
Use after free of ChildDeviceNode in IopEnumerateDevice


Details

    • Bug
    • Resolution: Fixed
    • Major
    • None
    • NTCore
    • None

    Description

      My friend Special Pool is complaining about this. Looks like IopGetDeviceNode either returns an already freed node, or does not give the caller a reference that would keep the node from being destroyed concurrently.

      kd> kp
      ChildEBP RetAddr  
      f392c6a4 8054e666 nt!DbgUserBreakPoint
      f392c6ac 804c56c4 nt!RtlAssert(void * FailedAssertion = 0x805dfc60, void * FileName = 0x805dfc3c, unsigned long LineNumber = 0x339, char * Message = 0x00000000 "")+0x46 [c:\ros\reactos-clean\reactos\lib\rtl\assert.c @ 119]
      f392c73c 804c71fd nt!MiResolvePageFileFault(unsigned char StoreInstruction = 0x00 '', void * FaultingAddress = 0xf3f2bf5c, struct _MMPTE * PointerPte = 0xc03cfcac, struct _EPROCESS * CurrentProcess = 0x00000000, unsigned char * OldIrql = 0xf392c84b "???")+0x54 [c:\ros\reactos-clean\reactos\ntoskrnl\mm\arm3\pagfault.c @ 825]
      f392c860 804c7df8 nt!MiDispatchFault(unsigned char StoreInstruction = 0x00 '', void * Address = 0xf3f2bf5c, struct _MMPTE * PointerPte = 0xc03cfcac, struct _MMPTE * PointerProtoPte = 0x00000000, unsigned char Recursive = 0x00 '', struct _EPROCESS * Process = 0x00000000, void * TrapInformation = 0xf392c9bc, struct _MMVAD * Vad = 0x00000000)+0xbfd [c:\ros\reactos-clean\reactos\ntoskrnl\mm\arm3\pagfault.c @ 1444]
      f392c964 804f1efe nt!MmArmAccessFault(unsigned char StoreInstruction = 0x00 '', void * Address = 0xf3f2bf5c, char Mode = 0n0 '', void * TrapInformation = 0xf392c9bc)+0x898 [c:\ros\reactos-clean\reactos\ntoskrnl\mm\arm3\pagfault.c @ 1865]
      f392c980 8053e953 nt!MmAccessFault(unsigned char StoreInstruction = 0x00 '', void * Address = 0xf3f2bf5c, char Mode = 0n0 '', void * TrapInformation = 0xf392c9bc)+0xce [c:\ros\reactos-clean\reactos\ntoskrnl\mm\mmfault.c @ 243]
      f392c9b4 804036df nt!KiTrap0EHandler(struct _KTRAP_FRAME * TrapFrame = 0xf392c9bc)+0x1c3 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1277]
      f392c9b4 8049289c nt!KiTrap0E+0x8f
      f392caac 8057aea6 nt!IopEnumerateDevice(struct _DEVICE_OBJECT * DeviceObject = 0xf399bf10)+0x24c [c:\ros\reactos-clean\reactos\ntoskrnl\io\pnpmgr\pnpmgr.c @ 2344]
      f392cbfc 8043bdd1 nt!IoInitSystem(struct _LOADER_PARAMETER_BLOCK * LoaderBlock = 0x80201000)+0x326 [c:\ros\reactos-clean\reactos\ntoskrnl\io\iomgr\iomgr.c @ 566]
      f392cd7c 8043c70c nt!Phase1InitializationDiscard(void * Context = 0x80201000)+0x9d1 [c:\ros\reactos-clean\reactos\ntoskrnl\ex\init.c @ 1798]
      f392cd88 80520601 nt!Phase1Initialization(void * Context = 0x80201000)+0xc [c:\ros\reactos-clean\reactos\ntoskrnl\ex\init.c @ 2012]
      f392cdbc 8053c8c1 nt!PspSystemThreadStartup(<function> * StartRoutine = 0x8043c700, void * StartContext = 0x80201000)+0x91 [c:\ros\reactos-clean\reactos\ntoskrnl\ps\thread.c @ 156]
      f392cddc 8052056f nt!KiThreadStartup(void)+0x61 [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\thrdini.c @ 78]
      f392cde0 8043c6ff nt!PspUnhandledExceptionInSystemThread+0xcf
      f392cde4 80201000 nt!RtlStringCbCatExA+0xcf
      WARNING: Frame IP not in any known module. Following frames may be wrong.
      f392cde8 00000000 0x80201000
      kd> ?? ChildDeviceNode
      struct _DEVICE_NODE * 0xf3f2bed0
         +0x000 Sibling          : ???? 
         +0x004 Child            : ???? 
         +0x008 Parent           : ???? 
         +0x00c LastChild        : ???? 
         +0x010 Level            : ??
         +0x014 Notify           : ???? 
         +0x018 PoIrpManager     : _PO_IRP_MANAGER
         +0x028 State            : ??
         +0x02c PreviousState    : ??
         +0x030 StateHistory     : [20] ??
         +0x080 StateHistoryEntry : ??
         +0x084 CompletionStatus : ??
         +0x088 PendingIrp       : ???? 
         +0x08c Flags            : ??
