Win 2003 Sp 1 and mapping kernel memory into user mode process

Hi All,

I am running into a problem with mapping kernel memory into a user mode
process.

This is being done in the normal way (as per the OSR article - “Sharing
Memory between Drivers and Applications”).

I allocate a block of nonpaged pool memory of variable size and less
than a page (< 4096 bytes).
IoAllocateMdl returns the MDL and it is passed into
MmBuildMdlForNonPagedPool.

So far so good, the problem arises in mapping the pages.
MmMapLockedPagesSpecifyCache(Mdl, UserMode, MmNonCached, NULL, FALSE,
NormalPagePriority)

gives me an exception 0xC000141L - STATUS_INVALID_ADDRESS

MmMapLockedPagesSpecifyCache calls MmProtectMdlSystemAddress and in here
it loads in the first ULONG after the MDL (published) data structure
and compares it with 0xffffffff. A call is made to NtFreeVirtualMemory
which returns 0x1 and then the code drops into the ExRaiseStatus with
the above exception code.

I modified the MmNonCached to MmCached and now this exception does not
get raised. Things seem to work.

I would like to know what the problem is with passing MmNonCached as
there does not seem to be anything mentioned about it. Also I am not
using the ultra-latest DDK but 3790, which should be okay but maybe
missing some explanation details.

Thanks for any help with this.
Steve

> I allocate a block of nonpaged pool memory of variable size and less
> than a page (< 4096) bytes.

You’re opening a security hole.

The reason is that mapping to user mode can only be done with page
granularity, so if you map your memory block, the whole page will be
mapped. The rest of the page can contain sensitive data.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
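The page-granularity hole Maxim describes, worked through as an added example that is not code from the thread or from the OSR article: a user-mode C model of what a user mapping of an MDL exposes when the MDL describes a sub-page pool allocation. It assumes a 4096-byte page, reuses the span-pages arithmetic of the DDK's ADDRESS_AND_SIZE_TO_SPAN_PAGES macro, and the function names (map_exposure, safe_to_map, round_up_to_pages) and addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u  /* x86 page size, as assumed by the thread's "< 4096" */

/* What a page-granular user mapping exposes beyond the buffer [va, va+len). */
typedef struct {
    size_t pages;          /* pages the mapping has to cover */
    size_t leaked_before;  /* bytes on the first page before va */
    size_t leaked_after;   /* bytes on the last page after va+len */
} exposure_t;

exposure_t map_exposure(uintptr_t va, size_t len)
{
    exposure_t e;
    /* Same page-count arithmetic as the DDK's ADDRESS_AND_SIZE_TO_SPAN_PAGES. */
    e.leaked_before = (size_t)(va & (PAGE_SIZE - 1));
    e.pages = (e.leaked_before + len + PAGE_SIZE - 1) / PAGE_SIZE;
    e.leaked_after = e.pages * PAGE_SIZE - e.leaked_before - len;
    return e;
}

/* Safe only when the buffer owns every byte of the pages it spans:
 * a page-aligned start and a whole-page length. */
bool safe_to_map(uintptr_t va, size_t len)
{
    exposure_t e = map_exposure(va, len);
    return len > 0 && e.leaked_before == 0 && e.leaked_after == 0;
}

/* The fix: request whole pages. Kernel pool allocations of PAGE_SIZE or more
 * come page-aligned; zero them so stale pool data never reaches user mode. */
size_t round_up_to_pages(size_t len)
{
    return (len + PAGE_SIZE - 1) & ~(size_t)(PAGE_SIZE - 1);
}

int main(void)
{
    /* Constructed address: a 100-byte block at offset 0x300 of a pool page. */
    exposure_t bad = map_exposure(0xFFFF0300u, 100);
    printf("%zu page(s) mapped, %zu bytes before and %zu after exposed; fixed: %d\n",
           bad.pages, bad.leaked_before, bad.leaked_after,
           (int)safe_to_map(0xFFFF1000u, round_up_to_pages(100)));
    return 0;
}
```

For the 100-byte block the model reports 768 bytes of the page before the buffer and 3228 bytes after it handed to user mode; the page-rounded, page-aligned buffer exposes nothing but itself.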

Since you allocated memory from the nonpaged pool, it is already in the
kernel address space in cached mode. You can't map the same physical page
with different caching parameters.
By the way, why do you need an MmNonCached mapping? You need this mode to
map device memory so that the processor does not cache I/O.

Alexei.


Thanks for the responses guys.

I was suspicious about the caching and assumption about PAGE_SIZE
granularity, which is precisely the reason I mention both factors
in my original email.

To answer your question of why it was done that way: who knows is the
only answer I can give you. I inherited the code, it was already
written with that parameter as originally stated, and, as per the usual
level of documentation, there are no comments to give me any clues
as to why.
Since that is the case, I feel free to go ahead and change the code
to MmCached, and I will try to fix the code to work without the
security hole that Maxim mentioned.

Currently I am trying to correct lots of issues and bad assumptions like
this.

Thanks
Steve

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexei Jelvis
Sent: Thursday, November 04, 2004 11:47 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Win 2003 Sp 1 and mapping kernel memory into user mode process
