wdfrequest neither cancelable nor forwardable to manual queue

  • Question

  • I have an IOCTL request (wdfrequest) which could be in a pending status for some time in my driver.

    When the application exits, I want the request to be cancelled.

    For this I tried 2 methods: 1) marking it cancelable and 2) forwarding it to a manual I/O queue.

    But both these methods are crashing the system.

    In method 1, when I invoke WdfRequestMarkCancelable, the system crashes.

    In method 2, when I invoke WdfRequestForwardToIoQueue, the system crashes.

    The crash dump analysis of both the bugchecks is the same.

    The common thing in both methods is the wdfrequest. In the first method I tried to mark it cancelable and in the second method I tried to forward it to a queue which I have created.

    So something is common in both the trials.

    --------------------------------------------

    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KERNEL_SECURITY_CHECK_FAILURE (139)
    A kernel component has corrupted a critical data structure.  The corruption
    could potentially allow a malicious user to gain control of this machine.
    Arguments:
    Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
    Arg2: fffffc0f61faf0a0, Address of the trap frame for the exception that caused the bugcheck
    Arg3: fffffc0f61faeff8, Address of the exception record for the exception that caused the bugcheck
    Arg4: 0000000000000000, Reserved
    
    Debugging Details:
    ------------------
    
    
    KEY_VALUES_STRING: 1
    
        Key  : Analysis.CPU.Sec
        Value: 9
    
        Key  : Analysis.DebugAnalysisProvider.CPP
        Value: Create: 8007007e on DESKTOP-DTNBC9V
    
        Key  : Analysis.DebugData
        Value: CreateObject
    
        Key  : Analysis.DebugModel
        Value: CreateObject
    
        Key  : Analysis.Elapsed.Sec
        Value: 54
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 76
    
        Key  : Analysis.System
        Value: CreateObject
    
    
    BUGCHECK_CODE:  139
    
    BUGCHECK_P1: 3
    
    BUGCHECK_P2: fffffc0f61faf0a0
    
    BUGCHECK_P3: fffffc0f61faeff8
    
    BUGCHECK_P4: 0
    
    TRAP_FRAME:  fffffc0f61faf0a0 -- (.trap 0xfffffc0f61faf0a0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=ffffde0dd66b00b8 rbx=0000000000000000 rcx=0000000000000003
    rdx=0000000000000002 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff804c03d8aa0 rsp=fffffc0f61faf230 rbp=ffffde0dd71c3090
     r8=0000000000000003  r9=ffffde0dd959c010 r10=ffffde0dd7489498
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz na pe cy
    Wdf01000!RtlFailFast+0x5:
    fffff804`c03d8aa0 cd29            int     29h
    Resetting default scope
    
    EXCEPTION_RECORD:  fffffc0f61faeff8 -- (.exr 0xfffffc0f61faeff8)
    ExceptionAddress: fffff804c03d8aa0 (Wdf01000!RtlFailFast+0x0000000000000005)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 0000000000000003
    Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
    
    BLACKBOXBSD: 1 (!blackboxbsd)
    
    
    BLACKBOXPNP: 1 (!blackboxpnp)
    
    
    PROCESS_NAME:  my-test.exe
    
    ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
    
    EXCEPTION_CODE_STR:  c0000409
    
    EXCEPTION_PARAMETER1:  0000000000000003
    
    EXCEPTION_STR:  0xc0000409
    
    STACK_TEXT:  
    fffffc0f`61faed78 fffff803`fdc67669 : 00000000`00000139 00000000`00000003 fffffc0f`61faf0a0 fffffc0f`61faeff8 : nt!KeBugCheckEx
    fffffc0f`61faed80 fffff803`fdc67a10 : 00000000`00001000 fffffc0f`61faee00 00000000`00035200 fffff803`fdcee22c : nt!KiBugCheckDispatch+0x69
    fffffc0f`61faeec0 fffff803`fdc66025 : 00000000`00000002 ffff8bfb`d1200010 00000000`00001000 00000000`00000004 : nt!KiFastFailDispatch+0xd0
    fffffc0f`61faf0a0 fffff804`c03d8aa0 : ffffde0d`d71cc2a0 00000000`00000004 ffffde0d`d4551950 fffff804`c06b9a94 : nt!KiRaiseSecurityCheckFailure+0x2e5
    fffffc0f`61faf230 fffff804`c03834d8 : ffffde0d`d7489402 ffffde0d`d71c3090 ffffde0d`d959c010 00000000`00000001 : Wdf01000!FxIoQueue::QueueRequestFromForward+0x4bfe0 [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 2447] 
    fffffc0f`61faf2b0 fffff804`c2e8bf76 : 00000001`00000102 ffffde0d`d7489420 ffffde0d`d71cc2a0 ffffde0d`d7489420 : Wdf01000!imp_WdfRequestForwardToIoQueue+0x1b8 [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 3130] 
    fffffc0f`61faf330 fffff804`c2e7d0e6 : 000021f2`28b76bd8 000021f2`28e33d58 ffffde0d`d8e86120 fffff804`c03fbc1c : my-driver!WdfRequestForwardToIoQueue+0x46 [c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.19\wdfrequest.h @ 1588] 
    fffffc0f`61faf370 fffff804`c038c50b : 000021f2`28e3cfd8 000021f2`28b76bd8 00000000`0000000c 00000000`0000001c : my-driver!myEvtIoDeviceControl+0x626 [c:\users\sys\my-driver-control.c @ 749] 
    fffffc0f`61faf3d0 fffff804`c038ba43 : ffff930f`294be400 00000000`00000001 00000000`00000000 00000000`00000000 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x1bb [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 3325] 
    fffffc0f`61faf470 fffff804`c03887ad : ffffde0d`d71c3020 ffffde0d`00000000 00000000`00000000 ffffde0d`d28d1550 : Wdf01000!FxIoQueue::DispatchEvents+0x473 [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 3125] 
    fffffc0f`61faf550 fffff804`c03878d1 : ffffde0d`d5c4d7c0 ffffde0d`d959c000 ffffde0d`d7489420 0a000001`61a70801 : Wdf01000!FxPkgIo::DispatchStep1+0x52d [minkernel\wdf\framework\shared\irphandlers\io\fxpkgio.cpp @ 324] 
    fffffc0f`61faf610 fffff803`fdb35839 : 00000000`00000000 fffff803`fdb35b05 ffffde0d`d664c7c0 ffffde0d`d72582b0 : Wdf01000!FxDevice::DispatchWithLock+0x5a1 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430] 
    fffffc0f`61faf700 fffff803`fdfb6f7b : ffffde0d`d959c010 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IofCallDriver+0x59
    fffffc0f`61faf740 fffff803`fdfbb4ea : ffffde0d`d959c010 fffffc0f`61fafa80 00000000`20206f00 fffffc0f`61fafa80 : nt!IopSynchronousServiceTail+0x1ab
    fffffc0f`61faf7f0 fffff803`fdfb8ed6 : 000000da`0a52d6d0 00000000`00000104 00000000`00000000 000000da`0a52d7a8 : nt!IopXxxControlFile+0x68a
    fffffc0f`61faf920 fffff803`fdc67143 : ffffde0d`d664c080 000000da`0a52d6b8 fffffc0f`61faf9a8 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
    fffffc0f`61faf990 00007ffe`078eaa84 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    000000da`0a52d688 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`078eaa84
    
    
    FAULTING_SOURCE_LINE:  c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.19\wdfrequest.h
    
    FAULTING_SOURCE_FILE:  c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.19\wdfrequest.h
    
    FAULTING_SOURCE_LINE_NUMBER:  1588
    
    FAULTING_SOURCE_CODE:  
      1584:     WDFQUEUE DestinationQueue
      1585:     )
      1586: {
      1587:     return ((PFN_WDFREQUESTFORWARDTOIOQUEUE) WdfFunctions[WdfRequestForwardToIoQueueTableIndex])(WdfDriverGlobals, Request, DestinationQueue);
    > 1588: }
      1589: 
      1590: //
      1591: // WDF Function: WdfRequestGetIoQueue
      1592: //
      1593: typedef
    
    
    SYMBOL_NAME:  my-driver!WdfRequestForwardToIoQueue+46
    
    MODULE_NAME: my-driver
    
    IMAGE_NAME:  my-driver.sys
    
    STACK_COMMAND:  .thread ; .cxr ; kb
    
    BUCKET_ID_FUNC_OFFSET:  46
    
    FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_my-driver!WdfRequestForwardToIoQueue
    
    OS_VERSION:  10.0.17134.1
    
    BUILDLAB_STR:  rs4_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    FAILURE_ID_HASH:  {0383c06b-ea6c-c04a-e415-0ca76955bfb5}
    
    Followup:     MachineOwner
    ---------

    Monday, September 16, 2019 8:32 AM

All replies

  • The problem with a bug like this, where memory has been overwritten, is that the root cause of the problem might have occurred long ago.  Just as an example (not suggesting that this is your problem), if you had fetched the IRP pointer from the WDFREQUEST and accidentally overwrote part of the IRP structure, that would cause this problem.  It wouldn't be detected until much later, when someone tried to use those fields.

    You'll need to go over your code very carefully to make sure you are following all the rules.


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Monday, September 16, 2019 4:40 PM
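
The bugcheck above reports a corrupted LIST_ENTRY (Arg1 = 3, "double remove"), and the reply points out that such corruption is often noticed long after it was caused. The user-mode C model below is an added example, not code from this thread or from the framework; its type and function names are hypothetical, and a failed link check returns 0 where the kernel would fail fast. It makes no claim about the cause of the poster's crash.

```c
#include <stdio.h>

/* Model of a doubly linked list entry (same shape as LIST_ENTRY). */
typedef struct entry { struct entry *flink, *blink; } entry_t;

static void list_init(entry_t *head) { head->flink = head->blink = head; }

/* An entry is consistent only when both neighbours point back at it. */
static int links_ok(const entry_t *e) {
    return e->flink->blink == e && e->blink->flink == e;
}

/* Insert at the tail; refused (0) if the head's links are inconsistent. */
static int insert_tail(entry_t *head, entry_t *e) {
    if (!links_ok(head)) return 0;
    entry_t *last = head->blink;
    e->flink = head; e->blink = last;
    last->flink = e; head->blink = e;
    return 1;
}

/* Unlink; refused (0) if the neighbours no longer point at e. */
static int remove_entry(entry_t *e) {
    if (!links_ok(e)) return 0;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return 1;
}

/* Case 1: the same entry is unlinked twice; the second attempt is caught. */
int double_remove_detected(void) {
    entry_t head, a, b;
    list_init(&head);
    insert_tail(&head, &a); insert_tail(&head, &b);
    if (!remove_entry(&a)) return 0;
    return remove_entry(&a) == 0;
}

/* Case 2: a stray write damages b's forward link. An unrelated removal
   still succeeds; only the next insert on that list trips the check. */
int late_detection(void) {
    entry_t head, a, b, c, decoy;           /* constructed sample entries */
    list_init(&head); list_init(&decoy);
    insert_tail(&head, &a); insert_tail(&head, &b);
    b.flink = &decoy;                       /* the overwrite: no failure here */
    int unrelated_ok = remove_entry(&a);    /* a's neighbours are intact */
    int insert_ok = insert_tail(&head, &c); /* tail link is wrong: refused */
    return unrelated_ok && !insert_ok;
}

int main(void) {
    printf("double remove caught: %d\n", double_remove_detected());
    printf("overwrite caught only at later insert: %d\n", late_detection());
    return 0;
}
```

In the second case the failing call is the insert, not the write that damaged the link, which is why the faulting stack frame alone does not identify the code that caused the corruption.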