Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: shell909090 on July 31, 2008, 03:38:41 AM
-
Affected Product:
Avast4 home edition
ext2ifs 1.10c
ext2ifs 1.11
Description:
Avast4 Home Edition is a free anti-virus tool. On 2008-07-30 it updated some files, including a file called 'aswSP.sys'. According to the information in Autoruns, it is the avast self-protection module.
[Here is info from autoruns.]
aswSP    avast! self protection module    ALWIL Software    c:\windows\system32\drivers\aswsp.sys
[Here is info from update-log]
2008-7-30 7:36:14 file Direct move of file: C:\Program Files\Alwil Software\Avast4\Setup\INF\AMD64\aswSP.sys
2008-7-30 7:36:14 file Installed file:C:\Program Files\Alwil Software\Avast4\Setup\INF\AMD64\aswSP.sys
2008-7-30 7:36:14 file Direct move of file: C:\Program Files\Alwil Software\Avast4\Setup\INF\aswSP.sys
2008-7-30 7:36:59 system Reboot set by changed resident C:\WINDOWS\system32\drivers\aswSP.sys
2008-7-30 7:36:59 system Driver file copied: C:\WINDOWS\system32\drivers\aswSP.sys
If you use ext2ifs on the system to share data with Linux, it will cause a system crash with code BAD_POOL_CALLER. There is no evidence showing that it is connected with ext2ifs, but the crash always happens when I try to access data on a disk that uses ext2ifs. When I copy the data to an NTFS disk, everything is all right. Here is the dump analysis.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 04030401, Memory contents of the pool block
Arg4: e13a7258, Address of the block of pool being deallocated
Debugging Details:
------------------
POOL_ADDRESS: e13a7258
FREED_POOL_TAG: pSsA
BUGCHECK_STR: 0xc2_7_pSsA
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: _uninst.exe
LAST_CONTROL_TRANSFER: from 80544e86 to 804f9aef
STACK_TEXT:
eb364b68 80544e86 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
eb364bb8 ee072a0a e13a7258 00000000 8055a584 nt!ExFreePoolWithTag+0x2a0
WARNING: Stack unwind information not available. Following frames may be wrong.
eb364be4 805c5e1c 00000730 0000016c eb364cdc aswSP+0x5a0a
eb364c04 80639346 e3986008 0000016c eb364cdc nt!PsCallImageNotifyRoutines+0x36
eb364d08 805c5bcd 7c810665 00000000 00000000 nt!DbgkCreateThread+0xa2
eb364d50 805421c2 00000000 7c810665 00000001 nt!PspUserThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
aswSP+5a0a
ee072a0a ?? ???
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: aswSP+5a0a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: aswSP
IMAGE_NAME: aswSP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4881fba3
FAILURE_BUCKET_ID: 0xc2_7_pSsA_aswSP+5a0a
BUCKET_ID: 0xc2_7_pSsA_aswSP+5a0a
Followup: MachineOwner
The crash happened in aswSP+5a0a.
Resolution:
There is no solution for now. Uninstall avast, or uninstall ext2ifs.
-
Can you send the dump(s) to Vlk's (http://forum.avast.com/index.php?action=profile;u=4) e-mail, please? (with a link to this thread)
Thanks.
-
I sent it, but there is still no answer.
-
Vlk is currently in US, and I'm not sure how often he checks the e-mails.
Please give him a few days :).
Thanks.
-
I don't have a dump, since I have since removed Avast! from my computer, but the same problem related to ext2ifs also occurs when using a similar driver, Ext2Fsd (http://sourceforge.net/projects/ext2fsd). Both ext2ifs and Ext2Fsd allow usage of EXT2 and EXT3 file formats within Windows. I've tried both drivers on my system, and both cause the BSOD. I've discovered that running an executable file from the EXT3 volume on my system will create the BSOD instantly.
-
I've been having the same problem. I run a dual-boot system with Ubuntu, so eliminating access to ext3 volumes really isn't an option; I was forced to uninstall Avast!
-
Just a short update on this: so far (from the minidumps I have seen to date) it seems that this is a problem that will need to be solved by the ext2ifs driver author. If this turns out to be the case, I'll get in touch with him and discuss the next steps.
In any case, I'll be testing the issue in more detail early next week in Redmond (MS labs) and let you know as soon as I know more.
Thanks
Vlk
-
Here's an update: the issue has been identified, and will be fixed in the next avast program update.
Thanks for reporting this by the way. It turned out to be a bug in avast code after all... :-\
Cheers
Vlk
-
next avast program update
Any schedule?
-
Any workaround until the new version is released without having to uninstall Avast? Disabling all the providers won't help, and this issue is quite inconvenient.
-
A workaround would help massively indeed.
-
I was experiencing this Ext2IFS issue too, so I uninstalled it. Any word on when the update will be released?
-
I was experiencing this Ext2IFS issue too, so I uninstalled it. Any word on when the update will be released?
Edited: Next program update... we even enter a beta phase (yet)... Sorry... maybe a month or more...
Alwil team is always faster ;D
-
Here's a preliminary fix that should resolve the issue.
To install it, please follow these steps:
1. disable the avast self-protection module (right click avast tray icon, select Program Settings, go to the Troubleshooting page and check the disable self defense box)
2. download the fixed driver:
32-bit Windows: http://public.avast.com/~vlk/aswsp-ext2fsd-fix/i386/aswSP.sys
64-bit Windows: http://public.avast.com/~vlk/aswsp-ext2fsd-fix/x64/aswSP.sys
and place it in the \windows\system32\drivers folder (overwrite existing)
3. re-enable avast self defense (disabled in step 1)
4. reboot the system.
Hope this helps,
Vlk
-
Works like a charm. Keep up the good work guys! ;)
-
The patch worked nice for the BSOD, but I still have a minor issue remaining:
I have multiple ext2/3 partitions and not all of them are mapped to a drive by Ext2IFS (for example: my linux /boot partition remains hidden).
But now, whenever I reboot my system, all my ext2/3 partitions are mapped automatically...
I can remove them manually in the Ext2IFS tool once I'm logged in, but they are mapped again to a drive next time I boot.
Uninstalling Avast stops this behaviour.
Any ideas?
-
Hmm.
With all respect, I don't see a way how this could be caused by avast.
The BSOD was indeed caused by an interesting bug in aswSP.sys, but this sounds like a completely unrelated problem.
Maybe you could try to get in touch with the ext2fsd author and ask him about his opinion?
Thanks
Vlk
-
I can remove them manually in the Ext2IFS tool once I'm logged in, but they are mapped again to a drive next time I boot.
Have you updated the IFS driver to 1.11?
I have had the same problems since I updated to this release; the author will fix this in another minor release.
-
Thanks! It looks like I only have the problem when both Avast and IFS-driver v1.11 are installed.
Downgrading IFS-driver to version v1.10c solves it for me!
-
Any chance of getting the details of this bug? I'm always interested in Windows internals; if you could post the logic error that was producing the bug, I'd appreciate that.
Thanks
-
More or less, it was like this:
One of the NT API calls (I think it was ZwQueryInformationProcess), when called on a file that was residing on an ext2fs volume, returned a UNICODE_STRING that had all its fields (Size, MaximumSize and Buffer) set to zero/NULL while the function still returned STATUS_SUCCESS.
In aswSP.sys, in case of returned STATUS_SUCCESS, we were touching the Buffer pointer value without first checking the Size field.
Bang....! :)
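
The bug class described in the post above, as an added example that is not part of the original thread and is not avast's code: a user-mode C model in which a query reports success but hands back an all-zero string, with the unchecked read beside a checked one. `USTR`, the stub, the status values and the function names are hypothetical; the struct uses the Windows field names Length and MaximumLength (byte counts) for what the post calls Size and MaximumSize.

```c
#include <stdint.h>
#include <string.h>

/* User-mode stand-in for the kernel's UNICODE_STRING (lengths in bytes). */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;
} USTR;

enum { ST_SUCCESS, ST_EMPTY_NAME, ST_TOO_SMALL };  /* hypothetical statuses */

/* Hypothetical stub: reports success but leaves every field zero/NULL. */
int query_image_name_stub(USTR *out)
{
    out->Length = out->MaximumLength = 0;
    out->Buffer = NULL;
    return ST_SUCCESS;
}

/* Before: trusts the status alone; NULL dereference when Buffer is NULL. */
uint16_t first_char_unchecked(const USTR *s) { return s->Buffer[0]; }

/* After: the string is usable only if its own fields are consistent. */
int ustr_is_usable(const USTR *s)
{
    return s != NULL && s->Buffer != NULL && s->Length != 0 &&
           (s->Length % sizeof(uint16_t)) == 0 &&
           s->Length <= s->MaximumLength;
}

/* Copies the name into dst (dst_chars UTF-16 units) and NUL-terminates it. */
int copy_image_name_checked(const USTR *s, uint16_t *dst, size_t dst_chars)
{
    if (!ustr_is_usable(s))
        return ST_EMPTY_NAME;       /* success status, but nothing to read */
    size_t chars = s->Length / sizeof(uint16_t);
    if (chars + 1 > dst_chars)
        return ST_TOO_SMALL;
    memcpy(dst, s->Buffer, s->Length);
    dst[chars] = 0;
    return ST_SUCCESS;
}

int main(void)
{
    USTR s; uint16_t buf[16];
    return query_image_name_stub(&s) == ST_SUCCESS &&
           copy_image_name_checked(&s, buf, 16) == ST_EMPTY_NAME ? 0 : 1;
}
```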
-
I'm kind of wondering what the status of this bug is.
I had a BSOD hit me on Oct 16; while it was related to Avast and Ext2IFS (1.10c), the system would only crash during particular Windows XP updates. I guess I shouldn't have allowed the updates, because I didn't have any trouble before. It took a while to figure out, as I had to come up to speed on reading minidumps, then search the internet for aswsp.sys references.
Initial events didn't go well for me, as the restore points were corrupted at the disk level, clearing all my history. Then I found many Windows applications didn't work when the system came back (truncated this's and that's). I did a Windows repair install, then proceeded to reload individual updates, skipping updates that crashed the system. I include them here for the benefit of others searching the internet.
Not in any particular order, KB935448, KB890830, KB922582, KB900725, KB913580, KB951066,
KB954211, KB950974, KB952954, and the best for last WMP11
My personal workaround was to unload the Ext2IFS driver; then the remaining updates installed without a problem.
I guess I'm wondering: was there an issue with the Ext2IFS driver, and will Avast's daily updates look after the patch for me? Also, if my system seemed quite happy until I did some updates (I think there were 17 outstanding), what was it that the updates did that provoked Avast and Ext2IFS to collide?
David R