Kernel bug on XP Windows. Not tesed on Windows 7

Hi
I found a bug in Windows kernel.
This address memory “Buffer” is bad !!! there is a blue screen !

Excuse me - but I would like to report the bug to Microsoft.
Can you give me their (leur) @ mail:

The variable buffer is to be supposed to be good, I’m just like the driver “FastFAT”

Driver offering manage virtual file system by user process.

typedef struct {
BOOLEAN used;
BOOLEAN parameter;
WCHAR _namedriver[256];
WCHAR _namedos[256];
KEVENT waitbegindeviceiocontrol;
KEVENT waitenddeviceiocontrol;
HANDLE hProcessID;
WORD command;
NTSTATUS error;
WORD secdeviceiocontrol;
WORD secwaituser;
//KSPIN_LOCK lock;
KEVENT request_event;
BOOLEAN terminate_thread;
LIST_ENTRY list_head;
KSPIN_LOCK list_lock;
void* bufferstruct;
void* bufferdata;
void* bufferforwrite;
int sizebufferstruct;
int sizebufferdata;
int sizebufferforwrite;
//VARIABLE FOR DEBUGGING CRASH BLUE SCREEN
int _bg1,_bg2,_bg3,_bg4;
char *_bgb1;
char *_bgb2;
//
}TPARAMVDF,*PPARAMVDF;

PVOID
FatMapUserBuffer (
IN OUT PIRP Irp
)

/*++

Routine Description:

This routine conditionally maps the user buffer for the current I/O
request in the specified mode. If the buffer is already mapped, it
just returns its address.

Note that this is the *input/output* buffer.

Arguments:

Irp - Pointer to the Irp for the request.

Return Value:

Mapped address

–*/

{

PAGED_CODE();

//
// If there is no Mdl, then we must be in the Fsd, and we can simply
// return the UserBuffer field from the Irp.
//

if (Irp->MdlAddress == NULL) {

return Irp->UserBuffer;

} else {

PVOID Address = MmGetSystemAddressForMdlSafe( Irp->MdlAddress, NormalPagePriority );

if (Address == NULL) {

ExRaiseStatus( STATUS_INSUFFICIENT_RESOURCES );
}

return Address;
}
}

NTSTATUS FatQueryDirectory(PDEVICE_OBJECT DeviceObject,PIRP irp,PIO_STACK_LOCATION irps)
{
ULONG NextEntry;
ULONG LastEntry;
BOOLEAN sort;

PFILE_DIRECTORY_INFORMATION DirInfo;
PFILE_FULL_DIR_INFORMATION FullDirInfo;
PFILE_BOTH_DIR_INFORMATION BothDirInfo;
PFILE_ID_FULL_DIR_INFORMATION IdFullDirInfo;
PFILE_ID_BOTH_DIR_INFORMATION IdBothDirInfo;
PFILE_NAMES_INFORMATION NamesInfo;
FILE_INFORMATION_CLASS FileInformationClass;

PUCHAR Buffer;
ULONG32 CurrentVbo = 0;

PUNICODE_STRING UniArgFileName;
//WCHAR LongFileNameBuffer[4096];
UNICODE_STRING LongFileName;
ULONG BaseLength;
ULONG Length;

ULONG FileIndex;
BOOLEAN RestartScan;
BOOLEAN ReturnSingleEntry;
BOOLEAN IndexSpecified;
PPARAMVDF vdf;
int pos;
vdf=vdf_GetParam(DeviceObject);
if (vdf==NULL)
{
KdPrintf((“FatQueryDirectory : vdf==NULL”));
return STATUS_INVALID_HANDLE;

