KERNEL_SECURITY_CHECK_FAILURE and Non-Pnp Disk Driver

Hi,

I am working on a driver which creates and removes a disk device based on a user request that is made through an IOCTL.

As it is not a PnP device, I am creating the device object myself and using the following code to report it to the PnP manager:

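/*
 * Report a driver-created (non-PnP) disk device object to the PnP manager and
 * expose it through the disk and mount-manager device interfaces.
 *
 * DriverObject - the driver that owns DeviceObject.
 * DeviceObject - the disk device object created by this driver; its extension
 *                must already carry a valid PtrDeviceStack (read unchecked).
 *
 * Returns the first failing NTSTATUS from GUID parsing, IoReportDetectedDevice,
 * IoAttachDeviceToDeviceStack (reported as STATUS_UNSUCCESSFUL) or
 * IoRegisterDeviceInterface; otherwise the result of the final
 * IoSetDeviceInterfaceState call.  A failure to enable the *disk* interface is
 * only logged and does not abort the mount-manager registration.
 *
 * NOTE(review): the PDO returned by IoReportDetectedDevice is owned by the PnP
 * manager, and nothing here undoes that report (or the attach) on the later
 * failure paths, nor is the disk interface unregistered if the mount-manager
 * registration fails.  The symbolic-link names written into MountingConfig are
 * allocated by IoRegisterDeviceInterface and are presumably released by the
 * removal path - confirm that each object is detached/deleted exactly once
 * there, since a second removal is what bugcheck 0x139 / Arg1 = 3 reports.
 */
NTSTATUS RegisteWithPnpManger(__in PDRIVER_OBJECT DriverObject, __in PDEVICE_OBJECT DeviceObject)
{
    PDEVICE_OBJECT pnpDeviceObject = NULL;
    NTSTATUS status;
    UNICODE_STRING strMountDevGuid;
    UNICODE_STRING strDiskGuid;
    GUID mountDevGuid;   /* same value as MOUNTDEV_MOUNTED_DEVICE_GUID (mountmgr.h) */
    GUID diskIfGuid;     /* same value as GUID_DEVINTERFACE_DISK (ntddstor.h)       */
    PWUFS_DEVICE_STACK ptrDeviceStack = GetDiskExtension(DeviceObject)->PtrDeviceStack;

    RtlInitUnicodeString(&strMountDevGuid, L"{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}");
    RtlInitUnicodeString(&strDiskGuid, L"{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}");

    /* Parse failures would otherwise leave the GUIDs uninitialised and register
     * interfaces under a garbage class. */
    status = RtlGUIDFromString(&strMountDevGuid, &mountDevGuid);
    if (!NT_SUCCESS(status)) {
        DebugWriteLine(" RtlGUIDFromString (mountdev) failed: 0x%x\n", status);
        return status;
    }
    status = RtlGUIDFromString(&strDiskGuid, &diskIfGuid);
    if (!NT_SUCCESS(status)) {
        DebugWriteLine(" RtlGUIDFromString (disk) failed: 0x%x\n", status);
        return status;
    }

    /* Ask the PnP manager to create a PDO for this root-detected device. */
    status = IoReportDetectedDevice(DriverObject, InterfaceTypeUndefined, 0, 0,
                                    NULL, NULL, FALSE, &pnpDeviceObject);
    if (!NT_SUCCESS(status)) {
        DebugWriteLine(" IoReportDetectedDevice failed: 0x%x\n", status);
        return status;
    }
    DebugWriteLine(" IoReportDetectedDevice success\n");

    /* A NULL result means the attach did not happen (typically the target is
     * going away); registering interfaces on an unattached PDO is not useful,
     * so this is treated as a hard failure instead of being logged and ignored. */
    if (IoAttachDeviceToDeviceStack(pnpDeviceObject, DeviceObject) == NULL) {
        DebugWriteLine(" IoAttachDeviceToDeviceStack failed\n");
        return STATUS_UNSUCCESSFUL;
    }
    DebugWriteLine(" IoAttachDeviceToDeviceStack success\n");

    /* Disk interface: register, remember the PDO, then enable. */
    status = IoRegisterDeviceInterface(pnpDeviceObject, &diskIfGuid,
                                       NULL, &ptrDeviceStack->MountingConfig.DiskDeviceInterfaceName);
    if (!NT_SUCCESS(status)) {
        DebugWriteLine(" IoRegisterDeviceInterface failed: 0x%x\n", status);
        return status;
    }
    DebugWriteLine(" IoRegisterDeviceInterface success: %wZ\n",
                   &ptrDeviceStack->MountingConfig.DiskDeviceInterfaceName);

    /* Only published once the first interface exists, as in the original flow. */
    ptrDeviceStack->PtrPnPDevice = pnpDeviceObject;

    status = IoSetDeviceInterfaceState(&ptrDeviceStack->MountingConfig.DiskDeviceInterfaceName, TRUE);
    if (NT_SUCCESS(status)) {
        DebugWriteLine(" IoSetDeviceInterfaceState success\n");
    } else {
        /* Deliberately non-fatal: the mount-manager interface is still registered. */
        DebugWriteLine(" IoSetDeviceInterfaceState failed: 0x%x\n", status);
    }

    /* Mount-manager interface: register, then enable; its enable status is the
     * function's return value. */
    status = IoRegisterDeviceInterface(pnpDeviceObject, &mountDevGuid,
                                       NULL, &ptrDeviceStack->MountingConfig.MountDeviceInterfaceName);
    if (!NT_SUCCESS(status)) {
        DebugWriteLine(" IoRegisterDeviceInterface failed: 0x%x\n", status);
        return status;
    }
    DebugWriteLine(" IoRegisterDeviceInterface success: %wZ\n",
                   &ptrDeviceStack->MountingConfig.MountDeviceInterfaceName);

    status = IoSetDeviceInterfaceState(&ptrDeviceStack->MountingConfig.MountDeviceInterfaceName, TRUE);
    if (NT_SUCCESS(status)) {
        DebugWriteLine(" IoSetDeviceInterfaceState success\n");
    } else {
        DebugWriteLine(" IoSetDeviceInterfaceState failed: 0x%x\n", status);
    }
    return status;
}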

and to remove it I am disabling the device interface with IoSetDeviceInterfaceState and then calling IoDeleteDevice.

It works fine for up to two add/remove cycles, but on the third removal (sometimes while adding) of the disk it crashes with

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd00029808710, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd00029808668, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

STACK_TEXT:
ffffd00029807c38 fffff80359beaa46 : 0000000000000000 0000000000000000 ffffd00029807da0 fffff80359a578cc : nt!DbgBreakPointWithStatus
ffffd00029807c40 fffff80359bea357 : 0000000000000003 0000000000000003 fffff80359b6ef80 0000000000000139 : nt!KiBugCheckDebugBreak+0x12
ffffd00029807ca0 fffff80359b610a4 : ffffe00004a59f88 0000000000000000 0000000000000000 0000000000000000 : nt!KeBugCheck2+0x8ab
ffffd000298083b0 fffff80359b6cae9 : 0000000000000139 0000000000000003 ffffd00029808710 ffffd00029808668 : nt!KeBugCheckEx+0x104
ffffd000298083f0 fffff80359b6ce10 : ffffe00005b51880 ffffe00001a0a1c0 ffffe00001a0a1c0 ffffe00001a0a4d0 : nt!KiBugCheckDispatch+0x69
ffffd00029808530 fffff80359b6c034 : 0000000000000000 0000000012c78cc5 0000000000000011 ffffc000f627a240 : nt!KiFastFailDispatch+0xd0
ffffd00029808710 fffff80359b77cdb : ffffd00029808940 ffffe00004a59f88 ffffe00001f8dbc0 0000000000000000 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000298088a0 fffff80359a3cbe8 : ffffe00004a59f40 0000000000000001 ffffe00004a59f40 0000000000000001 : nt! ?? ::FNODOBFM::`string'+0x682b
ffffd000298088d0 fffff80359a3ca63 : 0000000000000000 ffffe00001f8dbc0 0000000000000001 0000000000000000 : nt!CcDeallocateBcb+0x1c
ffffd00029808900 fffff80359a3c1ba : ffffe00001f8dbc0 00000000000002fd 0000000000000001 ffffd00029793af8 : nt!CcUnpinFileDataEx+0x3f3
ffffd00029808960 fffff80359a9e120 : 0000000000006573 ffffd00029808a61 0000000000000001 7ffff80359d5a000 : nt!CcReleaseByteRangeFromWrite+0xaa
ffffd000298089b0 fffff80359a9e84f : ffffe00001f69350 0000000000000000 ffffe00000000001 ffffd00029808af8 : nt!CcFlushCachePriv+0x4b0
ffffd00029808ac0 fffff80359a60adb : ffffe00001f99660 0000000000000001 ffffd00000000000 ffffe00001f53a20 : nt!CcWriteBehindInternal+0x187
ffffd00029808b50 fffff80359adc794 : ffffe0000151f040 ffffe00005c8d040 ffffe00005c8d040 ffffe00001452900 : nt!ExpWorkerThread+0x293
ffffd00029808c00 fffff80359b675c6 : fffff80359cf3180 ffffe00005c8d040 ffffe0000151f040 0000000000000000 : nt!PspSystemThreadStartup+0x58
ffffd00029808c60 0000000000000000 : ffffd00029809000 ffffd00029803000 0000000000000000 00000000`00000000 : nt!KiStartSystemThread+0x16

As I have not touched any LIST_ENTRY in this process, how is the linked list getting corrupted, and which linked list is this?
Is there a special procedure for deleting a non-PnP device whose absence is causing this error?

There is a LIST_ENTRY in the device objects queue. If the device has
already been removed, and you try a second removal, I can see how you might
run into this error. But that would be a red herring. You need to figure
out why you are getting the second removal. A cursory review of your
handler leads me to believe you may be trying too hard. Since it is a
non-PNP disk, you probably can do away with doing anything in the PNP
handler. I would suggest removing the PNP handler and see the results.

On Sun, Jan 31, 2016 at 7:26 AM wrote:

> Hi,
>
> I am working on driver which creates and remove the disk device base on
> user request that is done using IOCTL.
>
> As it is not PNP device. I am creating device and using following code to
> report device to PNP manager
>
>
> NTSTATUS RegisteWithPnpManger(__in PDRIVER_OBJECT DriverObject, __in
> PDEVICE_OBJECT DeviceObject)
> {
> PDEVICE_OBJECT pnpDeviceObject = NULL;
> NTSTATUS status;
> UNICODE_STRING DiskDeviceInterfaceName;
> UNICODE_STRING strMountDevGuid;
> UNICODE_STRING strDiskGuid;
> RtlInitUnicodeString(&strMountDevGuid,
> L"{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}");
> RtlInitUnicodeString(&strDiskGuid,
> L"{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}");
>
> GUID MOUNTDEV_MOUNTED_DEVICE_GUID;
> GUID GUID_DEVINTERFACE_DISK;
>
> RtlGUIDFromString(&strMountDevGuid, &MOUNTDEV_MOUNTED_DEVICE_GUID);
> RtlGUIDFromString(&strDiskGuid, &GUID_DEVINTERFACE_DISK);
>
> PWUFS_DEVICE_STACK ptrDeviceStack =
> GetDiskExtension(DeviceObject)->PtrDeviceStack;
> status = IoReportDetectedDevice(DriverObject,
> InterfaceTypeUndefined, 0, 0,
> NULL, NULL, FALSE, &pnpDeviceObject);
>
> if (NT_SUCCESS(status)) {
> DebugWriteLine(" IoReportDetectedDevice success\n");
> }
> else {
> DebugWriteLine(" IoReportDetectedDevice failed: 0x%x\n",
> status);
> return status;
> }
>
> if (IoAttachDeviceToDeviceStack(pnpDeviceObject, DeviceObject) !=
> NULL) {
> DebugWriteLine(" IoAttachDeviceToDeviceStack success\n");
> }
> else {
> DebugWriteLine(" IoAttachDeviceToDeviceStack failed\n");
> }
>
> status = IoRegisterDeviceInterface(pnpDeviceObject,
> &GUID_DEVINTERFACE_DISK,
> NULL,
> &ptrDeviceStack->MountingConfig.DiskDeviceInterfaceName);
>
> if (NT_SUCCESS(status)) {
> DebugWriteLine(" IoRegisterDeviceInterface success:
> %wZ\n",
>
> &ptrDeviceStack->MountingConfig.DiskDeviceInterfaceName);
>
>
> GetDiskExtension(DeviceObject)->PtrDeviceStack->PtrPnPDevice =
> pnpDeviceObject;
> }
> else {
> RtlInitUnicodeString(&DiskDeviceInterfaceName, NULL);
> DebugWriteLine(" IoRegisterDeviceInterface failed:
> 0x%x\n", status);
> return status;
> }
>
> status =
> IoSetDeviceInterfaceState(&ptrDeviceStack->MountingConfig.DiskDeviceInterfaceName,
> TRUE);
>
> if (NT_SUCCESS(status)) {
> DebugWriteLine(" IoSetDeviceInterfaceState success\n");
> }
> else {
> DebugWriteLine(" IoSetDeviceInterfaceState failed:
> 0x%x\n", status);
>
> }
>
> status =
> IoRegisterDeviceInterface(pnpDeviceObject,
> &MOUNTDEV_MOUNTED_DEVICE_GUID,
> NULL,
> &ptrDeviceStack->MountingConfig.MountDeviceInterfaceName);
>
> if (NT_SUCCESS(status)) {
> DebugWriteLine(" IoRegisterDeviceInterface success:
> %wZ\n",
>
> &ptrDeviceStack->MountingConfig.MountDeviceInterfaceName);
> }
> else {
> DebugWriteLine(" IoRegisterDeviceInterface failed:
> 0x%x\n", status);
> return status;
> }
>
> status =
> IoSetDeviceInterfaceState(&ptrDeviceStack->MountingConfig.MountDeviceInterfaceName,
> TRUE);
>
> if (NT_SUCCESS(status)) {
> DebugWriteLine(" IoSetDeviceInterfaceState success\n");
> }
> else {
> DebugWriteLine(" IoSetDeviceInterfaceState failed:
> 0x%x\n", status);
> }
> return status;
>
> }
>
>
> and to remove i am disabling the device using the
> IoSetDeviceInterfaceState and IoDeleteDevice.
>
>
> It works file upto two add/removal but in third time when it
> removes(sometime while adding) disk… it got crashed with
>
> KERNEL_SECURITY_CHECK_FAILURE (139)
> A kernel component has corrupted a critical data structure. The corruption
> could potentially allow a malicious user to gain control of this machine.
> Arguments:
> Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double
> remove).
> Arg2: ffffd00029808710, Address of the trap frame for the exception that
> caused the bugcheck
> Arg3: ffffd00029808668, Address of the exception record for the exception
> that caused the bugcheck
> Arg4: 0000000000000000, Reserved
>
> STACK_TEXT:
> ffffd00029807c38 fffff80359beaa46 : 0000000000000000 0000000000000000
> ffffd00029807da0 fffff80359a578cc : nt!DbgBreakPointWithStatus
> ffffd00029807c40 fffff80359bea357 : 0000000000000003 0000000000000003
> fffff80359b6ef80 0000000000000139 : nt!KiBugCheckDebugBreak+0x12
> ffffd00029807ca0 fffff80359b610a4 : ffffe00004a59f88 0000000000000000
> 0000000000000000 0000000000000000 : nt!KeBugCheck2+0x8ab
> ffffd000298083b0 fffff80359b6cae9 : 0000000000000139 0000000000000003
> ffffd00029808710 ffffd00029808668 : nt!KeBugCheckEx+0x104
> ffffd000298083f0 fffff80359b6ce10 : ffffe00005b51880 ffffe00001a0a1c0
> ffffe00001a0a1c0 ffffe00001a0a4d0 : nt!KiBugCheckDispatch+0x69
> ffffd00029808530 fffff80359b6c034 : 0000000000000000 0000000012c78cc5
> 0000000000000011 ffffc000f627a240 : nt!KiFastFailDispatch+0xd0
> ffffd00029808710 fffff80359b77cdb : ffffd00029808940 ffffe00004a59f88
> ffffe00001f8dbc0 0000000000000000 : nt!KiRaiseSecurityCheckFailure+0xf4
> ffffd000298088a0 fffff80359a3cbe8 : ffffe00004a59f40 0000000000000001
> ffffe00004a59f40 0000000000000001 : nt! ?? ::FNODOBFM::`string'+0x682b
> ffffd000298088d0 fffff80359a3ca63 : 0000000000000000 ffffe00001f8dbc0
> 0000000000000001 0000000000000000 : nt!CcDeallocateBcb+0x1c
> ffffd00029808900 fffff80359a3c1ba : ffffe00001f8dbc0 00000000000002fd
> 0000000000000001 ffffd00029793af8 : nt!CcUnpinFileDataEx+0x3f3
> ffffd00029808960 fffff80359a9e120 : 0000000000006573 ffffd00029808a61
> 0000000000000001 7ffff80359d5a000 : nt!CcReleaseByteRangeFromWrite+0xaa
> ffffd000298089b0 fffff80359a9e84f : ffffe00001f69350 0000000000000000
> ffffe00000000001 ffffd00029808af8 : nt!CcFlushCachePriv+0x4b0
> ffffd00029808ac0 fffff80359a60adb : ffffe00001f99660 0000000000000001
> ffffd00000000000 ffffe00001f53a20 : nt!CcWriteBehindInternal+0x187
> ffffd00029808b50 fffff80359adc794 : ffffe0000151f040 ffffe00005c8d040
> ffffe00005c8d040 ffffe00001452900 : nt!ExpWorkerThread+0x293
> ffffd00029808c00 fffff80359b675c6 : fffff80359cf3180 ffffe00005c8d040
> ffffe0000151f040 0000000000000000 : nt!PspSystemThreadStartup+0x58
> ffffd00029808c60 0000000000000000 : ffffd00029809000 ffffd00029803000
> 0000000000000000 00000000`00000000 : nt!KiStartSystemThread+0x16
>
>
> As I have not touched any LIST_ENTRY in this process … How it the
> LINKED_LIST getting curropted and which linked list is this…
> Is there any special process to delete Non-Pnp device which is causing
> this error…?
>

> As it is not PNP device. I am creating device and using following code to report device to PNP manager

This is absolutely impossible.

Write a root-enumerated parent and a bus driver using KMDF.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com