Re: USBFN => data abort in Windows Embedded CE6.0

On Mon, 19 May 2008 23:24:45 -0700 (PDT), okayhj@xxxxxxxxx wrote:

Hi, how are u?

Previously I made a question about 'Data Abort' in Usbfn pdd device
driver.
But, I tested several times with the other souce code, Sc2440pdd.cpp
file for WinEmbCE6.0.
This code already has been confirmed by the reference board made by
MDS technology which is one of embedded software company.

So, with this confirmed source code Sc2440pdd.cpp, I tried to adapt to
my WinEmbCE6.0 BSP project.
But error has happed like below.

error has been happened just after finishing calling UfnPdd_IOControl
function.

I'm not at all familiar with this function (or drivers for that
matter), and I'm having trouble understanding the details of your
problem. Also, I'm heavily biased towards C/C++. But this may be
relevant anyway:

Bad pointers are common causes of nasty problems. The symptom occurs
when code tries to use a bad pointer. But the bug is when the pointer
becomes bad, and that may be in code that seems unrelated to the code
where the symptom occurs. So the real way to find such problems is to
find bad pointers as soon after they are created as possible. And that
is where ASSERTs are really, really helpful. Definitely a pain to add,
but well worth effort. In this case, if you can determine what
pointers are used in the function that shows the symptom, then you can
use ASSERTs to check all those pointers in code that might set them
before the function is called. Be sure to fortify yourself with as
much patience as you can muster.

Buffer overruns are particularly hard bugs to track down. Code that
writes past the end of a buffer can clobber a pointer used in code
that seems very, very unrelated. I find some of these by putting a
debugger break on the corrupted pointer, and that stops when something
changes the value of the pointer. Not an option without a debugger.
The only other way I know to catch these is to check for buffer
overruns in all code that might have such a bug; I generally put a
null at the end of a buffer and use an ASSERT to make sure it is still
null after a put something in the buffer.

and the parameter of UfnPdd_IOControl is wired.
(with WinCE5.0 there is no calling this function with this parameter)

...
OEMInit: KITLIoctl end
VBridge:: VB_INITIALIZED returns [0]
[2846]UFNPDD : RegOpenKeyEx success 0, 1, Mass_Storage_Class, 38
[2849]UFNPDD : RegQueryValueEx success
[2863]UFNPDD : USB MSF Function Class Enabled : Mass_Storage_Class
[2972]UFNPDD : SC2440UsbFn!UfnPdd_Init: Using IO Base 50000000
[2974]UFNPDD : SC2440UsbFn!UfnPdd_Init: Using SysIntr 17
[2976]UFNPDD : SC2440UsbFn!UfnPdd_Init: Using IST priority 100
[1167]UsbFnMdd!UFN_Init: PDD has 5 endpoints
[1170]UsbFnMdd!UFN_Init: PDD supports speeds 0x1
[1489]00..
[2644]UFNPDD : ++UfnPdd_IOControl, dwCode = 2752584
[2716]UFNPDD : found !! dwCnt=9
[2717]UFNPDD : sSTATEs[dwCnt].strState=IOCTL_BUS_POSTINIT <- I added
to find out what code has been passed.
[2724]UFNPDD : --UfnPdd_IOControl
Exception 'Data Abort' (4): Thread-Id=00df0002(pth=87e30c98), Proc-
Id=00400002(pprc=81108308) 'NK.EXE', VM-active=015f0002(pprc=87
e06b70) 'udevice.exe'
PC=c0978d18(mv8760usbfn.dll+0x00008d18) RA=c0979d7c(mv8760usbfn.dll
+0x00009d7c) SP=d03ce2d8, BVA=00000000
[1498]EXCEPTION_EXECUTE_HANDLER..
[1527]Error !! -> GetLastError() = 0x57, fRet = 0

Recently, I really made lots of questions at this place.
Because I think you are very good at WinCE over the world.
Thanx for your help in advance.

-----------------------------------------
To reply to me, remove the underscores (_) from my email address (and please indicate which newsgroup and message).

Robert E. Zaret, eMVP
PenFact, Inc.
20 Park Plaza, Suite 478
Boston, MA 02116
www.penfact.com
.

Relevant Pages

  • Re: [Full-Disclosure] Win32 Device Drivers Communication Vulnerabilities + PoC for Symantec Norton A
    ... Function Codes/IRP Function Codes and IOCTRL/Defining I/O Control Codes): ... IRPs containing the I/O control code will supply a pointer ... describing the output buffer at Irp->MdlAddress. ... if the driver can be sent such a request only while it is ...
    (Full-Disclosure)
  • [net-next PATCH 4/5] igb: Add support for enabling VFs to PF driver.
    ... pointer to the hardware struct ... under the terms and conditions of the GNU General Public License, ... * @msg: The message buffer ... * returns SUCCESS if it successfully copied message into the buffer ...
    (Linux-Kernel)
  • Re: some unanswered questions on C
    ... A pointer variable that's never been given a value. ... you don't know what memory you're modifying. ... >what i want to ask is that when i declare my buffer for fgets as ... "char *buffer" creates a pointer, ...
    (comp.unix.programmer)
  • [patch] x86, ptrace: PEBS support
    ... BTS and PEBS recording. ... * - buffer overflow handling ... (interrupt occurs when write pointer passes interrupt pointer) ... * guarding context and buffer memory allocation. ...
    (Linux-Kernel)
  • Re: The coming death of all RISC chips.
    ... different area of memory than the "stack", ... Any arbitrarily indirect pointer to code that can be ... overwritten by a buffer overflow is a potential hole (and an actual ... ways to exploit buffer overflows. ...
    (comp.arch)