JustKernel

Shared memory Between User-Mode And Kernel Mode (IOCTL)

User-mode components cannot allocate virtual memory in the kernel address space. Although it is possible to map kernel memory into user mode, a driver should never do so for security reasons. Therefore, drivers and user-mode components must use other strategies for sharing memory. Such strategies typically involve:

– Mapped memory buffers.

– Section objects with shared views.

Mapped Memory Buffers:

The simplest and most secure way for a driver to share memory with a user-mode application is to pass a buffer in an IOCTL. In short:

  • The driver defines an IOCTL with one of these transfer types:
    1. METHOD_IN_DIRECT
    2. METHOD_OUT_DIRECT
    3. METHOD_NEITHER
  • The user-mode application allocates a buffer and then calls DeviceIoControl, supplying the driver-defined I/O control code and describing the buffer. In response the system builds an IRP_MJ_DEVICE_CONTROL request and sends it to the driver. The IRP contains the IOCTL code, the buffer length and the I/O transfer type.
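The transfer type is not a separate field that the application chooses at call time; it is encoded in the low two bits of the I/O control code itself, which is why the driver's IOCTL definition fixes it. The following added example (not code from the original post) reproduces the CTL_CODE bit layout in plain C so it compiles without the WDK headers, defines three hypothetical IOCTLs in the vendor function-code range, and shows how a dispatch routine can tell from the code alone whether it will receive an MDL, a raw user pointer, or a system-buffer copy. The IOCTL_SAMPLE_* names, the device type and the function numbers are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Transfer-type values stored in bits 1..0 of an I/O control code
 * (same numeric values as the WDK METHOD_* definitions). */
#define METHOD_BUFFERED   0
#define METHOD_IN_DIRECT  1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER    3

/* RequiredAccess values stored in bits 15..14 (same as the WDK FILE_*_ACCESS). */
#define FILE_ANY_ACCESS   0
#define FILE_READ_ACCESS  1
#define FILE_WRITE_ACCESS 2

#define FILE_DEVICE_UNKNOWN 0x22   /* device type used by most vendor drivers */

/* Same bit layout as the WDK CTL_CODE macro:
 *   bits 31..16 device type, 15..14 access, 13..2 function, 1..0 method */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    ((uint32_t)(((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)))

#define METHOD_FROM_CTL_CODE(code)      ((uint32_t)(code) & 3u)
#define DEVICE_TYPE_FROM_CTL_CODE(code) (((uint32_t)(code) >> 16) & 0xFFFFu)
#define FUNCTION_FROM_CTL_CODE(code)    (((uint32_t)(code) >> 2) & 0xFFFu)

/* Hypothetical IOCTLs for the example; function codes 0x800 and above are
 * reserved for vendor (non-Microsoft) definitions. */
#define IOCTL_SAMPLE_READ_DIRECT  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_OUT_DIRECT, FILE_READ_ACCESS)
#define IOCTL_SAMPLE_WRITE_DIRECT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_IN_DIRECT,  FILE_WRITE_ACCESS)
#define IOCTL_SAMPLE_NEITHER      CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_NEITHER,    FILE_ANY_ACCESS)

/* How a dispatch routine classifies the buffer it will find in the IRP. */
typedef enum {
    BUFFER_VIA_MDL,          /* Irp->MdlAddress: pages pinned, map with MmGetSystemAddressForMdlSafe */
    BUFFER_VIA_USER_VA,      /* raw user pointer: must be probed in the caller's process context */
    BUFFER_VIA_SYSTEM_COPY   /* METHOD_BUFFERED: I/O manager copies to Irp->AssociatedIrp.SystemBuffer */
} buffer_access_t;

buffer_access_t classify_ioctl(uint32_t code) {
    switch (METHOD_FROM_CTL_CODE(code)) {
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT: return BUFFER_VIA_MDL;
    case METHOD_NEITHER:    return BUFFER_VIA_USER_VA;
    default:                return BUFFER_VIA_SYSTEM_COPY;
    }
}

int main(void) {
    /* Stand-alone run: print the encoded codes and their decoded method. */
    uint32_t codes[] = { IOCTL_SAMPLE_READ_DIRECT, IOCTL_SAMPLE_WRITE_DIRECT, IOCTL_SAMPLE_NEITHER };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        printf("code 0x%08X device 0x%X function 0x%X method %u -> access kind %d\n",
               codes[i], DEVICE_TYPE_FROM_CTL_CODE(codes[i]), FUNCTION_FROM_CTL_CODE(codes[i]),
               METHOD_FROM_CTL_CODE(codes[i]), (int)classify_ioctl(codes[i]));
    }
    return 0;
}
```

Because the method bits travel inside the code, a driver that switches on the full IOCTL value in its dispatch routine implicitly gets the transfer type it defined; the classification above is the same decision the I/O manager has already made when it built the IRP, so the driver must not assume a different buffer kind than the one its code encodes.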

If the transfer type is METHOD_IN_DIRECT or METHOD_OUT_DIRECT, the system checks the address and size of the buffer. If these are valid, the system builds an MDL that describes the physical pages that comprise the buffer, and then it locks (or “pins”) those pages in physical memory. The pages will be unlocked later when the MDL is freed.

Upon receiving the IRP_MJ_DEVICE_CONTROL request, the driver proceeds as follows to access the shared memory that is represented by the buffer:

  1. If the MDL pointer in the IRP is not NULL, the driver calls MmGetSystemAddressForMdlSafe to map the pages that are described by the MDL into the kernel virtual address space, so that the driver can access them.
  2. The driver uses the kernel virtual address to access the buffer. The driver can read and write the buffer at any IRQL and in any thread context because the pages that comprise the user buffer are locked into memory.

If the transfer type is METHOD_NEITHER, the driver can use the user-space virtual address to access the buffer in the context of the requesting process. But before using this buffer, the driver must validate every user-space address it touches. To validate an address, the driver must call ProbeForRead or ProbeForWrite within a structured exception handler.
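What ProbeForRead actually checks is easy to lose sight of behind the exception-handler boilerplate: the range must be aligned as requested, must not wrap around, and must lie entirely below the user/kernel boundary (the kernel variable MmUserProbeAddress, 0x7FFFFFFF0000 on x64). The added example below (not code from the original post) models those checks in portable C, returning a status where the real routine raises an exception, and then shows the driver-side pattern for a METHOD_NEITHER input buffer: probe, copy once into kernel-owned memory, and use only the copy. The probe_for_read and capture_user_input names, the PROBE_* status values and the constructed g_user_request buffer are assumptions for the example; the real ProbeForWrite additionally touches every page to confirm it is writable, which this model omits.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Highest address ProbeForRead/ProbeForWrite accept on x64 Windows
 * (the kernel variable MmUserProbeAddress), used as a constant in this model. */
#define MODEL_USER_PROBE_ADDRESS ((uintptr_t)0x00007FFFFFFF0000ULL)

typedef enum {
    PROBE_OK = 0,
    PROBE_ACCESS_VIOLATION,       /* range reaches kernel space or wraps around */
    PROBE_DATATYPE_MISALIGNMENT,  /* address violates the requested alignment */
    PROBE_BUFFER_TOO_SMALL        /* caller's length exceeds the kernel copy (model-only status) */
} probe_status_t;

/* Model of the range checks ProbeForRead performs. The real routine raises a
 * structured exception (which is why it must be called inside __try/__except);
 * this model returns a status instead so it runs on any host. */
probe_status_t probe_for_read(uintptr_t address, size_t length, size_t alignment) {
    if (length == 0)
        return PROBE_OK;                       /* zero-length ranges are accepted unchecked */
    if (address & (alignment - 1))
        return PROBE_DATATYPE_MISALIGNMENT;    /* alignment is a power of two: 1, 2, 4, 8 or 16 */
    if (length > UINTPTR_MAX - address)
        return PROBE_ACCESS_VIOLATION;         /* address + length would wrap past the top of memory */
    if (address + length > MODEL_USER_PROBE_ADDRESS)
        return PROBE_ACCESS_VIOLATION;         /* range extends into kernel address space */
    return PROBE_OK;
}

/* Driver-side handling of a METHOD_NEITHER input buffer: probe the user range,
 * then copy it once into kernel-owned memory and work only on that copy.
 * Re-reading through the user pointer after validation would let another
 * thread in the caller's process change the contents between check and use
 * (a double fetch), so every later access goes to kernel_copy. */
probe_status_t capture_user_input(uintptr_t user_address, size_t length,
                                  void *kernel_copy, size_t kernel_copy_size) {
    if (length > kernel_copy_size)
        return PROBE_BUFFER_TOO_SMALL;         /* never trust the caller-supplied length alone */
    probe_status_t st = probe_for_read(user_address, length, sizeof(uint32_t));
    if (st != PROBE_OK)
        return st;
    /* In a driver this memcpy sits inside the same __try block as the probe:
     * the caller may unmap or free the pages after the probe has succeeded. */
    memcpy(kernel_copy, (const void *)user_address, length);
    return PROBE_OK;
}

/* Constructed input for a stand-alone run: the "user" request and the kernel
 * copy are both ordinary host arrays here. */
static uint32_t g_user_request[4] = { 1, 2, 3, 4 };
static uint32_t g_kernel_copy[4];

int main(void) {
    probe_status_t st = capture_user_input((uintptr_t)g_user_request, sizeof g_user_request,
                                           g_kernel_copy, sizeof g_kernel_copy);
    return st == PROBE_OK ? 0 : 1;
}
```

The ordering matters: the length is bounded against the kernel buffer before the probe, the probe precedes the copy, and nothing after the copy touches the user pointer again. A probe on its own only proves that the range was user-mode and mapped at that instant; it is the single copy that turns the user data into something the driver can safely parse.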

Originally Posted On: 2010-04-24 02:13:43

Anshul makkar, anshul_makkar@justkernel.com
