Wednesday, July 30, 2008

avast4 collides with ext2ifs

Affected Product:
Avast4 home edition
ext2ifs 1.10c
ext2ifs 1.11
Description:
avast4 home edition is a free anti-virus tool. On 2008-07-30 it updated some files, including a file called 'aswSP.sys'. According to the information in Autoruns, it is the avast self-protection module.
[Here is info from autoruns.]
aswSP    avast! self protection module    ALWIL Software    c:\windows\system32\drivers\aswsp.sys
[Here is info from update-log]
2008-7-30 7:36:14 file Direct move of file: C:\Program Files\Alwil Software\Avast4\Setup\INF\AMD64\aswSP.sys
2008-7-30 7:36:14 file Installed file:C:\Program Files\Alwil Software\Avast4\Setup\INF\AMD64\aswSP.sys
2008-7-30 7:36:14 file Direct move of file: C:\Program Files\Alwil Software\Avast4\Setup\INF\aswSP.sys
2008-7-30 7:36:59 system Reboot set by changed resident C:\WINDOWS\system32\drivers\aswSP.sys
2008-7-30 7:36:59 system Driver file copied: C:\WINDOWS\system32\drivers\aswSP.sys
If you use ext2ifs on the system to share data with Linux, it will cause a system crash with code BAD_POOL_CALLER. There is no evidence showing that it is connected with ext2ifs, but the crash always happens when I try to access data on a disk that uses ext2ifs. When I copy data to an NTFS disk, it is all right. Here is the dump analysis.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 04030401, Memory contents of the pool block
Arg4: e13a7258, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS: e13a7258

FREED_POOL_TAG: pSsA

BUGCHECK_STR: 0xc2_7_pSsA

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: _uninst.exe

LAST_CONTROL_TRANSFER: from 80544e86 to 804f9aef

STACK_TEXT:
eb364b68 80544e86 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
eb364bb8 ee072a0a e13a7258 00000000 8055a584 nt!ExFreePoolWithTag+0x2a0
WARNING: Stack unwind information not available. Following frames may be wrong.
eb364be4 805c5e1c 00000730 0000016c eb364cdc aswSP+0x5a0a
eb364c04 80639346 e3986008 0000016c eb364cdc nt!PsCallImageNotifyRoutines+0x36
eb364d08 805c5bcd 7c810665 00000000 00000000 nt!DbgkCreateThread+0xa2
eb364d50 805421c2 00000000 7c810665 00000001 nt!PspUserThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
aswSP+5a0a
ee072a0a ?? ???

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: aswSP+5a0a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: aswSP

IMAGE_NAME: aswSP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4881fba3

FAILURE_BUCKET_ID: 0xc2_7_pSsA_aswSP+5a0a

BUCKET_ID: 0xc2_7_pSsA_aswSP+5a0a

Followup: MachineOwner

The crash happened in aswSP+5a0a.
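
As an added example (not part of the original post, and not avast or ext2ifs code), this Python script reads the bugcheck arguments and stack lines quoted above and cross-checks them: that Arg1 marks a free of an already freed block, that the pointer passed to nt!ExFreePoolWithTag equals Arg4, and which module made that call. The names `DUMP`, `FRAME` and `triage` are chosen for this example, and the module base is inferred on the assumption that the symbol-less offset is relative to the image base.

```python
import re

# Constructed input: lines copied from the dump analysis quoted in this post.
DUMP = """\
BAD_POOL_CALLER (c2)
Arg1: 00000007, Attempt to free pool which was already freed
Arg4: e13a7258, Address of the block of pool being deallocated
STACK_TEXT:
eb364b68 80544e86 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
eb364bb8 ee072a0a e13a7258 00000000 8055a584 nt!ExFreePoolWithTag+0x2a0
WARNING: Stack unwind information not available. Following frames may be wrong.
eb364be4 805c5e1c 00000730 0000016c eb364cdc aswSP+0x5a0a
eb364c04 80639346 e3986008 0000016c eb364cdc nt!PsCallImageNotifyRoutines+0x36
"""

# kb columns: ChildEBP, RetAddr, three "Args to Child", then symbol+offset.
FRAME = re.compile(
    r"^[0-9a-f]{8} ([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){2}(\S+)\+0x([0-9a-f]+)$"
)

def triage(text):
    """Cross-check the bugcheck arguments against the stack and name the caller."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-f]{8}),", text, re.M)}
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            ret, arg0, sym, off = m.groups()
            module, _, func = sym.partition("!")
            frames.append({"ret": int(ret, 16), "arg0": int(arg0, 16),
                           "module": module, "func": func, "offset": int(off, 16)})
    for i, f in enumerate(frames[:-1]):
        if f["func"] == "ExFreePoolWithTag":
            caller = frames[i + 1]  # the frame that ExFreePoolWithTag returns into
            return {
                "double_free": args.get(1) == 7,
                "freed_ptr_matches_arg4": f["arg0"] == args.get(4),
                "caller": "%s+0x%x" % (caller["module"], caller["offset"]),
                "caller_is_kernel": caller["module"] == "nt",
                # Return address minus offset gives the inferred load address.
                "module_base": f["ret"] - caller["offset"],
            }
    return None

if __name__ == "__main__":
    print(triage(DUMP))
```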

Resolution:
There is no solution available now. Uninstall avast, or uninstall ext2ifs.

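Chinese note on the above:
Do not use avast4 and ext2ifs at the same time, especially after today's update.
Anyone who uses ext2ifs should be able to understand the above, so the rest is not translated.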
