Introduction
Many of you have heard about Special Pool. This post explains what it is and how it works.
What is Special Pool?
Special Pool is another memory pool type. When it is enabled, three kinds of pool are in play: paged, non-paged and special. Whether a given allocation is taken from Special Pool depends on whether it is enabled and on how it is configured (see below).
How can I configure special pool?
When memory is allocated, a driver supplies what is called a tag to identify the memory block. Tags are used to record allocations so you can see how much memory each tag consumes. A tag is a 4-byte value, normally four ASCII characters such as “ABCD”. Special Pool can be enabled so that every allocation made with a particular tag comes from Special Pool; for that you need to know which tag you are looking for. Special Pool can also be set up for a particular allocation size, such as 40 bytes. The setting is made either with Driver Verifier (verifier.exe, where Special Pool is one of the options and applies to the drivers you select) or through the PoolTag and PoolTagOverruns values under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, where PoolTag names the tag or size and PoolTagOverruns selects overrun (1, the default) or underrun (0) detection. Either way the change takes effect at the next boot.
What happens when a special pool allocation is made?
When a Special Pool allocation is made, a whole 4096-byte page is used for it. The allocation goes at the beginning or the end of that page depending on whether you chose to catch underruns or overruns: for underruns it goes at the start of the page, for overruns at the end, so that the very next byte written past the allocation leaves the page. Below is an example of the overrun layout.
0: kd> dd 8ae24fc0-50 l 55
8ae24f70 5d5d5d5d 5d5d5d5d 5d5d5d5d 5d5d5d5d
8ae24f80 5d5d5d5d 5d5d5d5d 5d5d5d5d 5d5d5d5d
8ae24f90 5d5d5d5d 5d5d5d5d 5d5d5d5d 5d5d5d5d <-- Fill pattern
8ae24fa0 5d5d5d5d 5d5d5d5d 5d5d5d5d 5d5d5d5d
8ae24fb0 5d5d5d5d 5d5d5d5d 5d5d5d5d 5d5d5d5d
8ae24fc0 00400709 00008003 0078006c e18853f8 <-- Allocation (0x40 bytes, ends at the page boundary)
8ae24fd0 0000003e 00000000 e1938f70 e1938f70
8ae24fe0 e1938f28 e1938eb0 e1938eb0 00000002
8ae24ff0 00000000 00000000 00000000 00000020
8ae25000 ???????? ???????? ???????? ???????? <-- Next page set to an invalid address.
The idea for overruns is to catch a driver writing beyond its allocation, so the page following the allocation is made invalid. The system bug checks (blue screens) the instant a driver writes past the end of its allocation, at the faulting instruction, which tells you exactly who did it. Without Special Pool the overwrite lands in whatever neighbour happens to be there and may not cause a problem until much later, by which time there is often no way to find the culprit. In the underrun case, it is the page before the allocation that is invalid.
What is the fill pattern?
The fill pattern is checked for validity after every release. If the fill pattern is written to, the system will blue screen on release.
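The layout described above (allocation pushed against an invalid neighbour page, the rest of the page filled with a pattern that is checked on free), as an added user-mode model in C. This is not code from the original post or from Windows' own special pool: it uses mmap/mprotect on a POSIX system to build the inaccessible neighbour page that the kernel builds with an invalid PTE, takes the page size from sysconf rather than assuming 4096, omits the per-page header that real special pool keeps, and assumes 8-byte rounding of the request. FILL_BYTE is 0x5d from the dump. A write one byte past a 61-byte request lands in the alignment slack and is only caught by the pattern check at free time; a write past the page boundary hits the guard page and faults immediately, which is the bug check the text describes.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define FILL_BYTE 0x5d   /* fill pattern seen around the allocation in the dump */
#define ALIGN     8      /* assumed allocation granularity; slack below this is caught on free */

/* One special allocation: a data page plus an adjacent inaccessible guard page. */
typedef struct {
    uint8_t *base;      /* start of the two-page mapping */
    size_t   size;      /* size the caller asked for */
    int      overruns;  /* 1: guard page after the data page, 0: guard page before it */
} special_block;

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

static uint8_t *data_page(const special_block *b) {
    return b->overruns ? b->base : b->base + page_size();
}

/* Hand out `size` bytes from a fresh page, placed against the guard page. NULL on failure. */
static void *special_alloc(special_block *b, size_t size, int overruns) {
    size_t ps = page_size();
    if (size == 0 || size > ps) return NULL;           /* real special pool falls back to normal pool */
    uint8_t *m = mmap(NULL, 2 * ps, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return NULL;
    b->base = m; b->size = size; b->overruns = overruns;
    uint8_t *data  = data_page(b);
    uint8_t *guard = overruns ? m + ps : m;
    if (mprotect(guard, ps, PROT_NONE) != 0) { munmap(m, 2 * ps); return NULL; }
    memset(data, FILL_BYTE, ps);                       /* everything not handed out carries the pattern */
    size_t rounded = (size + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    return overruns ? data + ps - rounded : data;      /* end of page for overruns, start for underruns */
}

/* 1 if every fill byte outside [p, p+size) is intact, 0 if something wrote into the pattern. */
static int special_check(const special_block *b, const void *p) {
    const uint8_t *data = data_page(b), *u = p;
    for (const uint8_t *q = data; q < data + page_size(); q++) {
        if (q >= u && q < u + b->size) continue;       /* the caller's own bytes may hold anything */
        if (*q != FILL_BYTE) return 0;
    }
    return 1;
}

/* Free the block. Returns the pattern verdict; the kernel bug checks instead of returning 0. */
static int special_free(special_block *b, void *p) {
    int intact = special_check(b, p);
    munmap(b->base, 2 * page_size());
    b->base = NULL;
    return intact;
}

/* Page offset of the pointer handed out for a given size and mode. */
static size_t special_offset_in_page(size_t size, int overruns) {
    special_block b;
    void *p = special_alloc(&b, size, overruns);
    if (!p) return (size_t)-1;
    size_t off = (uintptr_t)p & (page_size() - 1);
    special_free(&b, p);
    return off;
}

/* A write just past a 61-byte request lands in the 3 slack bytes before the guard page:
   no fault, but the fill-pattern check at free time reports it. Returns 1 if it was caught. */
static int slack_overrun_caught(void) {
    special_block b;
    char *p = special_alloc(&b, 61, 1);
    if (!p) return 0;
    memset(p, 'A', 61);
    p[61] = 'X';
    return special_free(&b, p) == 0;
}

/* A well-behaved 0x40-byte allocation, like the one in the dump, frees cleanly. */
static int clean_free_ok(void) {
    special_block b;
    char *p = special_alloc(&b, 0x40, 1);
    if (!p) return 0;
    memset(p, 0, 0x40);
    return special_free(&b, p) == 1;
}

int main(int argc, char **argv) {
    size_t ps = page_size();
    printf("page size %zu: 0x40-byte overrun allocation sits at page offset 0x%zx\n",
           ps, special_offset_in_page(0x40, 1));
    printf("slack overrun caught on free: %d, clean free ok: %d\n",
           slack_overrun_caught(), clean_free_ok());
    if (argc > 1 && strcmp(argv[1], "crash") == 0) {  /* the immediate-fault case from the text */
        special_block b;
        char *p = special_alloc(&b, 0x40, 1);
        p[0x40] = 0;                                   /* first byte of the guard page: SIGSEGV here */
    }
    return 0;
}
```

Run it with no arguments to see the placement and the free-time verdicts; run it with `crash` to reproduce the immediate fault that, in the kernel, is the bug check with the offending driver on top of the stack. The point of the two detection paths is worth keeping in mind when reading a Special Pool crash: a fault on the guard page identifies the writer directly, while a bug check at free time only tells you which allocation was corrupted, not who corrupted it.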
Are there any other reasons to enable special pool besides pool corruption?
Special Pool also saves the stack of the thread that last freed each block. So if a block has been freed back to Special Pool, the !fpsearch debugger command will find the page on the free list and show the stack of that last free, which tells you who released memory that is later referenced.
0: kd> !fpsearch be962c48
Searching the free page list (38 entries) for VA be962c48

VA       PFN  Tag  Size  Pagable  Thread    Tick
be962c48 ec79 CM   3b8   Yes      81ed1020  ae2

CALL STACK AT TIME OF DEALLOCATION
nt!ExFreePoolWithTag+0x22
nt!ExFreePool+0xb
nt!CmpValidateAlternate+0x63
nt!CmpInitializeHiveList+0x2cd
nt!CmpWorker+0x68
nt!NtInitializeRegistry+0x92
nt!_KiSystemService+0xc9
nt!NtClose+0x2d8
nt!_KiSystemService+0xc9
Beware of Red Herrings in the Pool
After enabling Special Pool, the system may blue screen on boot. This is because, during boot, the memory manager may round up some allocations, giving a driver a few more bytes than it actually requested. Some drivers occasionally overrun their requested size, but since the memory manager handed out a few extra bytes there is no visible problem. There is no problem until you enable Special Pool, that is. Once Special Pool is enabled, the requested size is strictly enforced and the system bug checks on the first such overrun. That crash is a real bug in the driver it names, but it may have nothing to do with the corruption you enabled Special Pool to find, so do not stop at the first bug check.
Conclusion
I hope this gives a better understanding of Special Pool.
Monday, May 21, 2007