}

KdPrintf((“FatQueryDirectory…\n”));
// DebugTrace( 0, Dbg, " Wait = %08lx\n", FlagOn(IrpContext->Flags, IRP_CONTEXT_FLAG_WAIT));
KdPrintf((" Irp = %x\n", (int)irp));
KdPrintf((" ->Length = %08lx\n", irps->Parameters.QueryDirectory.Length));
KdPrintf((" ->FileName = %08lx\n", irps->Parameters.QueryDirectory.FileName));
KdPrintf((" ->FileInformationClass = %08lx\n", irps->Parameters.QueryDirectory.FileInformationClass));
KdPrintf((" ->FileIndex = %08lx\n", irps->Parameters.QueryDirectory.FileIndex));
KdPrintf((" ->UserBuffer = %08lx\n", irp->AssociatedIrp.SystemBuffer));
KdPrintf((" ->RestartScan = %08lx\n", FlagOn( irps->Flags, SL_RESTART_SCAN )));
KdPrintf((" ->ReturnSingleEntry = %08lx\n", FlagOn( irps->Flags, SL_RETURN_SINGLE_ENTRY )));
KdPrintf((" ->IndexSpecified = %08lx\n", FlagOn( irps->Flags, SL_INDEX_SPECIFIED )));

Length = irps->Parameters.QueryDirectory.Length;
FileIndex = irps->Parameters.QueryDirectory.FileIndex;

UniArgFileName = irps->Parameters.QueryDirectory.FileName;
FileInformationClass = irps->Parameters.QueryDirectory.FileInformationClass;

RestartScan = BooleanFlagOn(irps->Flags, SL_RESTART_SCAN);
ReturnSingleEntry = BooleanFlagOn(irps->Flags, SL_RETURN_SINGLE_ENTRY);
IndexSpecified = BooleanFlagOn(irps->Flags, SL_INDEX_SPECIFIED);

// Buffer = irp->UserBuffer;
Buffer = FatMapUserBuffer(irp);
vdf->_bgb1=(char*)Buffer;
vdf->_bg1=Length;
vdf->_bg2=FileIndex;
vdf->_bg4=FileInformationClass;
if (Buffer==NULL)
{
KdPrintf((“Buffer==NULL\n”));
return STATUS_INTERNAL_ERROR;
}
else
{
CurrentVbo = FileIndex;
switch (FileInformationClass) {

case FileDirectoryInformation:

BaseLength = FIELD_OFFSET( FILE_DIRECTORY_INFORMATION,
FileName[0] );
break;

case FileFullDirectoryInformation:

BaseLength = FIELD_OFFSET( FILE_FULL_DIR_INFORMATION,
FileName[0] );
break;

case FileIdFullDirectoryInformation:

BaseLength = FIELD_OFFSET( FILE_ID_FULL_DIR_INFORMATION,
FileName[0] );
break;

case FileNamesInformation:

BaseLength = FIELD_OFFSET( FILE_NAMES_INFORMATION,
FileName[0] );
break;

case FileBothDirectoryInformation:

BaseLength = FIELD_OFFSET( FILE_BOTH_DIR_INFORMATION,
FileName[0] );
break;

case FileIdBothDirectoryInformation:

BaseLength = FIELD_OFFSET( FILE_ID_BOTH_DIR_INFORMATION,
FileName[0] );
break;

default:

//CdCompleteRequest( IrpContext, Irp, STATUS_INVALID_INFO_CLASS );
return STATUS_INVALID_INFO_CLASS;
}
}
sort=FALSE;
pos=0;
//irps->
while (sort==FALSE)
{
NTSTATUS error;
TENUMDIR enumdir;
enumdir.FileIndex=FileIndex;
enumdir.infoclass=FileInformationClass;
error=0;
KdPrintf((“enum Fileindex = %x\n”,FileIndex));
CallUser(vdf,CMD_ENUM,sizeof (TENUMDIR),&enumdir,0,NULL,&error);
KdPrintf((“Queryfatinformation CallUser return error = %x”,error));
if (error==STATUS_SUCCESS)
{
int sizebuf=vdf->sizebufferstruct;
KdPrintf((“Return size %d\n”,sizebuf));
if (pos+sizebuf>(int)Length)
{
return STATUS_BUFFER_OVERFLOW;
}
vdf->_bg3=pos;
vdf->_bgb2=vdf->bufferstruct;

>HERE CRASH memcpy(Buffer+pos,vdf->bufferstruct,sizebuf);
pos+=QuadAlign(sizebuf);
if (pos>=(int)Length)
sort=TRUE;

}
else
{
if (error==STATUS_TIMEOUT)
return STATUS_DEVICE_NOT_READY;
else
return error;
}

}
irp->IoStatus.Information=pos;
return STATUS_SUCCESS;

