USBCCID BSOD

Hi,

I am doing a CCID implementation within an embedded device. I am running into a BSOD
on XP (SP3) when sending back the ATR from the card.
Can anybody help me with what can go wrong here?
Thanks,

BugCheck 50, {aef3c000, 0, b03732f1, 0}

*** ERROR: Module load completed but symbols could not be loaded for USBlyzer.sys
Probably caused by : usbccid.sys ( usbccid!UsbScReadWrite+f9 )

Followup: MachineOwner

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: aef3c000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b03732f1, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

READ_ADDRESS: aef3c000

FAULTING_IP:
usbccid!UsbScReadWrite+f9
b03732f1 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

IMAGE_NAME: usbccid.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 448ff89b

MODULE_NAME: usbccid

FAULTING_MODULE: b0372000 usbccid

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: scardsvr.exe

TRAP_FRAME: aef3b920 - (.trap 0xffffffffaef3b920)
ErrCode = 00000000
eax=0f000000 ebx=aef3ba28 ecx=03bffe8d edx=a6380001 esi=aef3bffe edi=8903186c
eip=b03732f1 esp=aef3b994 ebp=aef3b9d4 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
usbccid!UsbScReadWrite+0xf9:
b03732f1 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 805241e0 to 80533846

STACK_TEXT:
aef3b8bc 805241e0 00000050 aef3c000 00000000 nt!KeBugCheckEx+0x1b
aef3b908 804e172b 00000000 aef3c000 00000000 nt!MmAccessFault+0x6f5
aef3b908 b03732f1 00000000 aef3c000 00000000 nt!KiTrap0E+0xcc
aef3b9d4 b0373c11 88de18d0 aef3ba14 aef3ba28 usbccid!UsbScReadWrite+0xf9
aef3ba90 afc850f2 88de18d0 8910a2e8 88de18d0 usbccid!UsbScCardPower+0x17b
aef3baac afc84651 88de18d0 8910a2e8 89824700 SMCLIB!SmartcardDeviceIoControl+0x7ee
aef3bbd8 b037685a 00000003 0110a2e8 00000038 SMCLIB!SmartcardDeviceControl+0x123
aef3bc18 b8e9b682 88de1810 8910a2e8 89232e38 usbccid!ScUtil_DeviceIOControl+0xa0
WARNING: Stack unwind information not available. Following frames may be wrong.
aef3bc34 804e3807 88de1810 88c9ea90 806f02d0 USBlyzer+0x1682
aef3bc44 80567f71 8910a40c 89232e38 8910a2e8 nt!IopfCallDriver+0x31
aef3bc58 8057ac7f 88de1810 8910a2e8 89232e38 nt!IopSynchronousServiceTail+0x70
aef3bd00 805883d4 00000158 000000d8 00000000 nt!IopXxxControlFile+0x611
aef3bd34 804de7ec 00000158 000000d8 00000000 nt!NtDeviceIoControlFile+0x2a
aef3bd34 7c90e514 00000158 000000d8 00000000 nt!KiFastCallEntry+0xf8
006efe08 00000000 00000000 00000000 00000000 0x7c90e514

STACK_COMMAND: kb

FOLLOWUP_IP:
usbccid!UsbScReadWrite+f9
b03732f1 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: usbccid!UsbScReadWrite+f9

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_usbccid!UsbScReadWrite+f9

BUCKET_ID: 0x50_usbccid!UsbScReadWrite+f9

Followup: MachineOwner

The ATR is btw:
3b 6d 00 00 80 31 80 65 b0 83 11 40 c8 83 00 90 00

The size (in register ecx=03bffe8d) of the memory copy at the faulting
address looks vastly wrong. The failure is occurring as it tries to read
from the source (esi=aef3bffe) at the beginning of a page boundary. It also
seems a bit odd that it's doing 4-byte moves to an address that looks only
2-byte aligned. You should check the parameters to the ioctl and the
buffers passed.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-427180-xxxxx@lists.osr.com] On Behalf Of xxxxx@chello.hu
Sent: Thursday, October 07, 2010 10:52 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] USBCCID BSOD

Hi,

I am doing a CCID implementation within an embedded device. I am running
into a BSOD on XP (SP3) when sending back the ATR from the card.
Can anybody help me with what can go wrong here?
Thanks,

usbccid.sys is a MS inbox driver, so Tibor has no control over the IOCTL parameters.

If I remember correctly, usbccid.sys issues a PC_to_RDR_IccPowerOn request once it detects the card has been plugged into the reader slot. Is this the point at which the BSOD occurs?

If so, then I’m guessing that your response data block in RDR_to_PC_DataBlock is tripping up some sloppy code in usbccid.sys and causing a BSOD. It would be instructive to see the contents of this block, to check its correctness. Do you have a USB analyzer to capture this command/response pair?

Yes, the IccPowerOn hits my device; I wake the card up and send the ATR back. After sending it
back the BSOD hits the screen, so no more requests come from the CCID.

Well, I have a USB analyzer and will try to hook it up with another laptop to the PC, as,
because of the BSOD, I can't trace the traffic.

Are you sending this ATR back in a correctly formatted RDR_to_PC_DataBlock? I suspect if this is not correctly formatted this could BSOD the driver.

Nick Clarke
www.redsoftsys.com

Yeah, I can’t think of anything else, will check the URB

xxxxx@chello.hu wrote:

I am doing a CCID implementation within an embedded device. I am running into a BSOD
on XP (SP3) when sending back the ATR from the card.
Can anybody help me with what can go wrong here?

The crash is doing a memcpy with a HUGE byte count (64 megabytes). My
guess, off the top of my head, is that you have a buffer size specified
incorrectly in some spot. Is there some descriptor in a CCID card that
includes the length? Is it possible you have an endian-mismatch in the
length?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
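To make Tim's hypothesis concrete, here is an added example (not code from the thread, from the poster's firmware, or from usbccid.sys). It builds the RDR_to_PC_DataBlock that carries the ATR quoted above, once with dwLength encoded little-endian as CCID specifies and once with the bytes reversed, and then runs a host-side parser over both. The parser shows the check a driver must make before copying device-supplied data: the device's dwLength is untrusted and is only honoured if it does not exceed what actually arrived on the bulk-IN pipe and fits the destination buffer. Function names (ccid_build_datablock, ccid_parse_datablock) and the bStatus/bError values are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CCID_HDR_LEN        10
#define RDR_TO_PC_DATABLOCK 0x80

/* ATR quoted in the thread (17 bytes). */
static const uint8_t kAtr[] = {
    0x3b, 0x6d, 0x00, 0x00, 0x80, 0x31, 0x80, 0x65, 0xb0,
    0x83, 0x11, 0x40, 0xc8, 0x83, 0x00, 0x90, 0x00 };
#define ATR_LEN ((uint32_t)sizeof kAtr)

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Device side: RDR_to_PC_DataBlock = 10-byte header + abData.
 * Byte 0 bMessageType, 1..4 dwLength (little-endian), 5 bSlot, 6 bSeq,
 * 7 bStatus, 8 bError, 9 bChainParameter. With big_endian_bug != 0 the
 * length is written most-significant byte first, the kind of mistake the
 * thread ended up diagnosing. Returns bytes written, 0 if out is too small. */
size_t ccid_build_datablock(uint8_t *out, size_t cap, uint8_t slot, uint8_t seq,
                            const uint8_t *data, uint32_t len, int big_endian_bug)
{
    if (cap < CCID_HDR_LEN + (size_t)len) return 0;
    out[0] = RDR_TO_PC_DATABLOCK;
    if (big_endian_bug) {
        out[1] = (uint8_t)(len >> 24); out[2] = (uint8_t)(len >> 16);
        out[3] = (uint8_t)(len >> 8);  out[4] = (uint8_t)len;
    } else {
        put_le32(&out[1], len);
    }
    out[5] = slot;
    out[6] = seq;
    out[7] = 0x00;  /* bStatus: bmICCStatus=0 (card present, active), bmCommandStatus=0 */
    out[8] = 0x00;  /* bError: none */
    out[9] = 0x00;  /* bChainParameter: whole response in this message */
    memcpy(&out[CCID_HDR_LEN], data, len);
    return CCID_HDR_LEN + len;
}

/* Host side: the check a driver must make before copying device data.
 * dwLength comes from the untrusted device; it is accepted only if it does
 * not exceed what actually arrived and fits dst. Returns the payload length
 * copied, or -1 (the raw dwLength is still reported through *claimed). */
int ccid_parse_datablock(const uint8_t *msg, size_t received,
                         uint8_t *dst, size_t dst_cap, uint32_t *claimed)
{
    if (received < CCID_HDR_LEN || msg[0] != RDR_TO_PC_DATABLOCK) return -1;
    uint32_t dwLength = get_le32(&msg[1]);
    if (claimed) *claimed = dwLength;
    if (dwLength > received - CCID_HDR_LEN) return -1;  /* claims more than was sent */
    if (dwLength > dst_cap) return -1;                  /* would overrun the caller's buffer */
    if (dwLength) memcpy(dst, &msg[CCID_HDR_LEN], dwLength);
    return (int)dwLength;
}

int main(void)
{
    uint8_t msg[64], atr[32];
    uint32_t claimed;
    size_t n = ccid_build_datablock(msg, sizeof msg, 0, 1, kAtr, ATR_LEN, 0);
    int got = ccid_parse_datablock(msg, n, atr, sizeof atr, &claimed);
    printf("correct header:      dwLength=%u, copied=%d\n", claimed, got);
    n = ccid_build_datablock(msg, sizeof msg, 0, 1, kAtr, ATR_LEN, 1);
    got = ccid_parse_datablock(msg, n, atr, sizeof atr, &claimed);
    printf("byte-swapped header: dwLength=0x%08x (%u MiB), copied=%d\n",
           claimed, claimed >> 20, got);
    return 0;
}
```

A 17-byte ATR with its length byte-swapped is announced as 0x11000000 bytes; a driver that takes that number straight into a memcpy walks off the end of the real buffer, which is the shape of the rep movsd fault in the dump. The parser above refuses the block instead, and the same two comparisons (against bytes received and against destination capacity) belong in any host-side CCID or smart-card stack that consumes device-controlled lengths.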

Hi Tim,

Bingo, it was an endianness issue.
Thanks!

Another issue, with PC_TO_RDR_SETDATARATEANDCLOCKFREQUENCY.
I get the following URB from CCID:

73 08 00 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00

This indicates that the desired (what CCID wishes to set) clock frequency and data rate
are 0/0. How come? According to the specs there are no "default" values for this CCID
command. Why does CCID set the rates to zero?

And does anybody know what CCID checks when receiving the response to
73? (I am sending back the default values of the hw,
84 08 00 00 00 00 0C 00 00 00 FC 0D 00 00 80 25 00 00, and it is not accepted by CCID.)

Hi Tibor

I’m assuming that usbccid.sys is using PC_to_RDR_SetDataRateAndClockFrequency to retrieve the Active Data rate and clock frequency, as detailed in the CCID spec section 6.1.14, when automatic features are activated and multiple clocks are supported by the reader. This would explain why the values are set to 0.

I checked an old firmware implementation of ours and we just returned bmCommandStatus = 1 and bError = 0, indicating that we do not support this command. usbccid.sys was happy with this.

Looking at your response above, it looks like you are sending dwClockFrequency = 3580kHz, dwDataRate = 9600bps. Everything else looks ok, so I presume that it is these numbers that are causing the problem with usbccid.sys.

Nick Clarke
www.redsoftsys.com
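The exchange Tibor and Nick are discussing, as an added example (not code from the thread or from either poster's firmware). It decodes the 0x73 command and the 0x84 reply quoted above, confirming Nick's reading of 3580 kHz / 9600 bps, and shows a device-side handler that follows his two suggestions: a 0/0 request is answered with the reader's active values, and anything else on this single-clock reader is refused with bmCommandStatus = 1 (bits 7..6 of bStatus, so 0x40) and bError = 0. The active values, the function names, and the choice to send a header-only reply with dwLength = 0 on failure are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CCID_HDR_LEN 10
#define PC_TO_RDR_SETDATARATEANDCLOCKFREQUENCY 0x73
#define RDR_TO_PC_DATARATEANDCLOCKFREQUENCY    0x84
#define CCID_STATUS_CMD_FAILED     0x40  /* bmCommandStatus=1 in bStatus bits 7..6 */
#define CCID_ERR_CMD_NOT_SUPPORTED 0x00  /* bError value for "command not supported" */

/* Command and reply quoted in the thread, as byte arrays. */
static const uint8_t kCmdFromHost[18] = {
    0x73, 0x08, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t kRspFromDevice[18] = {
    0x84, 0x08, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
    0xFC, 0x0D, 0x00, 0x00, 0x80, 0x25, 0x00, 0x00 };

/* Assumed active settings of this example's single-clock reader
 * (chosen to match the numbers decoded from the thread's reply). */
#define ACTIVE_CLOCK_KHZ 3580u
#define ACTIVE_DATA_RATE 9600u

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct ccid_rate {
    uint8_t  slot, seq, status, error;
    uint32_t clock_khz, data_rate;
};

/* Parse the 18-byte PC_to_RDR_SetDataRateAndClockFrequency. 0 ok, -1 malformed. */
int ccid_parse_set_rate(const uint8_t *msg, size_t n, struct ccid_rate *r)
{
    if (n < 18 || msg[0] != PC_TO_RDR_SETDATARATEANDCLOCKFREQUENCY) return -1;
    if (get_le32(&msg[1]) != 8) return -1;          /* dwLength must be 8 */
    r->slot = msg[5]; r->seq = msg[6]; r->status = 0; r->error = 0;
    r->clock_khz = get_le32(&msg[10]);
    r->data_rate = get_le32(&msg[14]);
    return 0;
}

/* Parse the RDR_to_PC_DataRateAndClockFrequency reply (what a host does with it). */
int ccid_parse_rate_response(const uint8_t *msg, size_t n, struct ccid_rate *r)
{
    if (n < CCID_HDR_LEN || msg[0] != RDR_TO_PC_DATARATEANDCLOCKFREQUENCY) return -1;
    uint32_t len = get_le32(&msg[1]);
    r->slot = msg[5]; r->seq = msg[6]; r->status = msg[7]; r->error = msg[8];
    r->clock_khz = r->data_rate = 0;
    if (len == 8 && n >= 18) {
        r->clock_khz = get_le32(&msg[10]);
        r->data_rate = get_le32(&msg[14]);
    }
    return 0;
}

/* Device side: answer a 0x73. Returns bytes written to out, 0 if the
 * command is malformed or out is too small. */
size_t ccid_handle_set_rate(const uint8_t *cmd, size_t n, uint8_t *out, size_t cap)
{
    struct ccid_rate req;
    if (cap < 18 || ccid_parse_set_rate(cmd, n, &req) != 0) return 0;
    out[0] = RDR_TO_PC_DATARATEANDCLOCKFREQUENCY;
    out[5] = req.slot;
    out[6] = req.seq;     /* bSeq must echo the command */
    out[9] = 0x00;        /* bRFU */
    int is_query  = (req.clock_khz == 0 && req.data_rate == 0);
    int is_active = (req.clock_khz == ACTIVE_CLOCK_KHZ && req.data_rate == ACTIVE_DATA_RATE);
    if (is_query || is_active) {
        put_le32(&out[1], 8);
        out[7] = 0x00;    /* bStatus: processed, card active */
        out[8] = 0x00;    /* bError */
        put_le32(&out[10], ACTIVE_CLOCK_KHZ);
        put_le32(&out[14], ACTIVE_DATA_RATE);
        return 18;
    }
    /* Anything else: refuse, header only (dwLength=0 is this example's choice). */
    put_le32(&out[1], 0);
    out[7] = CCID_STATUS_CMD_FAILED;
    out[8] = CCID_ERR_CMD_NOT_SUPPORTED;
    return CCID_HDR_LEN;
}
```

Run against the captured 0x73, the handler reproduces the thread's 18-byte reply byte for byte, so the reply's layout itself is fine; what differs between the two firmware behaviours Nick compares is only whether the device claims success with values or declines the command.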

Hmm, strange. Thanks Nick, I will try to return "unsupported" then, because the thing is that
I don't even set multiple clocks/data rates!
Thanks!

Hi, I changed bNumDataRatesSupported + bNumClockSupported and implemented
GET_CLOCK_FREQUENCIES + GET_DATA_RATES properly, according to Microsoft's web page:

"USB CCID readers should implement the GET_CLOCK_FREQUENCIES and GET_DATA_RATES properties, even if bit 20h in dwFeatures is set. The values of the bNumDataRatesSupported and bNumClockSupported functions should also be non-zero accordingly."

And right now it works perfectly.
Thanks guys!
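The fix Tibor describes, as an added example (not the poster's firmware and not from the thread). It fills the clock- and rate-related fields of the CCID class descriptor from the reader's tables, checks the descriptor against the Microsoft note quoted above (non-zero counts, and counts that agree with what the class requests return), and answers the GET_CLOCK_FREQUENCIES (bRequest 0x02) and GET_DATA_RATES (bRequest 0x03) control requests with little-endian dword arrays clipped to the host's wLength. The single-entry tables, the function names and the descriptor-offset macros are this example's own; offsets follow the 54-byte smart card class descriptor layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* CCID class-specific control requests. */
#define CCID_REQ_GET_CLOCK_FREQUENCIES 0x02
#define CCID_REQ_GET_DATA_RATES        0x03
#define USB_REQTYPE_CLASS_IFACE_IN     0xA1  /* device-to-host, class, interface */

/* Byte offsets inside the 54-byte class descriptor (bDescriptorType 0x21). */
#define CCID_DESC_LEN                    0x36
#define CCID_DESC_dwDefaultClock         10
#define CCID_DESC_dwMaximumClock         14
#define CCID_DESC_bNumClockSupported     18
#define CCID_DESC_dwDataRate             19
#define CCID_DESC_dwMaxDataRate          23
#define CCID_DESC_bNumDataRatesSupported 27
#define CCID_DESC_dwFeatures             40
#define CCID_FEATURE_AUTO_BAUD           0x00000020u  /* "bit 20h" in the quote */

/* Tables this example's reader advertises (assumed: one clock, one rate,
 * matching the values the thread's device reported). Ascending order. */
static const uint32_t kClocksKHz[] = { 3580 };
static const uint32_t kDataRates[] = { 9600 };
#define NUM_CLOCKS (sizeof kClocksKHz / sizeof kClocksKHz[0])
#define NUM_RATES  (sizeof kDataRates / sizeof kDataRates[0])
#define MAX_TABLE  16

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fill the clock/rate fields of the descriptor from the tables; the caller
 * owns the remaining fields. Default = first entry, maximum = last entry. */
void ccid_fill_descriptor_rates(uint8_t *desc)
{
    put_le32(&desc[CCID_DESC_dwDefaultClock], kClocksKHz[0]);
    put_le32(&desc[CCID_DESC_dwMaximumClock], kClocksKHz[NUM_CLOCKS - 1]);
    desc[CCID_DESC_bNumClockSupported] = (uint8_t)NUM_CLOCKS;
    put_le32(&desc[CCID_DESC_dwDataRate], kDataRates[0]);
    put_le32(&desc[CCID_DESC_dwMaxDataRate], kDataRates[NUM_RATES - 1]);
    desc[CCID_DESC_bNumDataRatesSupported] = (uint8_t)NUM_RATES;
}

/* Returns 0 if the descriptor is consistent with the tables, else a bitmask:
 * 1/2 zero counts (flagged regardless of the auto-baud feature bit),
 * 4/8 counts that disagree with what the class requests will return,
 * 16/32 default values that are not in the tables. */
int ccid_check_descriptor_rates(const uint8_t *desc)
{
    int bad = 0;
    if (desc[CCID_DESC_bNumClockSupported] == 0)     bad |= 1;
    if (desc[CCID_DESC_bNumDataRatesSupported] == 0) bad |= 2;
    if (desc[CCID_DESC_bNumClockSupported] != NUM_CLOCKS)    bad |= 4;
    if (desc[CCID_DESC_bNumDataRatesSupported] != NUM_RATES) bad |= 8;
    if (get_le32(&desc[CCID_DESC_dwDefaultClock]) != kClocksKHz[0]) bad |= 16;
    if (get_le32(&desc[CCID_DESC_dwDataRate]) != kDataRates[0])     bad |= 32;
    return bad;
}

/* Control-pipe handler for the two class requests. Returns bytes placed in
 * out, or -1 for a request this handler does not serve. The reply is the
 * table as little-endian dwords, truncated to wLength as USB requires. */
int ccid_handle_class_request(uint8_t bmRequestType, uint8_t bRequest,
                              uint16_t wLength, uint8_t *out, size_t cap)
{
    const uint32_t *tbl; size_t n;
    uint8_t tmp[4 * MAX_TABLE];
    if (bmRequestType != USB_REQTYPE_CLASS_IFACE_IN) return -1;
    if (bRequest == CCID_REQ_GET_CLOCK_FREQUENCIES) { tbl = kClocksKHz; n = NUM_CLOCKS; }
    else if (bRequest == CCID_REQ_GET_DATA_RATES)   { tbl = kDataRates; n = NUM_RATES; }
    else return -1;
    if (n > MAX_TABLE) return -1;
    for (size_t i = 0; i < n; i++) put_le32(&tmp[4 * i], tbl[i]);
    size_t bytes = 4 * n;
    if (bytes > wLength) bytes = wLength;
    if (bytes > cap) bytes = cap;
    memcpy(out, tmp, bytes);
    return (int)bytes;
}
```

The point of the consistency check is that the host sees the same numbers from three places: the descriptor counts, the two class requests, and the 0x84 reply. Keeping them generated from one table is the simplest way to make sure the driver never has to reconcile contradictory claims from the device.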