Hello Guys. I have a few crash dumps where the BSOD is happening in our Section Sync Pre call. This is a pre-existing implementation where first we are calling FltQueryInformationFile() like so:
FltQueryInformationFile(FltObjects->Instance, FltObjects->FileObject, &fbi, sizeof(fbi), FileBasicInformation, NULL);
This works fine.
We then go onto create another FileObject on the same file using FltCreateFileEx (passing instance as NULL for some reason which will send the request to the top of the FS stack)
We pass the above obtained FileObject to a routine findFileLength which internally again calls FltQueryInformationFile() but this time with this fileobject and this leads to the crash.
!analyze -v output:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffe58c7bba8030, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80473769730, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
TRAP_FRAME: ffffce81cddce690 -- (.trap 0xffffce81cddce690)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffbe83be3c73f8
rdx=ffffbe83c071b1e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80473769730 rsp=ffffce81cddce820 rbp=ffffbe83be3c7010
r8=0000000000000005 r9=ffffe58c7bba7f80 r10=0000000000000000
r11=ffffce81cddce9b8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
Ntfs!NtfsInitializeIrpContextInternal+0x90:
fffff80473769730 4d39b1b0000000 cmp qword ptr [r9+0B0h],r14 ds:ffffe58c
7bba8030=????????????????
STACK_TEXT:
ffffce81cddce3e8 fffff804
6ee4b203 : 0000000000000050 ffffe58c
7bba8030 0000000000000000 ffffce81
cddce690 : nt!KeBugCheckEx
ffffce81cddce3f0 fffff804
6ec6e7b0 : ffffe58c7d6d8510 00000000
00000000 ffffce81cddce710 00000000
00000000 : nt!MiSystemFault+0x1b2813
ffffce81cddce4f0 fffff804
6ee0bad8 : 0000000000000000 ffffe58c
63bcd170 ffffbe83af467928 fffff804
6ec406cf : nt!MmAccessFault+0x400
ffffce81cddce690 fffff804
73769730 : ffffbe83b7bed6d0 fffff804
6ec20ceb ffffce81cddd0000 fffff804
6ec20ceb : nt!KiPageFault+0x358
ffffce81cddce820 fffff804
7384ce62 : ffffce81cddce9e0 00000000
00000008 0000000000000000 fffff804
6ec265c8 : Ntfs!NtfsInitializeIrpContextInternal+0x90
ffffce81cddce890 fffff804
7384cda0 : ffffce81cddce9e0 ffffbe83
be3c7010 ffffbe83be3c7010 ffffbe83
b1b8f068 : Ntfs!NtfsFsdDispatchSwitch+0xa2
ffffce81cddce9c0 fffff804
6ec11385 : 0000000000000000 ffffce81
cddced18 0000000000000000 00000000
00000000 : Ntfs!NtfsFsdDispatchWait+0x40
ffffce81cddcec60 fffff804
6c7f710f : ffffbe83af1d3010 ffffce81
cddced30 0000000000000000 fffff804
6c7f5f7a : nt!IofCallDriver+0x55
ffffce81cddceca0 fffff804
6c7f879d : ffffce81cddced30 ffffbe83
9c527a28 ffffbe83af1d30f8 ffffbe83
af1d30f8 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x28f
ffffce81cddced10 fffff804
6c8293eb : ffffbe83af1d3010 ffffbe83
c071b100 0000000000000005 00000000
00000000 : FLTMGR!FltPerformSynchronousIo+0x3dd
ffffce81cddcedc0 fffff804
76b3e1a7 : ffffbe839c527a20 ffffce81
cddcef70 ffffbe83c071b1e0 ffffce81
cddceed0 : FLTMGR!FltQueryInformationFile+0x7b
ffffce81cddcee00 fffff804
76b3bae6 : ffffbe83b26341f0 ffffce81
cddcef70 ffffbe83b2634268 ffffce81
cddcf078 : myminiflt!findFileLength+0xaf
ffffce81cddcee70 fffff804
6c7f64cc : 0000000000000000 00000000
00000000 0000000000000000 ffffbe83
b3c406e0 : myminiflt!PreAcquireForSectionSync+0x336
ffffce81cddcefe0 fffff804
6c7f2844 : 0000000000000000 00000000
000000ff ffffce81cddcf200 ffffce81
00000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c
ffffce81cddcf100 fffff804
6eca00a7 : ffffce81cddd0000 00000000
00000000 ffffce81cddc9000 ffffe58c
6f4e4050 : FLTMGR!FltpPreFsFilterOperation+0x184
ffffce81cddcf1b0 fffff804
6f080861 : fffff8046c7f8eb0 00000000
00000001 ffffe58c6f4e4050 fffff804
6c7f26c0 : nt!FsFilterPerformCallbacks+0xe7
ffffce81cddcf220 fffff804
6f0804cb : 0000000000000000 ffffbe83
b3c407c8 be83c071be30ffff 00000000
00120089 : nt!FsRtlAcquireFileExclusiveCommon+0x121
ffffce81cddcf510 fffff804
6f0803a7 : ffffbe839c572da0 fffff804
6ec9fa30 ffffbe83746c6644 ffffce81
cddcf600 : nt!FsRtlAcquireToCreateMappedSection+0x5b
ffffce81cddcf590 fffff804
6f0800ad : ffffce8100000000 ffffbe83
00000000 0000000000000000 00000000
00000000 : nt!MiCallCreateSectionFilters+0x37
ffffce81cddcf5d0 fffff804
6f07f894 : 0000000000000000 00000000
00000000 ffffbe83c071be60 00000000
00000000 : nt!MiCreateImageOrDataSection+0x13d
ffffce81cddcf6c0 fffff804
6f07f677 : 0000000008000000 ffffce81
cddcfa80 0000000000000001 00000000
00000002 : nt!MiCreateSection+0xf4
ffffce81cddcf840 fffff804
6f07f45c : 000000f8c5df9710 00000000
000f0005 000000f8c5df9728 ffffce81
cddcfa80 : nt!MiCreateSectionCommon+0x207
ffffce81cddcf920 fffff804
6ee0f7f5 : 0000000000001508 ffffbe83
b7bed080 000000f8c5df96c8 ffffce81
00000018 : nt!NtCreateSection+0x5c
ffffce81cddcf990 00007fff
a28cd9f4 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiSystemServiceCopyEnd+0x25
000000f8c5df96b8 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : 0x00007fff`a28cd9f4
My analysis lead me to finding that the crash is happening in NTFS trying to access FCB beyond it's size and the FCB addresses in FltObjects->FileObject and the FileObject created by us are different.
