IoAllocateMdl bug

Salam Aleykum 5 Reputation points
2023-02-04T07:40:34.3533333+00:00

Hello, IoAllocateMdl returns a non-null value if it's called with a Length argument of 0, but when you map the MDL using MmMapLockedPagesSpecifyCache and then try to unmap it, calling MmUnmapLockedPages results in a bug check with code 0xda and first argument 0x302. Here's a minimal sample to reproduce the problem:

#include <ntddk.h>

// Minimal repro: allocate one page, describe it with a zero-length MDL, lock, map, unmap.
auto TempBuff = ExAllocatePool(NonPagedPool, 0x1000);
if (TempBuff)
{
	memset(TempBuff, 0, 0x1000);

	// Length argument of 0: IoAllocateMdl still returns a non-null MDL
	auto Mdl = IoAllocateMdl(TempBuff, 0, FALSE, FALSE, nullptr);
	if (Mdl)
	{
		__try
		{
			MmProbeAndLockPages(Mdl, KernelMode, IoReadAccess);
		}
		__except (EXCEPTION_EXECUTE_HANDLER)
		{
			// locking failed; the repro continues regardless
		}

		auto Mapped = MmMapLockedPagesSpecifyCache(Mdl, KernelMode, MmNonCached, nullptr, FALSE, NormalPagePriority);
		if (Mapped)
			MmUnmapLockedPages(Mapped, Mdl);		// bug check 0xda, first argument 0x302, happens here

		MmUnlockPages(Mdl);
		IoFreeMdl(Mdl);			// release the MDL (cleanup not in the original snippet)
	}

	ExFreePool(TempBuff);		// release the buffer (cleanup not in the original snippet)
}
Windows 11

3 answers

  1. Limitless Technology 44,526 Reputation points
    2023-02-06T15:30:34.1733333+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    The error you're encountering is because when you call IoAllocateMdl with a Length argument of 0, you are allocating an MDL (Memory Descriptor List) that describes an invalid memory region.

    MmMapLockedPagesSpecifyCache maps the locked pages described by the MDL into a virtually contiguous region of system address space. In this case, the MDL describes a region of 0 length, which means there are no pages to map. This leads to an error when trying to unmap the pages using MmUnmapLockedPages.

    To avoid this error, you should ensure that the Length argument passed to IoAllocateMdl is non-zero and that it represents a valid memory region before calling MmMapLockedPagesSpecifyCache.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.


  2. Limitless Technology 44,526 Reputation points
    2023-02-06T15:31:25.12+00:00

    Double post


  3. Salam Aleykum 5 Reputation points
    2023-02-06T19:55:46.2833333+00:00

    Thanks for your response. If there are no pages to map, why does MmMapLockedPagesSpecifyCache return a pointer when no pages were actually mapped? Doesn't that look like a bug?