}

NTSTATUS vdfdispatch(PDEVICE_OBJECT DeviceObject,PIRP irp,PIO_STACK_LOCATION irps)
{

NTSTATUS status;
status=STATUS_INVALID_HANDLE;
switch (irps->MajorFunction)
{
case IRP_MJ_CREATE:
KdPrintf((“IRP_MJ_CREATE irp:%x irps:%x\n”,irp,irps));
status = FatCommonCreate( DeviceObject,irp,irps );
break;
case IRP_MJ_READ:
KdPrintf((“IRP_MJ_READ irp:%x irps:%x\n”,irp,irps));
status = FatCommonRead( DeviceObject,irp,irps );
break;
case IRP_MJ_WRITE:
KdPrintf((“IRP_MJ_WRITE irp:%x irps:%x\n”,irp,irps));
status = FatCommonWrite( DeviceObject,irp,irps );
break;
case IRP_MJ_CLOSE:
KdPrintf((“IRP_MJ_CLOSE irp:%x irps:%x\n”,irp,irps));
status = FatCommonClose( DeviceObject,irp,irps);
break;
case IRP_MJ_DEVICE_CONTROL:
KdPrintf((“IRP_MJ_DEVICE_CONTROL irp:%x irps:%x\n”,irp,irps));
//status=FatQueryInformation(DeviceObject,irp,irps);
return STATUS_NOT_IMPLEMENTED;
break;
case IRP_MJ_QUERY_INFORMATION:
KdPrintf((“IRP_MJ_QUERY_INFORMATION irp:%x irps:%x\n”,irp,irps));
//status=FatQueryInformation(DeviceObject,irp,irps);
return STATUS_NOT_IMPLEMENTED;
break;
case IRP_MJ_FILE_SYSTEM_CONTROL:
{
KdPrintf((“IRP_MJ_FILE_SYSTEM_CONTROL irp:%x irps:%x\n”,irp,irps));
return STATUS_NOT_IMPLEMENTED;
}
break;
case IRP_MJ_QUERY_VOLUME_INFORMATION:
{
KdPrintf((“IRP_MJ_QUERY_VOLUME_INFORMATION irp:%x irps:%x\n”,irp,irps));
//FILE_FS_VOLUME_INFORMATION
status=FatQueryVolumeInformation(DeviceObject,irp,irps);
}
break;
case IRP_MJ_DIRECTORY_CONTROL:
{
KdPrintf((“IRP_MJ_DIRECTORY_CONTROL irp:%x irps:%x\n”,irp,irps));
switch (irps->MinorFunction)
{
case IRP_MN_NOTIFY_CHANGE_DIRECTORY:
{
KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY irp:%x irps:%x\n”,irp,irps));
return STATUS_INVALID_PARAMETER;
}
break;
case IRP_MN_QUERY_DIRECTORY:
KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY irp:%x irps:%x\n”,irp,irps));
status=FatQueryDirectory(DeviceObject,irp,irps);

break;
}
}
break;
}
return status;
}

there are functions not implemented “STATUS_NOT_IMPLEMENTED” , but later !

Thank You.

i 'm modify my code :
CallUser(vdf,CMD_ENUM,sizeof (TENUMDIR),&enumdir,0,NULL,&error);
KdPrintf((“Queryfatinformation CallUser return error = %x”,error));
if (error==STATUS_SUCCESS)
{
int sizebuf=vdf->sizebufferstruct;
KdPrintf((“Return size %d\n”,sizebuf));
if (pos+sizebuf>(int)Length)
{
sort=TRUE;
}
if (sort==FALSE)
{
vdf->_bg3=pos;
vdf->_bgb2=vdf->bufferstruct;
memcpy(Buffer+pos,vdf->bufferstruct,sizebuf);
pos+=QuadAlign(sizebuf);
if (pos>=(int)Length)
sort=TRUE;
}
}
else
{

eliminate status_buffer_overflow.

Always blue screen in buffer variable

Bug in kernel is always a possibility, but I don’t think you’ve done
anything other than invented a faulty driver.

Any chance that you’ve run this under the debugger and examined the
variables at the point of the crash?

