Crash in NETIO.SYS after FwpsStreamInjectAsync0

  • Question

  • Hi All,

    I'm working on a WFP callout that operates at the FWPM_LAYER_STREAM_V4 layer. This is a "block all and reinject oob" type filter.

    Everything works just fine for cloned and reinjected NBLs, but I'm facing a problem that escapes my understanding when trying to inject a modified payload through FwpsStreamInjectAsync0. Here are the details of the crash:

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 89506000, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000000, bitfield :
    	bit 0 : value 0 = read operation, 1 = write operation
    	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: 82870853, address which referenced memory
    
    Debugging Details:
    ------------------
    
    
    READ_ADDRESS: GetPointerFromAddress: unable to read from 829a0848
    Unable to read MiSystemVaType memory at 8297fe20
     89506000 
    
    CURRENT_IRQL:  2
    
    FAULTING_IP: 
    nt!memcpy+33
    82870853 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO
    
    BUGCHECK_STR:  0xA
    
    PROCESS_NAME:  wget.exe
    
    LAST_CONTROL_TRANSFER:  from 846cc86d to 82870853
    
    STACK_TEXT:  
    95bb8a3c 846cc86d 8f1b9b38 89506000 000001ff nt!memcpy+0x33
    95bb8a6c 8b8b6301 89506000 00000000 8f1b9b38 NETIO!RtlCopyMdlToMdl+0xe2
    95bb8a90 8b8bdcbf 88627858 00000000 841d94b0 afd!AfdCopyMdlChainToMdlChain+0x22
    95bb8b30 8b8be4f2 86d422d8 86d423b4 000000a0 afd!AfdBReceive+0x24c
    95bb8bcc 8b8b62bc 8948a818 86d422d8 95bb8c00 afd!AfdReceive+0x2c1
    95bb8bdc 82b686c3 887574a0 86d422d8 81fb0720 afd!AfdDispatchDeviceControl+0x3b
    95bb8c00 8286e575 00000000 86d422d8 887574a0 nt!IovCallDriver+0x258
    95bb8c14 82a61b09 81fb0720 86d422d8 86d423b4 nt!IofCallDriver+0x1b
    95bb8c34 82a64cdb 887574a0 81fb0720 00000000 nt!IopSynchronousServiceTail+0x1f8
    95bb8cd0 82aab61b 887574a0 86d422d8 00000000 nt!IopXxxControlFile+0x6aa
    95bb8d04 8287527a 00000110 0000008c 00000000 nt!NtDeviceIoControlFile+0x2a
    95bb8d04 77367094 00000110 0000008c 00000000 nt!KiFastCallEntry+0x12a
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0022f6b0 00000000 00000000 00000000 00000000 0x77367094
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    NETIO!RtlCopyMdlToMdl+e2
    846cc86d 83c40c          add     esp,0Ch
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  NETIO!RtlCopyMdlToMdl+e2
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: NETIO
    
    IMAGE_NAME:  NETIO.SYS
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5034f1ea
    
    FAILURE_BUCKET_ID:  0xA_NETIO!RtlCopyMdlToMdl+e2
    
    BUCKET_ID:  0xA_NETIO!RtlCopyMdlToMdl+e2
    

    Please note that when injecting small data (say ~600 bytes), everything seems fine, but the above happens with bigger data (~12Kb).

    What could cause such a behavior? I would understand it if I was freeing MDLs somewhere in the code, but currently there is no call to IoFreeMdl() in the filter.

    Any hint would be greatly appreciated.

    Thank you

    Saturday, September 22, 2012 5:20 PM

Answers

  • Have you validated that you are not corrupting memory, you mapped the memory properly, and that the memory being copied is what you expect? Can you send a mini dump to DHarper @AT@ Microsoft .DOT. com.

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    • Marked as answer by Bplaa Yai Sunday, September 23, 2012 2:51 PM
    Saturday, September 22, 2012 6:02 PM
    Moderator

All replies

  • Thank you for your suggestions Dusty.

    Indeed, I was corrupting memory by releasing the buffer described by the MDLs too early (I was misunderstanding how MDLs work, thinking that they were holding their own copy of the data). Everything works fine now.

    Thanks again.

    Sunday, September 23, 2012 2:51 PM
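The ownership rule behind this thread's fix, as an added user-mode model (not WDK code and not the poster's driver): an MDL only describes a buffer, so the payload handed to an asynchronous inject must stay valid until the completion callback runs (in a real callout, the FWPS_INJECT_COMPLETE0 routine passed to FwpsStreamInjectAsync0 is where the NBL, MDL and pool block get freed). The pool, MDL and inject/drain functions here are constructed stand-ins; freed pool is poisoned so the early-release bug shows up as corrupted bytes instead of undefined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-mode model (not WDK code) of the contract behind the crash in
 * this thread: an MDL only describes a buffer, it never copies it, so the payload
 * passed to an asynchronous inject must stay valid until the completion callback. */
typedef struct { uint8_t *va; size_t len; } model_mdl;          /* stands in for an MDL */
typedef void (*completion_fn)(model_mdl *mdl);
typedef struct { model_mdl *mdl; completion_fn done; } pending_inject;

static pending_inject g_pending;        /* the stack will consume this later */
static uint8_t g_pool[64];              /* one nonpaged-pool block */

static uint8_t *pool_alloc(size_t len) { return len <= sizeof g_pool ? g_pool : NULL; }
/* Freed pool is poisoned (as Driver Verifier would) so a stale read is observable. */
static void pool_free(uint8_t *p) { memset(p, 0xDD, sizeof g_pool); }

/* Like FwpsStreamInjectAsync0: returns before anything has read the payload. */
static void inject_async(model_mdl *mdl, completion_fn done) {
    g_pending.mdl = mdl; g_pending.done = done;
}

/* Later, the receive path copies out of the MDL (cf. RtlCopyMdlToMdl in the
 * bugcheck stack) and only then runs the completion. */
static size_t drain_pending(uint8_t *out, size_t outlen) {
    pending_inject p = g_pending;
    size_t n = p.mdl->len < outlen ? p.mdl->len : outlen;
    memcpy(out, p.mdl->va, n);
    p.done(p.mdl);
    return n;
}

static void free_in_completion(model_mdl *mdl) { pool_free(mdl->va); free(mdl); } /* correct */
static void mdl_only_completion(model_mdl *mdl) { free(mdl); }   /* payload already gone */

/* Queues a constructed payload and reports whether the stack saw intact bytes. */
static int run_injection(int free_too_early) {
    static const uint8_t payload[] = "HTTP/1.1 200 OK\r\n";    /* constructed sample */
    model_mdl *mdl = malloc(sizeof *mdl);
    mdl->va = pool_alloc(sizeof payload);
    mdl->len = sizeof payload;
    memcpy(mdl->va, payload, sizeof payload);
    inject_async(mdl, free_too_early ? mdl_only_completion : free_in_completion);
    if (free_too_early)
        pool_free(mdl->va);   /* the thread's bug: releasing the buffer right after injecting */
    uint8_t out[64];
    size_t n = drain_pending(out, sizeof out);
    return n == sizeof payload && memcmp(out, payload, n) == 0;
}
```

`run_injection(0)` keeps the buffer alive until completion and the stack copies the intact payload; `run_injection(1)` releases it first and the copy picks up poisoned bytes, which in the kernel is the memcpy fault seen in the bugcheck.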