IoAllocateMdl bug

Question

Hello, IoAllocateMdl returns non-null value if it's called with Length argument of 0, but when you map mdl using MmMapLockedPagesSpecifyCache and when try to unmap, calling MmUnmapLockedPages results in a bug check with code 0xda and first argument 0x302. Here's a minimal sample to reproduce the problem:

auto TempBuff = ExAllocatePool(NonPagedPool, 0x1000);
if (TempBuff)
{
	memset(TempBuff, 0, 0x1000);

	auto Mdl = IoAllocateMdl(TempBuff, 0, FALSE, FALSE, nullptr);
	if (Mdl)
	{
		__try
		{
			MmProbeAndLockPages(Mdl, KernelMode, IoReadAccess);
		}
		__except (1)
		{

		}

		auto Mapped = MmMapLockedPagesSpecifyCache(Mdl, KernelMode, MmNonCached, nullptr, FALSE, NormalPagePriority);
		if (Mapped)
			MmUnmapLockedPages(Mapped, Mdl);		

		MmUnlockPages(Mdl);
	}
}

Answer 1

Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query

The error you're encountering is because when you call IoAllocateMdl with a Length argument of 0, you are allocating an MDL (Memory Descriptor List) that describes an invalid memory region.

MmMapLockedPagesSpecifyCache maps the locked pages described by the MDL into a virtually contiguous region of system address space. In this case, the MDL describes a region of 0 length, which means there are no pages to map. This leads to an error when trying to unmap the pages using MmUnmapLockedPages.

To avoid this error, you should ensure that the Length argument passed to IoAllocateMdl is non-zero and that it represents a valid memory region before calling MmMapLockedPagesSpecifyCache.

If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

Answer 2

Double post

Answer 3

Thanks for your response. If there are no pages to map, why does MmMapLockedPagesSpecifyCache return some pointer if no pages actually were mapped, isn't it look like a bug?