Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: shell909090 on July 31, 2008, 03:38:41 AM

Title: avast4 collide with ext2ifs
Post by: shell909090 on July 31, 2008, 03:38:41 AM
Affected Product:
    Avast4 home edition
    ext2ifs 1.10c
    ext2ifs 1.11
Description:
    avast4 home edition is a free anti-virus tool. On 2008-07-30 it updated some files, including a file called 'aswSP.sys'. According to the information in autoruns, it's the avast self protection module.
[Here is info from autoruns.]
aswSP    avast! self protection module    ALWIL Software    c:\windows\system32\drivers\aswsp.sys
[Here is info from update-log]
2008-7-30 7:36:14    file        Direct move of file: C:\Program Files\Alwil Software\Avast4\Setup\INF\AMD64\aswSP.sys
2008-7-30 7:36:14    file        Installed file:C:\Program Files\Alwil Software\Avast4\Setup\INF\AMD64\aswSP.sys
2008-7-30 7:36:14    file        Direct move of file: C:\Program Files\Alwil Software\Avast4\Setup\INF\aswSP.sys
2008-7-30 7:36:59    system        Reboot set by changed resident C:\WINDOWS\system32\drivers\aswSP.sys
2008-7-30 7:36:59    system        Driver file copied: C:\WINDOWS\system32\drivers\aswSP.sys
    If you use ext2ifs on the system to share data with Linux, it'll cause a system crash with code BAD_POOL_CALLER. There is no evidence showing it has a connection with ext2ifs, but the crash always happens when I try to access data on a disk that uses ext2ifs. When I copy the data to an NTFS disk, it is all right. Here is the dump analysis.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 04030401, Memory contents of the pool block
Arg4: e13a7258, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  e13a7258

FREED_POOL_TAG:  pSsA

BUGCHECK_STR:  0xc2_7_pSsA

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  _uninst.exe

LAST_CONTROL_TRANSFER:  from 80544e86 to 804f9aef

STACK_TEXT:
eb364b68 80544e86 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
eb364bb8 ee072a0a e13a7258 00000000 8055a584 nt!ExFreePoolWithTag+0x2a0
WARNING: Stack unwind information not available. Following frames may be wrong.
eb364be4 805c5e1c 00000730 0000016c eb364cdc aswSP+0x5a0a
eb364c04 80639346 e3986008 0000016c eb364cdc nt!PsCallImageNotifyRoutines+0x36
eb364d08 805c5bcd 7c810665 00000000 00000000 nt!DbgkCreateThread+0xa2
eb364d50 805421c2 00000000 7c810665 00000001 nt!PspUserThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
aswSP+5a0a
ee072a0a ??              ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  aswSP+5a0a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: aswSP

IMAGE_NAME:  aswSP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4881fba3

FAILURE_BUCKET_ID:  0xc2_7_pSsA_aswSP+5a0a

BUCKET_ID:  0xc2_7_pSsA_aswSP+5a0a

Followup: MachineOwner

    The crash happened in aswSP+5a0a.

Resolution:
    There is no solution for now. Uninstall avast, or uninstall ext2ifs.
Title: Re: avast4 collide with ext2ifs
Post by: igor on July 31, 2008, 02:28:39 PM
Can you send the dump(s) to Vlk's (http://forum.avast.com/index.php?action=profile;u=4) e-mail, please? (with a link to this thread)

Thanks.
Title: Re: avast4 collide with ext2ifs
Post by: shell909090 on August 04, 2008, 09:27:20 AM
I sent it, but still no answer.
Title: Re: avast4 collide with ext2ifs
Post by: igor on August 04, 2008, 09:32:17 AM
Vlk is currently in US, and I'm not sure how often he checks the e-mails.
Please give him a few days :).
Thanks.
Title: Re: avast4 collide with ext2ifs
Post by: Mr_Bumpy on August 06, 2008, 10:32:41 PM
I don't have a dump, since I have since removed Avast! from my computer, but the same problem related to ext2ifs also occurs when using a similar driver, Ext2Fsd (http://sourceforge.net/projects/ext2fsd).  Both ext2ifs and Ext2Fsd allow usage of EXT2 and EXT3 file formats within Windows.  I've tried both drivers on my system, and both cause the BSOD.  I've discovered that running an executable file from the EXT3 volume on my system will create the BSOD instantly.
Title: Re: avast4 collide with ext2ifs
Post by: caulkins on August 07, 2008, 02:37:04 AM
I've been having the same problem.  I run a dual-boot system with Ubuntu, so eliminating access to ext3 volumes really isn't an option; I was forced to uninstall Avast!
Title: Re: avast4 collide with ext2ifs
Post by: Vlk on August 08, 2008, 07:56:23 PM
Just a short update on this: so far (from the minidumps I have seen to date) it seems that this is a problem that will need to be solved by the ext2ifs driver author. If this turns out to be the case, I'll get in touch with him and discuss the next steps.

