[wdmaudiodev] Re: [EXTERNAL] Page fault in PortCls when it tries to use interfaces obtained from a destroyed object

  • From: "Matthew van Eerde" <dmarc-noreply@xxxxxxxxxxxxx> ("Matthew.van.Eerde")
  • To: "wdmaudiodev@xxxxxxxxxxxxx" <wdmaudiodev@xxxxxxxxxxxxx>
  • Date: Mon, 27 Feb 2023 18:59:09 +0000

Thank you for reporting this in Feedback Hub. I have promoted your report to a 
bug on the Microsoft backend.

-----Original Message-----
From: wdmaudiodev-bounce@xxxxxxxxxxxxx <wdmaudiodev-bounce@xxxxxxxxxxxxx> On 
Behalf Of Eugene Muzychenko
Sent: Tuesday, February 21, 2023 1:32 AM
To: wdmaudiodev@xxxxxxxxxxxxx
Subject: [EXTERNAL] [wdmaudiodev] Page fault in PortCls when it tries to use 
interfaces obtained from a destroyed object

Hello,

Found another bug in PortCls.

My KS audio driver (implemented as a PortCls WaveRT miniport) implements 
dynamic packet mode support. At any time, packet mode support can be enabled or 
disabled.

After a stream object (IMiniportWaveRTStream) is created, PortCls queries it 
for IMiniportWaveRTInputStream/IMiniportWaveRTOutputStream.
If packet mode support is enabled, my driver satisfies the request, returning 
valid interface pointers. Then the stream works for a while, all packet mode 
requests are processed as expected.

After a while, the stream object is destroyed. After some more time, a new 
stream object is created, and PortCls queries for packet mode interfaces again. 
If packet mode support is disabled at this time, my driver fails these 
request(s).

But even if the last QueryInterface request was failed, PortCls still returns 
STATUS_SUCCESS when the client queries KSPROPERTY_RTAUDIO_GETREADPACKET, 
KSPROPERTY_RTAUDIO_SETWRITEPACKET and KSPROPERTY_RTAUDIO_PACKETCOUNT properties 
with KSPROPERTY_TYPE_BASICSUPPORT.

Later, when the client issues KSPROPERTY_RTAUDIO_GETREADPACKET or 
KSPROPERTY_RTAUDIO_PACKETCOUNT with KSPROPERTY_TYPE_GET, PortCls generates a 
page fault in PinPropertyHandler_GetReadPacket or 
PinPropertyHandler_GetPacketCount, trying to dereference a null pointer.

Most likely, KSPROPERTY_RTAUDIO_SETWRITEPACKET/SET is affected too, and 
PinPropertyHandler_SetWritePacket may generate a page fault as well.

Since packet mode interfaces are obtained from a stream object, they should not 
be used after the destruction of the object.

Feedback Hub report: 
https://aka.ms/AAjqqi5

Reproduced with PortCls versions: 10.0.17134.1, 10.0.19041.746, 10.0.22000.120, 
10.0.22621.1. Most likely, all 10.x versions are affected.

Sincerely,
Eugene

******************

WDMAUDIODEV addresses:
Post message: mailto:wdmaudiodev@xxxxxxxxxxxxx
Subscribe:    mailto:wdmaudiodev-request@xxxxxxxxxxxxx?subject=subscribe
Unsubscribe:  mailto:wdmaudiodev-request@xxxxxxxxxxxxx?subject=unsubscribe
Moderator:    mailto:wdmaudiodev-moderators@xxxxxxxxxxxxx

URL to WDMAUDIODEV page:
http://www.wdmaudiodev.com/
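
The lifecycle described in the report, as a constructed user-mode C model added here (not part of either message and not PortCls code). It assumes the inconsistency comes from a cached capability flag that outlives the stream, which the report does not confirm; every name in it is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed user-mode model; every name here is hypothetical, not PortCls code. */
enum { ST_SUCCESS = 0, ST_NOT_SUPPORTED = -1 };

typedef struct { unsigned packets; } PacketItf;             /* packet-mode interface stand-in */
typedef struct { int packet_mode; PacketItf itf; } Stream;  /* miniport stream stand-in */
typedef struct {
    PacketItf *itf;  /* obtained from the current stream, NULL if the query failed */
    int capable;     /* cached "packet mode supported" answer (assumed cause) */
} Pin;

/* New stream: query it for the interface. The flag is set on success, never cleared. */
void attach(Pin *p, Stream *s) {
    p->itf = s->packet_mode ? &s->itf : NULL;
    if (p->itf) p->capable = 1;
}

/* Stream destroyed: the pointer is dropped, the cached flag survives. */
void detach(Pin *p) { p->itf = NULL; }

/* Flawed handlers: trust the stale flag, then dereference without a check. */
int basic_support_flawed(const Pin *p) { return p->capable ? ST_SUCCESS : ST_NOT_SUPPORTED; }
int get_count_flawed(const Pin *p, unsigned *out) { *out = p->itf->packets; return ST_SUCCESS; }

/* Hardened handlers: every answer comes from the current stream's pointer. */
int basic_support_fixed(const Pin *p) { return p->itf ? ST_SUCCESS : ST_NOT_SUPPORTED; }
int get_count_fixed(const Pin *p, unsigned *out) {
    if (p->itf == NULL) return ST_NOT_SUPPORTED;
    *out = p->itf->packets;
    return ST_SUCCESS;
}

int main(void) {
    Pin pin = {0};
    Stream first = {1, {4}}, second = {0, {0}};  /* packet mode on, then off */
    unsigned n = 0;
    attach(&pin, &first);
    detach(&pin);
    attach(&pin, &second);                       /* query fails for this stream */
    printf("flawed basic support: %d, pointer is %s\n",
           basic_support_flawed(&pin), pin.itf ? "set" : "NULL");
    printf("fixed basic support: %d, fixed get: %d\n",
           basic_support_fixed(&pin), get_count_fixed(&pin, &n));
    return 0;
}
```

`main` never calls `get_count_flawed`, because in the final state it would dereference the null pointer, which is the fault the report describes.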
