Surprisingly, the Windows 8 Object Manager allocates some objects from the paged pool. That means ObReferenceObject and ObDereferenceObject can't be safely called at DISPATCH_LEVEL on such objects, whatever the documented IRQL ceiling says: both routines update the pointer count in the object header, which lives in the same allocation as the object, so if the object was allocated from the paged pool the actual maximum IRQL becomes APC_LEVEL. A token object, for example, might come from the paged pool, as the !pool command shows:
1: kd> !pool ffffc00002b73770
Pool page ffffc00002b73770 region is Paged pool
.....
*ffffc00002b73740 size: 8c0 previous size: 1c0 (Allocated) *Toke
Pooltag Toke : Token objects, Binary : nt!se
The object itself (a pretty large pointer count, but nevertheless a valid object):
1: kd> !object ffffc00002b737a0
Object: ffffc00002b737a0 Type: (ffffe00000153db0) Token
ObjectHeader: ffffc00002b73770 (new version)
HandleCount: 33 PointerCount: 131067
Driver Verifier was active (its Force IRQL Checking option trims pageable code and data as soon as the verified driver raises IRQL to DISPATCH_LEVEL or above) and cleared the valid bit from the PTE that maps the paged-pool page on which the object was allocated:
1: kd> !pte ffffc00002b737a0
VA ffffc00002b737a0
PXE at FFFFF6FB7DBEDC00 PPE at FFFFF6FB7DB80000 PDE at FFFFF6FB700000A8 PTE at FFFFF6E000015B98
contains 000000000134F863 contains 0000000001DCE863 contains 00000001257C2863 contains FB40000129FE9882
pfn 134f ---DA--KWEV pfn 1dce ---DA--KWEV pfn 1257c2 ---DA--KWEV not valid
Transition: 129fe9
Protect: 4 - ReadWrite
The PTE is marked invalid although the physical page still holds valid data: the page is in transition (the Transition line above names its PFN), it has not been reused or written out to the backing store, and a normal access would simply take a soft page fault (no I/O involved) that brings the valid bit back. At DISPATCH_LEVEL, however, the page fault handler refuses to resolve even a transition fault and bug-checks, so calling ObDereferenceObject on this object at DISPATCH_LEVEL crashes the system. In the trap frame below the faulting instruction is the interlocked decrement of PointerCount in the object header, 0x30 bytes below the object body (compare ObjectHeader ffffc00002b73770 with Object ffffc00002b737a0 above); rsi shows as zero only because, as the debugger itself warns, the trap frame is incomplete.
TRAP_FRAME: ffffd000201fc800 -- (.trap 0xffffd000201fc800)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000005 rbx=0000000000000000 rcx=ffffc00002b737a0
rdx=0000000000000005 rsi=0000000000000000 rdi=0000000000000000
rip=fffff803b20565a3 rsp=ffffd000201fc990 rbp=fffff800017bf594
r8=0000000000000007 r9=fffff800017debac r10=0000000000000000
r11=ffffd000201fcc70 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!ObfDereferenceObject+0x23:
fffff803`b20565a3 f0480fc15ed0 lock xadd qword ptr [rsi-30h],rbx ds:ffffffff`ffffffd0=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff803b21f10ea to fffff803b216f890
STACK_TEXT:
nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x8ab
nt!KeBugCheckEx+0x104
nt!KiBugCheckDispatch+0x69
nt!KiPageFault+0x23a
nt!ObfDereferenceObject+0x23
<here is an offending driver ))))>
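As an added example (not code from the post), the following shows the dereference ordering a driver needs once it accepts that an object may live in paged pool: the buggy form releases references while a spinlock is held (DISPATCH_LEVEL), the fixed form detaches the pointers under the lock and dereferences only after it is released, and a third form covers a caller that is already at DISPATCH_LEVEL (a DPC) by handing the release to a work item. A real driver includes ntddk.h; here the kernel routines (KeAcquireSpinLock, KeReleaseSpinLock, KeGetCurrentIrql, ObDereferenceObject, a queue_work_item stand-in for IoQueueWorkItem and a run_worker stand-in for the system worker thread), the g_irql and g_bugcheck state, the TRACKER structure and the scenario are user-mode models assumed for this example so that the ordering can be compiled and run outside a kernel. The Driver Verifier effect is modelled as: touching a paged object above APC_LEVEL sets the bug-check flag.

```c
/* Added example, not code from the post. The "model" items below stand in for the
 * kernel APIs so the ordering can be run in user mode; they are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASSIVE_LEVEL  0             /* IRQL values as defined by the WDK */
#define APC_LEVEL      1
#define DISPATCH_LEVEL 2
#define MAX_SLOTS      4

typedef uint8_t KIRQL;
typedef int     KSPIN_LOCK;                                /* model: lock word unused */
typedef struct { long pointer_count; int paged; } OBJECT; /* model; paged=1 like the post's Token */
static KIRQL g_irql = PASSIVE_LEVEL; /* model of the current IRQL */
static int   g_bugcheck;             /* model: set where the kernel would bug-check */

static KIRQL KeGetCurrentIrql(void) { return g_irql; }
static void  KeAcquireSpinLock(KSPIN_LOCK *l, KIRQL *old) { (void)l; *old = g_irql; g_irql = DISPATCH_LEVEL; }
static void  KeReleaseSpinLock(KSPIN_LOCK *l, KIRQL old)  { (void)l; g_irql = old; }

/* Model of ObDereferenceObject with Force IRQL Checking in effect: a paged-pool object
 * touched above APC_LEVEL page-faults, and that fault is fatal even for a transition page. */
static void ObDereferenceObject(OBJECT *obj)
{
    if (obj->paged && KeGetCurrentIrql() > APC_LEVEL) { g_bugcheck = 1; return; }
    obj->pointer_count--;
}

/* Model of a work-item queue (stand-in for IoQueueWorkItem) drained by a system
 * worker thread at PASSIVE_LEVEL. */
typedef void (*WORK_ROUTINE)(void *ctx);
static struct { WORK_ROUTINE fn; void *ctx; } g_work[MAX_SLOTS];
static int g_work_count;
static void queue_work_item(WORK_ROUTINE fn, void *ctx) { g_work[g_work_count].fn = fn; g_work[g_work_count++].ctx = ctx; }
static void run_worker(void)
{
    KIRQL saved = g_irql; g_irql = PASSIVE_LEVEL;
    for (int i = 0; i < g_work_count; i++) g_work[i].fn(g_work[i].ctx);
    g_work_count = 0; g_irql = saved;
}

/* Driver state: referenced objects tracked under a spinlock, plus a hand-off buffer. */
typedef struct { KSPIN_LOCK lock; OBJECT *slots[MAX_SLOTS]; OBJECT *detached[MAX_SLOTS]; } TRACKER;

/* Buggy: releases the references while the spinlock is held (DISPATCH_LEVEL). */
int tracker_clear_buggy(TRACKER *t)
{
    KIRQL old;
    KeAcquireSpinLock(&t->lock, &old);
    for (int i = 0; i < MAX_SLOTS; i++)
        if (t->slots[i]) { ObDereferenceObject(t->slots[i]); t->slots[i] = NULL; }
    KeReleaseSpinLock(&t->lock, old);
    return g_bugcheck ? -1 : 0;
}

/* Move the pointers out of the table under the lock without touching any object. */
static void tracker_detach(TRACKER *t)
{
    KIRQL old;
    KeAcquireSpinLock(&t->lock, &old);
    memcpy(t->detached, t->slots, sizeof t->detached);
    memset(t->slots, 0, sizeof t->slots);
    KeReleaseSpinLock(&t->lock, old);
}

static void tracker_release_detached(void *ctx)
{
    TRACKER *t = ctx;
    for (int i = 0; i < MAX_SLOTS; i++)
        if (t->detached[i]) { ObDereferenceObject(t->detached[i]); t->detached[i] = NULL; }
}

/* Fixed for callers at PASSIVE/APC_LEVEL: dereference once the lock is dropped. */
int tracker_clear_fixed(TRACKER *t)
{
    tracker_detach(t); tracker_release_detached(t); return g_bugcheck ? -1 : 0;
}

/* Fixed for callers already at DISPATCH_LEVEL (a DPC): defer to a work item. */
int tracker_clear_from_dpc(TRACKER *t)
{
    tracker_detach(t); queue_work_item(tracker_release_detached, t); return g_bugcheck ? -1 : 0;
}

/* Constructed scenario: one paged object (count from the post's !object output) in the
 * table. Returns -1 if the model bug-checked, else the object's final pointer count. */
long run_scenario(int (*clear)(TRACKER *), KIRQL caller_irql)
{
    OBJECT token = { 131067, 1 }; TRACKER t = { 0 }; t.slots[0] = &token;
    g_bugcheck = 0; g_work_count = 0; g_irql = caller_irql;
    int rc = clear(&t); run_worker();          /* queued work now runs at PASSIVE_LEVEL */
    g_irql = PASSIVE_LEVEL;
    return rc ? -1 : token.pointer_count;
}

int main(void)
{
    printf("buggy, PASSIVE caller:    %ld\n", run_scenario(tracker_clear_buggy, PASSIVE_LEVEL));
    printf("fixed, DISPATCH caller:   %ld\n", run_scenario(tracker_clear_fixed, DISPATCH_LEVEL));
    printf("dpc-safe, DISPATCH caller: %ld\n", run_scenario(tracker_clear_from_dpc, DISPATCH_LEVEL));
    return 0;
}
```

Dropping the spinlock is not enough on its own: if the caller itself runs at DISPATCH_LEVEL, as a DPC does, the fixed form still faults in the model and only the work-item form survives. The same rule applies to ObReferenceObject, which touches the same header field: take the reference at or below APC_LEVEL, before raising IRQL, rather than inside the locked region.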