Memory mapped Paging Writes Zero Data in Encrypted File

Hi,

I am working with an isolation (shadow file object based) encryption filter which allows multiple views, based on logged in user.
I am facing this peculiar issue with memory mapped files.
A user authorized to access plain text (decrypted text) adds some text at the end of a 10 MB text file using notepad.

Then, another user who has encrypted text access, logs into the machine (mstsc) and takes a backup copy of that file.
The first user again adds some more text to the end of the file and saves it.

The encrypt only user again takes backup of this file.
Now, the second backup shows that all the text that has been added at the end of the file are zeros.
These zeros persist till a page boundary and after that normal encrypted text is seen in the file.

In windbg, I saw that the buffer got during paging writes while saving the file, does not have these zeros.
Note-I use FltWriteFile for writing to the lower filesystem.
Any pointers are welcome.

Adding more info:
The buffer I inspected in paging i/o was the encrypted buffer before it is written to the lower file system (NTFS).
If I don’t do a read by the cipher user and keep on adding text to the file, all works well.
The moment I do a read, the next write by the plain text user shows this issue.

Hello,

Are you issuing the writes using FltWriteFile() as paging writes?

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com http:</http:>
866.263.9295

------ Original Message ------
From: xxxxx@gmail.com
To: “Windows File Systems Devs Interest List”
Sent: 6/7/2015 10:06:33 PM
Subject: [ntfsd] Memory mapped Paging Writes Zero Data in Encrypted File

>Hi,
>
>I am working with an isolation (shadow file object based) encryption
>filter which allows multiple views, based on logged in user.
>I am facing this peculiar issue with memory mapped files.
>A user authorized to access plain text (decrypted text) adds some text
>at the end of a 10 MB text file using notepad.
>
>Then, another user who has encrypted text access, logs into the machine
>(mstsc) and takes a backup copy of that file.
>The first user again adds some more text to the end of the file and
>saves it.
>
>The encrypt only user again takes backup of this file.
>Now, the second backup shows that all the text that has been added at
>the end of the file are zeros.
>These zeros persist till a page boundary and after that normal
>encrypted text is seen in the file.
>
>In windbg, I saw that the buffer got during paging writes while saving
>the file, does not have these zeros.
>Note-I use FltWriteFile for writing to the lower filesystem.
>Any pointers are welcome.
>
>
>
>
>
>—
>NTFSD is sponsored by OSR
>
>OSR is hiring!! Info at http://www.osr.com/careers
>
>For our schedule of debugging and file system seminars visit:
>http://www.osr.com/seminars
>
>To unsubscribe, visit the List Server section of OSR Online at
>http://www.osronline.com/page.cfm?name=ListServer

Yes, I am using FltWriteFile for paging writes and non cached writes.
For paging writes, FLTFL_IO_OPERATION_PAGING is set in the flags field while calling FltWriteFile().