I know that’s what most of us would do before saying that we’d found a bug
in the kernel…

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Monday, September 06, 2010 1:23 PM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] Kernel bug on XP Windows. Not tesed on Windows 7

> i 'm modify my code :
> CallUser(vdf,CMD_ENUM,sizeof (TENUMDIR),&enumdir,0,NULL,&error);
> KdPrintf((“Queryfatinformation CallUser return error = %x”,error));
> if (error==STATUS_SUCCESS)
> {
> int sizebuf=vdf->sizebufferstruct;
> KdPrintf((“Return size %d\n”,sizebuf));
> if (pos+sizebuf>(int)Length)
> {
> sort=TRUE;
> }
> if (sort==FALSE)
> {
> vdf->_bg3=pos;
> vdf->_bgb2=vdf->bufferstruct;
> memcpy(Buffer+pos,vdf->bufferstruct,sizebuf);
> pos+=QuadAlign(sizebuf);
> if (pos>=(int)Length)
> sort=TRUE;
> }
> }
> else
> {
>
> eliminate status_buffer_overflow.
>
> Always blue screen in buffer variable
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

There are some hits you should check.
How do you call a driver? Check a buffer length variable which an user application uses during creating a request. Do you always wait when a driver finished request? You should be very careful if you use NEITHER_IO request. It could be happen that the user application frees memory before the driver has access to it.

Igor Sharovar

No, that’s totally normal. The kernel is running at a privileged level and
does not tolerate bugs. It blue screens as soon as an error is detected. The
blue screen will help you break into the debugger and find the problem in
your code. That is if you have a debugger connect and set up your symbols
properly.

Like many people have told you and if you want to be taken serious, it’s
really time to learn how to set up your symbols so you can learn how to use
the debugger. You got a lot of replies to your previous queries, people have
been trying to assist you with that. Now you really have to listen to what
they told you, if not you are really wasting everyones time.

