[ros-kernel] Possible SECURITY_DESCRIPTOR cache problem

Mike Nordell tamlin at algonet.se
Sun Aug 22 21:38:04 CEST 2004


I've experienced intermittent crashes at startup in
RtlLengthSecurityDescriptor, coming from ObpCompareSecurityDescriptors,
ObpAddSecurityDescriptor, ObCreateObject ...

From what I can see, the problem is Sd, second argument to the call to
ObpCompareSecurityDescriptors; line 242 of sdcache.c. It is flagged as
SE_SELF_RELATIVE, but the memory at address
"(ULONG)Owner + (ULONG)SecurityDescriptor" (in RtlLengthSecurityDescriptor)
is not valid.

I could speculate on a couple of reasons this might be, but I'd prefer the
SD cache author to pipe in. Could it be an entry in the cache that is
changed, or even deleted, outside the cache's knowledge?

For completeness I include some annotated disassembly of the crash:

c0073161 <_RtlLengthSecurityDescriptor at 4>: (lib\rtl\sd.c, 47)
c0073161: push   %ebp
c0073162: mov    %esp,%ebp
c0073164: sub    $0x14,%esp
c0073167: movl   $0x14,0xfffffff4(%ebp)
c007316e: mov    0x8(%ebp),%eax

; if (SecurityDescriptor->Owner != NULL)
; {
c0073171: cmpl   $0x0,0x4(%eax)
c0073175: je     c00731ac <_RtlLengthSecurityDescriptor at 4+0x4b>

; Owner = SecurityDescriptor->Owner;

c0073177: mov    0x8(%ebp),%eax
c007317a: mov    0x4(%eax),%eax
c007317d: mov    %eax,0xfffffffc(%ebp)
c0073180: mov    0x8(%ebp),%eax

;if (SecurityDescriptor->Control & SE_SELF_RELATIVE)

c0073183: cmpw   $0x0,0x2(%eax)
c0073188: jns    c0073192 <_RtlLengthSecurityDescriptor at 4+0x31>

; Owner = (PSID)((ULONG)Owner + (ULONG)SecurityDescriptor);

c007318a: mov    0x8(%ebp),%edx        ; edx = SecurityDescriptor
c007318d: lea    0xfffffffc(%ebp),%eax ; eax = &Owner
c0073190: add    %edx,(%eax)           ; Owner += SecurityDescriptor
c0073192: mov    0xfffffffc(%ebp),%eax ; eax = Owner
c0073195: movzbl 0x1(%eax),%eax   <- crash

Page Fault Exception: 14(0)
Processor: 0 CS:EIP 8:c0073195 <ntoskrnl.exe: 73195> rtl\sd.c, 65
cr2 c057b381 cr3 300a000 Proc: c052d580 Pid: 8 <cmd> Thrd: c053bf40 Tid: 2e
DS 10 ES 10 FS 30 GS 10
EAX: c057b380   EBX: c0302630   ECX: 00000300
EDX: c057af6c   EBP: dd6c2e38   ESI: 00638d74   ESP: dd6c2db0
EDI: dd6c2f84   EFLAGS: 00000202 kESP dd6c2db0 kernel stack base dd6c0000
Frames:
<ntoskrnl.exe: 605dd> ob\sdcache.c, 202
<ntoskrnl.exe: 606b4> ob\sdcache.c, 241
<ntoskrnl.exe: 5fc2e> ob\object.c, 480
<ntoskrnl.exe: 5aa76> nt\ntsem.c, 86
<ntoskrnl.exe: 32ab> usercall.c\146
<77F815F7>


/Mike
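As an added example (not part of Mike's post and not ReactOS code), here is a small C model of the computation the disassembly shows: a self-relative SECURITY_DESCRIPTOR stores Owner, Group, Sacl and Dacl as offsets from the descriptor start, RtlLengthSecurityDescriptor adds the descriptor address to the Owner offset and then reads the SID's SubAuthorityCount at byte 1, which is the `movzbl 0x1(%eax)` that faults. The version below validates every offset, and the SID/ACL length derived from it, against a known buffer length before anything is dereferenced, so a descriptor whose offsets no longer point inside its own buffer is rejected with an error code rather than faulting. The struct layout (its 20-byte size matches the `movl $0x14` in the disassembly), the SID and ACL header layouts, the error codes and the sample SID are assumptions of this model.

```c
/* Added example: constructed model of a self-relative SECURITY_DESCRIPTOR and a
 * bounds-checked length computation. Not ReactOS code; layout, error codes and
 * the sample SID are assumptions of this model. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SE_SELF_RELATIVE 0x8000u  /* sign bit of Control, hence the "jns" test in the post */

/* Header in the field order the post uses: Revision, Sbz1, Control, Owner,
 * Group, Sacl, Dacl. The self-relative form stores 32-bit offsets from the
 * start of the header (0 = absent). sizeof == 20 (0x14 in the disassembly). */
typedef struct {
    uint8_t  Revision;
    uint8_t  Sbz1;
    uint16_t Control;
    uint32_t Owner, Group, Sacl, Dacl;
} sd_relative_t;

enum { SD_OK = 0, SD_ERR_SHORT_BUFFER, SD_ERR_NOT_SELF_RELATIVE, SD_ERR_OUT_OF_BOUNDS };

/* Byte length of the SID at `off`, or 0 if its 8-byte header or its SubAuthority
 * array would extend past buf_len. Byte off+1 is the SubAuthorityCount that the
 * faulting movzbl reads; here it is only read after the header is known to fit. */
static size_t checked_sid_length(const uint8_t *buf, size_t buf_len, uint32_t off)
{
    if (off > buf_len || buf_len - off < 8) return 0;
    size_t len = 8 + 4u * buf[off + 1];
    return len <= buf_len - off ? len : 0;
}

/* Byte length of the ACL at `off` (AclSize is the little-endian u16 at bytes 2..3), or 0. */
static size_t checked_acl_length(const uint8_t *buf, size_t buf_len, uint32_t off)
{
    if (off > buf_len || buf_len - off < 8) return 0;
    size_t len = (size_t)buf[off + 2] | ((size_t)buf[off + 3] << 8);
    return (len >= 8 && len <= buf_len - off) ? len : 0;
}

/* Hardened counterpart of RtlLengthSecurityDescriptor for self-relative SDs:
 * every component is validated against buf_len before it is touched. */
int sd_self_relative_length(const uint8_t *buf, size_t buf_len, size_t *out_len)
{
    sd_relative_t hdr;
    if (buf_len < sizeof hdr) return SD_ERR_SHORT_BUFFER;
    memcpy(&hdr, buf, sizeof hdr);
    if (!(hdr.Control & SE_SELF_RELATIVE)) return SD_ERR_NOT_SELF_RELATIVE;

    size_t total = sizeof hdr;
    const uint32_t sids[2] = { hdr.Owner, hdr.Group };
    const uint32_t acls[2] = { hdr.Sacl, hdr.Dacl };
    for (int i = 0; i < 2; i++) {
        if (sids[i] == 0) continue;
        size_t n = checked_sid_length(buf, buf_len, sids[i]);
        if (n == 0) return SD_ERR_OUT_OF_BOUNDS;
        total += n;
    }
    for (int i = 0; i < 2; i++) {
        if (acls[i] == 0) continue;
        size_t n = checked_acl_length(buf, buf_len, acls[i]);
        if (n == 0) return SD_ERR_OUT_OF_BOUNDS;
        total += n;
    }
    *out_len = total;
    return SD_OK;
}

/* Constructed sample: self-relative SD with one owner SID (S-1-5-32-544 style)
 * immediately after the header and no group or ACLs. Returns bytes written (36). */
size_t build_sample_sd(uint8_t *buf, size_t cap)
{
    static const uint8_t owner_sid[] = {
        1, 2,                 /* Revision, SubAuthorityCount */
        0, 0, 0, 0, 0, 5,     /* IdentifierAuthority = 5 */
        32, 0, 0, 0,          /* SubAuthority[0] = 32 */
        0x20, 0x02, 0, 0      /* SubAuthority[1] = 544 */
    };
    sd_relative_t hdr = { 1, 0, (uint16_t)SE_SELF_RELATIVE, sizeof(sd_relative_t), 0, 0, 0 };
    size_t need = sizeof hdr + sizeof owner_sid;
    if (cap < need) return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, owner_sid, sizeof owner_sid);
    return need;
}

/* Scenarios: 0 = intact, 1 = Owner offset pointing far outside the SD (the
 * situation in the post), 2 = SubAuthorityCount too large, 3 = flag cleared. */
static int run_scenario(int corruption, size_t *out_len)
{
    uint8_t buf[64];
    size_t n = build_sample_sd(buf, sizeof buf);
    sd_relative_t hdr;
    memcpy(&hdr, buf, sizeof hdr);
    switch (corruption) {
    case 1: hdr.Owner = 0x1000; break;
    case 2: buf[hdr.Owner + 1] = 200; break;     /* claims 200 sub-authorities: 808 bytes */
    case 3: hdr.Control = (uint16_t)(hdr.Control & ~SE_SELF_RELATIVE); break;
    default: break;
    }
    memcpy(buf, &hdr, sizeof hdr);
    *out_len = 0;
    return sd_self_relative_length(buf, n, out_len);
}
int scenario_result(int corruption) { size_t len; return run_scenario(corruption, &len); }
size_t scenario_length(int corruption) { size_t len; run_scenario(corruption, &len); return len; }

int main(void)
{
    static const char *names[] = { "intact", "owner offset out of range",
                                   "oversized SubAuthorityCount", "not self-relative" };
    for (int c = 0; c < 4; c++)
        printf("%-28s rc=%d length=%zu\n", names[c], scenario_result(c), scenario_length(c));
    return 0;
}
```

The check only helps when the caller knows the true buffer length, which is the point for a cache: an entry would need to carry its allocation size alongside the descriptor so lookups can validate against it. It cannot by itself catch the other case raised in the post, an entry freed or modified behind the cache's back, since a stale pointer may still land on readable memory; that needs ownership and lifetime rules on the cache entries rather than a length check.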