Reference current process in the close path

Hi, All,

I send this message to NTDEV list this morning but didn’t see any reply.
I guess maybe it is better to post it here.

I have a FS filter driver in which I need to monitor the IRP_MJ_CLOSE.
When I decide that the file need further process, I have to get the user
SID. In order to do that, in some point I call ZwOpenProcessToken using
the follow code:

if( KeGetCurrentIrql() < DISPATCH_LEVEL)
{
Status=ZwOpenProcessToken(NtCurrentProcess(),TOKEN_READ,&TokenHandle);

}

In very rare situation, my driver got Access Violation inside
ZwOpenProcessToken. So my question is: is it safe to reference
the current process in file close path? If not, what’s the reason?
(process terminate before the close?) And how can I get the user
SID in close path?

Thanks a lot.

Chendong


Get free email and a permanent address at http://www.netaddress.com/?N=1


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Chendong,

An access violation would indicate the address of the invalid memory
location. When this happens, can you observe anything interesting on the
stack? For example, are you in a process termination path or something
equally interesting?

I’m assuming you can confirm that TokenHandle is a valid memory location,
right?

And by “access violation” is it reported as a status code of 0xC0000005? Or
is it reported as a bugcheck (KMODE_EXCEPTION_NOT_HANDLED with the exception
being 0xC0000005?)

The last thing I would note is that you may have a fundamental design flaw
here, if you believe that IRP_MJ_CLOSE (and the process token) is going to
have anything to do with the process that opened and/or operated on the
file.

Regards,

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Chendong Shan [mailto:xxxxx@usa.net]
Sent: Tuesday, April 10, 2001 6:45 PM
To: File Systems Developers
Subject: [ntfsd] Reference current process in the close path

Hi, All,

I send this message to NTDEV list this morning but didn’t see any reply.
I guess maybe it is better to post it here.

I have a FS filter driver in which I need to monitor the IRP_MJ_CLOSE.
When I decide that the file need further process, I have to get the user
SID. In order to do that, in some point I call ZwOpenProcessToken using
the follow code:

if( KeGetCurrentIrql() < DISPATCH_LEVEL)
{
Status=ZwOpenProcessToken(NtCurrentProcess(),TOKEN_READ,&TokenHandle);

}

In very rare situation, my driver got Access Violation inside
ZwOpenProcessToken. So my question is: is it safe to reference
the current process in file close path? If not, what’s the reason?
(process terminate before the close?) And how can I get the user
SID in close path?

Thanks a lot.

Chendong


Get free email and a permanent address at http://www.netaddress.com/?N=1


You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Tony,

Thank you for your quick reply.

The cases I observed were all happened during process termination (and
file close then). That’s why I suspected that in close path, it maybe
unsafe to reference current process handle.

And yes, the TokenHandle is in valid memory address. So it must be
ZwOpenProcessToken cause the access violation.

It is the second case (KMODE_EXCEPTION_NOT_HANDLED with the exception
0xC0000005).

Your note is correct. I guess we have to reconsider the algorithm
on CLOSE.

So, return to my original question. It is unsafe to reference the
current process handle in IRP_MJ_CLOSE path, right? Looks like in some
(very rare) situation, there maybe close file handle call at the end of
process dereference handler.

Chendong

Tony Mason wrote:
Chendong,

An access violation would indicate the address of the invalid memory
location. When this happens, can you observe anything interesting on the
stack? For example, are you in a process termination path or something
equally interesting?

I’m assuming you can confirm that TokenHandle is a valid memory location,
right?

And by “access violation” is it reported as a status code of 0xC0000005? Or
is it reported as a bugcheck (KMODE_EXCEPTION_NOT_HANDLED with the exception
being 0xC0000005?)

The last thing I would note is that you may have a fundamental design flaw
here, if you believe that IRP_MJ_CLOSE (and the process token) is going to
have anything to do with the process that opened and/or operated on the
file.

Regards,

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Chendong Shan [mailto:xxxxx@usa.net]
Sent: Tuesday, April 10, 2001 6:45 PM
To: File Systems Developers
Subject: [ntfsd] Reference current process in the close path

Hi, All,

I send this message to NTDEV list this morning but didn’t see any reply.
I guess maybe it is better to post it here.

I have a FS filter driver in which I need to monitor the IRP_MJ_CLOSE.
When I decide that the file need further process, I have to get the user
SID. In order to do that, in some point I call ZwOpenProcessToken using
the follow code:

if( KeGetCurrentIrql() < DISPATCH_LEVEL)
{
Status=ZwOpenProcessToken(NtCurrentProcess(),TOKEN_READ,&TokenHandle);

}

In very rare situation, my driver got Access Violation inside
ZwOpenProcessToken. So my question is: is it safe to reference
the current process in file close path? If not, what’s the reason?
(process terminate before the close?) And how can I get the user
SID in close path?

Thanks a lot.

Chendong

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com