VirtualBox

Opened 5 years ago

Closed 5 years ago

Last modified 3 years ago

#18187 closed defect (fixed)

Mismatched pool allocation/free in VBoxGuest.sys in 6.0 RC1 => fixed in svn

Reported by: Thomas Faber
Owned by:
Component: guest additions
Version:
Keywords:
Cc:
Guest type: Windows
Host type: all

Description

VBoxGuest.sys calls ExAllocatePoolWithTag(..., 'TRPI') on an allocation that was made with an ExAllocatePool() call.

This happens in rtR0InitNative, where RTR0DbgKrnlInfoOpen is called before g_pfnrtExAllocatePoolWithTag is initialized. Therefore the object will be allocated with ExAllocatePool (tracked by Windows as tag "None"). The RTR0DbgKrnlInfoRelease call that follows happens after g_pfnrtExFreePoolWithTag is initialized, however, and therefore causes a mismatch.

This should result in a BAD_POOL_CALLER bug check when using a checked build of Windows. It also reproduces in ReactOS (downstream bug https://jira.reactos.org/browse/CORE-15446), and produces log output like the following:

(ntoskrnl/mm/ARM3/expool.c:2530) Freeing pool - invalid tag specified: IPRT != None

*** Fatal System Error: 0x000000c2
                       (0x0000000A,0xB6B08BD8,0x656E6F4E,0x54525049)

Entered debugger on embedded INT3 at 0x0008:0x809543a4.
kdb:> bt
Eip:
<ntoskrnl.exe:1543a5 (:0 (RtlpBreakWithStatusInstruction))>
Frames:
<ntoskrnl.exe:8c47d (ntoskrnl/ke/bug.c:1100 (KeBugCheckWithTf))>
<ntoskrnl.exe:8ca54 (ntoskrnl/ke/bug.c:1456 (KeBugCheckEx))>
<ntoskrnl.exe:ab8c2 (ntoskrnl/mm/ARM3/expool.c:2531 (ExFreePoolWithTag))>
<VBoxGuest.sys:153f5 (src/VBox/Runtime/r0drv/nt/alloc-r0drv-nt.cpp:80 (rtR0MemFree))>
<VBoxGuest.sys:d496 (src/VBox/Runtime/r0drv/alloc-r0drv.cpp:108 (RTMemTmpFree))>
<VBoxGuest.sys:fd27 (src/VBox/Runtime/r0drv/nt/dbgkrnlinfo-r0drv-nt.cpp:594 (RTR0DbgKrnlInfoRelease))>
<VBoxGuest.sys:15e95 (src/VBox/Runtime/r0drv/nt/initterm-r0drv-nt.cpp:345 (rtR0InitNative))>
<VBoxGuest.sys:d29c (src/VBox/Runtime/r0drv/initterm-r0drv.cpp:88 (RTR0Init))>
<ntoskrnl.exe:63cd4 (ntoskrnl/io/iomgr/driver.c:1587 (IopCreateDriver))>
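As an added illustration, not part of this ticket or of VirtualBox's source, the following user-mode C model replays the ordering described above: a block obtained through the untagged allocation path is later released through the tagged one, and the tag check that a checked build performs catches it. The names (replayInit, resolveTaggedApis, the Model* functions) are constructed, and resolving the tagged APIs before the first allocation is an assumed remedy, not necessarily the fix that was committed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed user-mode model of the NT pool tag check; not the real kernel and
 * not VBox code. A header in front of each block records the allocation tag. */
#define TAG_NONE 0x656E6F4EU /* 'None': what ExAllocatePool records (bugcheck arg 3) */
#define TAG_IPRT 0x54525049U /* 'IPRT': the tag passed on free (bugcheck arg 4) */

typedef struct { uint32_t tag; } PoolHeader;

static int g_badPoolCaller; /* a checked build would bugcheck 0xC2 here */

static void *ModelExAllocatePoolWithTag(size_t cb, uint32_t tag)
{
    PoolHeader *h = malloc(sizeof(*h) + cb);
    if (h) h->tag = tag;
    return h ? h + 1 : NULL;
}
static void *ModelExAllocatePool(size_t cb) { return ModelExAllocatePoolWithTag(cb, TAG_NONE); }
static void ModelExFreePoolWithTag(void *pv, uint32_t tag)
{
    PoolHeader *h = (PoolHeader *)pv - 1;
    if (h->tag != tag) g_badPoolCaller = 1; /* "invalid tag specified: IPRT != None" */
    free(h);
}
static void ModelExFreePool(void *pv) { free((PoolHeader *)pv - 1); } /* untagged: no check */

/* Lazily resolved pointers, in the spirit of IPRT's g_pfnrtEx*PoolWithTag globals. */
static void *(*g_pfnAllocWithTag)(size_t, uint32_t);
static void (*g_pfnFreeWithTag)(void *, uint32_t);

static void *rtR0MemAllocModel(size_t cb)
{ return g_pfnAllocWithTag ? g_pfnAllocWithTag(cb, TAG_IPRT) : ModelExAllocatePool(cb); }
static void rtR0MemFreeModel(void *pv)
{ if (g_pfnFreeWithTag) g_pfnFreeWithTag(pv, TAG_IPRT); else ModelExFreePool(pv); }

static void resolveTaggedApis(void)
{ g_pfnAllocWithTag = ModelExAllocatePoolWithTag; g_pfnFreeWithTag = ModelExFreePoolWithTag; }

/* Replays the init sequence from the ticket: open (alloc) ... resolve ... release (free).
 * With resolveFirst != 0 the tagged APIs are resolved before the first allocation
 * (an assumed remedy). Returns 1 if the tag mismatch is detected, 0 if the run is clean. */
int replayInit(int resolveFirst)
{
    g_badPoolCaller = 0; g_pfnAllocWithTag = NULL; g_pfnFreeWithTag = NULL;
    if (resolveFirst) resolveTaggedApis();
    void *pv = rtR0MemAllocModel(64);       /* RTR0DbgKrnlInfoOpen's temporary buffer */
    if (!resolveFirst) resolveTaggedApis(); /* pointers become initialised mid-init */
    rtR0MemFreeModel(pv);                   /* RTR0DbgKrnlInfoRelease -> rtR0MemFree */
    return g_badPoolCaller;
}
```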

Attachments (1)

howtoreproduce.PNG (6.6 KB) - added by Saibamen 5 years ago.


Change History (8)

comment:1 by bird, 5 years ago

Summary: Mismatched pool allocation/free in VBoxGuest.sys in 6.0 RC1 → Mismatched pool allocation/free in VBoxGuest.sys in 6.0 RC1 => fixed in svn

Thanks a lot for pointing directly to the problem. I've committed a fix to trunk and 6.0. Will be shipped in the next 6.0.x release, and any test build additions with revision number 128657 or higher.

comment:2 by Saibamen, 5 years ago

Is it fixed in 6.0.6? I didn't see any changelog entry for this in 6.0.6.


by Saibamen, 5 years ago

Attachment: howtoreproduce.PNG added

comment:3 by Michael Thayer, 5 years ago

Sorry about that, adding to the 6.0.6 change log "after the fact".

comment:4 by Michael Thayer, 5 years ago

I hope I credited you correctly [1].

  1. https://www.reactos.org/wiki/User:Saibamen

comment:5 by Michael Thayer, 5 years ago

Resolution: fixed
Status: new → closed

comment:6 by nidhigh, 3 years ago


comment:7 by nidhigh, 3 years ago


© 2023 Oracle