From: matt_sykes on 9 Apr 2010 04:12

I get a BSOD when using this func with the UNICODE_STRING format specifier %wZ (the bug is actually in vsnprintf) when the UNICODE_STRING is empty, i.e. a valid buffer (zeroed or unzeroed makes no difference) with the Length and MaximumLength set to zero.

Now I know these specifiers aren't documented, but they exist, and are well known, and used.

This is the crash:

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805066f7, The address that the exception occurred at
Arg3: f789dfe4, Exception Record Address
Arg4: f789dce0, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!_output+498
805066f7 8b4804          mov     ecx,dword ptr [eax+4]

EXCEPTION_RECORD:  f789dfe4 -- (.exr 0xfffffffff789dfe4)
ExceptionAddress: 805066f7 (nt!_output+0x00000498)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 005a005c
Attempt to read from address 005a005c

CONTEXT:  f789dce0 -- (.cxr 0xfffffffff789dce0)
eax=005a0058 ebx=0000005a ecx=00000007 edx=8932a026 esi=f789e0f0 edi=8961b860
eip=805066f7 esp=f789e0ac ebp=f789e314 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!_output+0x498:
805066f7 8b4804          mov     ecx,dword ptr [eax+4] ds:0023:005a005c=????????
Resetting default scope

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  005a005c

READ_ADDRESS:  005a005c

FOLLOWUP_IP:
eps!RtlStringVPrintfWorkerA+35 [c:\winddk\6001\inc\ddk\ntstrsafe.h @ 11741]
af836375 83c410          add     esp,10h

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  STRING_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 80501a97 to 805066f7

STACK_TEXT:
f789e314 80501a97 f789e330 af842140 f789e3d4 nt!_output+0x498
f789e350 af836375 8932a000 00000fff af842140 nt!_vsnprintf+0x2f
f789e378 af836242 8932a000 00001000 00000000 eps!RtlStringVPrintfWorkerA+0x35 [c:\winddk\6001\inc\ddk\ntstrsafe.h @ 11741]
f789e39c af83619a 8932a000 00001000 af842140 eps!RtlStringCbVPrintfA+0x42 [c:\winddk\6001\inc\ddk\ntstrsafe.h @ 4219]
f789e3c4 af84001a 00000200 af842140 005a0058 eps!LSDbg+0x6a [c:\work\main\eps\eps\latest\eps\bootstrap\debug.c @ 80]
f789e438 af84f878 80574bea 8961b848 00000000 eps!EPSReadRegistryHardenListFromFile+0x2ba [c:\work\main\eps\eps\latest\eps\bootstrap\registry.c @ 1584]
f789e56c 8059f7d3 8961b860 8932d000 e15e0208 eps!DriverEntry+0x168 [c:\work\main\eps\eps\latest\eps\bootstrap\lsload.c @ 222]
f789e63c 806af6b3 000003b0 00000001 00000000 nt!IopLoadDriver+0x66d
f789e698 806afff7 00034000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c
f789e838 806b1012 80088000 00000000 8a1f4750 nt!IoInitSystem+0x7a3
f789edac 8057572b 80088000 00000000 00000000 nt!Phase1Initialization+0xac7
f789eddc 804ec6c9 806b07bf 80088000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FAULTING_SOURCE_CODE:
 11737:
 11738: #if (NTSTRSAFE_USE_SECURE_CRT == 1) && !defined(NTSTRSAFE_LIB_IMPL)
 11739:     iRet = _vsnprintf_s(pszDest, cchDest, cchMax, pszFormat, argList);
 11740: #else
>11741:     iRet = _vsnprintf(pszDest, cchMax, pszFormat, argList);
 11742: #endif
 11743:     // ASSERT((iRet < 0) || (((size_t)iRet) <= cchMax));
 11744:
 11745:     if ((iRet < 0) || (((size_t)iRet) > cchMax))
 11746:     {

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  eps!RtlStringVPrintfWorkerA+35

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: eps

IMAGE_NAME:  eps.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4bbedba2

STACK_COMMAND:  .cxr 0xfffffffff789dce0 ; kb

FAILURE_BUCKET_ID:  0x7E_eps!RtlStringVPrintfWorkerA+35

BUCKET_ID:  0x7E_eps!RtlStringVPrintfWorkerA+35

Followup: MachineOwner
---------

If I use the %S string specifier and use 'myUnicodeString.Buffer' there isn't a crash. The code is running at PASSIVE_LEVEL by the way.
From: matt_sykes on 9 Apr 2010 10:02
On 9 Apr, 10:12, matt_sykes <zzeb...(a)hotmail.com> wrote:
> I get a BSOD when using this func with the UNICODE_STRING format
> specifier %wZ (the bug is actually in vsnprintf) when the
> UNICODE_STRING is empty, i.e. a valid buffer (zeroed or unzeroed makes
> no difference) with the Length and MaximumLength set to zero.
>
> Now I know these specifiers aren't documented, but they exist, and are
> well known, and used.
>
> This is the crash:
>
> [!analyze -v output snipped]
>
> If I use the %S string specifier and use 'myUnicodeString.Buffer'
> there isn't a crash. The code is running at PASSIVE_LEVEL by the way.

OK, scrap that. The code I was maintaining was broken, not the function. It wasn't sending the address of the UNICODE_STRING objects, but the objects themselves. So much for using undocumented features...
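The contract the thread ends up at, namely that %wZ consumes a pointer to a UNICODE_STRING and that a correct consumer treats Length == 0 as the empty string whatever Buffer holds, as an added user-mode C model that is not code from either post nor from Windows: the UNICODE_STRING stand-in and the render_unicode_string/log_unicode helpers are hypothetical.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-mode stand-in for the NT UNICODE_STRING: Length and
 * MaximumLength are byte counts; Buffer is UTF-16 and need not be NUL-terminated. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} UNICODE_STRING;

/* Render a counted UTF-16 string as ASCII the way a %wZ consumer must: trust
 * Length, never scan for a terminator, and treat Length == 0 as empty no matter
 * what Buffer points at. Code units above 0x7F become '?'. Returns characters
 * written (excluding the NUL), or -1 if out cannot hold the result. */
static int render_unicode_string(char *out, size_t cap, const UNICODE_STRING *us)
{
    size_t n, i;
    if (us == NULL) {                       /* a NULL pointer is still printable */
        if (cap < sizeof "(null)") return -1;
        memcpy(out, "(null)", sizeof "(null)");
        return 6;
    }
    n = us->Length / sizeof(uint16_t);
    if (n + 1 > cap) return -1;
    for (i = 0; i < n; i++)
        out[i] = us->Buffer[i] < 0x80 ? (char)us->Buffer[i] : '?';
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical vsnprintf-style front end that takes exactly one UNICODE_STRING
 * *pointer* from the va_list. Pushing the struct itself instead of its address
 * (the bug in the thread) makes the callee read struct bytes as the pointer. */
static int log_unicode(char *out, size_t cap, const char *prefix, ...)
{
    va_list ap;
    const UNICODE_STRING *us;
    int n, len;
    va_start(ap, prefix);
    us = va_arg(ap, const UNICODE_STRING *);
    va_end(ap);
    n = snprintf(out, cap, "%s", prefix);
    if (n < 0 || (size_t)n >= cap) return -1;
    len = render_unicode_string(out + n, cap - (size_t)n, us);
    return len < 0 ? -1 : n + len;
}
```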