thank you Holan.
As you said, now the disk.sys driver is successfully loaded and started.
The next step may be to translate the SRBs in the IRP_MJ_SCSI routine into URBs and then forward them to USBD.sys.
thank you very much.
workingmailing@163.com wrote:
In fact, I used spti.exe to fetch the STORAGE_DEVICE_DESCRIPTOR for a USB storage device first.
Therefore all these data are correct.
Then I allocate memory and copy the data that spti.exe got into this memory.
Then I copy this memory into the system buffer.
What this tells me is that you haven’t been showing us your real code,
because the code you showed us wasn’t filling in that structure.
Only you can do the “!analyze -v” and see where the crash really
happens. Only you can then back up to figure out how you triggered that
crash. We can’t do desk-checking for you, because we don’t have your
source code. You keep showing us edited extracts, but I hope it is
clear that it’s impossible to debug anything in an edited extract.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.