In the register dump above, r9 has the offending address which is the FCB address of the fileobject we created.
FCB for FltObjects->FileObject:
12: kd> dt _FSRTL_ADVANCED_FCB_HEADER 0xffffe58c63bcd170 FLTMGR!_FSRTL_ADVANCED_FCB_HEADER +0x000 NodeTypeCode : 0n1797 +0x002 NodeByteSize : 0n624 +0x004 Flags : 0x60 '
'
+0x005 IsFastIoPossible : 0x2 ''
+0x006 Flags2 : 0x2 ''
+0x007 Reserved : 0y0000
+0x007 Version : 0y0011
+0x008 Resource : 0xffffbe83af467960 _ERESOURCE +0x010 PagingIoResource : 0xffffbe83
af467a10 _ERESOURCE
+0x018 AllocationSize : _LARGE_INTEGER 0x71000
+0x020 FileSize : _LARGE_INTEGER 0x70580
+0x028 ValidDataLength : _LARGE_INTEGER 0x70580
+0x030 FastMutex : 0xffffbe83af467928 _FAST_MUTEX +0x038 FilterContexts : _LIST_ENTRY [ 0xffffbe83
b3a570a8 - 0xffffbe83b3a570a8 ] +0x048 PushLock : 0 +0x050 FileContextSupportPointer : 0xffffe58c
63bcd158 -> (null)
+0x058 Oplock : (null)
+0x058 ReservedForRemote : (null)
+0x060 ReservedContext : (null)
FCB for our created FileObject:
12: kd> dt _FSRTL_ADVANCED_FCB_HEADER 0xffffe58c7bba7f80 FLTMGR!_FSRTL_ADVANCED_FCB_HEADER +0x000 NodeTypeCode :0n25649 +0x002 NodeByteSize : 0n120 +0x004 Flags : 0x60 '
'
+0x005 IsFastIoPossible : 0x2 ''
+0x006 Flags2 : 0x2 ''
+0x007 Reserved : 0y0000
+0x007 Version : 0y0011
+0x008 Resource : 0xffffbe83af467960 _ERESOURCE +0x010 PagingIoResource : 0xffffbe83
af467a10 _ERESOURCE
+0x018 AllocationSize : _LARGE_INTEGER 0x71000
+0x020 FileSize : _LARGE_INTEGER 0x70580
+0x028 ValidDataLength : _LARGE_INTEGER 0x70580
+0x030 FastMutex : 0xffffbe83c18d7a80 _FAST_MUTEX +0x038 FilterContexts : _LIST_ENTRY [ 0xffffbe83
b1b8f028 - 0xffffbe83`b1b8f028 ]
+0x048 PushLock : 0
+0x050 FileContextSupportPointer : (null)
+0x058 Oplock : (null)
+0x058 ReservedForRemote : (null)
+0x060 ReservedContext : (null)
The NodeTypeCode value in Fcb for our fileobject is very peculiar which I couldn't find anywhere. It's node size is 120 and NTFS is trying to access well beyond it causing the crash.
Also this FCB's pooltag is 'BFpc' which looks like a tag used by bindflt.sys. The pool tag for FCB in FltObjects->FileObject is 'Ntff' which is from NTFS.sys which makes sense.
The filename in both fileobjects is the same and it's a local ntfs volume.
All this lead to me suspect bindflt.sys and I used bindlink to configure bindflt.sys with a virtual path mapped to a remote path to reproduce the issue. I hooked up windbg to the setup.
Only once did I see the FCBs differ but that time too there wasn't any crash in the above call stack. Rest of the time FCB addresses were exactly the same for both FltObjects->FileObject and our created FileObject.
II am stumped about what could be causing two different FCBs and what file system is NodeTypeCode :0n25649 representing and what's the exact reason for this BSOD.
Will appreciate any help
Thank you