Is given memory from kernel address space readable? How to check?

Hello!

I’m working on adding a check for input buffers supplied by another
kernel-mode component but not a user-level process.

In user mode I can to do something like this:

__try {

memcpy(tmp_buf, input_buffer, size);

} __except(EXCEPTION_EXECUTE_HANDLER) {

}

or check for some magic values in input_buffer inside __try {}.

But in kernel-mode __try {} seems to be doesn’t work as I wish. I’m on
PASSIVE_LEVEL by the way and I think the problem related with the
input_buffer from PagedPool address space.

The question is is there’s a way to check by pointer and size is memory in
kernel address space readable?

Vlad

Hi Vlad

__try {
//…
}
__except(EXCEPTION_EXECUTE_HANDLER) {
DWORD dwErr = GetExceptionCode();
//…
}

works Ok in Kernel Mode
GetExceptionCode() returns exception code.

Nikolay

“Vladislav Goncharov” wrote in message
news:xxxxx@ntdev…
> Hello!
>
> I’m working on adding a check for input buffers supplied by another
> kernel-mode component but not a user-level process.
>
> In user mode I can to do something like this:
>
> __try {
>
> memcpy(tmp_buf, input_buffer, size);
>
> }__except(EXCEPTION_EXECUTE_HANDLER) {
>
> …
>
> }
>
> or check for some magic values in input_buffer inside try {}.
>
> But in kernel-mode
try {} seems to be doesn’t work as I wish. I’m on
> PASSIVE_LEVEL by the way and I think the problem related with the
> input_buffer from PagedPool address space.
>
> The question is is there’s a way to check by pointer and size is memory in
> kernel address space readable?
>
> Vlad
>
>
>

There’s no good way to test the validity of a kernel-mode buffer. If
another driver hands you a bad kernel buffer then there’s a bug in that
driver.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
Vladislav Goncharov
Sent: Wednesday, October 27, 2004 3:12 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Is given memory from kernel address space
readable? How to check?

Hello!

I’m working on adding a check for input buffers supplied by
another kernel-mode component but not a user-level process.

In user mode I can to do something like this:

__try {

memcpy(tmp_buf, input_buffer, size);

} __except(EXCEPTION_EXECUTE_HANDLER) {

}

or check for some magic values in input_buffer inside __try {}.

But in kernel-mode __try {} seems to be doesn’t work as I
wish. I’m on PASSIVE_LEVEL by the way and I think the problem
related with the input_buffer from PagedPool address space.

The question is is there’s a way to check by pointer and size
is memory in kernel address space readable?

Vlad


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as:
xxxxx@windows.microsoft.com To unsubscribe send a blank
email to xxxxx@lists.osr.com

> I’m working on adding a check for input buffers supplied by another

kernel-mode component but not a user-level process.

Usually there is no such checks for inside the kernel. If the caller provides
bad address - then the machine will BSOD due to caller’s fault.

ProbeForWrite cannot work for kernel addresses.

Also - at least for some boot configurations - there is no such thing as
“read-only memory” for kernel mode (Ring 0) code.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com