[ros-kernel] Possible SECURITY_DESCRIPTOR cache problem
Mike Nordell
tamlin at algonet.se
Sun Aug 22 21:38:04 CEST 2004
I've experienced intermittent crashes at startup in
RtlLengthSecurityDescriptor, coming from ObpCompareSecurityDescriptors,
ObpAddSecurityDescriptor, ObCreateObject ...
From what I can see, the problem is Sd, second argument to the call to
ObpCompareSecurityDescriptors; line 242 of sdcache.c. It is flagged as
SE_SELF_RELATIVE, but the memory at address
"(ULONG)Owner + (ULONG)SecurityDescriptor" (in RtlLengthSecurityDescriptor)
is not valid.
I could speculate on a couple of reasons this might be, but I'd prefer the
SD cache author to pipe in. Could it be an entry in the cache that is
changed, or even deleted, outside the cache's knowledge?
For completeness I include some annotated disassembly of the crash:
c0073161 <_RtlLengthSecurityDescriptor at 4>: (lib\rtl\sd.c, 47)
c0073161: push %ebp
c0073162: mov %esp,%ebp
c0073164: sub $0x14,%esp
c0073167: movl $0x14,0xfffffff4(%ebp)
c007316e: mov 0x8(%ebp),%eax
; if (SecurityDescriptor->Owner != NULL)
; {
c0073171: cmpl $0x0,0x4(%eax)
c0073175: je c00731ac <_RtlLengthSecurityDescriptor at 4+0x4b>
; Owner = SecurityDescriptor->Owner;
c0073177: mov 0x8(%ebp),%eax
c007317a: mov 0x4(%eax),%eax
c007317d: mov %eax,0xfffffffc(%ebp)
c0073180: mov 0x8(%ebp),%eax
;if (SecurityDescriptor->Control & SE_SELF_RELATIVE)
c0073183: cmpw $0x0,0x2(%eax)
c0073188: jns c0073192 <_RtlLengthSecurityDescriptor at 4+0x31>
; Owner = (PSID)((ULONG)Owner + (ULONG)SecurityDescriptor);
c007318a: mov 0x8(%ebp),%edx ; edx = SecurityDescriptor
c007318d: lea 0xfffffffc(%ebp),%eax ; eax = &Owner
c0073190: add %edx,(%eax) ; Owner += SecurityDescriptor
c0073192: mov 0xfffffffc(%ebp),%eax ; eax = Owner
c0073195: movzbl 0x1(%eax),%eax <- crash
Page Fault Exception: 14(0)
Processor: 0 CS:EIP 8:c0073195 <ntoskrnl.exe: 73195> rtl\sd.c, 65
cr2 c057b381 cr3 300a000 Proc: c052d580 Pid: 8 <cmd> Thrd: c053bf40 Tid: 2e
DS 10 ES 10 FS 30 GS 10
EAX: c057b380 EBX: c0302630 ECX: 00000300
EDX: c057af6c EBP: dd6c2e38 ESI: 00638d74 ESP: dd6c2db0
EDI: dd6c2f84 EFLAGS: 00000202 kESP dd6c2db0 kernel stack base dd6c0000
Frames:
<ntoskrnl.exe: 605dd> ob\sdcache.c, 202
<ntoskrnl.exe: 606b4> ob\sdcache.c, 241
<ntoskrnl.exe: 5fc2e> ob\object.c, 480
<ntoskrnl.exe: 5aa76> nt\ntsem.c, 86
<ntoskrnl.exe: 32ab> usercall.c\146
<77F815F7>
/Mike
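The fault in the post comes from resolving a self-relative descriptor's Owner field (an offset added to the descriptor base) and then reading SubAuthorityCount at Owner+1 without knowing whether that address still lies inside the descriptor's allocation. The following is an added example, not ReactOS code and not the author's patch: it computes the length of a self-relative security descriptor the way RtlLengthSecurityDescriptor does (header plus owner SID, group SID, SACL and DACL), but checks every offset against the buffer bounds first, so an out-of-range offset (the symptom a stale or freed cache entry would produce) yields a clean failure instead of a page fault. The struct layouts are simplified assumptions (NT field order, only the fields used), SE_SELF_RELATIVE is the real 0x8000 flag, and the sample descriptor bytes are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SE_SELF_RELATIVE 0x8000u
#define SD_HEADER_LEN    20u   /* revision, sbz1, control, 4 x 32-bit offsets */

/* Simplified self-relative layouts (assumption: NT field order, used fields only). */
typedef struct { uint8_t Revision, Sbz1; uint16_t Control;
                 uint32_t Owner, Group, Sacl, Dacl; } SdRel;   /* offsets from SD base */
typedef struct { uint8_t Revision, SubAuthorityCount;          /* the byte read at Owner+1 */
                 uint8_t IdentifierAuthority[6]; } SidHdr;
typedef struct { uint8_t AclRevision, Sbz1; uint16_t AclSize;  /* whole ACL incl. ACEs */
                 uint16_t AceCount, Sbz2; } AclHdr;

/* SID at offset `off` (0 = absent). Succeeds only if the 8-byte header and the
 * sub-authorities it announces lie inside [buf, buf+bufLen). */
static int CheckedSidLen(const uint8_t *buf, size_t bufLen, uint32_t off, size_t *len)
{
    if (off == 0) { *len = 0; return 1; }
    if (off > bufLen || bufLen - off < sizeof(SidHdr)) return 0;  /* header out of bounds */
    SidHdr h;
    memcpy(&h, buf + off, sizeof h);
    *len = sizeof(SidHdr) + 4u * h.SubAuthorityCount;             /* RtlLengthSid rule */
    return bufLen - off >= *len;
}

/* ACL at offset `off` (0 = absent): AclSize must cover its header and fit the buffer. */
static int CheckedAclLen(const uint8_t *buf, size_t bufLen, uint32_t off, size_t *len)
{
    if (off == 0) { *len = 0; return 1; }
    if (off > bufLen || bufLen - off < sizeof(AclHdr)) return 0;
    AclHdr h;
    memcpy(&h, buf + off, sizeof h);
    *len = h.AclSize;
    return *len >= sizeof(AclHdr) && bufLen - off >= *len;
}

/* Bounds-checked counterpart of the length computation in the post: returns 1 and
 * the total length, or 0 when any offset points outside the buffer (the condition
 * that page-faulted inside RtlLengthSecurityDescriptor). */
int SdLengthChecked(const uint8_t *buf, size_t bufLen, size_t *outLen)
{
    if (buf == NULL || bufLen < SD_HEADER_LEN) return 0;
    SdRel sd;
    memcpy(&sd, buf, sizeof sd);
    if (!(sd.Control & SE_SELF_RELATIVE)) return 0;  /* absolute SDs hold pointers, not offsets */
    size_t owner, group, sacl, dacl;
    if (!CheckedSidLen(buf, bufLen, sd.Owner, &owner)) return 0;
    if (!CheckedSidLen(buf, bufLen, sd.Group, &group)) return 0;
    if (!CheckedAclLen(buf, bufLen, sd.Sacl, &sacl)) return 0;
    if (!CheckedAclLen(buf, bufLen, sd.Dacl, &dacl)) return 0;
    *outLen = SD_HEADER_LEN + owner + group + sacl + dacl;
    return 1;
}

/* Constructed sample: owner S-1-5-32-544 (2 sub-authorities, 16 bytes), group
 * S-1-1-0 (1 sub-authority, 12 bytes), no ACLs -> 48 bytes. Returns bytes written. */
size_t BuildSampleSd(uint8_t *out, size_t cap)
{
    static const uint8_t owner[16] = {1,2, 0,0,0,0,0,5, 32,0,0,0, 0x20,0x02,0,0};
    static const uint8_t group[12] = {1,1, 0,0,0,0,0,1, 0,0,0,0};
    size_t total = SD_HEADER_LEN + sizeof owner + sizeof group;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 1;                                             /* SD revision */
    uint16_t ctl = SE_SELF_RELATIVE;
    uint32_t ownOff = SD_HEADER_LEN, grpOff = SD_HEADER_LEN + sizeof owner;
    memcpy(out + 2, &ctl, sizeof ctl);
    memcpy(out + 4, &ownOff, sizeof ownOff);
    memcpy(out + 8, &grpOff, sizeof grpOff);
    memcpy(out + ownOff, owner, sizeof owner);
    memcpy(out + grpOff, group, sizeof group);
    return total;
}

/* Length of the intact sample (48), or 0 if the checker rejects it. */
size_t SampleGoodLength(void)
{
    uint8_t buf[64];
    size_t n = BuildSampleSd(buf, sizeof buf), len = 0;
    return (n && SdLengthChecked(buf, n, &len)) ? len : 0;
}

/* Same sample with the Owner offset overwritten by a garbage value (a constructed
 * stand-in for a stale cache entry); returns 1 if the checker rejects it. */
int SampleCorruptedRejected(void)
{
    uint8_t buf[64];
    size_t n = BuildSampleSd(buf, sizeof buf), len = 0;
    uint32_t bogus = 0x00010000u;
    memcpy(buf + 4, &bogus, sizeof bogus);
    return n && !SdLengthChecked(buf, n, &len);
}
```

The check that matters for the crash described in the post is the one in CheckedSidLen: the SID header must be inside the buffer before SubAuthorityCount is read, and the announced sub-authorities must fit as well. A cache that validates entries this way at insertion and comparison time would report a corrupt or stale descriptor as a lookup failure rather than faulting in the comparison path.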