Core ReactOS / CORE-11224

Use after free on shutdown in VfatFlushVolume


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: 0.4.2
    • Component/s: Filesystems
    • Labels: None

      Description

      *** Fatal System Error: 0x000000d5
                             (0xF6787E88,0x00000000,0xF7BAD72D,0x00000000)
       
      Driver at fault: 
      ***   fastfat.sys - Address F7BAD72D base at F7BA0000, DateStamp 572f405c
      .
      Break instruction exception - code 80000003 (first chance)
       
      A fatal system error has occurred.
      Debugger entered on first try; Bugcheck callbacks have not been invoked.
       
      A fatal system error has occurred.
       
      Connected to Windows Server 2003 3790 x86 compatible target at (Tue May 10 14:50:23.510 2016 (UTC + 2:00)), ptr64 FALSE
      Loading Kernel Symbols
      ....................................................
      Loading User Symbols
       
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
       
      Use !analyze -v to get detailed debugging information.
       
      BugCheck D5, {f6787e88, 0, f7bad72d, 0}
       
      Probably caused by : fastfat.sys ( fastfat!VfatFlushVolume+21d )
       
      Followup: MachineOwner
      ---------
       
      nt!RtlpBreakWithStatusInstruction:
      8051f958 cc              int     3
      kd> !analyze -v
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
       
      DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
      Memory was referenced after it was freed.
      This cannot be protected by try-except.
      When possible, the guilty driver's name (Unicode string) is printed on
      the bugcheck screen and saved in KiBugCheckDriver.
      Arguments:
      Arg1: f6787e88, memory referenced
      Arg2: 00000000, value 0 = read operation, 1 = write operation
      Arg3: f7bad72d, if non-zero, the address which referenced memory.
      Arg4: 00000000, (reserved)
       
      Debugging Details:
      ------------------
       
       
      READ_ADDRESS:  f6787e88 
       
      FAULTING_IP: 
      fastfat!VfatFlushVolume+21d [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\flush.c @ 118]
      f7bad72d 8b4218          mov     eax,dword ptr [edx+18h]
       
      MM_INTERNAL_CODE:  0
       
      IMAGE_NAME:  fastfat.sys
       
      DEBUG_FLR_IMAGE_TIMESTAMP:  572f405c
       
      MODULE_NAME: fastfat
       
      FAULTING_MODULE: f7ba0000 fastfat
       
      DEFAULT_BUCKET_ID:  DRIVER_FAULT
       
      BUGCHECK_STR:  0xD5
       
      PROCESS_NAME:  System
       
      CURRENT_IRQL:  1
       
      TRAP_FRAME:  00000010 -- (.trap 0x10)
      Unable to read trap frame at 00000010
       
      LAST_CONTROL_TRANSFER:  from 8047cba8 to 8051f958
       
      STACK_TEXT:  
      f279036c 8047cba8 00000003 f279068c ffdff408 nt!RtlpBreakWithStatusInstruction
      f279039c 8047d4b3 00000003 f2790a70 f2790b40 nt!KiBugCheckDebugBreak+0x38 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 538]
      f2790738 8047db80 00000050 f6787e88 00000000 nt!KeBugCheckWithTf+0x553 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1102]
      f2790758 8049f06a 00000050 f6787e88 00000000 nt!KeBugCheckEx+0x20 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\bug.c @ 1462]
      f2790834 804c1f7b 00000000 f6787e88 00000000 nt!MmArmAccessFault+0x7ca [c:\ros\reactos-clean\reactos\ntoskrnl\mm\arm3\pagfault.c @ 1860]
      f2790850 80503cb3 00000000 f6787e88 00000000 nt!MmAccessFault+0xdb [c:\ros\reactos-clean\reactos\ntoskrnl\mm\mmfault.c @ 251]
      f279088c 8040371f f2790934 f7bad72d badb0d00 nt!KiTrap0EHandler+0x1f3 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1281]
      f279088c f7bad72d f2790934 f7bad72d badb0d00 nt!KiTrap0E+0x8f
      f2790934 f7bad8d5 b4b120d0 f2e3de18 00000001 fastfat!VfatFlushVolume+0x21d [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\flush.c @ 118]
      f2790950 f7bafaa4 f6751fb8 00000001 00000009 fastfat!VfatFlush+0x95 [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\flush.c @ 163]
      f279096c f7baf921 f6751fb8 00000001 00000001 fastfat!VfatDispatchRequest+0x164 [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\misc.c @ 172]
      f2790988 80467975 b4b12018 f6921f20 00000297 fastfat!VfatBuildRequest+0xa1 [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\misc.c @ 235]
      f27909c4 8045e7f2 01466cf1 00000000 80466d03 nt!IofCallDriver+0xc5 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\irp.c @ 1529]
      f27909e0 8045fd17 b4b12018 f6921f20 f610df80 nt!IopPerformSynchronousRequest+0x32 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\iofunc.c @ 136]
      f2790a60 8050500b 80000e70 f2790d7c f25177c0 nt!NtFlushBuffersFile+0x257 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\iofunc.c @ 1431]
      f2790a78 805046af 8045fac0 f2790b38 00000008 nt!KiSystemCallTrampoline+0x1b [c:\ros\reactos-clean\reactos\ntoskrnl\include\internal\i386\ke.h @ 742]
      f2790ab8 80403db6 f2790d8c 80401675 badb0d00 nt!KiSystemServiceHandler+0x22f [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1738]
      f2790ab8 80401675 f2790d8c 80401675 badb0d00 nt!KiSystemService+0x60
      f2790b30 804d8d5d 80000e70 f2790d7c 804028c3 nt!ZwFlushBuffersFile+0x11
      f2790d8c 804e7a04 f2517af0 f25177c0 8001003b nt!PopFlushVolumeWorker+0x11d [c:\ros\reactos-clean\reactos\ntoskrnl\po\povolume.c @ 210]
      f2790dc0 80501902 804d8c40 f2517af0 f2790de0 nt!PspSystemThreadStartup+0x64 [c:\ros\reactos-clean\reactos\ntoskrnl\ps\thread.c @ 158]
      f2790ddc 804e799f 804d8c40 f2517af0 00000000 nt!KiThreadStartup+0x42 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\thrdini.c @ 81]
      f2790de0 804d8c3f f2517af0 00000000 0000027f nt!PspUnhandledExceptionInSystemThread+0xcf
      f2790de4 f2517af0 00000000 0000027f 00000000 nt!PoRemoveVolumeDevice+0x9f
      WARNING: Frame IP not in any known module. Following frames may be wrong.
      f2790de8 00000000 0000027f 00000000 00000000 0xf2517af0
       
       
      STACK_COMMAND:  kb
       
      FOLLOWUP_IP: 
      fastfat!VfatFlushVolume+21d [c:\ros\reactos-clean\reactos\drivers\filesystems\fastfat\flush.c @ 118]
      f7bad72d 8b4218          mov     eax,dword ptr [edx+18h]
       
      FAULTING_SOURCE_CODE:  
         114:         Status = IoCallDriver(DeviceExt->StorageDevice, Irp);
         115:         if (Status == STATUS_PENDING)
         116:         {
         117:             KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL);
      >  118:             Status = Irp->IoStatus.Status;
         119:         }
         120: 
         121:         /* Ignore device not supporting flush operation */
         122:         if (Status == STATUS_INVALID_DEVICE_REQUEST)
         123:         {
       
       
      SYMBOL_STACK_INDEX:  8
       
      SYMBOL_NAME:  fastfat!VfatFlushVolume+21d
       
      FOLLOWUP_NAME:  MachineOwner
       
      FAILURE_BUCKET_ID:  0xD5_fastfat!VfatFlushVolume+21d
       
      BUCKET_ID:  0xD5_fastfat!VfatFlushVolume+21d
       
      Followup: MachineOwner
      ---------
       
      kd> ?? Irp->IoStatus
      struct _IO_STATUS_BLOCK
         +0x000 Status           : ??
         +0x000 Pointer          : ???? 
         +0x004 Information      : ??
      kd> ?? IoStatusBlock
      struct _IO_STATUS_BLOCK
         +0x000 Status           : 0
         +0x000 Pointer          : (null) 
         +0x004 Information      : 0
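The faulting line reads Irp->IoStatus.Status after the wait, but an IRP built with IoBuildSynchronousFsdRequest belongs to the I/O manager: on completion it copies the final status into the caller's IoStatusBlock, signals the caller's event and then frees the IRP. Once KeWaitForSingleObject returns, the IRP is gone and the only object the caller still owns is the IoStatusBlock (which the `?? IoStatusBlock` query above shows is still readable). The C program below is an illustration added here, not code from ReactOS or its fastfat driver. It models that ownership rule in user mode, with a poison-on-free quarantine standing in for special pool so the stale read can be observed instead of faulting, and places the buggy read next to the form that reads the caller-owned IOSB. Every *_model function, the quarantine and the two VfatFlushVolume_* wrappers are assumptions of this model rather than the real kernel APIs, and the choice of IoStatusBlock.Status as the correct source is inferred from the I/O manager's documented behaviour, not stated on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal NT-style types for the model (not the real DDK definitions). */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_PENDING                ((NTSTATUS)0x00000103)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010)

typedef struct { NTSTATUS Status; uintptr_t Information; } IO_STATUS_BLOCK;
typedef struct { int Signaled; } KEVENT;
typedef struct _IRP {
    IO_STATUS_BLOCK  IoStatus;   /* filled in by the lower driver */
    IO_STATUS_BLOCK *UserIosb;   /* caller-owned IOSB registered at build time */
    KEVENT          *UserEvent;  /* caller-owned event registered at build time */
} IRP;

/* Special-pool emulation (assumption of this model): a "freed" IRP is poisoned
 * and parked in a quarantine instead of being returned to the allocator, so a
 * stale read yields the fill pattern rather than undefined behaviour. Real
 * special pool unmaps the page, which is what raised bugcheck 0xD5 above. */
#define FREED_FILL 0xCD
#define QUARANTINE_MAX 64
static IRP *g_quarantine[QUARANTINE_MAX];
static int  g_quarantined;

static void quarantine_drain(void) {
    while (g_quarantined > 0) free(g_quarantine[--g_quarantined]);
}

/* Model of IoBuildSynchronousFsdRequest: the I/O manager remembers the
 * caller's IOSB and event so it can report completion without the IRP. */
static IRP *IoBuildSynchronousFsdRequest_model(IO_STATUS_BLOCK *iosb, KEVENT *ev) {
    IRP *irp = calloc(1, sizeof *irp);
    if (!irp) abort();
    irp->UserIosb = iosb;
    irp->UserEvent = ev;
    return irp;
}

/* Model of I/O manager completion for such an IRP: copy the final status into
 * the caller's IOSB, signal the caller's event, then free the IRP. From here
 * on, the Irp pointer the caller still holds is dangling. */
static void IopCompleteRequest_model(IRP *irp) {
    *irp->UserIosb = irp->IoStatus;
    irp->UserEvent->Signaled = 1;
    memset(irp, FREED_FILL, sizeof *irp);
    if (g_quarantined == QUARANTINE_MAX) abort();
    g_quarantine[g_quarantined++] = irp;
}

/* Model of the storage stack: the lower driver marks the request pending and
 * completes it from another context. Here completion simply runs before the
 * caller gets to wait, the same ordering the crash above shows. */
static NTSTATUS IoCallDriver_model(IRP *irp, NTSTATUS device_result) {
    irp->IoStatus.Status = device_result;
    IopCompleteRequest_model(irp);
    return STATUS_PENDING;
}

static void KeWaitForSingleObject_model(KEVENT *ev) {
    while (!ev->Signaled) { /* would block in the kernel */ }
}

/* The pattern at flush.c line 118 of the report: waits correctly, then reads
 * the status back out of an IRP the I/O manager has already released. */
NTSTATUS VfatFlushVolume_buggy(NTSTATUS device_result) {
    KEVENT Event = {0};
    IO_STATUS_BLOCK IoStatusBlock = {0};
    IRP *Irp = IoBuildSynchronousFsdRequest_model(&IoStatusBlock, &Event);
    NTSTATUS Status = IoCallDriver_model(Irp, device_result);
    if (Status == STATUS_PENDING) {
        KeWaitForSingleObject_model(&Event);
        Status = Irp->IoStatus.Status;   /* use after free: Irp is gone */
    }
    return Status;                        /* comes back as the 0xCD fill pattern */
}

/* Hardened form: the only object the caller still owns after completion is the
 * IOSB it registered, so that is where the status is read from. */
NTSTATUS VfatFlushVolume_fixed(NTSTATUS device_result) {
    KEVENT Event = {0};
    IO_STATUS_BLOCK IoStatusBlock = {0};
    IRP *Irp = IoBuildSynchronousFsdRequest_model(&IoStatusBlock, &Event);
    NTSTATUS Status = IoCallDriver_model(Irp, device_result);
    if (Status == STATUS_PENDING) {
        KeWaitForSingleObject_model(&Event);
        Status = IoStatusBlock.Status;   /* caller-owned, valid after the wait */
    }
    /* Ignore devices that do not support flush, as the original code does. */
    if (Status == STATUS_INVALID_DEVICE_REQUEST) Status = STATUS_SUCCESS;
    return Status;
}

int main(void) {
    printf("buggy: 0x%08x\n", (unsigned)VfatFlushVolume_buggy(STATUS_SUCCESS));
    printf("fixed: 0x%08x\n", (unsigned)VfatFlushVolume_fixed(STATUS_SUCCESS));
    printf("fixed, device without flush support: 0x%08x\n",
           (unsigned)VfatFlushVolume_fixed(STATUS_INVALID_DEVICE_REQUEST));
    quarantine_drain();
    return 0;
}
```

The same rule applies to any IRP whose completion is handled by the I/O manager on the caller's behalf: once the wait returns, the IRP pointer must be treated as dead, and any result the caller needs has to come from storage the caller owns. Under Driver Verifier's special pool the stale read is a bugcheck, as in the dump above; without it the read silently returns whatever now occupies that pool block.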

            People

            • Assignee: ThFabba
            • Reporter: ThFabba