Problem SYSTEM_SERVICE_EXCEPTION

Hi All,

I am accessing members of a data structure using a pointer which is an IN parameter for my function. But sometimes it produces SYSTEM_SERVICE_EXCEPTION (3b) with Exception code c0000005.

It is possible that the memory I am accessing will become invalid at any time and I don’t have control over it. So what approach should I use…

  1. Use MmIsAddressValid
  2. Exception Handling
  3. Both
  4. Any other way?

Thanks & Regards,
Amit.

It all depends on what you’re doing exactly, but could you post an !analyze -v?

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Monday, May 16, 2011 6:57 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem SYSTEM_SERVICE_EXCEPTION



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

On Mon, May 16, 2011 at 11:57 AM, wrote:
> It is possible that the memory I am accessing will become invalid at any time and I don’t have control over it.

Why? What are you trying to do? And how are you expecting
MmIsAddressValid to work in this case (since memory can become invalid
at any time)?

Kris

The most common solution for this is to map the memory into the kernel
address space using MmProbeAndLockPages.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

"xxxxx@yahoo.com" wrote in message news:xxxxx@ntdev:


Here is the output of !analyze -V

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff880081e1778, Address of the exception record for the exception that caused the bugcheck
Arg3: fffff88009b02ed0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

FAULTING_MODULE: fffff80002e11000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4dbe83b5

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
mydrv!CheckFileObject+330 [f:\mydrv\mydrv.c @ 3194]
fffff880`081e1778 66833803 cmp word ptr [rax],3

CONTEXT: fffff88009b02ed0 – (.cxr 0xfffff88009b02ed0)
rax=0000000000000001 rbx=fffffa800b4b9430 rcx=fffff880081e61a0
rdx=0000000000000007 rsi=fffff8a00fa00000 rdi=0000000000000006
rip=fffff880081e1778 rsp=fffff88009b038b0 rbp=0000000000001da8
r8=0000000000000000 r9=00000000ffffffff r10=fffffa8009119070
r11=fffff88009b03760 r12=fffffa800b0be000 r13=fffff8a00fa2c7cc
r14=0000000000000014 r15=fffffa800b0c1c29
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
mydrv!CheckFileObject+0x330:
fffff880081e1778 66833803 cmp word ptr [rax],3 ds:002b:0000000000000001=???
Resetting default scope

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x3B

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff880081e13a8 to fffff880081e1778

STACK_TEXT:
fffff88009b038b0 fffff880081e13a8 : 0000000000000000 fffff880081e6138 000000000000c861 00000000000000b8 : mydrv!CheckFileObject+0x330 [f:\mydrv\mydrv.c @ 3194]
fffff88009b03910 fffff880081decaa : 0000000000000011 0000000000000004 000000000000c861 fffffa800b4b9430 : mydrv!ArIOCTLWIHandler+0xcc [f:\mydrv\mydrv.c @ 2928]
fffff88009b03960 fffff800031abf97 : fffffa800763b2e0 fffff88009b03c60 fffff88009b03c60 fffffa800763b2e0 : mydrv!ArIOCTLHandler+0xce [f:\mydrv\mydrv.c @ 802]
fffff88009b039d0 fffff800031ac7f6 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!NtMapViewOfSection+0x15b7
fffff88009b03b00 fffff80002e908d3 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!NtDeviceIoControlFile+0x56
fffff88009b03b70 0000000076db138a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KeSynchronizeExecution+0x3a43
000000000220db98 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x76db138a

FOLLOWUP_IP:
mydrv!CheckFileObject+330 [f:\mydrv\mydrv.c @ 3194]
fffff880`081e1778 66833803 cmp word ptr [rax],3

FAULTING_SOURCE_CODE:
3190:
3191: //
3192: // Validate Device object type.
3193: //

3194: if (IO_TYPE_DEVICE != pFileObject->DeviceObject->Type)
3195: {
3196: #if DEBUG_FOR_THIS_FUNCTION_ONLY
3197: MYDRV_KDPRINT(("Device object type is not IO_TYPE_DEVICE."));
3198: DoTraceMessage(TRACELEVELFOUR, "Device object type is not IO_TYPE_DEVICE.");
3199: #endif

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: mydrv!CheckFileObject+330

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: mydrv

IMAGE_NAME: mydrv.sys

STACK_COMMAND: .cxr 0xfffff88009b02ed0 ; kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

It looks like you’re failing during the comparison to IO_TYPE_DEVICE (3):

cmp word ptr [rax],3

So, where did you get this: pFileObject->DeviceObject?

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Monday, May 16, 2011 8:41 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Problem SYSTEM_SERVICE_EXCEPTION

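As an added example (not code from this thread or from mydrv), here is a small Python triage helper that pulls the register dump and the faulting operand out of the !analyze -v output above and classifies the address that was dereferenced; the x64 address-space thresholds are an assumption of the example.

```python
import re

# Lines copied from the !analyze -v output posted earlier in this thread (trimmed).
ANALYZE_OUTPUT = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the bugcheck
FAULTING_IP:
mydrv!CheckFileObject+330 [f:\\mydrv\\mydrv.c @ 3194]
fffff880`081e1778 66833803 cmp word ptr [rax],3
rax=0000000000000001 rbx=fffffa800b4b9430 rcx=fffff880081e61a0
rdx=0000000000000007 rsi=fffff8a00fa00000 rdi=0000000000000006
mydrv!CheckFileObject+0x330:
fffff880081e1778 66833803 cmp word ptr [rax],3 ds:002b:0000000000000001=???
"""

# windbg register dump entries ("rax=...") and the faulting operand ("[rax] ... ds:002b:...=???").
REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")
FAULT_RE = re.compile(r"\[(r[a-z0-9]{1,2})\].*?ds:[0-9a-f]{4}:([0-9a-f]{16})=\?\?\?")

# x64 address-space split; an assumption of this example, not taken from the thread.
KERNEL_BASE = 0xFFFF800000000000  # first address of the canonical upper half
USER_LIMIT = 0x00007FFFFFFFFFFF   # last user-mode address


def classify(address):
    """Name the kind of pointer that was dereferenced; each kind needs a different fix."""
    if address < 0x10000:
        # A value like 1 is not an address: it is a field read from an object whose
        # memory was already freed or reused. The page holding that object is still
        # mapped, so MmIsAddressValid on the object itself would have reported OK.
        return "small-integer"
    if address <= USER_LIMIT:
        return "user-mode"    # needs ProbeForRead plus __try/__except
    if address >= KERNEL_BASE:
        return "kernel-mode"  # unmapped kernel page: SEH cannot catch this
    return "non-canonical"


def triage(text):
    """Return the faulting base register, the address it held and its kind."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    m = FAULT_RE.search(text)
    if m is None:
        raise ValueError("no faulting memory operand in this output")
    base, fault_addr = m.group(1), int(m.group(2), 16)
    # Cross-check the context record against the faulting operand.
    if regs.get(base) != fault_addr:
        raise ValueError(f"{base}={regs.get(base)!r} does not match fault address {fault_addr:#x}")
    return {"register": base, "address": fault_addr, "kind": classify(fault_addr)}
```

For this crash it reports that rax, the DeviceObject field read from the file object, held 1: on this reading the file object's page was still mapped but its contents had already been reused, so a MmIsAddressValid check on pFileObject alone would not have caught it.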

From ZwQuerySystemInformation with SystemHandleInfo

How about the code.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Monday, May 16, 2011 9:03 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Problem SYSTEM_SERVICE_EXCEPTION


Hi mm,

Thanks for the quick replies.

The code works fine in most of the cases. This exception (I think) is because some file object becomes invalid as all of its references are closed, and ZwQuerySystemInformation does not increment the reference count so that they remain intact. So I just want to know how I can handle that situation.

I can use MmIsAddressValid but it does not guarantee that an exception will not occur.
Exception Handling can work fine.
Exception Handling with MmIsAddressValid will be more appropriate.

What do you think?

You’re calling undocumented APIs here, what are you trying to accomplish?
Why can’t you just use any of the utilities out there that already do this?
(oh.exe, handle.exe, Process Explorer, etc.)

I can use MmIsAddressValid but it does not guarantee that an exception will not occur.

Right. MmIsAddressValid is essentially useless, think of it as,
“MmWasAddressValidWhenICalledThis”. You can’t guarantee that the address
won’t go bad between the time the function returns and you dereference the
pointer.

Exception Handling can work fine.

No, it can’t. Exceptions aren’t raised when you dereference invalid kernel
memory, the system just crashes. So, exception handling is only useful when
you are working with user mode pointers.

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

So this may return you information that exists at the time you call ZwQuerySystemInformation, because the OS uses the appropriate locks on these resources, but that does not mean they are valid at any time thereafter. This may be why this function and information class are undocumented. Also, handle tables are allocated from paged pool, so you should not be able to call MmIsAddressValid on them, which only takes a non-paged address as input.

//Daniel

wrote in message news:xxxxx@ntdev…

MmIsAddressValid doesn’t mean you’ve got a pointer to a valid object.