Uploaded image for project: 'Core ReactOS'
  1. Core ReactOS
  2. CORE-18711

Kaspersky Anti-Virus 2012 installer hangs the system after beginning the installation

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 0.4.15
    • NTCore
    • VirtualBox 6.1.40, ReactOS 0.4.15-dev-5499-g1341c38.

    Description

      Steps to reproduce:

      1. Copy fltmgr.sys driver from XP or 2003 to system32\drivers.
      2. Open Regedit.
      3. Go to HKLM\SYSTEM\CurrentControlSet\Services\fltmgr.
      4. Change 'Start' value from 3 to 1.
      5. Reboot the system.
      6. Download Kaspersky Anti-Virus 2012 installer here: http://software.oldversion.com/download.php?f=YTo1OntzOjQ6InRpbWUiO2k6MTY3MDM1MDAwNTtzOjI6ImlkIjtpOjE0NzYwO3M6NDoiZmlsZSI7czo1MDoia2FzcGVyc2t5LWFudGl2aXJ1cy0xMi0wLTAtMzc0LWthdjEyLjAuMC4zNzRlbi5leGUiO3M6MzoidXJsIjtzOjY0OiJodHRwOi8vd3d3Lm9sZHZlcnNpb24uY29tL3dpbmRvd3Mva2FzcGVyc2t5LWFudGl2aXJ1cy0xMi0wLTAtMzc0IjtzOjQ6InBhc3MiO3M6MzI6ImJlNjk4ZmExZjVlOTRjOTc3YWVjNWQ1ZDlkNjNlODc4Ijt9 . This is the last version with classic installer, so it is able to render properly at all. 2013 and newer versions are not installable because new installer is not displaying properly. See CORE-15178.
      7. Launch installer and follow wizard steps. You can use default or custom settings, changing them doesn't affect the bug.
      8. Start installation by clicking 'Install' button.

      After performing these steps, appears an assert from FsRtl:

      *** Assertion failed: IsListEmpty(&(FOContext->FilterContexts))
      ***   Source File: /srv/buildbot/worker_data/Build_GCCLin_x86/build/ntoskrnl/fsrtl/filtrctx.c, line 40
      

      The backtrace looks as follows:

      Eip:
      <ntoskrnl.exe:19d6c2 (:0 (DbgUserBreakPoint))>
      Frames:
      <ntoskrnl.exe:46337 (ntoskrnl/fsrtl/filtrctx.c:40 (FsRtlPTeardownPerFileObjectContexts))>
      <ntoskrnl.exe:67fcf (sdk/include/crt/mingw32/intrin_x86.h:1724 (IopDeleteFile))>
      <ntoskrnl.exe:118719 (ntoskrnl/ob/oblife.c:210 (ObpDeleteObject))>
      <ntoskrnl.exe:11eeff (ntoskrnl/ob/obref.c:343 (ObfDereferenceObject))>
      <ntoskrnl.exe:113ce5 (ntoskrnl/ob/obhandle.c:770 (ObpCloseHandleTableEntry))>
      <ntoskrnl.exe:1157ef (ntoskrnl/ob/obhandle.c:1775 (ObpCloseHandle))>
      <ntoskrnl.exe:117a79 (ntoskrnl/ob/obhandle.c:3405 (NtClose))>
      <ntoskrnl.exe:3fe5 (:0 (KiSystemCallTrampoline))>
      <ntoskrnl.exe:16069f (ntoskrnl/ke/i386/traphdlr.c:1840 (KiSystemServiceHandler))>
      <ntoskrnl.exe:3d9b (:0 (KiSystemService))>
      <ntoskrnl.exe:1228 (:0 (ZwClose))>
      <klif.sys:8600b>
      <klif.sys:839bf>
      <ntoskrnl.exe:63043 (ntoskrnl/io/iomgr/driver.c:630 (IopInitializeDriverModule))>
      <ntoskrnl.exe:63c1d (ntoskrnl/io/iomgr/driver.c:2012 (IopLoadDriver))>
      <ntoskrnl.exe:63edd (ntoskrnl/io/iomgr/driver.c:2056 (IopLoadUnloadDriverWorker))>
      <ntoskrnl.exe:3fb1c (ntoskrnl/ex/work.c:158 (ExpWorkerThreadEntryPoint))>
      <ntoskrnl.exe:1392ea (ntoskrnl/ps/thread.c:156 (PspSystemThreadStartup))>
      <ntoskrnl.exe:15bee9 (ntoskrnl/ke/i386/thrdini.c:78 (KiThreadStartup))>
      <ntoskrnl.exe:1392bd (ntoskrnl/ps/thread.c:63 (PspUserThreadStartup))>
      

