Are you opening the file for non-cached I/O? Have you set an access
breakpoint on the byte immediately following the end of your buffer so
you can find when it is overwritten? Is the buffer being overwritten
the same that you allocated originally?
If this is the same buffer that you allocated, then there is a memory
overwrite. It must not be very large since you aren’t running past the
end of page (ergo, the overwrite < 8 bytes.) You seem to believe it is
in the ZwReadFile. If you stop in the debugger just before the call and
look at your buffer and then look at the buffer after it returns, do you
see the corruption at the end of the buffer? If not, then you're looking
in the other place. An access breakpoint will at least stop at the
point of the corruption.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Xiong Weiwei
Sent: Saturday, May 13, 2006 10:25 PM
To: ntfsd redirect
Subject: Re: [ntfsd] Two questions
Do you mean read size parameter of ZwReadFile or the file size?
I set the read length the same size as the size of the read buffer,
read once and then free the buffer, with code below:
/*::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::*/
readNameBuffer = ExAllocatePoolWithTag( NonPagedPool,
                                        AR_PATH_MAX_SIZE,
                                        AR_POOL_TAG );
if ( NULL == readNameBuffer )
{
    //
    // Allocation must have failed.
    //
    ZwClose( fileHandle );
    return STATUS_INSUFFICIENT_RESOURCES;
}

//
// Read from offset 0; the Length passed is the same AR_PATH_MAX_SIZE
// that was allocated above.
//
byteOffset.QuadPart = 0;
status = ZwReadFile( fileHandle,
                     NULL,
                     NULL,
                     NULL,
                     &iosb,
                     readNameBuffer,
                     AR_PATH_MAX_SIZE,
                     &byteOffset,
                     NULL );
…
ExFreePoolWithTag( readNameBuffer, AR_POOL_TAG );
ZwClose( fileHandle );
/*::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::*/
Thanks!
On 5/14/06, Maxim S. Shatskih wrote:
Your read size is > allocated buffer size. This is the first
possibility.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Xiong Weiwei”
To: “Windows File Systems Devs Interest List” < xxxxx@lists.osr.com>
Sent: Saturday, May 13, 2006 10:37 PM
Subject: [ntfsd] Two questions
Hi all
I have two questions to ask you nice guys for help:
1. I use ExAllocatePoolWithTag to allocate a buffer, which is then used as
the parameter of ZwReadFile. After reading the content of the file
successfully, I use ExFreePool to free the memory pool. However,
verifier.exe gave me a blue screen, and WinDbg showed me the messages below:

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption. Typically the current thread's
stack backtrace will reveal the guilty party.
Arguments:
Arg1: 83322fd8, address trying to free
Arg2: 83322ffc, address where bits are corrupted
Arg3: 00154024, (reserved)
Arg4: 00000024, caller is freeing an address where bytes after the end of
the allocation have been overwritten

How did the problem come about? Does it mean that the buffer should not be
freed?

2. I called IoCreateFileSpecifyDeviceObjectHint in the context of an
IRP_MJ_CREATE operation. How should I deal with the FILE_COMPLETE_IF_OPLOCKED
flag set in the IRP? I asked this question several days ago and Tony Mason
replied that this flag should also be set while calling
IoCreateFileSpecifyDeviceObjectHint. Is this all that I need to do?
Thanks all
—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
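The following is an added example, not code from the thread or from OSR. It is a user-mode C model of the special-pool check behind the c1 bugcheck above: guarded_alloc places a fill pattern immediately after the requested bytes, and guarded_free reports the offset of the first byte of that pattern that changed, which is what Arg2 minus Arg1 in the dump encodes (0x83322ffc - 0x83322fd8 = 0x24 = 36). fake_read stands in for ZwReadFile and, like it, writes up to whatever Length the caller passes. The three cases cover Maxim's first possibility (Length larger than the allocation), a clean read, and Tony's suggestion of inspecting the buffer right after the call to tell a read overrun from a later writer. All names, the 36-byte size and the off-by-one terminator in the third case are hypothetical constructions for illustration, not a claim about the poster's driver.

```c
/* Added example (hypothetical names): a user-mode model of the special-pool
 * guard that produced the c1 bugcheck. Not code from the thread or OSR. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTES 64      /* slop after the allocation, like the page tail in special pool */
#define GUARD_FILL  0xFE    /* fill pattern; any changed byte means an overrun */

typedef struct {
    unsigned char *base;    /* start of the caller-visible buffer */
    size_t size;            /* requested size */
} guarded_buf;

/* Allocate size bytes and fill the GUARD_BYTES after them with the pattern. */
static guarded_buf guarded_alloc(size_t size)
{
    guarded_buf b;
    b.size = size;
    b.base = (unsigned char *)malloc(size + GUARD_BYTES);
    if (b.base != NULL)
        memset(b.base + size, GUARD_FILL, GUARD_BYTES);
    return b;
}

/* -1 if the guard is intact, else the offset from the buffer start of the
 * first overwritten byte (the analogue of Arg2 - Arg1 in the dump). */
static long guard_check(const guarded_buf *b)
{
    size_t i;
    for (i = 0; i < GUARD_BYTES; i++)
        if (b->base[b->size + i] != GUARD_FILL)
            return (long)(b->size + i);
    return -1;
}

/* Free and report the guard state at free time, as special pool does. */
static long guarded_free(guarded_buf *b)
{
    long bad = guard_check(b);
    free(b->base);
    b->base = NULL;
    return bad;
}

/* Stand-in for ZwReadFile over a constructed 64-byte "file": copies
 * min(len, file size) bytes into buf, trusting the caller's len. */
static size_t fake_read(unsigned char *buf, size_t len)
{
    unsigned char file[64];
    size_t i, n;
    for (i = 0; i < sizeof file; i++)
        file[i] = (unsigned char)('A' + i % 26);
    n = len < sizeof file ? len : sizeof file;
    memcpy(buf, file, n);
    return n;
}

/* Maxim's first possibility: Length larger than the allocation. */
static long case_length_too_large(void)
{
    guarded_buf b = guarded_alloc(36);
    if (b.base == NULL) return -2;
    fake_read(b.base, 40);          /* 4 bytes land past the end */
    return guarded_free(&b);        /* reports offset 36 */
}

/* Length equal to the allocation and nothing else touches the buffer. */
static long case_clean(void)
{
    guarded_buf b = guarded_alloc(36);
    if (b.base == NULL) return -2;
    fake_read(b.base, b.size);
    return guarded_free(&b);        /* reports -1, guard intact */
}

/* Tony's point: look at the buffer right after the read. Here the read is
 * innocent; a hypothetical later off-by-one (a NUL terminator stored at
 * buf[size] after a full read) is what the free detects. */
static long case_later_writer(long *after_read)
{
    guarded_buf b = guarded_alloc(36);
    size_t n;
    if (b.base == NULL) return -2;
    n = fake_read(b.base, b.size);
    *after_read = guard_check(&b);  /* -1: the read stayed in bounds */
    b.base[n] = '\0';               /* n == size: one byte past the end */
    return guarded_free(&b);        /* reports offset 36 */
}

static long later_writer_after_read(void) { long a = -2; case_later_writer(&a); return a; }
static long later_writer_at_free(void)    { long a = -2; return case_later_writer(&a); }

int main(void)
{
    printf("Length too large: corrupt at offset %ld\n", case_length_too_large());
    printf("Clean:            %ld\n", case_clean());
    printf("Later writer:     after read %ld, at free %ld\n",
           later_writer_after_read(), later_writer_at_free());
    return 0;
}
```

The third case is the diagnostic Tony describes: if the guard is still intact immediately after the read returns but corrupt at free time, the read is not the culprit and an access breakpoint on the first guard byte will stop on the real writer.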