From a48218314914360517592b740703878ceaf64b89 Mon Sep 17 00:00:00 2001 From: Bill Zissimopoulos Date: Tue, 29 Aug 2023 13:15:37 +0100 Subject: [PATCH] sys: FspPropagateTopFlags: check TopLevelIrp not completed Add a check to verify that the TopLevelIrp has not been completed. This became necessary because on recent Windows kernels, IRP's can have "IRP extensions", which are freed when an IRP is completed. This can trigger a recursive CLOSE with a top-level IRP that has been completed, which can bugcheck the system. Case in point: the new (Win11) NtCopyFileChunk creates IRP's with COPY_INFORMATION attached. Upon completion of such an IRP the SourceFileObject is freed, which results in a recursive IRP_MJ_CLOSE with a completed top-level IRP, which would lead to a BSOD. --- src/sys/callbacks.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/sys/callbacks.c b/src/sys/callbacks.c index c178e37c..8d9dfa02 100644 --- a/src/sys/callbacks.c +++ b/src/sys/callbacks.c @@ -324,7 +324,9 @@ VOID FspPropagateTopFlags(PIRP Irp, PIRP TopLevelIrp) FspFileNodeAcquireMain : FspFileNodeAcquireFull); } - else if ((PIRP)MM_SYSTEM_RANGE_START <= TopLevelIrp && IO_TYPE_IRP == TopLevelIrp->Type) + else if ((PIRP)MM_SYSTEM_RANGE_START <= TopLevelIrp && + IO_TYPE_IRP == TopLevelIrp->Type && + TopLevelIrp->CurrentLocation <= TopLevelIrp->StackCount) { PFILE_OBJECT FileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject; PFILE_OBJECT TopLevelFileObject = IoGetCurrentIrpStackLocation(TopLevelIrp)->FileObject;