I remember hearing this from Landy. I don’t remember the details
though. I’ll check.
You’ve shown how to compute the size of an MDL from its contents. And
IoBuildPartialMdl returns VOID, so it’s not going to be doing any
validity checking anyway (except, perhaps, if the verifier is enabled).
-p
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Monday, April 03, 2006 9:34 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] User data buffer copy in the kernel - Query
Then the published header files (ntddk.h and ntifs.h) are at best
misleading. From W2K3SP1 kit:
#define MmInitializeMdl(MemoryDescriptorList, BaseVa, Length) { \
    (MemoryDescriptorList)->Next = (PMDL) NULL; \
    (MemoryDescriptorList)->Size = (CSHORT)(sizeof(MDL) + \
        (sizeof(PFN_NUMBER) * ADDRESS_AND_SIZE_TO_SPAN_PAGES((BaseVa), (Length)))); \
    (MemoryDescriptorList)->MdlFlags = 0; \
    (MemoryDescriptorList)->StartVa = (PVOID) PAGE_ALIGN((BaseVa)); \
    (MemoryDescriptorList)->ByteOffset = BYTE_OFFSET((BaseVa)); \
    (MemoryDescriptorList)->ByteCount = (ULONG)(Length); \
}
This clearly does set the size field of the MDL based upon the number of
pages being described. It is certainly possible that Mm no longer cares
about this field, but in that case it might be wise to at least change
this macro so that it indicates “don’t care” in some meaningful way
(e.g., I’d suggest setting it to zero, or any value < sizeof(MDL) since
those would be below any previously legal range.) It is also possible
that this is one of the myriad of changes that are present in an as yet
unreleased version of Windows (and thus subject to change) - in which
case the OP probably still needs to worry about this for the next 5-10
years while Windows XP and W2K3 continue to be viable platforms.
Also, I’m curious how MmBuildPartialMdl works in a world where Mm has no
idea how large the MDL is - the DDK documentation says “The MDL must be
large enough to map the subrange specified by VirtualAddress and Length”
which to me means someone must know how big the MDL is. If I’m
constructing a driver that re-uses MDLs it would seem this now requires
a superstructure containing my MDL + the OS MDL so I can keep track of
the size (or I could just allocate everything to be “as big as I might
ever need” which in the world from whence I come would mean “big enough
to describe a 4GB buffer…”) Absent the ability to validate this
information, it would seem this is an invitation to buffer overrun bugs.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Wieland
Sent: Monday, April 03, 2006 12:14 PM
To: ntdev redirect
Subject: RE: [ntdev] User data buffer copy in the kernel - Query
I don’t believe the 16-bit size field in the MDL header affects the
maximum size of the MDL anymore.
-p
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
Sent: Monday, April 03, 2006 7:55 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] User data buffer copy in the kernel - Query
Good question. I have no idea what the answer is. Perhaps somebody else
will volunteer. The 16-bit limit of the size field in the MDL has always
been a bit of an odd design decision. Enforcement of a maximum MDL
descriptor policy should use a more abstract mechanism.
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jan Bottorff
Sent: Monday, April 03, 2006 9:32 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] User data buffer copy in the kernel - Query
Hi Mark,
Perhaps you could answer something that has puzzled me. The ‘little less
than 64MB’ you mentioned I assume is because of the size limit on MDL’s.
The thing that puzzles me is on 64-bit Windows, the SIZE field in an MDL
is still 16-bits, and since each PFN value is now 64-bits wide instead
of 32-bits wide, a 64-bit Windows MDL can only have half as many pages
as a Win32 MDL. On x64 Win64, pages are still 4k, so a Win64 MDL can
only describe about 32 MB. Am I just not reading the ddk headers
correctly, or is the transfer size limit on Win64 half the size as on
Win32? I just can’t believe this is so.
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
Sent: Monday, April 03, 2006 4:31 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] User data buffer copy in the kernel - Query
Re-read the IOCTL documentation. ‘OutBuffer’ can represent direct IO
transfers in either direction. The transfer size is limited to ‘a little
less than 64MB’. If your ‘huge’ transfers are greater than ~64MB then
you need to look into the alternate methods discussed in this thread.
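The arithmetic behind the "a little less than 64MB" limit, Jan's 64-bit halving question, and the partial-MDL bounds check Tony asks about can be worked through with a small stand-alone model of the MmInitializeMdl macro. This is an added example, not code from the thread or from the DDK headers: it does not include ntddk.h, it models the MDL header as an opaque byte count, and it assumes 4K pages, a header of 28 bytes with 4-byte PFN_NUMBER on x86 and 48 bytes with 8-byte PFN_NUMBER on x64 (assumed layout sizes, supplied as parameters so they can be adjusted). The partial_mdl_fits() helper is hypothetical; it is the check IoBuildPartialMdl itself does not do.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not ntddk.h. Reproduces only the Size arithmetic of
 * MmInitializeMdl: Size = sizeof(MDL) + sizeof(PFN_NUMBER) * pages_spanned. */
#define MODEL_PAGE_SIZE      4096ULL
#define MDL_SIZE_FIELD_MAX   0xFFFFULL   /* Size is a CSHORT: 16 bits */

/* Assumed header/PFN sizes for the two builds discussed in the thread. */
#define X86_MDL_HDR 28u
#define X86_PFN_SZ  4u
#define X64_MDL_HDR 48u
#define X64_PFN_SZ  8u

/* Pages touched by [va, va+len), like ADDRESS_AND_SIZE_TO_SPAN_PAGES. */
static uint64_t span_pages(uint64_t va, uint64_t len)
{
    if (len == 0)
        return 0;
    uint64_t first = va / MODEL_PAGE_SIZE;
    uint64_t last  = (va + len - 1) / MODEL_PAGE_SIZE;
    return last - first + 1;
}

/* Bytes the MDL needs: header plus one PFN entry per spanned page. */
static uint64_t mdl_bytes_needed(size_t hdr, size_t pfn, uint64_t va, uint64_t len)
{
    return (uint64_t)hdr + (uint64_t)pfn * span_pages(va, len);
}

/* Can MmInitializeMdl store this MDL's size in the 16-bit field at all? */
static bool mdl_size_fits(size_t hdr, size_t pfn, uint64_t va, uint64_t len)
{
    return mdl_bytes_needed(hdr, pfn, va, len) <= MDL_SIZE_FIELD_MAX;
}

/* Largest page-aligned buffer whose MDL fits in the 16-bit Size field. */
static uint64_t max_mdl_bytes(size_t hdr, size_t pfn)
{
    uint64_t pages = (MDL_SIZE_FIELD_MAX - hdr) / pfn;
    return pages * MODEL_PAGE_SIZE;
}

/* Hypothetical caller-side check before IoBuildPartialMdl: the subrange
 * [va, va+len) must lie inside the source MDL's range [src_va, src_va+src_len),
 * and the target MDL's Size field must have room for header + PFN entries. */
static bool partial_mdl_fits(uint16_t target_size_field, size_t hdr, size_t pfn,
                             uint64_t src_va, uint64_t src_len,
                             uint64_t va, uint64_t len)
{
    if (va < src_va || len > src_len || (va - src_va) > (src_len - len))
        return false;                       /* subrange escapes the source */
    return mdl_bytes_needed(hdr, pfn, va, len) <= target_size_field;
}

int main(void)
{
    printf("x86: max %llu bytes (%.2f MB)\n",
           (unsigned long long)max_mdl_bytes(X86_MDL_HDR, X86_PFN_SZ),
           max_mdl_bytes(X86_MDL_HDR, X86_PFN_SZ) / (1024.0 * 1024.0));
    printf("x64: max %llu bytes (%.2f MB)\n",
           (unsigned long long)max_mdl_bytes(X64_MDL_HDR, X64_PFN_SZ),
           max_mdl_bytes(X64_MDL_HDR, X64_PFN_SZ) / (1024.0 * 1024.0));

    /* A reused target MDL sized for one page cannot take a two-page subrange. */
    uint16_t one_page_mdl = (uint16_t)mdl_bytes_needed(X86_MDL_HDR, X86_PFN_SZ, 0, 4096);
    printf("2-page partial into 1-page MDL: %s\n",
           partial_mdl_fits(one_page_mdl, X86_MDL_HDR, X86_PFN_SZ, 0, 65536, 4095, 2)
               ? "fits" : "would overrun");
    return 0;
}
```

With the assumed sizes, the x86 model tops out at 16376 pages (63.97 MB, the "little less than 64MB"), and the x64 model at 8185 pages (31.97 MB), which is exactly the halving Jan describes: same 16-bit field, twice the bytes per PFN entry. The last check shows why tracking the allocated size yourself matters when reusing MDLs: a two-page subrange straddling a page boundary needs two PFN entries, and a target sized for one page has no room for the second.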
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer