wdfrequest neither cancelable nor forwardable to manual queue

Jenitta

I have an IOCTL request (wdfrequest) which could be in a pending status for some time in my driver.

When the application exits, I want the request to be cancelled.

For this I tried 2 methods: 1) marking it cancelable and 2) forwarding it to a manual I/O queue.

But both these methods are crashing the system.

In method 1, when I invoke WdfRequestMarkCancelable, the system crashes.

In method 2, when I invoke WdfRequestForwardToIoQueue, the system crashes.

The crash dump analysis of both the bugchecks is the same.

The common thing in both methods is the wdfrequest. In first method I tried to mark it cancelable and in second method I tried to forward it to a queue which I have created.

So something is common in both the trials.

--------------------------------------------

3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffffc0f61faf0a0, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffffc0f61faeff8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.Sec
Value: 9

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-DTNBC9V

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.Sec
Value: 54

Key : Analysis.Memory.CommitPeak.Mb
Value: 76

Key : Analysis.System
Value: CreateObject


BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: fffffc0f61faf0a0

BUGCHECK_P3: fffffc0f61faeff8

BUGCHECK_P4: 0

TRAP_FRAME: fffffc0f61faf0a0 -- (.trap 0xfffffc0f61faf0a0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffde0dd66b00b8 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000002 rsi=0000000000000000 rdi=0000000000000000
rip=fffff804c03d8aa0 rsp=fffffc0f61faf230 rbp=ffffde0dd71c3090
r8=0000000000000003 r9=ffffde0dd959c010 r10=ffffde0dd7489498
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
Wdf01000!RtlFailFast+0x5:
fffff804`c03d8aa0 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: fffffc0f61faeff8 -- (.exr 0xfffffc0f61faeff8)
ExceptionAddress: fffff804c03d8aa0 (Wdf01000!RtlFailFast+0x0000000000000005)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


PROCESS_NAME: my-test.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
fffffc0f`61faed78 fffff803`fdc67669 : 00000000`00000139 00000000`00000003 fffffc0f`61faf0a0 fffffc0f`61faeff8 : nt!KeBugCheckEx
fffffc0f`61faed80 fffff803`fdc67a10 : 00000000`00001000 fffffc0f`61faee00 00000000`00035200 fffff803`fdcee22c : nt!KiBugCheckDispatch+0x69
fffffc0f`61faeec0 fffff803`fdc66025 : 00000000`00000002 ffff8bfb`d1200010 00000000`00001000 00000000`00000004 : nt!KiFastFailDispatch+0xd0
fffffc0f`61faf0a0 fffff804`c03d8aa0 : ffffde0d`d71cc2a0 00000000`00000004 ffffde0d`d4551950 fffff804`c06b9a94 : nt!KiRaiseSecurityCheckFailure+0x2e5
fffffc0f`61faf230 fffff804`c03834d8 : ffffde0d`d7489402 ffffde0d`d71c3090 ffffde0d`d959c010 00000000`00000001 : Wdf01000!FxIoQueue::QueueRequestFromForward+0x4bfe0 [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 2447]
fffffc0f`61faf2b0 fffff804`c2e8bf76 : 00000001`00000102 ffffde0d`d7489420 ffffde0d`d71cc2a0 ffffde0d`d7489420 : Wdf01000!imp_WdfRequestForwardToIoQueue+0x1b8 [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 3130]
fffffc0f`61faf330 fffff804`c2e7d0e6 : 000021f2`28b76bd8 000021f2`28e33d58 ffffde0d`d8e86120 fffff804`c03fbc1c : my-driver!WdfRequestForwardToIoQueue+0x46 [c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.19\wdfrequest.h @ 1588]
fffffc0f`61faf370 fffff804`c038c50b : 000021f2`28e3cfd8 000021f2`28b76bd8 00000000`0000000c 00000000`0000001c : my-driver!myEvtIoDeviceControl+0x626 [c:\users\sys\my-driver-control.c @ 749]
fffffc0f`61faf3d0 fffff804`c038ba43 : ffff930f`294be400 00000000`00000001 00000000`00000000 00000000`00000000 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x1bb [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 3325]
fffffc0f`61faf470 fffff804`c03887ad : ffffde0d`d71c3020 ffffde0d`00000000 00000000`00000000 ffffde0d`d28d1550 : Wdf01000!FxIoQueue::DispatchEvents+0x473 [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 3125]
fffffc0f`61faf550 fffff804`c03878d1 : ffffde0d`d5c4d7c0 ffffde0d`d959c000 ffffde0d`d7489420 0a000001`61a70801 : Wdf01000!FxPkgIo::DispatchStep1+0x52d [minkernel\wdf\framework\shared\irphandlers\io\fxpkgio.cpp @ 324]
fffffc0f`61faf610 fffff803`fdb35839 : 00000000`00000000 fffff803`fdb35b05 ffffde0d`d664c7c0 ffffde0d`d72582b0 : Wdf01000!FxDevice::DispatchWithLock+0x5a1 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430]
fffffc0f`61faf700 fffff803`fdfb6f7b : ffffde0d`d959c010 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IofCallDriver+0x59
fffffc0f`61faf740 fffff803`fdfbb4ea : ffffde0d`d959c010 fffffc0f`61fafa80 00000000`20206f00 fffffc0f`61fafa80 : nt!IopSynchronousServiceTail+0x1ab
fffffc0f`61faf7f0 fffff803`fdfb8ed6 : 000000da`0a52d6d0 00000000`00000104 00000000`00000000 000000da`0a52d7a8 : nt!IopXxxControlFile+0x68a
fffffc0f`61faf920 fffff803`fdc67143 : ffffde0d`d664c080 000000da`0a52d6b8 fffffc0f`61faf9a8 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
fffffc0f`61faf990 00007ffe`078eaa84 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000da`0a52d688 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`078eaa84


FAULTING_SOURCE_LINE: c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.19\wdfrequest.h

FAULTING_SOURCE_FILE: c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.19\wdfrequest.h

FAULTING_SOURCE_LINE_NUMBER: 1588

FAULTING_SOURCE_CODE:
1584: WDFQUEUE DestinationQueue
1585: )
1586: {
1587: return ((PFN_WDFREQUESTFORWARDTOIOQUEUE) WdfFunctions[WdfRequestForwardToIoQueueTableIndex])(WdfDriverGlobals, Request, DestinationQueue);
> 1588: }
1589:
1590: //
1591: // WDF Function: WdfRequestGetIoQueue
1592: //
1593: typedef


SYMBOL_NAME: my-driver!WdfRequestForwardToIoQueue+46

MODULE_NAME: my-driver


IMAGE_NAME: my-driver.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 46

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_my-driver!WdfRequestForwardToIoQueue

OS_VERSION: 10.0.17134.1

BUILDLAB_STR: rs4_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {0383c06b-ea6c-c04a-e415-0ca76955bfb5}

Followup: MachineOwner
---------
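
The bugcheck above reports subcode 3 (FAST_FAIL_CORRUPT_LIST_ENTRY), which means a doubly linked list consistency check failed. As an added example that is not part of the original post and not Windows or WDF source, the following user-mode C model (all names hypothetical) shows how such a check catches a double remove and an entry linked onto a second list while still on the first; it does not diagnose the driver above.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-mode model of a LIST_ENTRY-style circular doubly linked list.
   All names are hypothetical; this is not Windows or WDF source. */
typedef struct node { struct node *flink, *blink; } node;

static void list_init(node *head) { head->flink = head->blink = head; }

/* An entry is consistent only if both neighbours point back at it. */
static bool entry_ok(const node *e) {
    return e->flink->blink == e && e->blink->flink == e;
}

/* Checked tail insert: refuse if the tail linkage is already broken. */
static bool insert_tail(node *head, node *e) {
    node *prev = head->blink;
    if (prev->flink != head) return false;  /* a kernel would fail fast here */
    e->flink = head; e->blink = prev;
    prev->flink = e; head->blink = e;
    return true;
}

/* Checked remove: refuse if the neighbours no longer reference the entry. */
static bool remove_entry(node *e) {
    if (!entry_ok(e)) return false;         /* models the subcode 3 failure */
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return true;
}

/* Case 1: the same entry is removed twice ("double remove"). */
static bool double_remove_detected(void) {
    node head, a, b;
    list_init(&head);
    insert_tail(&head, &a);
    insert_tail(&head, &b);
    bool first = remove_entry(&a);   /* succeeds; a keeps its stale links */
    bool second = remove_entry(&a);  /* stale links fail the check */
    return first && !second;
}

/* Case 2: an entry still linked on q1 is also inserted on q2. */
static bool double_insert_detected(void) {
    node q1, q2, req, other;
    list_init(&q1); list_init(&q2);
    insert_tail(&q1, &req);
    insert_tail(&q2, &req);            /* overwrites req's links to q1 */
    return !insert_tail(&q1, &other);  /* q1's tail no longer points back */
}

int main(void) { return (double_remove_detected() && double_insert_detected()) ? 0 : 1; }
```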

