ZwOpenFile causing hardware reset

I am currently having some difficulty in loading some config data from
file, and was hoping the newsgroup could help.

I have a fs filter boot driver (supporting W2K, XP & WS2K3) that needs to
load some config data from file (I cannot use the registry due to size
constraints). I can't load this in DriverEntry since the file system
drivers would not have loaded yet, and decided I would hijack the first
IRP_MJ_CREATE and load the files then, since at this point the drive should
be mounted and the fs loaded.

However, my ZwOpenFile() causes a hardware reset (not sure if that's the
right term for it... that's what VMWare calls it), so bad that I can't even
trap it with SEH or even catch it with WinDbg. I thought perhaps it might
be because it would have a recursive call back into my create() function,
but it seems to die right away without re-entering, and I am not sure
why. The following is the code around the offending line:

    /* Build the NT object path of the config file (backslashes escaped in the literal). */
    RtlInitUnicodeString( &rules_file,
                          L"\\systemroot\\system32\\drivers\\etc\\app.cfg" );

    InitializeObjectAttributes( &oa, &rules_file, OBJ_CASE_INSENSITIVE, NULL, NULL );

    log_print( "Attempting to open: %wZ", &rules_file );

    __try
    {
        /* Synchronous, read-only open of an existing non-directory file. */
        status = ZwOpenFile( &hFile,
                             FILE_READ_DATA | SYNCHRONIZE,
                             &oa, &iosb,
                             FILE_SHARE_READ,
                             FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT );
    }
    __except( EXCEPTION_EXECUTE_HANDLER )
    {
        status = GetExceptionCode();
        log_print( "Failed to open \"%wZ\". Status=%s\n",
                   &rules_file,
                   NTSTATUSToString( status ) );

        return line;
    }

    log_print( "Opened %wZ successfully!", &rules_file );

Does anyone have any suggestions on how I can track down what I am doing
wrong? Is this approach an acceptable way to load conf data from disk? I
was looking at doing it right after a mount but found the IRP_MJ_CREATE
entry to make more sense.

Would love some insight on what the heck I am doing wrong here.

May I suggest loading your configuration inside a work thread and
synchronizing the access if required?
/TomH

-----Original Message-----
From: xxxxx@vulscan.com [mailto:xxxxx@vulscan.com]
Sent: Thursday, September 18, 2003 12:35 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] ZwOpenFile causing hardware reset


If you can't catch it with WinDBG it often means that you damaged your
stack. It is very hard to tell if something is wrong with your code because you
did not provide any declarations. Try removing suspicious code line by line,
testing your driver after each small change. This way you can find the
problematic piece of code.

-htfv


The exact line that is failing is the ZwOpenFile(). If I remove that line,
then everything works fine... except I cannot load the config.


Hmmm, I have not considered this, mostly because access to the actual data
(i.e. when loading the config into a linked list) is already spinlocked.
I will have to look into this. Thanks for the suggestion.

I am not sure how there could be a sync issue here, but I appreciate the
feedback.


Intel CPUs have a feature called "HW reset at triple fault". So if you are
facing an unexpected HW reset (without our BSOD friend's information), it is
very likely that a "triple fault" is the case. You can find more info on this
in the archives of this list as well as on the Internet. I would also suggest that
you use Verifier support to trace your filter driver's behavior.

WBR Primoz


Thanks for the feedback. Nick Ryan was able to point me in the right
direction, which ended up being a combination of:

  1. I was using VMWare 3.x, which will not catch double/triple faults.
    Upgraded to 4.02, and WinDbg was able to catch it as a double fault.

  2. The double fault was easily found to be a stack overflow. Seems a
    #define that was set up to store a value for an array size was increased,
    which increased the local var on the stack, triggering the fault.

  3. I refactored the code to use paged pool resources and dynamically
    allocate the space, and all is fine now.

Again, I appreciate everyone's suggestions. Thanks!