//Daniel

wrote in message news:xxxxx@ntdev…
> Hi
> I found a bug in Windows kernel.
> This address memory “Buffer” is bad !!! there is a blue screen !
>
> Excuse me - but I would like to report the bug to Microsoft.
> Can you give me their (leur) @ mail:
>
> The variable buffer is to be supposed to be good, I’m just like the driver
> “FastFAT”
>
> Driver offering manage virtual file system by user process.
>
> typedef struct {
> BOOLEAN used;
> BOOLEAN parameter;
> WCHAR _namedriver[256];
> WCHAR _namedos[256];
> KEVENT waitbegindeviceiocontrol;
> KEVENT waitenddeviceiocontrol;
> HANDLE hProcessID;
> WORD command;
> NTSTATUS error;
> WORD secdeviceiocontrol;
> WORD secwaituser;
> //KSPIN_LOCK lock;
> KEVENT request_event;
> BOOLEAN terminate_thread;
> LIST_ENTRY list_head;
> KSPIN_LOCK list_lock;
> void* bufferstruct;
> void* bufferdata;
> void* bufferforwrite;
> int sizebufferstruct;
> int sizebufferdata;
> int sizebufferforwrite;
> //VARIABLE FOR DEBUGGING CRASH BLUE SCREEN
> int _bg1,_bg2,_bg3,_bg4;
> char _bgb1;
> char _bgb2;
> //
> }TPARAMVDF,PPARAMVDF;
>
>
> PVOID
> FatMapUserBuffer (
> IN OUT PIRP Irp
> )
>
> /
++
>
> Routine Description:
>
> This routine conditionally maps the user buffer for the current I/O
> request in the specified mode. If the buffer is already mapped, it
> just returns its address.
>
> Note that this is the input/output buffer.
>
> Arguments:
>
> Irp - Pointer to the Irp for the request.
>
> Return Value:
>
> Mapped address
>
> –
/
>
> {
>
>
> PAGED_CODE();
>
> //
> // If there is no Mdl, then we must be in the Fsd, and we can simply
> // return the UserBuffer field from the Irp.
> //
>
> if (Irp->MdlAddress == NULL) {
>
> return Irp->UserBuffer;
>
> } else {
>
> PVOID Address = MmGetSystemAddressForMdlSafe( Irp->MdlAddress,
> NormalPagePriority );
>
> if (Address == NULL) {
>
> ExRaiseStatus( STATUS_INSUFFICIENT_RESOURCES );
> }
>
> return Address;
> }
> }
>
> NTSTATUS FatQueryDirectory(PDEVICE_OBJECT DeviceObject,PIRP
> irp,PIO_STACK_LOCATION irps)
> {
> ULONG NextEntry;
> ULONG LastEntry;
> BOOLEAN sort;
>
> PFILE_DIRECTORY_INFORMATION DirInfo;
> PFILE_FULL_DIR_INFORMATION FullDirInfo;
> PFILE_BOTH_DIR_INFORMATION BothDirInfo;
> PFILE_ID_FULL_DIR_INFORMATION IdFullDirInfo;
> PFILE_ID_BOTH_DIR_INFORMATION IdBothDirInfo;
> PFILE_NAMES_INFORMATION NamesInfo;
> FILE_INFORMATION_CLASS FileInformationClass;
>
> PUCHAR Buffer;
> ULONG32 CurrentVbo = 0;
>
> PUNICODE_STRING UniArgFileName;
> //WCHAR LongFileNameBuffer[4096];
> UNICODE_STRING LongFileName;
> ULONG BaseLength;
> ULONG Length;
>
> ULONG FileIndex;
> BOOLEAN RestartScan;
> BOOLEAN ReturnSingleEntry;
> BOOLEAN IndexSpecified;
> PPARAMVDF vdf;
> int pos;
> vdf=vdf_GetParam(DeviceObject);
> if (vdf==NULL)
> {
> KdPrintf((“FatQueryDirectory : vdf==NULL”));
> return STATUS_INVALID_HANDLE;
>
> }
>
>
>
> KdPrintf((“FatQueryDirectory…\n”));
> // DebugTrace( 0, Dbg, " Wait = %08lx\n",
> FlagOn(IrpContext->Flags, IRP_CONTEXT_FLAG_WAIT));
> KdPrintf((" Irp = %x\n", (int)irp));
> KdPrintf((" ->Length = %08lx\n",
> irps->Parameters.QueryDirectory.Length));
> KdPrintf((" ->FileName = %08lx\n",
> irps->Parameters.QueryDirectory.FileName));
> KdPrintf((" ->FileInformationClass = %08lx\n",
> irps->Parameters.QueryDirectory.FileInformationClass));
> KdPrintf((" ->FileIndex = %08lx\n",
> irps->Parameters.QueryDirectory.FileIndex));
> KdPrintf((" ->UserBuffer = %08lx\n",
> irp->AssociatedIrp.SystemBuffer));
> KdPrintf((" ->RestartScan = %08lx\n", FlagOn( irps->Flags,
> SL_RESTART_SCAN )));
> KdPrintf((" ->ReturnSingleEntry = %08lx\n", FlagOn( irps->Flags,
> SL_RETURN_SINGLE_ENTRY )));
> KdPrintf((" ->IndexSpecified = %08lx\n", FlagOn( irps->Flags,
> SL_INDEX_SPECIFIED )));
>
>
>
> Length = irps->Parameters.QueryDirectory.Length;
> FileIndex = irps->Parameters.QueryDirectory.FileIndex;
>
> UniArgFileName = irps->Parameters.QueryDirectory.FileName;
> FileInformationClass =
> irps->Parameters.QueryDirectory.FileInformationClass;
>
> RestartScan = BooleanFlagOn(irps->Flags, SL_RESTART_SCAN);
> ReturnSingleEntry = BooleanFlagOn(irps->Flags, SL_RETURN_SINGLE_ENTRY);
> IndexSpecified = BooleanFlagOn(irps->Flags, SL_INDEX_SPECIFIED);
>
> // Buffer = irp->UserBuffer;
