Description
Steps to reproduce:
- Copy fltmgr.sys driver from XP or 2003 to system32\drivers.
- Open Regedit.
- Go to HKLM\SYSTEM\CurrentControlSet\Services\fltmgr.
- Change 'Start' value from 3 to 1.
- Reboot the system.
- Download the Kaspersky Anti-Virus 2012 installer here: http://software.oldversion.com/download.php?f=YTo1OntzOjQ6InRpbWUiO2k6MTY3MDM1MDAwNTtzOjI6ImlkIjtpOjE0NzYwO3M6NDoiZmlsZSI7czo1MDoia2FzcGVyc2t5LWFudGl2aXJ1cy0xMi0wLTAtMzc0LWthdjEyLjAuMC4zNzRlbi5leGUiO3M6MzoidXJsIjtzOjY0OiJodHRwOi8vd3d3Lm9sZHZlcnNpb24uY29tL3dpbmRvd3Mva2FzcGVyc2t5LWFudGl2aXJ1cy0xMi0wLTAtMzc0IjtzOjQ6InBhc3MiO3M6MzI6ImJlNjk4ZmExZjVlOTRjOTc3YWVjNWQ1ZDlkNjNlODc4Ijt9 . This is the last version with the classic installer, so it is the only one able to render properly at all. 2013 and newer versions are not installable because the new installer does not display properly. See CORE-15178.
- Launch the installer and follow the wizard steps. You can use default or custom settings; changing them doesn't affect the bug.
- Start the installation by clicking the 'Install' button.
After performing these steps, an assertion from FsRtl appears:
*** Assertion failed: IsListEmpty(&(FOContext->FilterContexts))
*** Source File: /srv/buildbot/worker_data/Build_GCCLin_x86/build/ntoskrnl/fsrtl/filtrctx.c, line 40
The backtrace looks as follows:
Eip:
<ntoskrnl.exe:19d6c2 (:0 (DbgUserBreakPoint))>
Frames:
<ntoskrnl.exe:46337 (ntoskrnl/fsrtl/filtrctx.c:40 (FsRtlPTeardownPerFileObjectContexts))>
<ntoskrnl.exe:67fcf (sdk/include/crt/mingw32/intrin_x86.h:1724 (IopDeleteFile))>
<ntoskrnl.exe:118719 (ntoskrnl/ob/oblife.c:210 (ObpDeleteObject))>
<ntoskrnl.exe:11eeff (ntoskrnl/ob/obref.c:343 (ObfDereferenceObject))>
<ntoskrnl.exe:113ce5 (ntoskrnl/ob/obhandle.c:770 (ObpCloseHandleTableEntry))>
<ntoskrnl.exe:1157ef (ntoskrnl/ob/obhandle.c:1775 (ObpCloseHandle))>
<ntoskrnl.exe:117a79 (ntoskrnl/ob/obhandle.c:3405 (NtClose))>
<ntoskrnl.exe:3fe5 (:0 (KiSystemCallTrampoline))>
<ntoskrnl.exe:16069f (ntoskrnl/ke/i386/traphdlr.c:1840 (KiSystemServiceHandler))>
<ntoskrnl.exe:3d9b (:0 (KiSystemService))>
<ntoskrnl.exe:1228 (:0 (ZwClose))>
<klif.sys:8600b>
<klif.sys:839bf>
<ntoskrnl.exe:63043 (ntoskrnl/io/iomgr/driver.c:630 (IopInitializeDriverModule))>
<ntoskrnl.exe:63c1d (ntoskrnl/io/iomgr/driver.c:2012 (IopLoadDriver))>
<ntoskrnl.exe:63edd (ntoskrnl/io/iomgr/driver.c:2056 (IopLoadUnloadDriverWorker))>
<ntoskrnl.exe:3fb1c (ntoskrnl/ex/work.c:158 (ExpWorkerThreadEntryPoint))>
<ntoskrnl.exe:1392ea (ntoskrnl/ps/thread.c:156 (PspSystemThreadStartup))>
<ntoskrnl.exe:15bee9 (ntoskrnl/ke/i386/thrdini.c:78 (KiThreadStartup))>
<ntoskrnl.exe:1392bd (ntoskrnl/ps/thread.c:63 (PspUserThreadStartup))>
The app's driver fails when trying to close some file object handle. However, there is one FsRtl call at the top of the call stack.
After continuing the execution, the ExFreePoolWithTag call from the FsRtlPTeardownPerFileObjectContexts function causes a BAD_POOL_CALLER bugcheck:
*** Fatal System Error: 0x000000c2
(0x0000000A,0xB3F83D88,0x61639CB9,0x464F4358)
with the following stack trace:
Eip:
<ntoskrnl.exe:19d6c8 (sdk/lib/rtl/i386/debug_asm.S:56 (RtlpBreakWithStatusInstruction))>
Frames:
<ntoskrnl.exe:94d31 (ntoskrnl/ke/bug.c:1066 (KeBugCheckWithTf))>
<ntoskrnl.exe:9529b (ntoskrnl/ke/bug.c:1413 (KeBugCheckEx))>
<ntoskrnl.exe:b7ad9 (ntoskrnl/mm/ARM3/expool.c:2689 (ExFreePoolWithTag))>
<ntoskrnl.exe:4634a (ntoskrnl/fsrtl/filtrctx.c:42 (FsRtlPTeardownPerFileObjectContexts))>
<ntoskrnl.exe:67fcf (sdk/include/crt/mingw32/intrin_x86.h:1724 (IopDeleteFile))>
<ntoskrnl.exe:118719 (ntoskrnl/ob/oblife.c:210 (ObpDeleteObject))>
<ntoskrnl.exe:11eeff (ntoskrnl/ob/obref.c:343 (ObfDereferenceObject))>
<ntoskrnl.exe:113ce5 (ntoskrnl/ob/obhandle.c:770 (ObpCloseHandleTableEntry))>
<ntoskrnl.exe:1157ef (ntoskrnl/ob/obhandle.c:1775 (ObpCloseHandle))>
<ntoskrnl.exe:117a79 (ntoskrnl/ob/obhandle.c:3405 (NtClose))>
<ntoskrnl.exe:3fe5 (:0 (KiSystemCallTrampoline))>
<ntoskrnl.exe:16069f (ntoskrnl/ke/i386/traphdlr.c:1840 (KiSystemServiceHandler))>
<ntoskrnl.exe:3d9b (:0 (KiSystemService))>
<ntoskrnl.exe:1228 (:0 (ZwClose))>
<klif.sys:8600b>
<klif.sys:839bf>
<ntoskrnl.exe:63043 (ntoskrnl/io/iomgr/driver.c:630 (IopInitializeDriverModule))>
<ntoskrnl.exe:63c1d (ntoskrnl/io/iomgr/driver.c:2012 (IopLoadDriver))>
<ntoskrnl.exe:63edd (ntoskrnl/io/iomgr/driver.c:2056 (IopLoadUnloadDriverWorker))>
<ntoskrnl.exe:3fb1c (ntoskrnl/ex/work.c:158 (ExpWorkerThreadEntryPoint))>
<ntoskrnl.exe:1392ea (ntoskrnl/ps/thread.c:156 (PspSystemThreadStartup))>
<ntoskrnl.exe:15bee9 (ntoskrnl/ke/i386/thrdini.c:78 (KiThreadStartup))>
<ntoskrnl.exe:1392bd (ntoskrnl/ps/thread.c:63 (PspUserThreadStartup))>
See kav12.log for details.
As my investigation shows, the driver tries to create a file object with an extension, and it fails to delete it properly later because the extension isn't initialized properly during creation in our PnP code. The function that should initialize it is IopParseDevice, but it doesn't actually do that. Therefore, the FilterContext and TopDeviceObjectHint members of FileObject->FileObjectExtension remain uninitialized, which leads to the FsRtlPTeardownPerFileObjectContexts failure. This function manages the FilterContext member, so it strictly requires it to be initialized correctly.
I made a patch that initializes these members to NULL: kav_fix_1.patch. I can confirm that it fixes the mentioned problem for me. After this change, it fails with another BAD_POOL_CALLER bugcheck on an ExFreePoolWithTag call made directly from the driver, not the one called from FsRtlPTeardownPerFileObjectContexts. So I assume the first part of the problem is fixed.
I'll submit a PR with this fix soon.
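The failure pattern described in the analysis above (an extension whose FilterContext member is never set, so the teardown path reads whatever the pool memory last held) can be reproduced in a small user-mode model. The following is an added example written for this report; it is not ReactOS code and does not use ReactOS's real structures. All names (fo_extension, filter_context_block, pool_alloc, pool_free, teardown_per_file_object_contexts, run_scenario) and the fixed-slot pool are constructed for the illustration. The pool hands out slots without clearing them, so a freed block's bytes survive for the next occupant, and pool_free reports a free of a non-live block (the condition BAD_POOL_CALLER signals) instead of corrupting memory.

```c
/* Added example (not ReactOS code): why an uninitialized file-object extension
 * makes a teardown routine first trip an "is the list empty" check and then
 * free a block that is not a live allocation. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 8
#define STATUS_OK 0
#define STATUS_ASSERT_LIST_NOT_EMPTY 1   /* models the FsRtl assertion */
#define STATUS_BAD_POOL_CALLER 2         /* models the 0xC2 bugcheck */

/* Doubly linked list head with the same shape as LIST_ENTRY. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;
static void init_list(list_entry *h) { h->flink = h->blink = h; }
static int list_empty(const list_entry *h) { return h->flink == h; }
static void insert_tail(list_entry *h, list_entry *e) {
    e->flink = h; e->blink = h->blink; h->blink->flink = e; h->blink = e;
}

/* Per-file-object filter context block: a list of attached filter contexts. */
typedef struct { list_entry filter_contexts; } filter_context_block;

/* File-object extension; the create path is responsible for every field. */
typedef struct {
    filter_context_block *filter_context;   /* NULL when no filter attached */
    void *top_device_object_hint;
} fo_extension;

/* Toy pool: fixed slots that are never cleared on alloc or free, so reused
 * memory still carries the previous occupant's bytes (constructed model). */
typedef union { void *p; long long ll; double d; unsigned char bytes[64]; } pool_slot;
static pool_slot arena[POOL_SLOTS];
static int in_use[POOL_SLOTS];

static void *pool_alloc(size_t n) {
    if (n > sizeof(pool_slot)) return NULL;
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return &arena[i]; }
    return NULL;
}
/* Frees only live blocks; anything else is reported, not freed. */
static int pool_free(void *p) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (in_use[i] && (void *)&arena[i] == p) { in_use[i] = 0; return STATUS_OK; }
    return STATUS_BAD_POOL_CALLER;
}

/* Models the teardown: if the extension claims a filter context block exists,
 * the list must be empty and the block is returned to the pool. Flags are ORed
 * so the "assert, then continue into the free" sequence is visible. */
static int teardown_per_file_object_contexts(fo_extension *ext) {
    filter_context_block *ctx = ext->filter_context;
    int status = STATUS_OK;
    if (ctx == NULL) return status;
    if (!list_empty(&ctx->filter_contexts)) status |= STATUS_ASSERT_LIST_NOT_EMPTY;
    status |= pool_free(ctx);
    return status;
}

/* initialize == 0 reproduces the reported bug (fields left as found);
 * initialize == 1 is the behaviour of the NULL-initializing fix. */
static fo_extension *create_extension(int initialize) {
    fo_extension *ext = pool_alloc(sizeof *ext);
    if (ext && initialize) { ext->filter_context = NULL; ext->top_device_object_hint = NULL; }
    return ext;
}

/* Leave plausible stale bytes in the pool: an earlier file object had a filter
 * context block with one entry still linked when everything was freed. */
static list_entry stale_entry;
static void leave_stale_contents(void) {
    fo_extension *old = create_extension(1);
    filter_context_block *blk = pool_alloc(sizeof *blk);
    init_list(&blk->filter_contexts);
    insert_tail(&blk->filter_contexts, &stale_entry);
    old->filter_context = blk;
    pool_free(blk);
    pool_free(old);
}

int run_scenario(int initialize) {
    leave_stale_contents();
    fo_extension *ext = create_extension(initialize);   /* reuses the stale slot */
    int status = teardown_per_file_object_contexts(ext);
    pool_free(ext);
    return status;
}

int main(void) {
    printf("uninitialized extension: status %d\n", run_scenario(0));  /* 3 */
    printf("NULL-initialized extension: status %d\n", run_scenario(1)); /* 0 */
    return 0;
}
```

With the extension left uninitialized the teardown sees a stale, non-NULL filter_context, finds a non-empty list (the assertion), and then hands a block that is no longer live to the pool (the bad-pool-caller report), which is the same two-step sequence the report shows. Setting the members to NULL at creation makes the teardown a no-op for objects that never had a filter attached; the general lesson is that any field a teardown path trusts must be written by the create path, because pool memory is not cleared between occupants.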
Issue Links
- is duplicated by: CORE-17466 eBoostr causes a BSOD while doing disk activity (Resolved)
- relates to: CORE-16360 eBoostr's service isn't being loaded at startup (Resolved)