[ros-dev] Att: Thomas. 2nd Token Bug.

Alex Ionescu ionucu at videotron.ca
Sun Mar 13 23:51:35 CET 2005


Steps to repro: 2nd stage installer, pressing enter really fast to get 
through the screens. At the last screen:

Note that the backtrace seems to be missing kernel-mode stuff beyond the 
syscall. The crash is actually at token.c:1723.
In asm:


800b6657:    3b 02                    cmp    (%edx),%eax

edx is 0x00929004 which is invalid:

Entered debugger on last-chance exception number 14 (Page Fault)
Memory at 0x929004 could not be read: Page not present.

Either this function is missing SEH, or something has been changed with 
the token rewrite which messes things up.

More info:

KMODE_EXCEPTION_NOT_HANDLED

Technical information:

*** STOP: 0x0000001E (0xc0000005,0x800b6657,0x00000000,0x00929004)

***    ntoskrnl.exe - Address 0x800b6657 base at 0x80000000, DateStamp 0x0

Page Fault Exception: 14(0)
Processor: 0 CS:EIP 8:800b6657 <ntoskrnl.exe:b6657 (se/token.c:1723 
(NtAdjustPrivilegesToken))>
cr2 929004 cr3 6d8b000 Proc: 80ab8290 Pid: ac <setup.ex> Thrd: 80aba0c8 
Tid: b0
DS 10 ES 10 FS 30 GS 23
EAX: 00000007   EBX: 00000000   ECX: 8cada688
EDX: 00929004   EBP: 9d8c8d54   ESI: 0064ec20   ESP: 9d8c8c88
EDI: 8cada688   EFLAGS: 00000206 kESP 9d8c8c88 kernel stack base 9d8c6000
Frames:
<ntoskrnl.exe:39c2 (/home/alex/tmp/cc6fkKWh.s:178 (KiSystemService))>
<advapi32.dll:13dca (token/token.c:58 (AdjustTokenPrivileges))>


kdb:> bt
Frames:
<ntoskrnl.exe:39c2 (/home/alex/tmp/cc6fkKWh.s:178 (KiSystemService))>
<advapi32.dll:13dca (token/token.c:58 (AdjustTokenPrivileges))>
<syssetup.dll:2aff (wizard.c:1164 (DateTimePageDlgProc))>
<user32.dll:ea41 (windows/message.c:982 (IntCallWindowProcA))>
<user32.dll:eaef (windows/message.c:1031 (CallWindowProcA))>
<user32.dll:1717e (windows/dialog.c:1458 (DefDlgProcA))>
<user32.dll:ea41 (windows/message.c:982 (IntCallWindowProcA))>
<user32.dll:f456 (windows/message.c:1491 (SendMessageA))>
<comctl32.dll:28aac (propsheet.c:1713 (PROPSHEET_Next))>
<comctl32.dll:28d83 (propsheet.c:3075 (PROPSHEET_DoCommand))>
<comctl32.dll:2ab1a (propsheet.c:3412 (PROPSHEET_DialogProc))>
<user32.dll:ea06 (windows/message.c:964 (IntCallWindowProcW))>
<user32.dll:eb75 (windows/message.c:1057 (CallWindowProcW))>
<user32.dll:1700e (windows/dialog.c:1519 (DefDlgProcW))>
<user32.dll:ea06 (windows/message.c:964 (IntCallWindowProcW))>
<user32.dll:f364 (windows/message.c:1428 (SendMessageW))>
<user32.dll:17aca (windows/dialog.c:2220 (IsDialogMessageW))>
<user32.dll:17c5a (windows/dialog.c:531 (DIALOG_DoDialogBox))>
<user32.dll:17df8 (windows/dialog.c:1608 (DialogBoxIndirectParamW))>
<comctl32.dll:27b57 (propsheet.c:729 (PROPSHEET_CreateDialog))>
<comctl32.dll:299ce (propsheet.c:2841 (PropertySheetW))>
<syssetup.dll:2f4a (wizard.c:1482 (InstallWizard))>
<syssetup.dll:172c (install.c:491 (InstallReactOS))>--- Press q to 
abort, any other key to continue ---

<setup.exe:1333 (setup.c:79 (WinMain))>
<setup.exe:145b (setup.c:116 (WinMain))>
<setup.exe:116a>
<setup.exe:1038>
<kernel32.dll:20c30 (process/create.c:339 (BaseProcessStart))>
<deadbeef>

kdb:> regs
CS:EIP  0x0008:0x800b6657
SS:ESP  0x0028:0x80105cb9
   EAX  0x00000007   EBX  0x00000000
   ECX  0x8cada688   EDX  0x00929004
   ESI  0x0064ec20   EDI  0x8cada688
   EBP  0x9d8c8d54
EFLAGS  0x00000206  PF IF IOPL0
kdb:> cregs
CR0  0xe001003b  PE MP TS ET NE WP NW CD PG
CR2  0x00929004
CR3  0x06d8b000  Pagedir-Base 0x06d8b000
CR4  0x00000080  PGE
GDTR  Base 0x800d6100  Size 0x0058
LDTR  Base 0x00000000  Size 0x0000
IDTR  Base 0x80130320  Size 0x0800
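
The defensive pattern this report points at, as an added example (not code from the post, and not ReactOS source): a syscall such as NtAdjustPrivilegesToken must treat the NewState pointer as untrusted, probe the range, and copy it into kernel memory with every access fault-checked, rather than comparing against the user address in place as the faulting `cmp (%edx),%eax` does with EDX = 0x00929004. Everything below is constructed for illustration: the two-page simulated page table, `USER_PROBE_LIMIT`, and the function names `probe_for_read`, `copy_from_user`, `capture_new_state` and the `sim_*` helpers are hypothetical stand-ins, and the SEH frame the real kernel would wrap the copy in is replaced by an explicit status return. The NTSTATUS values and the TOKEN_PRIVILEGES layout are the real ones.

```c
/* Added example; not code from the original post or from ReactOS.
 * Simulates guarded capture of a user-mode TOKEN_PRIVILEGES buffer.
 * Page table, limits and all names are constructed for the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_INVALID_PARAMETER     0xC000000Du

#define PAGE_SIZE        0x1000u
#define USER_PROBE_LIMIT 0x7FFF0000u   /* hypothetical user/kernel split */
#define MAX_PRIVS        64u

/* Constructed stand-in for the page tables: only these two pages exist. */
struct sim_page { uint32_t va; uint8_t bytes[PAGE_SIZE]; };
static struct sim_page user_pages[2] = { { 0x00400000u, {0} }, { 0x00401000u, {0} } };

static struct sim_page *find_page(uint32_t va) {
    for (size_t i = 0; i < sizeof user_pages / sizeof user_pages[0]; i++)
        if (user_pages[i].va == (va & ~(PAGE_SIZE - 1))) return &user_pages[i];
    return NULL;                       /* page not present */
}

/* Writes bytes into simulated user memory (test setup only, not a kernel API). */
bool sim_user_write(uint32_t va, const void *src, uint32_t len) {
    const uint8_t *s = src;
    for (uint32_t i = 0; i < len; i++) {
        struct sim_page *p = find_page(va + i);
        if (!p) return false;
        p->bytes[(va + i) & (PAGE_SIZE - 1)] = s[i];
    }
    return true;
}

/* ProbeForRead-style check: aligned, entirely below the user limit, no wrap. */
uint32_t probe_for_read(uint32_t va, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (va & (align - 1)) return STATUS_DATATYPE_MISALIGNMENT;
    if (va >= USER_PROBE_LIMIT || len > USER_PROBE_LIMIT - va)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Copies a probed user range into a kernel-owned buffer.  A missing page
 * becomes a status code here; in the real kernel it is the page fault that
 * an SEH frame around the access would catch. */
uint32_t copy_from_user(void *dst, uint32_t va, uint32_t len, uint32_t align) {
    uint32_t st = probe_for_read(va, len, align);
    if (st != STATUS_SUCCESS) return st;
    uint8_t *d = dst;
    for (uint32_t i = 0; i < len; i++) {
        struct sim_page *p = find_page(va + i);
        if (!p) return STATUS_ACCESS_VIOLATION;
        d[i] = p->bytes[(va + i) & (PAGE_SIZE - 1)];
    }
    return STATUS_SUCCESS;
}

/* Wire layout of TOKEN_PRIVILEGES: a ULONG PrivilegeCount followed by
 * LUID_AND_ATTRIBUTES entries (LUID low/high, then Attributes). */
struct luid_and_attributes { uint32_t luid_low; int32_t luid_high; uint32_t attributes; };

/* Captures NewState in two probed steps: the count first, then only as
 * many entries as the bounded count says, so a hostile count cannot walk
 * the kernel across unmapped memory. */
uint32_t capture_new_state(uint32_t new_state_va, uint32_t *count,
                           struct luid_and_attributes *privs) {
    uint32_t n;
    uint32_t st = copy_from_user(&n, new_state_va, sizeof n, 4);
    if (st != STATUS_SUCCESS) return st;
    if (n > MAX_PRIVS) return STATUS_INVALID_PARAMETER;
    st = copy_from_user(privs, new_state_va + 4, (uint32_t)(n * sizeof *privs), 4);
    if (st != STATUS_SUCCESS) return st;
    *count = n;
    return STATUS_SUCCESS;
}

/* Setup helper: stores a one-entry NewState with constructed values at va. */
bool sim_store_new_state(uint32_t va, uint32_t luid_low, uint32_t attributes) {
    uint32_t one = 1;
    struct luid_and_attributes la = { luid_low, 0, attributes };
    return sim_user_write(va, &one, sizeof one) &&
           sim_user_write(va + 4, &la, sizeof la);
}

int main(void) {
    struct luid_and_attributes privs[MAX_PRIVS];
    uint32_t n = 0;
    /* The address from the report: inside the user range, but the page is absent. */
    printf("0x00929004 -> 0x%08X\n", capture_new_state(0x00929004u, &n, privs));
    sim_store_new_state(0x00400FF8u, 20, 2);   /* entry straddles two present pages */
    printf("0x00400FF8 -> 0x%08X, count %u\n",
           capture_new_state(0x00400FF8u, &n, privs), n);
    return 0;
}
```

Run stand-alone, the first call reports STATUS_ACCESS_VIOLATION for 0x00929004 (the faulting EDX from the report) instead of crashing, and the second succeeds even though the single entry straddles a page boundary, because every byte is checked rather than the first one only. The two-step capture also matters for the count: it is read and bounded before the array length derived from it is ever used.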