> Buffer = FatMapUserBuffer(irp);
> vdf->_bgb1=(char
)Buffer;
> vdf->_bg1=Length;
> vdf->_bg2=FileIndex;
> vdf->_bg4=FileInformationClass;
> if (Buffer==NULL)
> {
> KdPrintf((“Buffer==NULL\n”));
> return STATUS_INTERNAL_ERROR;
> }
> else
> {
> CurrentVbo = FileIndex;
> switch (FileInformationClass) {
>
> case FileDirectoryInformation:
>
> BaseLength = FIELD_OFFSET( FILE_DIRECTORY_INFORMATION,
> FileName[0] );
> break;
>
> case FileFullDirectoryInformation:
>
> BaseLength = FIELD_OFFSET( FILE_FULL_DIR_INFORMATION,
> FileName[0] );
> break;
>
> case FileIdFullDirectoryInformation:
>
> BaseLength = FIELD_OFFSET( FILE_ID_FULL_DIR_INFORMATION,
> FileName[0] );
> break;
>
> case FileNamesInformation:
>
> BaseLength = FIELD_OFFSET( FILE_NAMES_INFORMATION,
> FileName[0] );
> break;
>
> case FileBothDirectoryInformation:
>
> BaseLength = FIELD_OFFSET( FILE_BOTH_DIR_INFORMATION,
> FileName[0] );
> break;
>
> case FileIdBothDirectoryInformation:
>
> BaseLength = FIELD_OFFSET( FILE_ID_BOTH_DIR_INFORMATION,
> FileName[0] );
> break;
>
> default:
>
> //CdCompleteRequest( IrpContext, Irp, STATUS_INVALID_INFO_CLASS );
> return STATUS_INVALID_INFO_CLASS;
> }
> }
> sort=FALSE;
> pos=0;
> //irps->
> while (sort==FALSE)
> {
> NTSTATUS error;
> TENUMDIR enumdir;
> enumdir.FileIndex=FileIndex;
> enumdir.infoclass=FileInformationClass;
> error=0;
> KdPrintf((“enum Fileindex = %x\n”,FileIndex));
> CallUser(vdf,CMD_ENUM,sizeof (TENUMDIR),&enumdir,0,NULL,&error);
> KdPrintf((“Queryfatinformation CallUser return error = %x”,error));
> if (error==STATUS_SUCCESS)
> {
> int sizebuf=vdf->sizebufferstruct;
> KdPrintf((“Return size %d\n”,sizebuf));
> if (pos+sizebuf>(int)Length)
> {
> return STATUS_BUFFER_OVERFLOW;
> }
> vdf->_bg3=pos;
> vdf->_bgb2=vdf->bufferstruct;
>>>HERE CRASH memcpy(Buffer+pos,vdf->bufferstruct,sizebuf);
> pos+=QuadAlign(sizebuf);
> if (pos>=(int)Length)
> sort=TRUE;
>
> }
> else
> {
> if (error==STATUS_TIMEOUT)
> return STATUS_DEVICE_NOT_READY;
> else
> return error;
> }
>
> }
> irp->IoStatus.Information=pos;
> return STATUS_SUCCESS;
>
>
>
>
>
>
> }
>
> NTSTATUS vdfdispatch(PDEVICE_OBJECT DeviceObject,PIRP
> irp,PIO_STACK_LOCATION irps)
> {
>
> NTSTATUS status;
> status=STATUS_INVALID_HANDLE;
> switch (irps->MajorFunction)
> {
> case IRP_MJ_CREATE:
> KdPrintf((“IRP_MJ_CREATE irp:%x irps:%x\n”,irp,irps));
> status = FatCommonCreate( DeviceObject,irp,irps );
> break;
> case IRP_MJ_READ:
> KdPrintf((“IRP_MJ_READ irp:%x irps:%x\n”,irp,irps));
> status = FatCommonRead( DeviceObject,irp,irps );
> break;
> case IRP_MJ_WRITE:
> KdPrintf((“IRP_MJ_WRITE irp:%x irps:%x\n”,irp,irps));
> status = FatCommonWrite( DeviceObject,irp,irps );
> break;
> case IRP_MJ_CLOSE:
> KdPrintf((“IRP_MJ_CLOSE irp:%x irps:%x\n”,irp,irps));
> status = FatCommonClose( DeviceObject,irp,irps);
> break;
> case IRP_MJ_DEVICE_CONTROL:
> KdPrintf((“IRP_MJ_DEVICE_CONTROL irp:%x irps:%x\n”,irp,irps));
> //status=FatQueryInformation(DeviceObject,irp,irps);
> return STATUS_NOT_IMPLEMENTED;
> break;
> case IRP_MJ_QUERY_INFORMATION:
> KdPrintf((“IRP_MJ_QUERY_INFORMATION irp:%x irps:%x\n”,irp,irps));
> //status=FatQueryInformation(DeviceObject,irp,irps);
> return STATUS_NOT_IMPLEMENTED;
> break;
> case IRP_MJ_FILE_SYSTEM_CONTROL:
> {
> KdPrintf((“IRP_MJ_FILE_SYSTEM_CONTROL irp:%x irps:%x\n”,irp,irps));
> return STATUS_NOT_IMPLEMENTED;
> }
> break;
> case IRP_MJ_QUERY_VOLUME_INFORMATION:
> {
> KdPrintf((“IRP_MJ_QUERY_VOLUME_INFORMATION irp:%x irps:%x\n”,irp,irps));
> //FILE_FS_VOLUME_INFORMATION
> status=FatQueryVolumeInformation(DeviceObject,irp,irps);
> }
> break;
> case IRP_MJ_DIRECTORY_CONTROL:
> {
> KdPrintf((“IRP_MJ_DIRECTORY_CONTROL irp:%x irps:%x\n”,irp,irps));
> switch (irps->MinorFunction)
> {
> case IRP_MN_NOTIFY_CHANGE_DIRECTORY:
> {
> KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY irp:%x irps:%x\n”,irp,irps));
> return STATUS_INVALID_PARAMETER;
> }
> break;
> case IRP_MN_QUERY_DIRECTORY:
> KdPrintf((“IRP_MN_NOTIFY_CHANGE_DIRECTORY irp:%x irps:%x\n”,irp,irps));
> status=FatQueryDirectory(DeviceObject,irp,irps);
>
> break;
> }
> }
> break;
> }
> return status;
> }
>
> there are functions not implemented “STATUS_NOT_IMPLEMENTED” , but later !
>
> Thank You.
>

