Cleanup中获取文件名的RelateObject是无效指针

[GoogleCodeExporter]

1. 外发中打开adobe
2. 访问文件是 _UNICODE_STRING "\Program Files\Common Files\Adobe\Adobe 
PCD\pcd.db"
3. RelatedFileObject值无效
4. 名称提供器获取文件名时判断RelatedFileObject访问无效地址

Original issue reported on code.google.com by m.azun...@gmail.com on 16 Nov 2012 at 3:45

[GoogleCodeExporter]

1: kd> dt nt!_FILE_OBJECT 0xe4227c38 
   +0x000 Type             : 5
   +0x002 Size             : 128
   +0x004 DeviceObject     : 0x857633d0 _DEVICE_OBJECT
   +0x008 Vpb              : 0x85763748 _VPB
   +0x00c FsContext        : 0x87eb2298 
   +0x010 FsContext2       : 0xcc92baa8 
   +0x014 SectionObjectPointer : 0x8660da80 _SECTION_OBJECT_POINTERS
   +0x018 PrivateCacheMap  : (null) 
   +0x01c FinalStatus      : 0
   +0x020 RelatedFileObject : 0x84d848f8 _FILE_OBJECT
   +0x024 LockOperation    : 0 ''
   +0x025 DeletePending    : 0 ''
   +0x026 ReadAccess       : 0 ''
   +0x027 WriteAccess      : 0 ''
   +0x028 DeleteAccess     : 0 ''
   +0x029 SharedRead       : 0 ''
   +0x02a SharedWrite      : 0 ''
   +0x02b SharedDelete     : 0 ''
   +0x02c Flags            : 0x40040
   +0x030 FileName         : _UNICODE_STRING "\Program Files\Common Files\Adobe\Adobe PCD\pcd.db"
   +0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
   +0x040 Waiters          : 0
   +0x044 Busy             : 0
   +0x048 LastLock         : (null) 
   +0x04c Lock             : _KEVENT
   +0x05c Event            : _KEVENT
   +0x06c CompletionContext : (null) 
   +0x070 IrpListLock      : 0
   +0x074 IrpList          : _LIST_ENTRY [ 0xe4227cac - 0xe4227cac ]
   +0x07c FileObjectExtension : (null) 
1: kd> dt nt!_FILE_OBJECT 0x84d848f8 
   +0x000 Type             : 0
   +0x002 Size             : 0
   +0x004 DeviceObject     : (null) 
   +0x008 Vpb              : (null) 
   +0x00c FsContext        : 0x08ba2d3a 
   +0x010 FsContext2       : 0x37a9317a 
   +0x014 SectionObjectPointer : 0x14da9199 _SECTION_OBJECT_POINTERS
   +0x018 PrivateCacheMap  : 0xfbed9ac2 
   +0x01c FinalStatus      : 1048533348
   +0x020 RelatedFileObject : 0x94097337 _FILE_OBJECT
   +0x024 LockOperation    : 0x93 ''
   +0x025 DeletePending    : 0xa4 ''
   +0x026 ReadAccess       : 0x5b '['
   +0x027 WriteAccess      : 0xdf ''
   +0x028 DeleteAccess     : 0x4a 'J'
   +0x029 SharedRead       : 0xd9 ''
   +0x02a SharedWrite      : 0x53 'S'
   +0x02b SharedDelete     : 0x63 'c'
   +0x02c Flags            : 0x4b
   +0x030 FileName         : _UNICODE_STRING ""
   +0x038 CurrentByteOffset : _LARGE_INTEGER 0xffe12cdc`e4190b7f
   +0x040 Waiters          : 0
   +0x044 Busy             : 0x37
   +0x048 LastLock         : 0x00000100 
   +0x04c Lock             : _KEVENT
   +0x05c Event            : _KEVENT
   +0x06c CompletionContext : (null) 
   +0x070 IrpListLock      : 0
   +0x074 IrpList          : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x07c FileObjectExtension : (null) 


1: kd> !pool 0x84d848f8 
Pool page 84d848f8 region is Nonpaged pool
 84d84000 size:   40 previous size:    0  (Allocated)  CxRc
 84d84040 size:   30 previous size:   40  (Allocated)  FLli
 84d84070 size:   28 previous size:   30  (Allocated)  VadS
 84d84098 size:   40 previous size:   28  (Allocated)  CxRc
 84d840d8 size:   b8 previous size:   40  (Allocated)  File (Protected)
 84d84190 size:   40 previous size:   b8  (Allocated)  Even (Protected)
 84d841d0 size:   20 previous size:   40  (Allocated)  ReTa
 84d841f0 size:   68 previous size:   20  (Allocated)  FMsl
 84d84258 size:   b8 previous size:   68  (Allocated)  File (Protected)
 84d84310 size:   48 previous size:   b8  (Allocated)  Sema (Protected)
 84d84358 size:  228 previous size:   48  (Allocated)  TdxA
 84d84580 size:   98 previous size:  228  (Allocated)  WFSK
 84d84618 size:   40 previous size:   98  (Allocated)  CxRc
 84d84658 size:  248 previous size:   40  (Allocated)  NKBS
 84d848a0 size:   20 previous size:  248  (Free)       MmCi
*84d848c0 size:   b8 previous size:   20  (Free ) *UsCx
        Owning component : Unknown (update pooltag.txt)
 84d84978 size:   18 previous size:   b8  (Allocated)  360t
 84d84990 size:   18 previous size:   18  (Allocated)  360t
 84d849a8 size:   18 previous size:   18  (Allocated)  360t
 84d849c0 size:   40 previous size:   18  (Allocated)  CxRc
 84d84a00 size:   40 previous size:   40  (Allocated)  SeTl
 84d84a40 size:    8 previous size:   40  (Free)       MuIc
 84d84a48 size:   48 previous size:    8  (Free )  Vad 
 84d84a90 size:   b8 previous size:   48  (Allocated)  File (Protected)
 84d84b48 size:   20 previous size:   b8  (Allocated)  ReTa
 84d84b68 size:   18 previous size:   20  (Allocated)  WFSK
 84d84b80 size:  210 previous size:   18  (Allocated)  TcpE
 84d84d90 size:   28 previous size:  210  (Allocated)  VadS
 84d84db8 size:  248 previous size:   28  (Allocated)  NKBS

Original comment by m.azun...@gmail.com on 16 Nov 2012 at 3:46

[GoogleCodeExporter]

RelatedFileObject 
A pointer to a FILE_OBJECT structure used to indicate that the current file 
object has been opened relative to an already open file object. The file object 
pointed to by this member is usually a directory (meaning the current file has 
been opened relative to this directory). However, a file can be reopened 
relative to itself, and alternate data streams for a file can be opened 
relative to an already open primary data stream for that same file. ---- The 
RelatedFileObject member is only valid during the processing of the 
IRP_MJ_CREATE requests.  -----

Original comment by m.azun...@gmail.com on 16 Nov 2012 at 5:24

• Changed state: Verified

[GoogleCodeExporter]

对名称提供其中的Callback_data做特殊条件处理，RelatedFileObject 
member is only valid during the processing of the IRP_MJ_CREATE requests. 

Original comment by m.azun...@gmail.com on 16 Nov 2012 at 5:27

• Changed state: Fixed