RtlAppendUnicodeStringToString giving BSOD

Mamoon_Ahmed · March 10, 2016, 3:44pm

Code snippet
UNICODE_STRING newLine;
newLine.MaximumLength = pFileObject->FileName.Length + 10;
newLine.Buffer = ExAllocatePool(NonPagedPool, newLine.MaximumLength);
RtlZeroMemory(newLine.Buffer, newLine.MaximumLength);
RtlAppendUnicodeStringToString(&newLine, &pFileObject->FileName);
UNICODE_STRING n;
RtlInitUnicodeString(&n, L"\n");
RtlAppendUnicodeStringToString(&newLine, &n);
STRING str;

status = RtlUnicodeStringToAnsiString(&str, &newLine,TRUE);
if (status == STATUS_SUCCESS)
{
if (!((count + str.Length + 1) > sizeof(arr)))
{
if (arr[0] == '\0')
{
strcpy(&arr, str.Buffer);
}
else
{
strcat(&arr, str.Buffer);
}
count += str.Length;
}
}

RtlFreeAnsiString(&str);
ExFreePool(newLine.Buffer);

crash dump

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: b4beb000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 82c77c07, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

*** WARNING: Unable to verify timestamp for FsFilter.sys

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 7601.18247.x86fre.win7sp1_gdr.130828-1532

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: OptiPlex 760

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: A16

BIOS_DATE: 08/06/2013

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 0R230R

BASEBOARD_VERSION: A00

DUMP_TYPE: 2

BUGCHECK_P1: ffffffffb4beb000

BUGCHECK_P2: 0

BUGCHECK_P3: ffffffff82c77c07

BUGCHECK_P4: 0

READ_ADDRESS: GetPointerFromAddress: unable to read from 82b7a84c
Unable to get MmSystemRangeStart
b4beb000

FAULTING_IP:
nt!RtlUnicodeToMultiByteN+da
82c77c07 0fb75818 movzx ebx,word ptr [eax+18h]

MM_INTERNAL_CODE: 0

CPU_COUNT: 4

CPU_MHZ: a64

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: a

CPU_MICROCODE: 6,17,a,0 (F,M,S,R) SIG: A0B'00000000 (cache) A0B'00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP

BUGCHECK_STR: 0x50

PROCESS_NAME: ekrn.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: MAMOONAHMED-PC

ANALYSIS_SESSION_TIME: 03-11-2016 01:37:46.0748

ANALYSIS_VERSION: 10.0.10586.567 x86fre

TRAP_FRAME: b04336b4 -- (.trap 0xffffffffb04336b4)
ErrCode = 00000000
eax=b4beafe8 ebx=0000ba3f ecx=c91214a0 edx=00005b60 esi=88400222 edi=00000010
eip=82c77c07 esp=b0433728 ebp=b0433734 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!RtlUnicodeToMultiByteN+0xda:
82c77c07 0fb75818 movzx ebx,word ptr [eax+18h] ds:0023:b4beb000=????
Resetting default scope

LAST_CONTROL_TRANSFER: from 82a51aa8 to 82a9e879

STACK_TEXT:
b043369c 82a51aa8 00000000 b4beb000 00000000 nt!MmAccessFault+0x104
b043369c 82c77c07 00000000 b4beb000 00000000 nt!KiTrap0E+0xdc
b0433734 82c7818f c911f000 00007fff b0433790 nt!RtlUnicodeToMultiByteN+0xda
b0433784 bb2804c0 b04337a8 00007fff 00000001 nt!RtlUnicodeStringToAnsiString+0xa4
b04337f8 82d426c3 b4b0b3c0 bd214e00 b4e62118 FsFilter!FsFilterDispatchCreate+0x170 [c:\users\mamoon ahmed\desktop\fsfilter\fsfilter\irpdispatch.c @ 102]
b043381c 82a47bd5 00000000 bd214e00 b4b0b3c0 nt!IovCallDriver+0x258
b0433830 82c3bbf9 bd214e00 bd214fd8 b4e62118 nt!IofCallDriver+0x1b
b0433850 82c74655 b4b0b3c0 b4e62118 00000001 nt!IopSynchronousServiceTail+0x1f8
b0433988 82a89170 b4e62118 82c56556 86e01ca0 nt!NtReadFile+0x644
b0433990 82c56556 86e01ca0 905bdd48 00000d50 nt!ObfDereferenceObject+0xd
b04339d0 82c5627c 86e01ca0 b16b0aa0 853f87e0 nt!ObpCloseHandleTableEntry+0x21d
b0433a00 82c56616 853f87e0 00000000 b0433aa4 nt!ObpCloseHandle+0x7f
b0433a1c 82a4e8c6 80000d50 b0433c28 82a4c1f9 nt!NtClose+0x4e
b0433a1c 82a4c1f9 80000d50 b0433c28 82a4c1f9 nt!KiSystemServicePostCall
b0433a98 85efc3aa 85eef34a c3ad38c4 95ee7c98 nt!ZwClose+0x11
WARNING: Stack unwind information not available. Following frames may be wrong.
b0433c28 82c3ea08 8fa3b660 00000001 0a66ced0 eamonm+0x263aa
b0433cd0 82c85779 8b95c030 00000000 00000000 nt!IopXxxControlFile+0x2d0
b0433d04 82a4e8c6 0000025c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b0433d04 779870f4 0000025c 00000000 00000000 nt!KiSystemServicePostCall
0a66cf2c 00000000 00000000 00000000 00000000 0x779870f4

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 20b127413312e6792307d811829a70f807da7154

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 9c9cff97438645180fe968cce6e7b59b18d55c92

THREAD_SHA1_HASH_MOD: 1fafde03abbd34f13dd2cbe27f457f37fe283ebd

FOLLOWUP_IP:
FsFilter!FsFilterDispatchCreate+170 [c:\users\mamoon ahmed\desktop\fsfilter\fsfilter\irpdispatch.c @ 102]
bb2804c0 ?? ???

