Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

394 lines
7.0 KiB

  1. #include <ntddk.h>
  2. #include "tdriver.h"
  3. #include "bugcheck.h"
  4. /////////////////////////////////////////////////////////////////////
  5. ////////////////////////////////////////////////// Bugcheck functions
  6. /////////////////////////////////////////////////////////////////////
  7. VOID
  8. BgChkForceCustomBugcheck (
  9. PVOID NotUsed
  10. )
  11. /*++
  12. Routine Description:
  13. This function breaks into debugger and waits for the user to set the
  14. value for bugcheck data. Then it will bugcheck using the specified code
  15. and data. It is useful to test the mini triage feature.
  16. Arguments:
  17. None.
  18. Return Value:
  19. None.
  20. Environment:
  21. Kernel mode.
  22. --*/
  23. {
  24. ULONG BugcheckData [5];
  25. DbgPrint ("Buggy: `ed %p' to enter the bugcheck code and data \n", BugcheckData );
  26. DbgBreakPoint();
  27. KeBugCheckEx (
  28. BugcheckData [ 0 ],
  29. BugcheckData [ 1 ],
  30. BugcheckData [ 2 ],
  31. BugcheckData [ 3 ],
  32. BugcheckData [ 4 ] );
  33. }
  34. VOID BgChkProcessHasLockedPages (
  35. PVOID NotUsed
  36. )
  37. {
  38. PMDL Mdl;
  39. PVOID Address;
  40. DbgPrint ("Buggy: ProcessHasLockedPages \n");
  41. Mdl = IoAllocateMdl(
  42. (PVOID)0x10000, // adress
  43. 0x1000, // size
  44. FALSE, // not secondary buffer
  45. FALSE, // do not charge quota
  46. NULL); // no irp
  47. if (Mdl != NULL) {
  48. DbgPrint ("Buggy: mdl created \n");
  49. }
  50. #if 0
  51. try {
  52. MmProbeAndLockPages (
  53. Mdl,
  54. KernelMode,
  55. IoReadAccess);
  56. DbgPrint ("Buggy: locked pages \n");
  57. }
  58. except (EXCEPTION_EXECUTE_HANDLER) {
  59. DbgPrint ("Buggy: exception raised while locking \n");
  60. }
  61. #endif
  62. }
  63. VOID BgChkNoMoreSystemPtes (
  64. PVOID NotUsed
  65. )
  66. {
  67. DWORDLONG Index;
  68. PHYSICAL_ADDRESS Address;
  69. ULONG Count = 0;
  70. char Buffer [1024];
  71. DbgPrint ("Buggy: NoMoresystemPtes\n");
  72. for (Index = 0; Index < (DWORDLONG)0x80000000 * 4; Index += 0x10000) {
  73. Address.QuadPart = (DWORDLONG)Index;
  74. if (MmMapIoSpace (Address, 0x10000, FALSE)) {
  75. Count += 0x10000;
  76. }
  77. }
  78. DbgPrint ("Finished eating system PTEs %08X ... \n", Count);
  79. }
  80. VOID BgChkBadPoolHeader (
  81. PVOID NotUsed
  82. )
  83. {
  84. PULONG Block;
  85. DbgPrint ("Buggy: BadPoolHeader\n");
  86. Block = (PULONG) ExAllocatePoolWithTag (
  87. NonPagedPool,
  88. 128,
  89. TD_POOL_TAG);
  90. //
  91. // Trash 4 bytes in the block header.
  92. //
  93. *(Block - 1) = 0xBADBAD01;
  94. //
  95. // This free operation should bugcheck.
  96. //
  97. ExFreePool (Block);
  98. }
  99. VOID BgChkDriverCorruptedSystemPtes (
  100. PVOID NotUsed
  101. )
  102. {
  103. PVOID Block;
  104. DbgPrint ("Buggy: DriverCorruptedSystemPtes\n");
  105. Block = (PULONG) ExAllocatePoolWithTag (
  106. NonPagedPool,
  107. 0x2000,
  108. TD_POOL_TAG);
  109. MmUnmapIoSpace (Block, 0x2000);
  110. }
  111. VOID BgChkDriverCorruptedExPool (
  112. PVOID NotUsed
  113. )
  114. {
  115. PULONG Block;
  116. DbgPrint ("Buggy: DriverCorruptedExPool\n");
  117. Block = (PULONG) ExAllocatePoolWithTag (
  118. NonPagedPool,
  119. 128,
  120. TD_POOL_TAG);
  121. //
  122. // Trash 8 bytes in the block header.
  123. //
  124. *(Block - 2) = 0xBADBAD01;
  125. *(Block - 1) = 0xBADBAD01;
  126. //
  127. // This free operation should bugcheck.
