Memory mapped file via filter causing NTFS crash

Hi folks,

I’ve written a filter driver that sits above the NTFS file system to
encrypt data. On receiving a create/open request for an encrypted file, my
driver processes the IRP and handles all further operations for the file.
The filtered file system never receives requests for these files. This
works fine for normal file access.

However, when opening the file for memory mapped access, I get an access
violation in NTFS (details below). This occurs during the processing of
CreateFileMapping. What is worrying is that my driver never receives an IRP
or FastIO call to process this function; the processing goes straight to
NTFS, which knows nothing about my FILE_OBJECT. The exception is caused
when NTFS tries to read its FsContext structure, which is smaller than in
my driver, hitting unallocated memory.

Has anyone seen anything like this before? Do you know how I can stop NTFS
from receiving this processing request?

Many thanks,
Andy

The windbg stack dump is as follows:

Windows 2000 Professional Checked
813d95e8 00000000 f70fccbc Ntfs!NtfsDeleteFile+0x429
813d95e8 00000000 80063418 ntoskrnl!VdmSkipNpxInstruction+0x68
f70fcd10 000f0005 00000000 ntoskrnl!IoWMISystemControl+0x425
0012f804 000f0005 00000000 ntoskrnl!CmGetSystemControlValues+0x94
badb0d00 0012f7b0 12345678 ntoskrnl!MmFlushVirtualMemory+0x94
00000054 00000000 00000002 NTDLL!RtlpStatusTable+0x3e3
fe0000c6 563074ff dd2f0868 Win32 Test Harness+0x2016
00000000 00000000 00000000 0xf70c758b

Windows 2000 Professional Free
814fd488 08000000 f74b1cc8 Ntfs!NtfsAcquireForCreateSection+0x11
814fd488 00000000 00000000 ntoskrnl!FsRtlAcquireFileExclusive+0x32
f74b1d1c 000f0005 00000000 ntoskrnl!MmCreateSection+0x238
0012f810 000f0005 00000000 ntoskrnl!NtCreateSection+0x129
0012f810 000f0005 00000000 ntoskrnl!KiSystemService+0xc4
00000058 00000000 00000002 ntdll!ZwCreateSection+0xb
00000058 00000000 00000002 0x402016
fe0000c6 42850fff 8b0002ae 0x402016
00000000 00000000 00000000 0xf70c758b


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You own the SCB, so you would need to hook everything the file system
hooks in order to manage it.
You need to hook all the Cc & Mm callbacks into the file system (in
the specific case below, it’s
AcquireFileForCreateSection & the corresponding release).

In XP, you can hook these cleanly via an FsRtl registration, which is
documented.

For previous versions, you will have to resort to ugly hacks, and it’s
easy to get this wrong so that interoperability is compromised.

Let me know which version of the OS you need this to work on.

Ravi

-----Original Message-----
From: xxxxx@ArmourSoft.com [mailto:xxxxx@ArmourSoft.com]
Sent: Wednesday, August 22, 2001 6:00 PM
To: File Systems Developers
Subject: [ntfsd] Memory mapped file via filter causing NTFS crash

Andy,

There are six fast I/O calls used in the FsRtl package that bypass a file
system filter driver. These are the six calls related to VM-level locking
(AcquireFile, ReleaseFile, AcquireForModWrite, ReleaseForModWrite,
AcquireForCcFlush, ReleaseForCcFlush).

You can use FsRtlRegisterFileSystemFilterCallbacks to register for these six
fast I/O operations, but only on Windows XP.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@ArmourSoft.com [mailto:xxxxx@ArmourSoft.com]
Sent: Wednesday, August 22, 2001 9:00 PM
To: File Systems Developers
Subject: [ntfsd] Memory mapped file via filter causing NTFS crash

Thanks for the replies guys,

I’m starting to regret ever suggesting this project ;-)
The more I get into it, the more complex it seems to get.

We are supporting 2000 Pro/Server and XP only.

Does anyone have any code to demonstrate the callback hooking
in 2000?

- Andy