Comments (8)
Hi @fcyinxunpeng ,
RequestContext->Irp->MdlAddress be filled by the program of antivirus software?
It technically could but I believe it shouldn't provide one as the current IRP major is IRP_MJ_DIRECTORY_CONTROL
https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_irp
Pointer to an MDL describing a user buffer, if the driver is using direct I/O, and the IRP major function code is one of the following:
- IRP_MJ_READ: The MDL describes an empty buffer that the device or driver fills in.
- IRP_MJ_WRITE: The MDL describes a buffer that contains data for the device or driver.
- IRP_MJ_DEVICE_CONTROL or IRP_MJ_INTERNAL_DEVICE_CONTROL: If the IOCTL code specifies the METHOD_IN_DIRECT transfer type, the MDL describes a buffer that contains data for the device or driver.
Normally we should allocate that MDL from the UserBuffer and own it, but due to how the code is written, we try to use theirs.
Lines 105 to 114 in 69e3d88
We could change our code to override their value by removing this check and the same one in DokanAllocateMdl to ignore their (bogus?) value.
Line 106 in 69e3d88
from dokany.
Hi @Liryna ,
Thanks for your reply.
I removed this check and the same one in DokanAllocateMdl()
Line 106 in 69e3d88
Line 589 in 69e3d88
But it seems like it's not working because RequestContext->Irp->UserBuffer is always NULL, while RequestContext->Irp->MdlAddress is not NULL even when I don't have antivirus software installed.
If I zero memory in DokanQueryDirectory():
if (RequestContext->Irp->MdlAddress == NULL) {
    ...
} else {
    // test code
    buffer = MmGetSystemAddressForMdlNormalSafe(RequestContext->Irp->MdlAddress);
    RtlZeroMemory(buffer, bufferLen); // won't crash at this line
}
Dokany2.sys doesn't crash at this line of code, so RequestContext->Irp->MdlAddress is valid at this moment.
Maybe then the antivirus software frees the content of RequestContext->Irp->MdlAddress, even though dokany2.sys returns a STATUS_PENDING?
from dokany.
Thanks for testing!
Yeah that could be possible. Would you be able to contact Rising so they can look into this on their side?
from dokany.
OK, I intend to ask for official help.
And I found that the MmGetSystemAddressForMdlNormalSafe function returns a user-space address instead of a kernel-space address when I use antivirus software scanning.
from dokany.
This is the official reply of Rising:
The problem is that when traversing the directory, Rising Anti-Virus Software V17 passes in a user-mode address, causing a blue screen when the dokany driver writes to this address.
You can suggest to dokany that you add a method to determine whether the request mode is user mode, or after detecting the user mode address, use the writing method of the user mode address, such as __try __except and so on.
But I think the real reason is that the anti-virus software modified the address of MmGetSystemAddressForMdlNormalSafe() to point to user space, but this address is only valid in the current context. When dokany is executing DokanCompleteDirectoryControl(), this address is invalid.
from dokany.
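The check suggested in Rising's reply above (detect a user-mode address before a deferred write), as an added example that is not part of the thread or of Dokany's code: a user-space C model of the sanity test a driver could apply to the address it obtained from an MDL. The names `check_deferred_write` and `KERNEL_HALF_START` and all sample addresses are assumptions made for illustration; the MDL flag bits are the ones defined in wdm.h.

```c
#include <stdint.h>
#include <stdio.h>

/* Start of the canonical upper half with 48-bit virtual addresses (x64).
   Constructed stand-in: a real driver would compare against MmSystemRangeStart. */
#define KERNEL_HALF_START 0xFFFF800000000000ULL

/* MDL flag bits as defined in wdm.h */
#define MDL_MAPPED_TO_SYSTEM_VA     0x0001
#define MDL_PAGES_LOCKED            0x0002
#define MDL_SOURCE_IS_NONPAGED_POOL 0x0004

typedef enum {
    WRITE_OK, ERR_NULL_VA, ERR_RANGE_WRAPS, ERR_USER_VA, ERR_NOT_RESIDENT
} write_check;

/* Hypothetical helper: may a buffer address taken from an MDL be written later,
   from a different thread context (the STATUS_PENDING case in this thread)? */
write_check check_deferred_write(uint64_t va, uint32_t len, uint16_t mdl_flags)
{
    if (va == 0)
        return ERR_NULL_VA;            /* mapping failed */
    if (va + len < va)
        return ERR_RANGE_WRAPS;        /* buffer end wraps past the address space */
    if (va < KERNEL_HALF_START)
        return ERR_USER_VA;            /* only meaningful in the requester's process */
    if (!(mdl_flags & (MDL_PAGES_LOCKED | MDL_SOURCE_IS_NONPAGED_POOL)))
        return ERR_NOT_RESIDENT;       /* pages may be paged out or freed */
    return WRITE_OK;
}

int main(void)
{
    /* Constructed samples: an MDL whose flags claim a system mapping but whose
       address lies in user space (what the reporter observed), then a sane one. */
    struct { uint64_t va; uint32_t len; uint16_t flags; } s[] = {
        { 0x000000A3F1C20000ULL, 4096,
          MDL_MAPPED_TO_SYSTEM_VA | MDL_SOURCE_IS_NONPAGED_POOL },
        { 0xFFFFA80012340000ULL, 4096,
          MDL_MAPPED_TO_SYSTEM_VA | MDL_PAGES_LOCKED },
    };
    for (unsigned i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("va=%#llx -> %d\n", (unsigned long long)s[i].va,
               check_deferred_write(s[i].va, s[i].len, s[i].flags));
    return 0;
}
```

The flag test alone would accept the first sample, since its flags look like a nonpaged-pool MDL; only the address-range comparison rejects it.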
Thanks @fcyinxunpeng ! I am not sure about their answer. I believe we do everything correctly. We try catch and lock the page when we receive the request
Lines 590 to 600 in 69e3d88
and only release when we no longer need it.
https://github.com/dokan-dev/dokany/blob/master/sys/directory.c#L323
I agree with you that they might not wait for our completion and do something with the buffer they gave us and things go wrong.
from dokany.
@fcyinxunpeng Were you able to get more info from Rising?
from dokany.