According to the latest DDK, IoGetCurrentProcess can be called at any IRQL.
I have found two other sources that indicate that it can only be called at
PASSIVE_LEVEL. One of these sources is here:
http://www.osronline.com/ddkx/kmarch/k104_48c2.htm. The other source is the
latest version of PREfast.
I think the DDK is incorrect. I would like to hear from anyone that thinks
different.
Takin
Takin Nili-Esfahani wrote:
> According to the latest DDK, IoGetCurrentProcess can be called at any IRQL.
> I have found two other sources that indicate that it can only be called at
> PASSIVE_LEVEL. One of these sources is here:
> http://www.osronline.com/ddkx/kmarch/k104_48c2.htm. The other source is the
> latest version of PREfast.
> I think the DDK is incorrect. I would like to hear from anyone that thinks
> different.
I think the DDK is correct. Common sense needs to rule here.
IoGetCurrentProcess is pulling a single dword from a structure that is
always present. Here is the ENTIRE source code for IoGetCurrentProcess
in XP SP2:
kd> u IoGetCurrentProcess
nt!PsGetCurrentProcess:
804e5e10 64a124010000    mov     eax,fs:[00000124]
804e5e16 8b4044          mov     eax,[eax+0x44]
804e5e19 c3              ret
It’s hard to imagine how that could ever be unsafe.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
The DDK version you have is wrong. The latest DDK has it correctly:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/
hh/kmarch/k104_f59c640e-e335-46e0-a6ca-2f672bb6fc35.xml.asp
(beware of wrap)
d
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Friday, May 13, 2005 12:24 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] IoGetCurrentProcess IRQL requirement
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
In some DISPATCH_LEVEL contexts like DPCs and routines called by DPCs
(completion routines, NDIS and TDI receive paths) - the notion of “current
process” is just not valid at all. Trying to get it will return some arbitrary
process.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
Maxim S. Shatskih wrote:
> In some DISPATCH_LEVEL contexts like DPCs and routines called by DPCs
> (completion routines, NDIS and TDI receive paths) - the notion of “current
> process” is just not valid at all. Trying to get it will return some arbitrary
> process.
You are saying two different things here. Yes, I will get some
arbitrary process, but (barring a system failure) it will always be a
VALID process.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
The offending code that PREfast flagged is not in one of those paths. It is
in an IOCTL path called from usermode. However, IoGetCurrentProcess is
being called after a spinlock is acquired. In this situation, it should
return the correct process in a safe manner, no?
Takin
The DDK in that link says that IoGetCurrentProcess can be called at any
IRQL.
So are you saying that the DDK is correct and PREfast is wrong?
Takin
Yes, in this instance.
d
I wouldn’t count on it. Acquiring the spinlock raised IRQL to DISPATCH_LEVEL
which is an arbitrary thread context.
–
The personal opinion of
Gary G. Little
If the spinlock is acquired in the context of the calling application,
that will not change context and IoGetCurrentProcess will still return
the calling process.
d
Is that really the case? Just acquiring a spinlock in the current thread
will change the thread context by itself where u cannot get the current
process and it becomes arbitrary thread context? Doesn’t sound right.
Mukul Kotwani wrote:
> Is that really the case? Just acquiring a spinlock in the current thread
> will change the thread context by itself where u cannot get the current
> process and it becomes arbitrary thread context? Doesn’t sound right.
No. Doron just said that this ISN’T correct.
To reiterate: Acquiring a spinlock can raise the current IRQL. Anytime
the IRQL is raised to IRQL DISPATCH_LEVEL or above, the current thread
becomes non pre-emptable, and that CPU is in a non dispatchable state.
Thus, the current thread context is preserved at least until the IRQL is
lowered below IRQL DISPATCH_LEVEL.
Peter
OSR
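The two cases argued over in this thread (reading the current process under a spinlock in an IOCTL path, and reading it in a DPC), as a small user-mode model in C. This is an added example, not code from any poster or from Windows; the Cpu/Thread/Process types, the PIDs and all function names are constructed for illustration.

```c
#include <stdio.h>

/* Constructed user-mode model; every name and PID below is hypothetical. */
enum { PASSIVE_LEVEL = 0, DISPATCH_LEVEL = 2 };

typedef struct { int pid; } Process;
typedef struct { Process *process; } Thread;
typedef struct { int irql; Thread *current; } Cpu;

/* Mirrors the disassembly quoted in the thread: load the per-CPU current
   thread, then the process pointer stored in it. No IRQL dependency. */
static Process *get_current_process(const Cpu *cpu) {
    return cpu->current->process;
}

/* The scheduler can only switch threads below DISPATCH_LEVEL. */
static int try_context_switch(Cpu *cpu, Thread *next) {
    if (cpu->irql >= DISPATCH_LEVEL) return 0;   /* CPU not dispatchable */
    cpu->current = next;
    return 1;
}

static int acquire_spinlock(Cpu *cpu) {
    int old = cpu->irql;
    cpu->irql = DISPATCH_LEVEL;
    return old;
}

static void release_spinlock(Cpu *cpu, int old) { cpu->irql = old; }

/* A DPC runs at DISPATCH_LEVEL on top of whatever thread the CPU holds. */
static int run_dpc(Cpu *cpu) {
    int old = cpu->irql, pid;
    cpu->irql = DISPATCH_LEVEL;
    pid = get_current_process(cpu)->pid;
    cpu->irql = old;
    return pid;
}

/* Case 1: IOCTL dispatch routine in the caller's thread, lock held. */
int ioctl_under_spinlock(void) {
    Process app = {100}, other = {200};
    Thread caller = {&app}, bystander = {&other};
    Cpu cpu = {PASSIVE_LEVEL, &caller};
    int old = acquire_spinlock(&cpu);
    int switched = try_context_switch(&cpu, &bystander);  /* refused */
    int pid = get_current_process(&cpu)->pid;
    release_spinlock(&cpu, old);
    return switched ? -1 : pid;
}

/* Case 2: request issued by pid 100, finished later in a DPC. */
int dpc_after_switch(int *captured_pid) {
    Process app = {100}, other = {200};
    Thread caller = {&app}, bystander = {&other};
    Cpu cpu = {PASSIVE_LEVEL, &caller};
    *captured_pid = get_current_process(&cpu)->pid;  /* saved at dispatch */
    try_context_switch(&cpu, &bystander);            /* allowed: PASSIVE */
    return run_dpc(&cpu);                            /* bystander's pid */
}

int main(void) {
    int captured;
    int seen = dpc_after_switch(&captured);
    printf("under spinlock: %d\n", ioctl_under_spinlock());
    printf("DPC saw %d, requester was %d\n", seen, captured);
    return 0;
}
```

In both cases the lookup itself succeeds and returns a valid process; what differs is whether that process is the one that issued the request, which matters when the value feeds an access or ownership decision.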
I think the idea here is one of discretion. No, acquiring a spinlock will
not of itself change the thread context, though it will raise IRQL to
DISPATCH_LEVEL. Doing anything that requires a specific thread context at
DISPATCH_LEVEL is unwise, since by definition thread context is arbitrary.
It may work for thousands of times, and crash once simply because the
tiniest of windows occurred to allow a thread context you were not
expecting.
Gary