  128. //
  129. ExFreePool (Block);
  130. }
  131. VOID BgChkDriverCorruptedMmPool (
  132. PVOID NotUsed
  133. )
  134. {
  135. DbgPrint ("Buggy: DriverCorruptedMmPool\n");
  136. ExFreePool (NULL);
  137. }
  138. VOID BgChkIrqlNotLessOrEqual (
  139. PVOID NotUsed
  140. )
  141. {
  142. KIRQL irql;
  143. VOID *pPagedData;
  144. DbgPrint ("Buggy: IrqlNotLessOrEqual\n");
  145. pPagedData = ExAllocatePoolWithTag(
  146. PagedPool,
  147. 16,
  148. TD_POOL_TAG);
  149. if( pPagedData == NULL )
  150. {
  151. DbgPrint( "Cannot allocate 16 bytes of paged pool\n" );
  152. return;
  153. }
  154. KeRaiseIrql( DISPATCH_LEVEL, &irql );
  155. *((ULONG*)pPagedData) = 16;
  156. KeLowerIrql( irql );
  157. }
  158. VOID BgChkPageFaultBeyondEndOfAllocation (
  159. PVOID NotUsed
  160. )
  161. {
  162. PVOID *pHalfPage;
  163. PVOID *pLastUlongToWrite;
  164. ULONG *pCrtULONG;
  165. DbgPrint ("Buggy: PageFaultBeyondEndOfAllocation\n");
  166. //
  167. // allocate half a page
  168. //
  169. pHalfPage = ExAllocatePoolWithTag(
  170. NonPagedPool,
  171. PAGE_SIZE >> 1,
  172. TD_POOL_TAG);
  173. if( pHalfPage == NULL )
  174. {
  175. DbgPrint ("Buggy: cannot allocate half page of NP pool\n");
  176. }
  177. else
  178. {
  179. //
  180. // touch a page more
  181. //
  182. pCrtULONG = (ULONG*)pHalfPage;
  183. while( (ULONG_PTR)pCrtULONG < (ULONG_PTR)pHalfPage + (PAGE_SIZE >> 1) + 2 * PAGE_SIZE )
  184. {
  185. *pCrtULONG = PtrToUlong( pCrtULONG );
  186. pCrtULONG ++;
  187. }
  188. ExFreePool( pHalfPage );
  189. }
  190. }
  191. VOID BgChkDriverVerifierDetectedViolation (
  192. PVOID NotUsed
  193. )
  194. {
  195. PVOID *pHalfPage;
  196. PVOID *pLastUlongToWrite;
  197. ULONG *pCrtULONG;
  198. DbgPrint ("Buggy: DriverVerifierDetectedViolation\n");
  199. //
  200. // allocate half a page
  201. //
  202. pHalfPage = ExAllocatePoolWithTag(
  203. NonPagedPool,
  204. PAGE_SIZE >> 1,
  205. TD_POOL_TAG);
  206. if( pHalfPage == NULL )
  207. {
  208. DbgPrint ("Buggy: cannot allocate half page of NP pool\n");
  209. }
  210. else
  211. {
  212. //
  213. // touch 1 ULONG more
  214. //
  215. pCrtULONG = (ULONG*)pHalfPage;
  216. while( (ULONG_PTR)pCrtULONG < (ULONG_PTR)pHalfPage + (PAGE_SIZE >> 1) + sizeof( ULONG) )
  217. {
  218. *pCrtULONG = PtrToUlong( pCrtULONG );
  219. pCrtULONG ++;
  220. }
  221. //
  222. // free -> BC
  223. //
  224. ExFreePool( pHalfPage );
  225. }
  226. }
  227. VOID
  228. BgChkCorruptSystemPtes(
  229. PVOID NotUsed
  230. )
  231. /*++
  232. Routine Description:
  233. This function corrupts system PTEs area on purpose. This is
  234. done so that we can test if the crache is mini triaged correctly.
  235. Arguments:
  236. None.
  237. Return Value:
  238. None.
  239. Environment:
  240. Kernel mode.
  241. --*/
  242. {
  243. PULONG puCrtAdress = (PULONG)LongToPtr(0xC0300000);
  244. ULONG uCrtValue;
  245. int nCrtStep;
  246. #define NUM_ULONGS_TO_CORRUPT 0x100
  247. #define FIRST_ULONG_VALUE 0xABCDDCBA
  248. #define NUM_ULONGS_SKIP_EACH_STEP 16
  249. uCrtValue = FIRST_ULONG_VALUE;
  250. for( nCrtStep = 0; nCrtStep < NUM_ULONGS_TO_CORRUPT; nCrtStep++ )
  251. {
  252. *puCrtAdress = uCrtValue;
  253. puCrtAdress += NUM_ULONGS_SKIP_EACH_STEP;
  254. uCrtValue++;
  255. }
  256. }
  257. VOID
  258. BgChkHangCurrentProcessor (
  259. PVOID NotUsed
  260. )
  261. /*++
  262. Routine Description:
  263. This routine will hang the current processor.
  264. Arguments:
  265. None.
  266. Return Value:
  267. None.
  268. Environment:
  269. Kernel mode.
  270. --*/
  271. {
  272. KIRQL PreviousIrql;
  273. KeRaiseIrql( DISPATCH_LEVEL, &PreviousIrql );
  274. while ( TRUE ) {
  275. //
  276. // this will hang the current processor
  277. //
  278. }
  279. }