system crash my driver's fault? how to identify?

Hi, I am writing an encryption file system filter driver that will write
headers in front of files.

So what I did for IRP_MJ_SET_INFORMATION to set EOF is add the header
size to the intended size.

Currently I have met with a system crash. The dump is attached below.

Based on the dump, it seems my driver is the cause, but all my driver
did was add the header size to the intended size and call IoCallDriver.

The system seems to have crashed because CcCopyRead hit an access violation.
I looked at the memory locations for each of the routines called after my
driver called IoCallDriver, and the only suspicious memory contents I can
find are related to CcCopyRead.

Starting from IoCallDriver, NtfsFsdSetInformation would have inputs of a
device object and an IRP, which are 80e7f108 and ffb5c468 respectively.

Then, although I do not have the source to NTFS, based on FAT I would guess
NtfsCommonSetInformation has two inputs, an IrpContext and an IRP, which
are ffbcc7a8 and ffb5c468 respectively.

Then NtfsSetEndOfFileInfo would have several inputs. From fb705a38 I see OK
values; at least any inputs fewer than 7 are OK.
fb705a38 fb705aa8 fc37bf8b ffbcc7a8 80cf5eb8
fb705a48 ffb5c468 e1030710 e18c7550 fc353301
fb705a58 00000000 fb705ad0 ffb5c468 00000001

Then NtfsPrepareToShrinkFileSize also seems OK from fb705954; at least it is
able to take in 8 inputs.
fb705954 fb705a38 fc3885b2 ffbcc7a8 80cf5eb8
fb705964 e1030710 00290000 00000000 ffbcc7a8
fb705974 e1030710 00000014 fb7059c4 8057e14e

But CcCopyRead, which I know has 6 inputs, seems not OK for the 5th and 6th
inputs, as the values are within the call stack, clashing with the inputs
for NtfsPrepareToShrinkFileSize.
fb705920 fb705954 fc38c488 ffb41aa0 fb705968
fb705930 00000001 00000001 fb705960 fb70594c
fb705940 00000000 e1030710 00290b26 ffbcc7a8
fb705950 ffbcc7a8 fb705a38 fc3885b2 ffbcc7a8
fb705960 80cf5eb8 e1030710 00290000 00000000

Am I debugging correctly? How do I debug the fault?

============================================================================

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001902fa
Arg2: fb7057dc
Arg3: fb7054dc
Arg4: 8058534d

Debugging Details:

EXCEPTION_RECORD:  fb7057dc -- (.exr fffffffffb7057dc)
ExceptionAddress: 8058534d (nt!CcCopyRead+0x00000047)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000002
Attempt to read from address 00000002

CONTEXT:  fb7054dc -- (.cxr fffffffffb7054dc)
eax=ffb41aa0 ebx=80d47a58 ecx=00000001 edx=80cc5aa0 esi=00000000 edi=00000000
eip=8058534d esp=fb7058a4 ebp=fb705920 iopl=0         nv up ei pl zr na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!CcCopyRead+47:
8058534d f6460202 test byte ptr [esi+0x2],0x2
Resetting default context

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x24

LAST_CONTROL_TRANSFER: from fc38c488 to 8058534d

STACK_TEXT:
fb705920 fc38c488 ffb41aa0 fb705968 00000001 nt!CcCopyRead+0x47
fb705954 fc3885b2 ffbcc7a8 80cf5eb8 e1030710 Ntfs!NtfsPrepareToShrinkFileSize+0xa1
fb705a38 fc37bf8b ffbcc7a8 80cf5eb8 ffb5c468 Ntfs!NtfsSetEndOfFileInfo+0x144
fb705aa8 fc35748e ffbcc7a8 ffb5c468 ffb5c5f0 Ntfs!NtfsCommonSetInformation+0x44a
fb705b10 804e8a36 80e7f108 ffb5c468 00290b26 Ntfs!NtfsFsdSetInformation+0xa3
fb705b20 fc4254dd ffb5c468 80e4f988 8053e7dc nt!IopfCallDriver+0x31
fb705c64 804e8a36 80e2cc08 ffb5c468 ffb5c5f8 myDriver!MySetInformation+0xe58
<========== my driver calls IoCallDriver here
fb705c74 fc3fe101 ffb5c5f8 80e4d240 ffb5c468 nt!IopfCallDriver+0x31
fb705c88 804e8a36 80e7fb88 e1b4c360 ffb5c478 sr!SrSetInformation+0x177
fb705c98 80571634 fb705d64 019ffaa8 8058e589 nt!IopfCallDriver+0x31
fb705d48 804d6140 000003d0 019ffab0 019ffac0 nt!NtSetInformationFile+0x53f
fb705d48 7ffe0304 000003d0 019ffab0 019ffac0 nt!KiSystemService+0xc4
019ffa88 77f7645b 77e6c67d 000003d0 019ffab0 SharedUserData!SystemCallStub+0x4
019ffa8c 77e6c67d 000003d0 019ffab0 019ffac0 ntdll!NtSetInformationFile+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
019ffad0 70abe497 000003d0 00000030 00000000 kernel32!SetEndOfFile+0x57
019ffafc 774f188f 0012dee8 0028fb26 00000000 SHLWAPI!Ordinal317+0xe1
019fff88 774a6b83 00000000 000b5d08 000b5d08 SHELL32!Ordinal7+0x3fe
019fffa0 774a7018 00000000 00000000 000b5d08 SHELL32!Ordinal146+0x1e7
019fffec 00000000 774a6fac 000b5d08 00000000 SHELL32!Ordinal53+0x388

FOLLOWUP_IP:
myDriver!MySetInformation+e58
fc4254dd 8945b0 mov [ebp-0x50],eax

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: myDriver!MySetInformation+e58

MODULE_NAME: myDriver

IMAGE_NAME: myDriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3e759ac4

STACK_COMMAND: .cxr fffffffffb7054dc ; kb

BUCKET_ID: 0x24_myDriver!MySetInformation+e58

Followup: MachineOwner

============================================================================

Ampsi
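Reconstructing the frames that kb prints from the raw stack words, as an added example that is not part of the original post. It takes the dd listings and the EBP value from the CONTEXT record quoted above as its only input, and reads the argument slots the way the post does by hand; the six-parameter order for CcCopyRead (FileObject, FileOffset, Length, Wait, Buffer, IoStatus) is the public prototype from ntifs.h. Nothing else is assumed.

```c
/*
 * Added example, not code from the original post: rebuild what WinDbg's "kb"
 * prints from the raw stack words in the post's dd output.
 *
 * On x86 with frame pointers, each frame's EBP points at
 *   [ebp]       the caller's EBP (the next frame up the chain)
 *   [ebp+4]     the return address into the caller
 *   [ebp+8...]  the argument slots the caller pushed for this routine
 * "kb" prints ChildEBP, RetAddr and the first three of those argument slots.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t addr; uint32_t value; } StackWord;

/* Stack memory copied from the dd listings in the post, one dword per entry. */
static const StackWord kStack[] = {
    /* dd fb705920 */
    {0xfb705920, 0xfb705954}, {0xfb705924, 0xfc38c488}, {0xfb705928, 0xffb41aa0}, {0xfb70592c, 0xfb705968},
    {0xfb705930, 0x00000001}, {0xfb705934, 0x00000001}, {0xfb705938, 0xfb705960}, {0xfb70593c, 0xfb70594c},
    {0xfb705940, 0x00000000}, {0xfb705944, 0xe1030710}, {0xfb705948, 0x00290b26}, {0xfb70594c, 0xffbcc7a8},
    {0xfb705950, 0xffbcc7a8}, {0xfb705954, 0xfb705a38}, {0xfb705958, 0xfc3885b2}, {0xfb70595c, 0xffbcc7a8},
    {0xfb705960, 0x80cf5eb8}, {0xfb705964, 0xe1030710}, {0xfb705968, 0x00290000}, {0xfb70596c, 0x00000000},
    /* tail of the dd fb705954 listing */
    {0xfb705970, 0xffbcc7a8}, {0xfb705974, 0xe1030710}, {0xfb705978, 0x00000014}, {0xfb70597c, 0xfb7059c4},
    {0xfb705980, 0x8057e14e},
    /* dd fb705a38 */
    {0xfb705a38, 0xfb705aa8}, {0xfb705a3c, 0xfc37bf8b}, {0xfb705a40, 0xffbcc7a8}, {0xfb705a44, 0x80cf5eb8},
    {0xfb705a48, 0xffb5c468}, {0xfb705a4c, 0xe1030710}, {0xfb705a50, 0xe18c7550}, {0xfb705a54, 0xfc353301},
    {0xfb705a58, 0x00000000}, {0xfb705a5c, 0xfb705ad0}, {0xfb705a60, 0xffb5c468}, {0xfb705a64, 0x00000001},
};

#define MAX_ARGS   6   /* CcCopyRead(FileObject, FileOffset, Length, Wait, Buffer, IoStatus) */
#define MAX_FRAMES 8

typedef struct {
    uint32_t child_ebp;        /* this frame's EBP ("ChildEBP" in kb) */
    uint32_t ret_addr;         /* return address into the caller ("RetAddr") */
    uint32_t args[MAX_ARGS];   /* argument slots [ebp+8], [ebp+12], ... */
    int      nargs;            /* how many of those slots the dump actually contains */
} Frame;

static Frame g_frames[MAX_FRAMES];
static int   g_nframes;

/* Dword at addr; returns 0 when the address is not in the dumped ranges. */
static int read_dword(uint32_t addr, uint32_t *out)
{
    for (size_t i = 0; i < sizeof kStack / sizeof kStack[0]; i++)
        if (kStack[i].addr == addr) { *out = kStack[i].value; return 1; }
    return 0;
}

/* 64-bit value at addr (a LARGE_INTEGER), or 0 if either half is missing. */
uint64_t qword_at(uint32_t addr)
{
    uint32_t lo, hi;
    if (!read_dword(addr, &lo) || !read_dword(addr + 4, &hi)) return 0;
    return ((uint64_t)hi << 32) | lo;
}

/* Follow the EBP chain starting at ebp; returns the number of frames recovered. */
int walk_frames(uint32_t ebp)
{
    g_nframes = 0;
    while (g_nframes < MAX_FRAMES) {
        uint32_t saved_ebp, ret;
        if (!read_dword(ebp, &saved_ebp) || !read_dword(ebp + 4, &ret))
            break;                               /* frame header not in the dump: stop */
        Frame *f = &g_frames[g_nframes++];
        f->child_ebp = ebp;
        f->ret_addr  = ret;
        f->nargs     = 0;
        for (int i = 0; i < MAX_ARGS; i++) {
            if (!read_dword(ebp + 8 + 4 * (uint32_t)i, &f->args[i])) break;
            f->nargs++;
        }
        if (saved_ebp <= ebp) break;             /* a real chain only moves to higher addresses */
        ebp = saved_ebp;
    }
    return g_nframes;
}

uint32_t frame_ebp(int i)        { return g_frames[i].child_ebp; }
uint32_t frame_ret(int i)        { return g_frames[i].ret_addr; }
uint32_t frame_arg(int i, int k) { return k < g_frames[i].nargs ? g_frames[i].args[k] : 0; }

/* Index i of the frame whose EBP starts the stretch of stack holding addr: that stretch
 * contains frame i's header and incoming arguments, then the locals of the routine in
 * frame i+1. Returns -1 when addr lies outside the recovered frames. */
int frame_containing(uint32_t addr)
{
    for (int i = 0; i + 1 < g_nframes; i++)
        if (addr >= g_frames[i].child_ebp && addr < g_frames[i + 1].child_ebp) return i;
    return -1;
}

int main(void)
{
    int n = walk_frames(0xfb705920);             /* ebp from the CONTEXT record */
    for (int i = 0; i < n; i++) {                /* same columns as kb: ChildEBP RetAddr Args */
        printf("%08x %08x", (unsigned)frame_ebp(i), (unsigned)frame_ret(i));
        for (int k = 0; k < 3; k++) printf(" %08x", (unsigned)frame_arg(i, k));
        printf("\n");
    }
    printf("CcCopyRead: FileObject=%08x FileOffset=%08x (*=%llx) Length=%u Wait=%u Buffer=%08x IoStatus=%08x\n",
           (unsigned)frame_arg(0, 0), (unsigned)frame_arg(0, 1),
           (unsigned long long)qword_at(frame_arg(0, 1)),
           (unsigned)frame_arg(0, 2), (unsigned)frame_arg(0, 3),
           (unsigned)frame_arg(0, 4), (unsigned)frame_arg(0, 5));
    return 0;
}
```

The three lines the walk prints are exactly the first three STACK_TEXT lines of the dump, so reading the argument slots from dd the way the post does is the same thing kb does; kb only shows three slots, so for CcCopyRead's six parameters the dd view (or `dds ebp+8` after the `.cxr fb7054dc` the dump recommends) is needed. Of those six, FileOffset (fb705968, holding the LARGE_INTEGER 0x290000), Buffer (fb705960) and IoStatus (fb70594c) point into the stack: `frame_containing` places IoStatus below NtfsPrepareToShrinkFileSize's EBP, among its locals, and FileOffset and Buffer above it, in its incoming argument slots. The faulting instruction in the CONTEXT record is `test byte ptr [esi+2],2` with esi=0, which is the "Attempt to read from address 00000002": a null pointer that CcCopyRead obtained while processing those inputs, not one of the six values themselves. Since CcCopyRead gets its cache map pointers from the file object, the next thing to inspect after `.cxr fb7054dc` is `dt nt!_FILE_OBJECT ffb41aa0`.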

Hi, could someone help me? I wish to know if I am looking at the dump
correctly.

Ampsi
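The size translation described at the top of the original post, as an added user-mode model; this is not the poster's driver code. It shows the decision a header-prepending filter has to make on IRP_MJ_SET_INFORMATION before calling down. Hypothetical assumptions: a fixed 4096-byte header, and the request passed as plain scalars instead of an IRP and IO_STACK_LOCATION so the block compiles outside the kernel. The FILE_INFORMATION_CLASS values, IRP_PAGING_IO and the NTSTATUS codes are the ones from ntifs.h and ntstatus.h.

```c
/*
 * Added example, not code from the original post or its driver: a user-mode
 * model of the header-size translation on IRP_MJ_SET_INFORMATION, with the
 * checks a filter should make before forwarding the request.
 *
 * Assumed for the example: HEADER_SIZE is 4096 bytes; the IRP and stack
 * location fields arrive as scalars rather than as kernel structures.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_SIZE                4096LL          /* assumed header size, hypothetical */

#define FileBasicInformation        4              /* FILE_INFORMATION_CLASS, ntifs.h */
#define FileAllocationInformation  19
#define FileEndOfFileInformation   20

#define IRP_PAGING_IO              0x00000002u     /* Irp->Flags bit, ntddk.h */
#define STATUS_SUCCESS             0x00000000u
#define STATUS_INVALID_PARAMETER   0xC000000Du

typedef struct {
    uint32_t status;      /* NTSTATUS to complete with if nonzero (request is not forwarded) */
    int64_t  size;        /* size to hand to the file system; unchanged when not translated */
    bool     translated;  /* true when the header size was added */
} SetInfoResult;

/*
 * Decide what to do with a set-information request before IoCallDriver.
 *   info_class    Parameters.SetFile.FileInformationClass
 *   advance_only  Parameters.SetFile.AdvanceOnly
 *   irp_flags     Irp->Flags
 *   requested     the LARGE_INTEGER in the caller's buffer (EndOfFile or AllocationSize)
 */
SetInfoResult filter_set_info(int info_class, bool advance_only, uint32_t irp_flags, int64_t requested)
{
    SetInfoResult r = { STATUS_SUCCESS, requested, false };

    /* Only the two size-changing classes carry a size to translate. */
    if (info_class != FileEndOfFileInformation && info_class != FileAllocationInformation)
        return r;

    /* The lazy writer's AdvanceOnly requests and paging I/O carry sizes the file
     * system itself reported, which in this design already include the header;
     * adding it a second time double-counts the header. Forward them untouched. */
    if (advance_only || (irp_flags & IRP_PAGING_IO))
        return r;

    /* The requested size is caller-controlled: refuse instead of wrapping past
     * INT64_MAX or letting a negative value through. */
    if (requested < 0 || requested > INT64_MAX - HEADER_SIZE) {
        r.status = STATUS_INVALID_PARAMETER;
        return r;
    }

    r.size = requested + HEADER_SIZE;
    r.translated = true;
    return r;
}

/* Inverse mapping for IRP_MJ_QUERY_INFORMATION: strip the header from the size the
 * file system reports. Returns -1 for a file too short to hold the header, which the
 * filter should treat as "not one of ours" rather than produce a negative size. */
int64_t visible_size(int64_t fsd_size)
{
    if (fsd_size < HEADER_SIZE)
        return -1;
    return fsd_size - HEADER_SIZE;
}

int main(void)
{
    SetInfoResult r;

    r = filter_set_info(FileEndOfFileInformation, false, 0, 0x28fb26);
    printf("user EOF 0x28fb26 -> FSD EOF 0x%llx, status 0x%08x\n", (long long)r.size, (unsigned)r.status);

    r = filter_set_info(FileEndOfFileInformation, true, IRP_PAGING_IO, 0x290b26);
    printf("lazy-writer EOF 0x290b26 -> 0x%llx, translated=%d\n", (long long)r.size, (int)r.translated);

    r = filter_set_info(FileEndOfFileInformation, false, 0, INT64_MAX);
    printf("EOF INT64_MAX -> status 0x%08x\n", (unsigned)r.status);

    printf("FSD size 0x290b26 -> visible 0x%llx\n", (long long)visible_size(0x290b26));
    return 0;
}
```

The three branches are the checks a filter in this position needs and that a bare "add the header size and call IoCallDriver" skips: only FileEndOfFileInformation and FileAllocationInformation carry a size at all; a request with AdvanceOnly set, or marked paging I/O, originates from the cache manager with the file system's own size and must not be translated again; and the addition is range-checked because the size comes from user mode. `visible_size` is the matching inverse for query-information, so the two directions stay consistent and a file shorter than the header is reported as foreign rather than as a negative length.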

----- Original Message -----
From: "Ampsi"
To: "File Systems Developers"
Sent: Monday, March 17, 2003 19:42
Subject: [ntfsd] system crash my driver's fault? how to identify?