         +0x090 UserFlags        : ??
         +0x094 Problem          : ??
         +0x098 PhysicalDeviceObject : ???? 
         +0x09c ResourceList     : ???? 
         +0x0a0 ResourceListTranslated : ???? 
         +0x0a4 InstancePath     : _UNICODE_STRING 
         +0x0ac ServiceName      : _UNICODE_STRING 
         +0x0b4 DuplicatePDO     : ???? 
         +0x0b8 ResourceRequirements : ???? 
         +0x0bc InterfaceType    : ??
         +0x0c0 BusNumber        : ??
         +0x0c4 ChildInterfaceType : ??
         +0x0c8 ChildBusNumber   : ??
         +0x0cc ChildBusTypeIndex : ??
         +0x0ce RemovalPolicy    : ??
         +0x0cf HardwareRemovalPolicy : ??
         +0x0d0 TargetDeviceNotify : _LIST_ENTRY
         +0x0d8 DeviceArbiterList : _LIST_ENTRY
         +0x0e0 DeviceTranslatorList : _LIST_ENTRY
         +0x0e8 NoTranslatorMask : ??
         +0x0ea QueryTranslatorMask : ??
         +0x0ec NoArbiterMask    : ??
         +0x0ee QueryArbiterMask : ??
         +0x0f0 OverUsed1        : <unnamed-tag>
         +0x0f4 OverUsed2        : <unnamed-tag>
         +0x0f8 BootResources    : ???? 
         +0x0fc CapabilityFlags  : ??
         +0x100 DockInfo         : <unnamed-tag>
         +0x110 DisableableDepends : ??
         +0x114 PendedSetInterfaceState : _LIST_ENTRY
         +0x11c LegacyBusListEntry : _LIST_ENTRY
         +0x124 DriverUnloadRetryCount : ??
         +0x128 PreviousParent   : ???? 
         +0x12c DeletedChidren   : ??
      kd> ?? ChildDeviceObject
      struct _DEVICE_OBJECT * 0xf3f53f10
         +0x000 Type             : 3
         +0x002 Size             : 0xc0
         +0x004 ReferenceCount   : 0
         +0x008 DriverObject     : 0xf3967f38 _DRIVER_OBJECT
         +0x00c NextDevice       : 0xf3d3ff10 _DEVICE_OBJECT
         +0x010 AttachedDevice   : (null) 
         +0x014 CurrentIrp       : (null) 
         +0x018 Timer            : (null) 
         +0x01c Flags            : 0x1040
         +0x020 Characteristics  : 0x80
         +0x024 Vpb              : (null) 
         +0x028 DeviceExtension  : 0xf3f53fc8 Void
         +0x02c DeviceType       : 4
         +0x030 StackSize        : 1 ''
         +0x034 Queue            : <unnamed-tag>
         +0x05c AlignmentRequirement : 0
         +0x060 DeviceQueue      : _KDEVICE_QUEUE
         +0x074 Dpc              : _KDPC
         +0x094 ActiveThreadCount : 0
         +0x098 SecurityDescriptor : 0xf3f59f70 Void
         +0x09c DeviceLock       : _KEVENT
         +0x0ac SectorSize       : 0
         +0x0ae Spare1           : 0
         +0x0b0 DeviceObjectExtension : 0xf3f53fd0 _DEVOBJ_EXTENSION
         +0x0b4 Reserved         : (null) 
      kd> ?? DeviceObject
      struct _DEVICE_OBJECT * 0xf399bf10
         +0x000 Type             : 3
         +0x002 Size             : 0xc0
         +0x004 ReferenceCount   : 0
         +0x008 DriverObject     : 0xf3967f38 _DRIVER_OBJECT
         +0x00c NextDevice       : (null) 
         +0x010 AttachedDevice   : 0xf39bfee0 _DEVICE_OBJECT
         +0x014 CurrentIrp       : (null) 
         +0x018 Timer            : (null) 
         +0x01c Flags            : 0x1000
         +0x020 Characteristics  : 0
         +0x024 Vpb              : (null) 
         +0x028 DeviceExtension  : 0xf399bfc8 Void
         +0x02c DeviceType       : 4
         +0x030 StackSize        : 1 ''
         +0x034 Queue            : <unnamed-tag>
         +0x05c AlignmentRequirement : 0
         +0x060 DeviceQueue      : _KDEVICE_QUEUE
         +0x074 Dpc              : _KDPC
         +0x094 ActiveThreadCount : 0
         +0x098 SecurityDescriptor : (null) 
         +0x09c DeviceLock       : _KEVENT
         +0x0ac SectorSize       : 0
         +0x0ae Spare1           : 1
         +0x0b0 DeviceObjectExtension : 0xf399bfd0 _DEVOBJ_EXTENSION
         +0x0b4 Reserved         : (null) 

          People

            ThFabba ThFabba
            ThFabba ThFabba