the bug is that I am a return STATUS_PENDING with IoMarkIrpPending from a thread system called
and I get poplist irp on another thread (function void InThread(VOID * param)).
As a variable UserBuffer becomes incorrect.

I’ll try later to lock with :
PMDL mdl = IoAllocateMdl(Irp->UserBuffer, irps->Parameters.QueryDirectory.Length, FALSE, FALSE, Irp);
__try {
MmProbeAndLockPages(Irp->MdlAddress, Irp->RequestorMode, IoWriteAccess);

} __except (EXCEPTION_EXECUTE_HANDLER) {
KdPrintf((" MmProveAndLockPages error\n"));
IoFreeMdl(Irp->MdlAddress);
Irp->MdlAddress = NULL;
return STATUS_INSUFFICIENT_RESOURCES;
}

At the end the thread i call function IoCompleteRequest.

Do you think that it’s more likely that you’ve found a bug in an 8 year old operating system, or that there’s some problem with your code?

So you try to reference a user buffer when not in the context of the
user process. This is a common mistake by inexperienced developers,
I.E. people who should not be messing with file systems. THIS IS NOT A
KERNEL BUG, IT IS YOURS.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

xxxxx@sivaller.no-ip.org” wrote in
message news:xxxxx@ntdev:

> the bug is that I am a return STATUS_PENDING with IoMarkIrpPending from a thread system called
> and I get poplist irp on another thread (function void InThread(VOID * param)).
> As a variable UserBuffer becomes incorrect.
>
> I’ll try later to lock with :
> PMDL mdl = IoAllocateMdl(Irp->UserBuffer, irps->Parameters.QueryDirectory.Length, FALSE, FALSE, Irp);
> __try {
> MmProbeAndLockPages(Irp->MdlAddress, Irp->RequestorMode, IoWriteAccess);
>
> }__except (EXCEPTION_EXECUTE_HANDLER) {
> KdPrintf((" MmProveAndLockPages error\n"));
> IoFreeMdl(Irp->MdlAddress);
> Irp->MdlAddress = NULL;
> return STATUS_INSUFFICIENT_RESOURCES;
> }
>
> At the end the thread i call function IoCompleteRequest.

> As a variable UserBuffer becomes incorrect.

This is absolutely by design.

Look at FASTFAT sample - it does FatLockUserBuffer before offloading the IRP to a worker thread. You should do the same.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com