FAULTING_SOURCE_LINE: c:\users\mamoon ahmed\desktop\fsfilter\fsfilter\irpdispatch.c

FAULTING_SOURCE_FILE: c:\users\mamoon ahmed\desktop\fsfilter\fsfilter\irpdispatch.c

FAULTING_SOURCE_LINE_NUMBER: 102

FAULTING_SOURCE_CODE:
98: RtlInitUnicodeString(&n, L"\n");
99: RtlAppendUnicodeStringToString(&newLine, &n);
100: STRING str;
101:

102: status = RtlUnicodeStringToAnsiString(&str, &newLine,TRUE);
103: if (status == STATUS_SUCCESS)
104: {
105: if (!((count + str.Length + 1) > sizeof(arr)))
106: {
107: if (arr[0] == '\0')

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: FsFilter!FsFilterDispatchCreate+170

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: FsFilter

IMAGE_NAME: FsFilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 56e1d9c7

FAILURE_BUCKET_ID: 0x50_VRF_FsFilter!FsFilterDispatchCreate+170

BUCKET_ID: 0x50_VRF_FsFilter!FsFilterDispatchCreate+170

PRIMARY_PROBLEM_CLASS: 0x50_VRF_FsFilter!FsFilterDispatchCreate+170

TARGET_TIME: 2016-03-10T20:32:50.000Z

OSBUILD: 7601

OSSERVICEPACK: 1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x86

OSNAME: Windows 7

OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2013-08-29 05:58:30

BUILDDATESTAMP_STR: 130828-1532

BUILDLAB_STR: win7sp1_gdr

BUILDOSVER_STR: 6.1.7601.18247.x86fre.win7sp1_gdr.130828-1532

ANALYSIS_SESSION_ELAPSED_TIME: 1248

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x50_vrf_fsfilter!fsfilterdispatchcreate+170

FAILURE_ID_HASH: {b822c994-2d5d-ba80-7e5e-ce66def3330a}

Followup: MachineOwner

Mamoon_Ahmed · March 10, 2016, 3:58pm

Same driver works fine in Virtual Machine.

OSR_Community_User · March 10, 2016, 4:16pm

You’re not setting newLine.Length=0 before calling the first RtlAppendUnicodeStringToString. You could allocate the buffer first, then use RtlInitEmptyUnicodeString instead of setting the UNICODE_STRING fields manually which is error prone.

You should also check the return values of ExAllocatePool and RtlAppendUnicodeStringToString, and consider replacing the “+ 10” with exactly the size you need.

Tim_Roberts · March 10, 2016, 5:49pm

xxxxx@gmail.com wrote:

Code snippet
UNICODE_STRING newLine;
newLine.MaximumLength = pFileObject->FileName.Length + 10;
newLine.Buffer = ExAllocatePool(NonPagedPool, newLine.MaximumLength);
RtlZeroMemory(newLine.Buffer, newLine.MaximumLength);

You need
newLine.Length = 0;

You’re setting the maximum length, but you’re leaving the current length
as uninitialized memory.

Where did “arr” come from, and what it its type? Your code makes me
suspicious. If “arr” is defined as an array, then you don’t need the &
in your strcpy and strcat calls. If it is defined as a pointer, then
sizeof(arr) is not going to return what you expect.

And if you’re just going to copy the result, why not just set str.Buffer
to point to arr? Just let the Rtl call do the copy for you.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Gabriel_Bercea · March 11, 2016, 3:14am

The STRING str could point to some trash memory since it is not initialized
as well as newline string. Just initialize them to 0 that’s why it appears
to work on other machines . you could have debugged this yourself in the
memory dump by looking at those lengths and see if they make any sense with
the string that what supposed to be in there

Gabriel
On Mar 10, 2016 23:49, “Tim Roberts” wrote:

> xxxxx@gmail.com wrote:
> > Code snippet
> > UNICODE_STRING newLine;
> > newLine.MaximumLength = pFileObject->FileName.Length + 10;
> > newLine.Buffer = ExAllocatePool(NonPagedPool,
> newLine.MaximumLength);
> > RtlZeroMemory(newLine.Buffer, newLine.MaximumLength);
>
> You need
> newLine.Length = 0;
>
> You’re setting the maximum length, but you’re leaving the current length
> as uninitialized memory.
>
> Where did “arr” come from, and what it its type? Your code makes me
> suspicious. If “arr” is defined as an array, then you don’t need the &
> in your strcpy and strcat calls. If it is defined as a pointer, then
> sizeof(arr) is not going to return what you expect.
>
> And if you’re just going to copy the result, why not just set str.Buffer
> to point to arr? Just let the Rtl call do the copy for you.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
></http:>