      The app's driver fails when trying to close some file object handle. However, there is one FsRtl call on the top of call stack.
      After continuing the execution, ExFreePoolWithTag call from the FsRtlPTeardownPerFileObjectContexts function causes a BAD_POOL_CALLER bugcheck:

      *** Fatal System Error: 0x000000c2
                             (0x0000000A,0xB3F83D88,0x61639CB9,0x464F4358)
      

      with the following stack trace:

      Eip:
      <ntoskrnl.exe:19d6c8 (sdk/lib/rtl/i386/debug_asm.S:56 (RtlpBreakWithStatusInstruction))>
      Frames:
      <ntoskrnl.exe:94d31 (ntoskrnl/ke/bug.c:1066 (KeBugCheckWithTf))>
      <ntoskrnl.exe:9529b (ntoskrnl/ke/bug.c:1413 (KeBugCheckEx))>
      <ntoskrnl.exe:b7ad9 (ntoskrnl/mm/ARM3/expool.c:2689 (ExFreePoolWithTag))>
      <ntoskrnl.exe:4634a (ntoskrnl/fsrtl/filtrctx.c:42 (FsRtlPTeardownPerFileObjectContexts))>
      <ntoskrnl.exe:67fcf (sdk/include/crt/mingw32/intrin_x86.h:1724 (IopDeleteFile))>
      <ntoskrnl.exe:118719 (ntoskrnl/ob/oblife.c:210 (ObpDeleteObject))>
      <ntoskrnl.exe:11eeff (ntoskrnl/ob/obref.c:343 (ObfDereferenceObject))>
      <ntoskrnl.exe:113ce5 (ntoskrnl/ob/obhandle.c:770 (ObpCloseHandleTableEntry))>
      <ntoskrnl.exe:1157ef (ntoskrnl/ob/obhandle.c:1775 (ObpCloseHandle))>
      <ntoskrnl.exe:117a79 (ntoskrnl/ob/obhandle.c:3405 (NtClose))>
      <ntoskrnl.exe:3fe5 (:0 (KiSystemCallTrampoline))>
      <ntoskrnl.exe:16069f (ntoskrnl/ke/i386/traphdlr.c:1840 (KiSystemServiceHandler))>
      <ntoskrnl.exe:3d9b (:0 (KiSystemService))>
      <ntoskrnl.exe:1228 (:0 (ZwClose))>
      <klif.sys:8600b>
      <klif.sys:839bf>
      <ntoskrnl.exe:63043 (ntoskrnl/io/iomgr/driver.c:630 (IopInitializeDriverModule))>
      <ntoskrnl.exe:63c1d (ntoskrnl/io/iomgr/driver.c:2012 (IopLoadDriver))>
      <ntoskrnl.exe:63edd (ntoskrnl/io/iomgr/driver.c:2056 (IopLoadUnloadDriverWorker))>
      <ntoskrnl.exe:3fb1c (ntoskrnl/ex/work.c:158 (ExpWorkerThreadEntryPoint))>
      <ntoskrnl.exe:1392ea (ntoskrnl/ps/thread.c:156 (PspSystemThreadStartup))>--- Press q to abort, any other key to continue ---<ntoskrnl.exe:15bee9 (ntoskrnl/ke/i386/thrdini.c:78 (KiThreadStartup))>
      <ntoskrnl.exe:1392bd (ntoskrnl/ps/thread.c:63 (PspUserThreadStartup))>
      

      See kav12.log for details.

      As my investigation shows, the driver tries to create a file object with extension. And it fails to delete it properly later, because it isn't initialized properly during creation in our PnP code. The function which should initialize it, is IopParseDevice. But actually, it doesn't do that. Therefore, FilterContext and TopDeviceObjectHint members of FileObject->FileObjectExtension remain uninitialized, which leads to FsRtlPTeardownPerFileObjectContexts failure. This function manages the FilterContext member, so it badly requires to have it initialized correctly.

      I made a patch with initialization of these members to NULL: kav_fix_1.patch. I can confirm that it fixes the mentioned problem for me. After this change, it fails with another BAD_POOL_CALLER bugcheck on ExFreePoolWithTag call directly from the driver. It's not the one called from FsRtlPTeardownPerFileObjectContexts. So assuming the 1st part of the problem is fixed.

      I'll submit a PR with this fix soon.

      Attachments

        1. hangs_here.png
          hangs_here.png
          56 kB
        2. kav_fix_1.patch
          0.8 kB
        3. kav12.log
          66 kB

        Issue Links

          Activity

            People

              Oleg Dubinskij Oleg Dubinskiy
              Oleg Dubinskij Oleg Dubinskiy
              Votes:
              2 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: