Quality of kernel drivers of well-known vendors like VMWare, McAfee, Juniper. Why does it suck so much?

I would pull up the MSDN page for ExAllocatePoolWithTag and use the feedback link to make a note of this, that will get this over to the right folks who can make the doc change.

- S

-----Original Message-----
From: Bill Wandel
Sent: Thursday, October 28, 2010 19:22
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Quality of kernel drivers of well-known vendors like VMWare, McAfee, Juniper. Why does it suck so much?

Thanks. This is not in the WDK documentation.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Skywing
Sent: Thursday, October 28, 2010 10:02 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Quality of kernel drivers of well-known vendors like
VMWare, McAfee, Juniper. Why does it suck so much?

From ntddk.h:

//
// If high order bit in Pool tag is set, then must use ExFreePoolWithTag to free
//

#define PROTECTED_POOL 0x80000000

- S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bill Wandel
Sent: Thursday, October 28, 2010 6:53 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Quality of kernel drivers of well-known vendors like
VMWare, McAfee, Juniper. Why does it suck so much?

Don,

What is the PROTECTED_POOL flag?

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, October 28, 2010 7:16 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Quality of kernel drivers of well-known vendors like
VMWare, McAfee, Juniper. Why does it suck so much?

Do you use ExFreePoolWithTag and the PROTECTED_POOL flag on the tag? I
forgot this on my previous list, but this is an excellent model for being
sure the memory you free is what you think you are freeing.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Volodymyr M. Shcherbyna” wrote in message
news:xxxxx@ntdev:

> Yes, this is maybe a question of taste …
>
> I usually deploy the checked version in my office and catch BSODs, if any.
> Some friendly colleagues always live with debug driver + verifier … In
> checked build I also have self diagnostics, so I can poll machines to
> see if I have problems somewhere (by running helper application on
> those machines which ioctls driver for statistics).
>
> Btw, no one mentioned here pooltags. I always use unique tags and
> always check them.
>
> –
> Volodymyr
>
> “Maxim S. Shatskih” wrote in the discussion group message: xxxxx@ntdev…
> >> I would also add to this several things:
> >>
> >> 1. making asserts in #ifdef DBG
> >
> > I would disagree.
> >
> > First of all, extensive test suites of checked build are IMHO not
> > worth the time spent. The customers run the free build, this is what
> > must go through the full QA matrix. I personally only build the
> > checked version to catch some particular hard bug.
> >
> > Second, classic asserts are just plain evil :) much better way is to
> > check for condition even in release code, and, on failure, abort the
> > code path gently and log an event log message of “Internal error 1000”
> > or such.
> >
> > A matter of taste though, we are just sharing approaches.
> >
> > For me, /W4 is used always, PREFast is used on each source control
> > commit, and testing with Verifier (includes the checks for memory
> > leaks) and checked build (on the latest OS at least, which is now
> > 2008 R2) - on each more-or-less serious milestone (other than minor
> > feature addition or a small bug fix).
> >
> > –
> > Maxim S. Shatskih
> > Windows DDK MVP
> > xxxxx@storagecraft.com
> > http://www.storagecraft.com
> >
> >


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer



*I* would submit it via the bug bash, and get free stuff as part of the process!

Peter
OSR

Bug bash bug?

d

dent from a phpne with no keynoard

-----Original Message-----
From: Bill Wandel
Sent: October 28, 2010 7:22 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Quality of kernel drivers of well-known vendors like VMWare, McAfee, Juniper. Why does it suck so much?

Thanks. This is not in the WDK documentation.

Bill Wandel


Don,

PROTECTED_POOL <

Thanks for bringing this to my attention. Shame it isn’t documented.

Regards,

George.

No at the moment. But I do not use at all ExFreePool. I use only
ExFreePoolWithTag in all my projects.

What I miss now is making automated alerts when particular tag increases:
i.e. to write an automated application which will query counters for tags
and see the tendency. Now this is done manually.


Volodymyr

“Don Burn” wrote in the discussion group message: xxxxx@ntdev…
> Do you use ExFreePoolWithTag and the PROTECTED_POOL flag on the tag? I
> forgot this on my previous list, but this is an excellent model for being
> sure the memory you free is what you think you are freeing.
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
>
> “Volodymyr M. Shcherbyna” wrote in message
> news:xxxxx@ntdev:
>
>> Yes, this is maybe a question of taste …
>>
>> I usually deploy the checked version in my office and catch BSODs, if
>> any.
>> Some friendly colleagues always live with debug driver + verifier … In
>> checked build I also have self diagnostics, so I can poll machines to see
>> if
>> I have problems somewhere (by running helper application on those machines
>> which ioctls driver for statistics).
>>
>> Btw, no one mentioned here pooltags. I always use unique tags and always
>> check them.
>>
>> –
>> Volodymyr
>>
>> “Maxim S. Shatskih” wrote in the discussion group message: xxxxx@ntdev…
>> >> I would also add to this several things:
>> >>
>> >> 1. making asserts in #ifdef DBG
>> >
>> > I would disagree.
>> >
>> > First of all, extensive test suites of checked build are IMHO not worth
>> > the time spent. The customers run the free build, this is what must go
>> > through the full QA matrix. I personally only build the checked version
>> > to
>> > catch some particular hard bug.
>> >
>> > Second, classic asserts are just plain evil :) much better way is to
>> > check
>> > for condition even in release code, and, on failure, abort the code
>> > path
>> > gently and log an event log message of “Internal error 1000” or such.
>> >
>> > A matter of taste though, we are just sharing approaches.
>> >
>> > For me, /W4 is used always, PREFast is used on each source control
>> > commit,
>> > and testing with Verifier (includes the checks for memory leaks) and
>> > checked build (on the latest OS at least, which is now 2008 R2) - on
>> > each
>> > more-or-less serious milestone (other than minor feature addition or a
>> > small bug fix).
>> >
>> > –
>> > Maxim S. Shatskih
>> > Windows DDK MVP
>> > xxxxx@storagecraft.com
>> > http://www.storagecraft.com
>> >
>> >
>
>

> Btw, no one mentioned here pooltags. I always use unique tags and always
> check them.

Yes, surely.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

The PoolTag utility at http://www.osronline.com/article.cfm?article=98 does SOME of that now. You can limit the tags that are shown to just those that you want to monitor, and then take a “baseline” set of tag numbers… the output will show the CHANGE from that baseline.

We could pretty easily add some sort of alerts to this. What kind of alert would you suggest? How would it be specified (number of allocations, total size, percentage of something)??

Peter
OSR

>>We could pretty easily add some sort of alerts to this. What kind of alert would you suggest? How would it be specified (number of allocations, total size, percentage of something)?? <<

The best alert for me is bug check. Having memory dump I can peer inside my call stacks for threads and analyze my tables, etc. But having as alerts files on remote smb share could also work. Asking for emails I guess is too much :)

Speaking about format of data, the best will be to pass templates for tags, for example,

X%d assuming structure of tags is X001, X002, … X00N

or

Just a txt file with all templates separated with new line, i.e.

X001
U003
P004
etc

As for criteria for alerts. I would make several directions:

a. Reaching some threshold in terms of bytes for tag, i.e. condition like:

for each tag
if (size of allocs with this tag ) >= MaxLimitPerTag
{
assert();
}

b. Reaching some increase (i.e. delta between two values at time t1 and t2):

for each tag
if (delta (t2 - t1) >= MaxLimitPerTagInTimeSlice) (of course react only if delta is positive)
{
assert();
}

where delta in time is configurable as well

c. Reaching overall pool usage by driver to some limit. For example, currently I use 960 kb of memory (both paged and non-paged), as I track connections per process I have some limits on my side and I should never cross some line in terms of memory usage, therefore I am interested to know if all my allocs are crossing some boundary):

if (sum_of_all_tags >= MaxLimitPerDriver)
{
assert();
}

d. Checking tendency for particular tags on time frame. For example, if tag hits constantly increases and never decreases, assert:

for each tag
if (current_tag_allocs_count > previous_tag_allocs_count)
{
assert_if_constantly_grows(current_tag_allocs_count);
}

Speaking about Trend Micro drivers. It took today approx 10 minutes to BSOD:
http://www.shcherbyna.com/?p=1042


Volodymyr

“Volodymyr M. Shcherbyna” wrote in the discussion group message: xxxxx@ntdev…
> Hello everyone,
>
> Just want to share some feedback I have regarding third party drivers I
> met sometimes during my tests. Interesting to know, is it only happening
> to me? Or you also saw something similar when dealing with them?
>
> Before releasing my code I always do heavy stress testing with
> antiviruses/fws and I set verifier to verify mine and av/fw driver with
> maximum checks. My driver is a typical TDI filter with some additional
> functionality (I set PsLoadImageNotify callbacks to track process creation
> events). (please, no need to point that TDI is deprecated, I know that, I
> am already taking care of it. This is not the purpose of this post)
>
> So, testing with firewalls I always get BSODs with McAfee, Trend Micro
> (with Trend Micro I have less problems, though) in their TDI filters. Even
> if I do tests on clean machine (i.e., clean install of XP or Vista and
> there is NO my driver) McAfee BSODs with pool corruption assert within 10
> minutes of stress testing.
>
> (I was also troubleshooting issues with Juniper VPN client which is btw a
> TDI filter. You enable verifier, run it, and you get an immediate BSOD. IIRC
> it was related to not marking IRP pending, or something similar.)
>
> My stress test tools are simple: create a lot of processes and make a
> lot of connections, and it just dies :). I’ve sent request to McAfee about
> this problem, but they never actually resolved it. But this is not the
> point, I am interested to know your opinion about quality of those guys.
>
> Today I was experimenting with my VmWare Workstation at home in Windows 7
> x64 and I got a BSOD when doing verification of vmx86.sys driver. The test
> case is very simple:
>
> 1. Fire verifier and set maximum checks for vmx86.sys
>
> 2. Reboot
>
> 3. Start any x86 virtual machine, and voila, you have the following:
>
> DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
> A device driver attempting to corrupt the system has been caught. This is
> because the driver was specified in the registry as being suspect (by the
> administrator) and the kernel has enabled substantial checking of this
> driver.
> If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA
> will
> be among the most commonly seen crashes.
> Arguments:
> Arg1: 00000000000000f6, Referencing user handle as KernelMode.
> Arg2: 00000000000002e0, Handle value being referenced.
> Arg3: fffffa8005b9fb30, Address of the current process.
> Arg4: fffff880062da398, Address inside the driver that is performing the
> incorrect reference.
>
> Debugging Details:
> ------------------
>
>
> BUGCHECK_STR: 0xc4_f6
>
> CUSTOMER_CRASH_COUNT: 1
>
> DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
>
> PROCESS_NAME: vmware-vmx.exe
>
> CURRENT_IRQL: 0
>
> LAST_CONTROL_TRANSFER: from fffff800035493dc to fffff800030bf740
>
> STACK_TEXT:
> fffff88007953f48 fffff800035493dc : 00000000000000c4 00000000000000f6
> 00000000000002e0 fffffa8005b9fb30 : nt!KeBugCheckEx
> fffff88007953f50 fffff8000355eae4 : 00000000000002e0 fffffa8005b9fb30
> 0000000000000007 fffff78000001000 :
> nt!VerifierBugCheckIfAppropriate+0x3c
> fffff88007953f90 fffff8000331ab40 : fffff6fc00019ae8 fffff880079541f0
> fffffa8004619500 fffffa800c0a2cc8 : nt!VfCheckUserHandle+0x1b4
> fffff88007954070 fffff800033b8ab5 : 0000000000000000 0000000000000000
> 0000000000000000 0000007fffffff00 : nt! ?? ::NNGAKEGL::`string'+0x20e2e
> fffff88007954140 fffff800033bde4d : fffffa800c0a2b10 fffff880079542a0
> fffff6fb00000040 fffffa8004619510 : nt!ObpLookupObjectName+0x1b5
> fffff88007954240 fffff8000335d654 : fffff880079544c8 0000000000000000
> fffff88007954300 fffff800030bd93d : nt!ObOpenObjectByName+0x1cd
> fffff880079542f0 fffff8000335d72e : fffff88007954760 fffff880000f003f
> fffff88007954780 fffff8000335d700 : nt!CmCreateKey+0x2e1
> fffff88007954460 fffff800030be993 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : nt!NtCreateKey+0x2e
> fffff880079544b0 fffff800030baf30 : fffff8000354fb49 fffff88007954780
> fffff880079548a0 0000000000261b00 : nt!KiSystemServiceCopyEnd+0x13
> fffff880079546b8 fffff8000354fb49 : fffff88007954780 fffff880079548a0
> 0000000000261b00 fffff880062e5590 : nt!KiServiceLinkage
> fffff880079546c0 fffff880062da398 : 0000000000000000 fffff880062e5590
> 0000000000261b00 fffff880079548a0 : nt!VfZwCreateKey+0x99
> fffff88007954720 0000000000000000 : fffff880062e5590 0000000000261b00
> fffff880079548a0 0000000000000000 : vmx86+0x3398
>
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> vmx86+3398
> fffff880062da398 413bc4 cmp eax,r12d
>
> SYMBOL_STACK_INDEX: b
>
> SYMBOL_NAME: vmx86+3398
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: vmx86
>
> IMAGE_NAME: vmx86.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 4a85fa8c
>
> FAILURE_BUCKET_ID: X64_0xc4_f6_VRF_vmx86+3398
>
> BUCKET_ID: X64_0xc4_f6_VRF_vmx86+3398
>
> Followup: MachineOwner
> ---------
>
> This is not the first bug check I have, I also had something related to
> memory corruption.
>
> Is it a fault of verifier? I doubt. On the other hand, these companies
> (McAfee, VmWare, Juniper) earn millions and spend millions on R&D teams,
> how is it possible that they just never do Driver Verifier tests? (At
> least) …
>
> Hope to hear some feedback on this : )
>
> –
> Volodymyr
>
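The four alert criteria (a to d) that Volodymyr sketches above, worked through as an added example that is not part of the original post or of OSR's PoolTag utility. It runs a user-mode monitor over constructed pool-tag snapshots in an assumed "TAG allocs frees bytes" line format (the real PoolTag/poolmon column layout differs), selects our tags with the X%d template syntax from the post, and the byte limits and window size are assumed values.

```python
import re
from typing import Dict, List, NamedTuple, Sequence


class TagSample(NamedTuple):
    live: int    # outstanding allocations under the tag (allocs - frees)
    nbytes: int  # bytes currently held under the tag


# Constructed snapshots, oldest first, in an assumed "TAG allocs frees bytes"
# format (the real PoolTag/poolmon column layout differs). "Ntfx" stands in
# for someone else's tag and must be ignored by the templates below.
SNAPSHOTS_TEXT = [
    "X001 100 90 4096\nX002 50 50 0\nU003 20 10 2048\nNtfx 999 900 65536",
    "X001 140 110 12288\nX002 50 50 0\nU003 25 14 2304\nNtfx 1010 910 65536",
    "X001 180 120 24576\nX002 52 50 1024\nU003 30 18 2560\nNtfx 1020 920 65536",
    "X001 240 130 45056\nX002 52 51 512\nU003 36 25 2816\nNtfx 1030 930 65536",
]


def parse_snapshot(text: str) -> Dict[str, TagSample]:
    """Parse one snapshot into {tag: TagSample}."""
    out: Dict[str, TagSample] = {}
    for line in text.strip().splitlines():
        tag, allocs, frees, nbytes = line.split()
        out[tag] = TagSample(int(allocs) - int(frees), int(nbytes))
    return out


def template_to_regex(template: str) -> "re.Pattern[str]":
    """'X%d' matches X followed by digits (X001, X002, ... X00N); a plain
    tag such as 'U003' matches exactly."""
    parts = template.split("%d")
    return re.compile("^" + r"\d+".join(re.escape(p) for p in parts) + "$")


def monitored_tags(snapshot: Dict[str, TagSample], templates: Sequence[str]) -> List[str]:
    """Tags in the snapshot that belong to us according to the templates."""
    regs = [template_to_regex(t) for t in templates]
    return sorted(tag for tag in snapshot if any(r.match(tag) for r in regs))


def check_alerts(snapshots: Sequence[Dict[str, TagSample]], templates: Sequence[str], *,
                 max_bytes_per_tag: int, max_delta_per_slice: int,
                 max_bytes_per_driver: int, trend_window: int) -> List[str]:
    """Apply criteria (a)-(d) to the newest snapshot and return alert strings.
    In a driver-side self check each alert would be the assert()/bug check
    from the post; this user-mode monitor just reports them."""
    alerts: List[str] = []
    latest = snapshots[-1]
    tags = monitored_tags(latest, templates)
    empty = TagSample(0, 0)

    # (a) absolute byte threshold for a single tag
    for tag in tags:
        if latest[tag].nbytes >= max_bytes_per_tag:
            alerts.append(f"a:{tag} bytes={latest[tag].nbytes}")

    # (b) growth between the two most recent samples (t1 -> t2); negative
    # deltas (memory being returned) never alert
    if len(snapshots) >= 2:
        prev = snapshots[-2]
        for tag in tags:
            delta = latest[tag].nbytes - prev.get(tag, empty).nbytes
            if delta > 0 and delta >= max_delta_per_slice:
                alerts.append(f"b:{tag} delta={delta}")

    # (c) whole-driver budget across all monitored tags
    total = sum(latest[t].nbytes for t in tags)
    if total >= max_bytes_per_driver:
        alerts.append(f"c:total bytes={total}")

    # (d) trend: live allocation count rose at every step of the window,
    # i.e. the tag constantly grows and never shrinks
    if len(snapshots) >= trend_window:
        window = snapshots[-trend_window:]
        for tag in tags:
            counts = [s.get(tag, empty).live for s in window]
            if all(b > a for a, b in zip(counts, counts[1:])):
                alerts.append(f"d:{tag} live={counts}")
    return alerts


def run_demo() -> List[str]:
    """Run the monitor over the constructed snapshots with assumed limits."""
    snaps = [parse_snapshot(t) for t in SNAPSHOTS_TEXT]
    return check_alerts(snaps, ["X%d", "U003"],
                        max_bytes_per_tag=40 * 1024,     # 40 KiB per tag (assumed)
                        max_delta_per_slice=16 * 1024,   # 16 KiB growth per slice (assumed)
                        max_bytes_per_driver=32 * 1024,  # 32 KiB for the driver (assumed)
                        trend_window=4)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

With the constructed data only X001 trips the per-tag, delta and trend checks, while the whole-driver budget fires on the sum of the three monitored tags; Ntfx is never counted.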

You had me at the fancy French words …

Cheers,
Dave Cattley

And that trance beat, very cool. Is that “Infected Mushroom” or your own
mix?

:)
Dave Cattley

:)

It is Koan - “Dance of Nereids” from the “Album When The Silence Is
Speaking” (2009).


Volodymyr

“David R. Cattley” wrote in the discussion group message: xxxxx@ntdev…
> And that trance beat, very cool. Is that “Infected Mushroom” or your own
> mix?
>
> :)
> Dave Cattley
>
>

I finished research on Trend Micro.

Seems like Trend Micro had a bsod due to corruption of the logging string
(UNICODE_STRING structure). It is quite strange to try to log something in
release, though … I understand this during debug cycle, but in release I
don’t.

http://www.shcherbyna.com/?p=1042


Volodymyr

“Volodymyr M. Shcherbyna” wrote in the discussion group message: xxxxx@ntdev…
> Speaking about Trend Micro drivers. It took today approx 10 minutes to
> BSOD: http://www.shcherbyna.com/?p=1042
>
> –
> Volodymyr
>
> “Volodymyr M. Shcherbyna” wrote in the discussion group message: xxxxx@ntdev…
>> Hello everyone,
>>
>> Just want to share some feedback I have regarding third party drivers I
>> met sometimes during my tests. Interesting to know, is it only happening
>> to me? Or you also saw something similar when dealing with them?
>>
>> Before releasing my code I always do heavy stress testing with
>> antiviruses/fws and I set verifier to verify mine and av/fw driver with
>> maximum checks. My driver is a typical TDI filter with some additional
>> functionality (I set PsLoadImageNotify callbacks to track process
>> creation events). (please, no need to point that TDI is deprecated, I
>> know that, I am already taking care of it. This is not the purpose of
>> this post)
>>
>> So, testing with firewalls I always get BSODs with McAfee, Trend Micro
>> (with Trend Micro I have less problems, though) in their TDI filters.
>> Even if I do tests on clean machine (i.e., clean install of XP or Vista
>> and there is NO my driver) McAfee BSODs with pool corruption assert
>> within 10 minutes of stress testing.
>>
>> (I was also troubleshooting issues with Juniper VPN client which is btw a
>> TDI filter. You enable verifier, run it, and you get an immediate BSOD. IIRC
>> it was related to not marking IRP pending, or something similar.)
>>
>> My stress test tools are simple: create a lot of processes and make a
>> lot of connections, and it just dies :). I’ve sent request to McAfee
>> about this problem, but they never actually resolved it. But this is not
>> the point, I am interested to know your opinion about quality of those
>> guys.
>>
>> Today I was experimenting with my VmWare Workstation at home in Windows 7
>> x64 and I got a BSOD when doing verification of vmx86.sys driver. The
>> test case is very simple:
>>
>> 1. Fire verifier and set maximum checks for vmx86.sys
>>
>> 2. Reboot
>>
>> 3. Start any x86 virtual machine, and voila, you have the following:
>>
>> DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
>> A device driver attempting to corrupt the system has been caught. This
>> is
>> because the driver was specified in the registry as being suspect (by the
>> administrator) and the kernel has enabled substantial checking of this
>> driver.
>> If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and
>> 0xA will
>> be among the most commonly seen crashes.
>> Arguments:
>> Arg1: 00000000000000f6, Referencing user handle as KernelMode.
>> Arg2: 00000000000002e0, Handle value being referenced.
>> Arg3: fffffa8005b9fb30, Address of the current process.
>> Arg4: fffff880062da398, Address inside the driver that is performing the
>> incorrect reference.
>>
>> Debugging Details:
>> ------------------
>>
>>
>> BUGCHECK_STR: 0xc4_f6
>>
>> CUSTOMER_CRASH_COUNT: 1
>>
>> DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
>>
>> PROCESS_NAME: vmware-vmx.exe
>>
>> CURRENT_IRQL: 0
>>
>> LAST_CONTROL_TRANSFER: from fffff800035493dc to fffff800030bf740
>>
>> STACK_TEXT:
>> fffff88007953f48 fffff800035493dc : 00000000000000c4 00000000000000f6
>> 00000000000002e0 fffffa8005b9fb30 : nt!KeBugCheckEx
>> fffff88007953f50 fffff8000355eae4 : 00000000000002e0 fffffa8005b9fb30
>> 0000000000000007 fffff78000001000 :
>> nt!VerifierBugCheckIfAppropriate+0x3c
>> fffff88007953f90 fffff8000331ab40 : fffff6fc00019ae8 fffff880079541f0
>> fffffa8004619500 fffffa800c0a2cc8 : nt!VfCheckUserHandle+0x1b4
>> fffff88007954070 fffff800033b8ab5 : 0000000000000000 0000000000000000
>> 0000000000000000 0000007fffffff00 : nt! ?? ::NNGAKEGL::`string'+0x20e2e
>> fffff88007954140 fffff800033bde4d : fffffa800c0a2b10 fffff880079542a0
>> fffff6fb00000040 fffffa8004619510 : nt!ObpLookupObjectName+0x1b5
>> fffff88007954240 fffff8000335d654 : fffff880079544c8 0000000000000000
>> fffff88007954300 fffff800030bd93d : nt!ObOpenObjectByName+0x1cd
>> fffff880079542f0 fffff8000335d72e : fffff88007954760 fffff880000f003f
>> fffff88007954780 fffff8000335d700 : nt!CmCreateKey+0x2e1
>> fffff88007954460 fffff800030be993 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : nt!NtCreateKey+0x2e
>> fffff880079544b0 fffff800030baf30 : fffff8000354fb49 fffff88007954780
>> fffff880079548a0 0000000000261b00 : nt!KiSystemServiceCopyEnd+0x13
>> fffff880079546b8 fffff8000354fb49 : fffff88007954780 fffff880079548a0
>> 0000000000261b00 fffff880062e5590 : nt!KiServiceLinkage
>> fffff880079546c0 fffff880062da398 : 0000000000000000 fffff880062e5590
>> 0000000000261b00 fffff880079548a0 : nt!VfZwCreateKey+0x99
>> fffff88007954720 0000000000000000 : fffff880062e5590 0000000000261b00
>> fffff880079548a0 0000000000000000 : vmx86+0x3398
>>
>>
>> STACK_COMMAND: kb
>>
>> FOLLOWUP_IP:
>> vmx86+3398
>> fffff880062da398 413bc4 cmp eax,r12d
>>
>> SYMBOL_STACK_INDEX: b
>>
>> SYMBOL_NAME: vmx86+3398
>>
>> FOLLOWUP_NAME: MachineOwner
>>
>> MODULE_NAME: vmx86
>>
>> IMAGE_NAME: vmx86.sys
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP: 4a85fa8c
>>
>> FAILURE_BUCKET_ID: X64_0xc4_f6_VRF_vmx86+3398
>>
>> BUCKET_ID: X64_0xc4_f6_VRF_vmx86+3398
>>
>> Followup: MachineOwner
>> ---------
>>
>> This is not the first bug check I have, I also had something related to
>> memory corruption.
>>
>> Is it a fault of verifier? I doubt. On the other hand, these companies
>> (McAfee, VmWare, Juniper) earn millions and spend millions on R&D teams,
>> how is it possible that they just never do Driver Verifier tests? (At
>> least) …
>>
>> Hope to hear some feedback on this : )
>>
>> –
>> Volodymyr
>>
>

Son, there are occasions ExFreePool is the only option. Heck, maybe this is
a good interview question to ask when ExFreePoolWithTag can’t be used.

Let’s take a look at how things are implemented in ntoskrnl (Windows 7 x64):

00000001401A3E80 ; void __stdcall ExFreePool(PVOID P)
00000001401A3E80 xor edx, edx
00000001401A3E82 jmp ExFreePoolWithTag
00000001401A3E82 ExFreePool endp

… and …

00000001400BB6A4 ; PVOID __stdcall ExAllocatePool(POOL_TYPE PoolType, SIZE_T NumberOfBytes)
00000001400BB6A4 mov r8d, 656E6F4Eh
00000001400BB6AA jmp ExAllocatePoolWithTag
00000001400BB6AA ExAllocatePool endp

It seems quite obvious that if you can call ExFreePool you can also call
ExFreePoolWithTag (technically).


Volodymyr (http://www.shcherbyna.com/)

“Calvin Guan” wrote in the discussion group message: xxxxx@ntdev…
> [quote]
> But I do not use at all ExFreePool. I use only
> ExFreePoolWithTag in all my projects.
> [/quote]
>
> Son, there are occasions ExFreePool is the only option. Heck, maybe this
> is
> a good interview question to ask when ExFreePoolWithTag can’t be used.
>
>
>
>

> Son, there are occasions ExFreePool is the only option. Heck, maybe this is a good interview question
> to ask when ExFreePoolWithTag can’t be used.

You never change, do you - again, the same arrogant tone while making a statement that is…let’s say
“not-so-well-founded”, from the technical standpoint…

In any case, please let me know when you give your next class on ExFreePool() and ExFreePoolWithTag() usage - I would like to attend it so that I will know in which situation ExFreePoolWithTag can’t be used. For the time being I cannot think of any, because documentation on the subject says the following:

Furthermore, as it follows from the code excerpt provided by Vladimir, ExAllocatePool() is just a call to ExAllocatePoolWithTag() where tag is named “None”.

Therefore, I am intrigued…

Anton Bassov

I won’t say it is the only option, but it is the only intelligent
option. There are cases where the contract between Windows and the
driver is such that the kernel allocates the memory and the driver
free’s it, or vice versa. If ExFreePoolWithTag had been around since
day one, it would have been nice if the contract specified the tag for
the memory (personally I would have liked it with the PROTECTED_POOL
option). But we don’t have that and it is confusing if nothing else to
use ExFreePoolWithTag or for that matter ExAllocatePoolWithTag for
memory you will not be freeing.

As far as the ‘None’ tag this is only semi-documented since it is in the
include file but not the WDK documentation. So you are entering the
grey area to assume that this is guaranteed forever. More importantly,
the person who reads your driver next may not know that ‘None’ is the
default tag, which means they could think they could change it. When I
first discovered PROTECTED_POOL the company I was at went crazy with
using it, unfortunately a couple of those cases where we allocated the
memory and Windows free’d it with the inevitable BSOD.

ExAllocatePool and ExFreePool both have valid uses, but the number of
cases is now limited.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@hotmail.com” wrote in message
news:xxxxx@ntdev:

> > Son, there are occasions ExFreePool is the only option. Heck, maybe this is a good interview question
> > to ask when ExFreePoolWithTag can’t be used.
>
>
> You never change, do you - again, the same arrogant tone while making a statement that is…let’s say
> “not-so-well-founded”, from the technical standpoint…
>
>
> In any case, please let me know when you give your next class on ExFreePool() and ExFreePoolWithTag() usage - I would like to attend it so that I will know in which situation ExFreePoolWithTag can’t be used. For the time being I cannot think of any, because documentation on the subject says the following:
>
>
>


>
> Furthermore, as it follows from the code excerpt provided by Vladimir, ExAllocatePool() is just a call to ExAllocatePoolWithTag() where tag is named “None”.
>
> Therefore, I am intrigued…
>
>
>
> Anton Bassov

Yes, obviously, if Windows allocates memory (or you are using some third
party library in kernel) for you, you will have to use ExFreePool(…)
instead of ExFreePoolWithTag(…) to release it. But this is just following
contract …

I thought Calvin was talking about some technical limitations with
ExFreePoolWithTag(…).


Volodymyr (http://www.shcherbyna.com/)

“Don Burn” wrote in the discussion group message: xxxxx@ntdev…
> I won’t say it is the only option, but it is the only intelligent option.
> There are cases where the contract between Windows and the driver is such
> that the kernel allocates the memory and the driver free’s it, or vice
> versa. If ExFreePoolWithTag had been around since day one, it would have
> been nice if the contract specified the tag for the memory (personally I
> would have liked it with the PROTECTED_POOL option). But we don’t have
> that and it is confusing if nothing else to use ExFreePoolWithTag or for
> that matter ExAllocatePoolWithTag for memory you will not be freeing.
>
> As far as the ‘None’ tag this is only semi-documented since it is in the
> include file but not the WDK documentation. So you are entering the grey
> area to assume that this is guaranteed forever. More importantly, the
> person who reads your driver next may not know that ‘None’ is the default
> tag, which means they could think they could change it. When I first
> discovered PROTECTED_POOL the company I was at went crazy with using it,
> unfortunately a couple of those cases where we allocated the memory and
> Windows free’d it with the inevitable BSOD.
>
> ExAllocatePool and ExFreePool both have valid uses, but the number of
> cases is now limited.
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
> “xxxxx@hotmail.com” wrote in message
> news:xxxxx@ntdev:
>
>> > Son, there are occasions ExFreePool is the only option. Heck, maybe
>> > this is a good interview question
>> > to ask when ExFreePoolWithTag can’t be used.
>>
>>
>> You never change, do you - again, the same arrogant tone while making a
>> statement that is…let’s say
>> “not-so-well-founded”, from the technical standpoint…
>>
>>
>> In any case, please let me know when you give your next class on
>> ExFreePool() and ExFreePoolWithTag() usage - I would like to attend it
>> so that I will know in which situation ExFreePoolWithTag can’t be used.
>> For the time being I cannot think of any, because documentation on the
>> subject says the following:
>>
>>
>>


>>
>> Furthermore, as it follows from the code excerpt provided by Vladimir,
>> ExAllocatePool() is just a call to ExAllocatePoolWithTag() where tag is
>> named “None”.
>>
>> Therefore, I am intrigued…
>>
>>
>>
>> Anton Bassov
>
>

> Son, there are occasions ExFreePool is the only option. Heck, maybe this is
> a good interview question to ask when ExFreePoolWithTag can’t be used.

When the structure is allocated by Windows itself or by another driver, and the contract is “ExFreePool must be called on it”.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> When the structure is allocated by Windows itself or by another driver, and the contract is "ExFreePool
> must be called on it".

Sorry, but this is exactly the same thing as saying “you cannot open a file if you don’t know its name”, i.e. something that is so plainly obvious that is not even worth mentioning. Here is exactly the same situation - you cannot call ExFreePoolWithTag() if you haven’t got ‘tag’ parameter for this call so that ExFreePool() is your only available option.

Judging from the way Calvin expressed his thought this is NOT the kind of thing he was talking about…

Anton Bassov