BinScope: FunctionPointer checks and IoCreateDeviceSecure

  • Question

  • Hi,

    BinScope (V1.2) is complaining about global function pointers in our driver. Although this is advisory, we would like to get a clean run, so I started investigating. I've found that this is caused by our use of IoCreateDeviceSecure. This occurs if this is the only code in our driver entry, e.g.

    Status = IoCreateDeviceSecure(driverObject, 0 /*DeviceExtensionSize*/, &DeviceName,
        FILE_DEVICE_NETWORK, FILE_DEVICE_SECURE_OPEN, FALSE /*Exclusive*/,
        &SDDL_DEVOBJ_SYS_ALL_ADM_ALL, NULL, &spDeviceObject);

    ==>

    Function pointer PfnIoCreateDeviceSecure could be overrun by the following buffers:
    PiRegStateSysAllInherittedSecurityDescriptor

    FunctionPointer1 :
    Function pointer PfnIoValidateDeviceIoControlAccess could be overrun by the following buffers:
    PiRegStateSysAllInherittedSecurityDescriptor

    First, is this safe? And second, how can we suppress the warnings?

    Thanks.

    Tuesday, July 16, 2013 4:23 PM

Answers

All replies

  • Windows drivers are definitely a different environment than the primary target of BinScope.  Consider that all drivers run in the same address space, so it is possible for any other driver to access memory of a driver.   I've never thought of running BinScope on a driver before your question.   Note: there is not any mechanism for suppressing individual warnings (like there is for the compiler and PreFast) that I know of.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Tuesday, July 16, 2013 4:37 PM
  • You can safely ignore the warning.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, July 16, 2013 5:15 PM
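
The first reply knows of no per-warning suppression in BinScope, so one way to keep a clean gate is to post-process the report and accept only the reviewed pointer/buffer pairs. This is an added example, not code from the thread or from BinScope; it assumes the findings are available as plain text in the form quoted in the question, and `g_pfnCallback` / `g_NameBuffer` are hypothetical names.

```python
import re

# Findings accepted after review: (function pointer, adjacent buffer) pairs
# taken verbatim from the BinScope output quoted in the question.
ACCEPTED = {
    ("PfnIoCreateDeviceSecure", "PiRegStateSysAllInherittedSecurityDescriptor"),
    ("PfnIoValidateDeviceIoControlAccess", "PiRegStateSysAllInherittedSecurityDescriptor"),
}
HEADER = re.compile(r"^Function pointer (\S+) could be overrun by the following buffers:$")
LABEL = re.compile(r"^FunctionPointer\d*\s*:$")  # e.g. "FunctionPointer1 :"

def parse_findings(report_text):
    """Return (pointer, buffer) pairs in report order."""
    findings, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line or LABEL.match(line):
            current = None  # a blank line or a label ends the buffer list
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            findings.append((current, line))  # buffer listed under the header
    return findings

def unreviewed(report_text, accepted=ACCEPTED):
    """Findings whose exact pointer/buffer pair is not on the accepted list."""
    return [f for f in parse_findings(report_text) if f not in accepted]

# Constructed sample: the two findings from the question plus one hypothetical
# finding that is not on the accepted list and must still surface.
SAMPLE = """\
Function pointer PfnIoCreateDeviceSecure could be overrun by the following buffers:
PiRegStateSysAllInherittedSecurityDescriptor

FunctionPointer1 :
Function pointer PfnIoValidateDeviceIoControlAccess could be overrun by the following buffers:
PiRegStateSysAllInherittedSecurityDescriptor

FunctionPointer2 :
Function pointer g_pfnCallback could be overrun by the following buffers:
g_NameBuffer
"""

if __name__ == "__main__":
    remaining = unreviewed(SAMPLE)
    print(*[f"unreviewed: {p} adjacent to {b}" for p, b in remaining], sep="\n")
    raise SystemExit(1 if remaining else 0)
```

Matching on the exact pair means an accepted pointer that later shows up next to a different buffer is reported again instead of being silently ignored.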