Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Bugcheck in MPIO.sys when passing IOCTL_MPIO_PASS_THROUGH_PATH on Windows Server 2012 and 64-bit Windows 8



Symptoms

Consider the following scenario:

You have a Windows Server 2012 or a 64-bit Windows 8 system. When a 32-bit application calls DeviceIoControl() and passes the control code IOCTL_MPIO_PASS_THROUGH_PATH, a bugcheck error can occur.

The bugcheck generated in this scenario is "DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6). N bytes of memory was allocated and more than N bytes are being referenced."




Cause

A buffer overflow can occur in kernel mode, leading to a system crash, when a 32-bit application running on 64-bit Windows 8 or Windows Server 2012 passes the control code IOCTL_MPIO_PASS_THROUGH_PATH to DeviceIoControl() and the input or output buffer size exceeds the size of the MPIO_PASS_THROUGH_PATH data structure.



Resolution

Workaround #1 - Compile the application as a 64-bit application

Workaround #2 - Correct the input and output buffer sizes to equal the size of the MPIO_PASS_THROUGH_PATH data structure passed to the API
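A call-site wrapper that applies Workaround #2, as an added example and not code from the KB article: it assumes ntddscsi.h declares MPIO_PASS_THROUGH_PATH and IOCTL_MPIO_PASS_THROUGH_PATH, and the length check is kept portable so it can be exercised outside Windows.

```c
/* Added example, not code from the KB article: a call-site wrapper that issues
 * IOCTL_MPIO_PASS_THROUGH_PATH with input and output lengths exactly equal to
 * sizeof(MPIO_PASS_THROUGH_PATH), which is Workaround #2 above. The size check
 * is portable so it can be unit-tested off Windows; the Win32 part assumes
 * <ntddscsi.h> declares MPIO_PASS_THROUGH_PATH and the IOCTL code. */
#include <stddef.h>

/* Returns 1 when both lengths equal the structure size, the only pattern the KB
 * calls safe; any length above structSize is the condition the KB ties to the
 * DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION bugcheck for a 32-bit caller on
 * 64-bit Windows 8 / Windows Server 2012. */
int MpioPassThroughLengthsSafe(size_t inLen, size_t outLen, size_t structSize)
{
    return inLen == structSize && outLen == structSize;
}

#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>

/* Refuses to issue the IOCTL unless the caller's lengths match the structure
 * size, so an oversized buffer is reported as ERROR_INVALID_PARAMETER in user
 * mode instead of being passed down to mpio.sys. Returns the DeviceIoControl
 * result; 'path' must already be filled in by the caller. */
BOOL IssueMpioPassThroughPath(HANDLE hDevice, MPIO_PASS_THROUGH_PATH *path,
                              DWORD inLen, DWORD outLen, DWORD *bytesReturned)
{
    if (!MpioPassThroughLengthsSafe(inLen, outLen, sizeof(MPIO_PASS_THROUGH_PATH))) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    return DeviceIoControl(hDevice, IOCTL_MPIO_PASS_THROUGH_PATH,
                           path, inLen, path, outLen, bytesReturned, NULL);
}
#endif
```

Existing 32-bit call sites can be audited by routing them through the wrapper, which turns the oversized-buffer case into a user-mode error rather than a kernel-mode fault.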



More Information

Below is the crashing stack in kernel mode:

1: kd> k
Child-SP          RetAddr           Call Site
fffff880`07763d18 fffff801`96058d6d nt!KeBugCheckEx
fffff880`07763d20 fffff801`95f25d6f nt!MiSystemFault+0x114d0d
fffff880`07763dc0 fffff801`95ee87ee nt!MmAccessFault+0x54f
fffff880`07763f00 fffff880`017e1ef4 nt!KiPageFault+0x16e
fffff880`07764098 fffff880`017e1330 mpio!memcpy+0xb4
fffff880`077640a0 fffff880`017cbc4e mpio!MPLIBSendDeviceIoControlSynchronous+0x1b8
fffff880`07764110 fffff880`017ca3cb mpio!MPIOPdoHandleRequest+0xfe6
fffff880`077643a0 fffff880`017c9f5c mpio!MPIOPdoCommonDeviceControl+0x43f
fffff880`07764400 fffff801`964add76 mpio!MPIOPdoDispatch+0x1a4
(Inline Function) --------`-------- nt!IopfCallDriver+0x63
fffff880`07764450 fffff880`0202cc68 nt!IovCallDriver+0x3e6
fffff880`077644a0 fffff880`0200d971 CLASSPNP!ClassDeviceControl+0x298
fffff880`07764650 fffff880`0202d6cd disk!DiskDeviceControl+0x121
fffff880`077646d0 fffff801`964add76 CLASSPNP!ClassDeviceControlDispatch+0x2d
(Inline Function) --------`-------- nt!IopfCallDriver+0x63
fffff880`07764700 fffff880`01618a13 nt!IovCallDriver+0x3e6
fffff880`07764750 fffff801`964add76 partmgr!PmFilterDeviceControl+0xc3
(Inline Function) --------`-------- nt!IopfCallDriver+0x63
fffff880`077647a0 fffff801`963294cf nt!IovCallDriver+0x3e6
fffff880`077647f0 fffff801`963290e9 nt!RawReadWriteDeviceControl+0xa3
fffff880`07764830 fffff801`964add76 nt!RawDispatch+0x89
(Inline Function) --------`-------- nt!IopfCallDriver+0x63
fffff880`07764890 fffff880`00b790ee nt!IovCallDriver+0x3e6
fffff880`077648e0 fffff801`964add76 fltmgr!FltpDispatch+0xee
(Inline Function) --------`-------- nt!IopfCallDriver+0x63
fffff880`07764940 fffff801`962cf2ff nt!IovCallDriver+0x3e6
(Inline Function) --------`-------- nt!IoCallDriverWithTracing+0x20
(Inline Function) --------`-------- nt!IopCallDriverReference+0xa5
(Inline Function) --------`-------- nt!IopSynchronousServiceTail+0x142
fffff880`07764990 fffff801`962cfc86 nt!IopXxxControlFile+0x7dd
fffff880`07764b20 fffff801`95ee9d53 nt!NtDeviceIoControlFile+0x56
fffff880`07764b90 00000000`76f42ad2 nt!KiSystemServiceCopyEnd+0x13
00000000`0008ee28 00000000`76f42717 wow64cpu!CpupSyscallStub+0x2
00000000`0008ee30 00000000`76f5c4f6 wow64cpu!DeviceIoctlFileFault+0x31
00000000`0008eee0 00000000`76f5b8f5 wow64!RunCpuSimulation+0xa
00000000`0008ef30 000007fa`93bca107 wow64!Wow64LdrpInitialize+0x435
00000000`0008f470 000007fa`93bb216a ntdll!LdrpInitializeProcess+0x1521
00000000`0008f770 000007fa`93ba32ae ntdll!_LdrpInitialize+0xee9a
00000000`0008f7e0 00000000`00000000 ntdll!LdrInitializeThunk+0xe

Here are the relevant links describing the IOCTL, API, and data structures from MSDN:

http://msdn.microsoft.com/en-us/library/aa363216(v=VS.85).aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff562411(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff560492(v=vs.85).aspx



Keywords: kb


Article Info
Article ID : 2809247
Revision : 1
Created on : 1/7/2017
Published on : 2/11/2013
Exists online : False
Views : 508