内核资源泄漏样本之一


2012-11-02

又遇到一个很好玩的内核资源泄漏样本,分享一下。
某台WinXP sp3系统出现了死机现象,该现象是在安装了我的驱动后才出现的,第一反应是“MD,怎么又泄漏了”。
以下是分析过程:

!poolused的输出

0: kd> !poolused 2

Sorting by NonPaged Pool Consumed

           NonPaged                  Paged
Tag     Allocs         Used     Allocs         Used

tsni     62403     33947232          0            0 UNKNOWN pooltag 'tsni', please update pooltag.txt
FMvo     21652     21825376          0            0 FLT_VOLUME structure , Binary: fltmgr.sys
SBcx     10828     11780864          0            0 UNKNOWN pooltag 'SBcx', please update pooltag.txt
Devi     32861     10905648          0            0 Device objects 
FMis     10841      6503328          0            0 FLT_INSTANCE structure , Binary: fltmgr.sys
Drti     10844      5899136          0            0 UNKNOWN pooltag 'Drti', please update pooltag.txt
FMrr     21682      2425184          0            0 Per-processor Cache-aware rundown ref structure , Binary: fltmgr.sys
FMct     10841      2339864          0            0 TRACK_COMPLETION_NODES structure , Binary: fltmgr.sys
Tef2       220      2242016          0            0 UNKNOWN pooltag 'Tef2', please update pooltag.txt
WPSd       278      1677896          0            0 UNKNOWN pooltag 'WPSd', please update pooltag.txt
MmCm        30       963440          0            0 Calls made to MmAllocateContiguousMemory , Binary: nt!mm
Pp       10822       779184        287        33456 UNKNOWN pooltag 'Pp  ', please update pooltag.txt
DmaB        34       729088          0            0 UNKNOWN pooltag 'DmaB', please update pooltag.txt
Io       16786       693632        156         6480 general IO allocations , Binary: nt!io
Thre      1033       661120          0            0 Thread objects , Binary: nt!ps
File      3038       465648          0            0 File objects 
FMwi     10831       433240          0            0 Work item structures , Binary: fltmgr.sys
iAEC       183       361992          0            0 UNKNOWN pooltag 'iAEC', please update pooltag.txt
SEY4      2970       332752          0            0 UNKNOWN pooltag 'SEY4', please update pooltag.txt

可见fltmgr的卷相关资源占用特别严重(tag名以”FM”开头的几项,如”FMvo”和”FMi”等)
fltmgr.sys是微软的文件过滤驱动,一般可以排除由它导致资源泄漏的可能性。于是想到可能是基于fltmgr的minifilter驱动引起此故障。
于是继续列举系统中目前以存在的minifilter驱动。

!fltkd.filters的输出

0: kd> !fltkd.filters

Filter List: 8999805c "Frame 1" 
   FLT_FILTER: 897e5ba8 "SEyeFilter" "382020"
      FLT_INSTANCE: 89965510 "SEyeFilter - Top Instance" "382020"
      FLT_INSTANCE: 89964b50 "SEyeFilter - Top Instance" "382020"
   FLT_FILTER: 89e8be68 "SPBBCDrv" "365100"
      FLT_INSTANCE: 89987420 "SPBBCDrv" "365100"
      FLT_INSTANCE: 89984008 "SPBBCDrv" "365100"
   FLT_FILTER: 89e4aba8 "eeCtrl" "329010"
      FLT_INSTANCE: 89ec5c28 "eeCtrl" "329010"
      FLT_INSTANCE: 899ba008 "eeCtrl" "329010"
   FLT_FILTER: 89ab9568 "SRTSP" "329000"
      FLT_INSTANCE: 89981de0 "SRTSP" "329000"
      FLT_INSTANCE: 89982270 "SRTSP" "329000"
      FLT_INSTANCE: 896dd780 "SRTSP" "329000"
      FLT_INSTANCE: 896be9d8 "SRTSP" "329000"
   FLT_FILTER: 893e0e30 "vfsmfd" "263410"
      FLT_INSTANCE: 893f6008 "VEAI" "263400"
      FLT_INSTANCE: 89649008 "VEAI" "263400"
      FLT_INSTANCE: 895ee008 "VEAI" "263400"
      FLT_INSTANCE: 895f0008 "VEAI" "263400"
      FLT_INSTANCE: 893f67c0 "Default" "263410"
   FLT_FILTER: 8971bb58 "WavxDMgr" "145300"
      FLT_INSTANCE: 89cf58b0 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 8997b400 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 896de608 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 896d7998 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 89230cf0 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 87018878 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 870076a8 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 87018b30 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 870032d0 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 8700e970 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 87003008 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 87003580 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 86fffdb0 "WavxDMgr Instance" "145300"
      FLT_INSTANCE: 86ff02d0 "WavxDMgr Instance" "145300"
      ... 省略若干重复输出

发现WavxDmgr这个minifilter对卷设备进行了上万次的挂载(有上万条“FLT_INSTANCE: XXXXXXXX “WavxDMgr Instance” “145300””),
因此占用了大量的Nonpaged Pool资源。有理由猜测某种操作触发了WavxDmgr的BUG,导致它疯狂的进行挂载操作,最终导致系统资源耗尽而死机。

以“WavxDmgr”为关键字搜索,可以找到这么一篇文章:Novell ZENworks 11 SP2

其中有一段相关的说明:

2.6.3 数据加密与 Tablet PC 上的 Dell ControlPoint Security Manager 不兼容
如果将数据加密策略应用到使用 Dell ControlPoint Security Manager 的 Tablet PC,设备将无法重引导到操作系统。
此问题是因 Dell ControlPoint Security Manager 驱动程序 (WavxDMgr.sys) 过渡使用文件系统堆栈所致。对于任何使用名称解析且晚于该安全管理器驱动程序装载的文件系统过滤器驱动程序,都可能会发生同样的结果。

而我的驱动正好符合“使用名称解析且晚于该安全管理器驱动程序装载的文件系统过滤器驱动程序”,于是触发了WavxDmgr的资源泄漏BUG。

验证

0: kd> !for_each_module s -a @#Base @#End "tsni"
a7e0f300  74 73 6e 69 14 02 00 00-68 c9 54 80 50 c9 54 80  tsni....h.T.P.T.
a7e10ba3  74 73 6e 69 68 14 02 00-00 53 53 53 68 e0 f2 e0  tsnih....SSSh...

0: kd> lm a a7e0f300
start    end        module name
a7ddb000 a7e14180   WavxDMgr   (deferred)             

0: kd> lm a a7e10ba3
start    end        module name
a7ddb000 a7e14180   WavxDMgr   (deferred)             

0: kd> !for_each_module s -a @#Base @#End "SBcx"
a7e0e114  53 42 63 78 00 00 00 00-00 00 00 00 00 00 00 00  SBcx............

0: kd> lm a a7e0e114
start    end        module name
a7ddb000 a7e14180   WavxDMgr   (deferred)             

0: kd> !for_each_module s -a @#Base @#End "Drti"
a7dde5ad  44 72 74 69 68 18 02 00-00 6a 00 ff 15 e8 df e0  Drtih....j......

0: kd> lm a a7dde5ad
start    end        module name
a7ddb000 a7e14180   WavxDMgr   (deferred)             

就是这厮!