It seems there is a problem with this approach at XP. Last week I
encountered something similar with VMware parallel driver which access
caused random data overwrite. It seemed as the problem caused my driver I’m
working on so I investigated the problem and found OS tried to access data
before security descriptor for this driver device. The descriptor was
created the way you describe; they create new one and change
DeviceObject->SecurityDescriptor to its address. They don’t free the old one
and I presume it is because it caused the same problem as you have.
I guess device security descriptor at XP are objects and OS expects object
header prepended to memory pointed with DeviceObject->SecurityDescriptor. It
would explain why ExFreePool fails: the real allocation starts several bytes
before. Please note I only guess; I’d appreciate if somebody can confirm or
disprove this observation or give any more info about XP device SDs.
Also please note above described approach (ignore problem and don’t free
original descriptor) is plain wrong and can cause BSODs or worse, random
data overwrite. You can try different approach: change original SD contents
instead. It is usable way if all you need is to change an ACE mask. I used
it at w2k with no problem.
Best regards,
Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]
From: Barry.Kierstein@HP.Com[SMTP:Barry.Kierstein@HP.Com]
Reply To: xxxxx@lists.osr.com
Sent: Monday, March 03, 2003 6:42 PM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: Device driver object security settings to enable
non-priv’d user accessAll,
Thanks for your great suggestions. I have followed the SysInternals
example in modifying the security descriptor in the device object. There
is one remaining oddity.Basically, the SysInternals example does the following:
- gets the security descriptor from the device object
(it is in relative format),- creates an empty absolute format security descriptor,
- reads the device object security descriptor for various attributes
and sets these in the absolute security descriptor,- converts the absolute security descriptor to relative format security
descriptor,- frees the device object’s security descriptor using ExFreePool, and
- sets the device object’s security descriptor pointer to the new
relative format security descriptor.This works fine on Windows 2000. On Windows XP, it bugchecks when
trying to execute the ExFreePool call with a stop code of 0xC2.BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.
Typically this is at a bad IRQL level or double freeing the same
allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 00000027, Memory contents of the pool block
Arg4: e13f5318, Pointer to pool headerAny ideas why this is happening? Thanks…
Barry Kierstein
You are currently subscribed to ntdev as: michal.vodicka@st.com
To unsubscribe send a blank email to xxxxx@lists.osr.com