In any case, I'll be testing the issue in more detail early next week in Redmond (MS labs) and let you know as soon as I know more.

Thanks
Vlk
Title: Re: avast4 collide with ext2ifs
Post by: Vlk on August 15, 2008, 03:05:19 AM
Here's an update: the issue has been identified, and will be fixed in the next avast program update.

Thanks for reporting this by the way. It turned out to be a bug in avast code after all... :-\

Cheers
Vlk
Title: Re: avast4 collide with ext2ifs
Post by: Lisandro on August 15, 2008, 03:13:41 AM
next avast program update
Any schedule?
Title: Re: avast4 collide with ext2ifs
Post by: xdcdx on August 19, 2008, 04:06:01 PM
Any workaround until the new version is released without having to uninstall Avast? Disabling all the providers won't help, and this issue is quite inconvenient.
Title: Re: avast4 collide with ext2ifs
Post by: nvb on August 20, 2008, 11:37:52 PM
A Work-around would help massively indeed.
Title: Re: avast4 collide with ext2ifs
Post by: pdedecker on August 21, 2008, 10:16:39 AM
I was experiencing this Ext2IFS issue too, so I uninstalled it. Any word on when the update will be released?
Title: Re: avast4 collide with ext2ifs
Post by: Lisandro on August 21, 2008, 04:41:24 PM
I was experiencing this Ext2IFS issue too, so I uninstalled it. Any word on when the update will be released?
Edited: Next program update... we even enter a beta phase (yet)... Sorry... maybe a month or more...
Alwil team is always faster  ;D
Title: Re: avast4 collide with ext2ifs
Post by: Vlk on August 21, 2008, 04:46:58 PM
Here's a preliminary fix that should resolve the issue.

To install it, please follow these steps:

1. disable the avast self-protection module (right click avast tray icon, select Program Settings, go to the Troubleshooting page and check the disable self defense box)

2. download the fixed driver:

32-bit Windows: http://public.avast.com/~vlk/aswsp-ext2fsd-fix/i386/aswSP.sys
64-bit Windows: http://public.avast.com/~vlk/aswsp-ext2fsd-fix/x64/aswSP.sys

and place it to the \windows\system32\drivers folder (overwrite existing)

3. re-enable avast self defense (disabled in step 1)

4. reboot the system.


Hope this helps,
Vlk
Title: Re: avast4 collide with ext2ifs
Post by: xdcdx on August 21, 2008, 06:45:42 PM
Works like a charm. Keep up the good work guys!  ;)
Title: Re: avast4 collide with ext2ifs
Post by: abcxyz on September 01, 2008, 04:47:54 PM
The patch worked nice for the BSOD, but I still have a minor issue remaining:
I have multiple ext2/3 partitions and not all of them are mapped to a drive by Ext2IFS (for example: my linux /boot partition remains hidden).
But now, whenever I reboot my system, all my ext2/3 partitions are mapped automatically...
I can remove them manually in the Ext2IFS tool once I'm logged in, but they are mapped again to a drive next time I boot.

Uninstalling Avast stops this behaviour.

Any ideas?
Title: Re: avast4 collide with ext2ifs
Post by: Vlk on September 02, 2008, 02:06:06 PM
Hmm.

With all respect, I don't see a way how this could be caused by avast.
The BSOD was indeed caused by an interesting bug in aswSP.sys, but this sounds like a completely unrelated problem.

Maybe you could try to get in touch with the ext2fsd author and ask him about his opinion?


Thanks
Vlk
Title: Re: avast4 collide with ext2ifs
Post by: nvb on September 05, 2008, 03:41:55 PM
I can remove them manually in the Ext2IFS tool once I'm logged in, but they are mapped again to a drive next time I boot.

You have updated the IFS-driver to 1.11?
I have had the same problems since I updated to this release; the author of it will fix this in another minor release.
Title: Re: avast4 collide with ext2ifs
Post by: abcxyz on September 05, 2008, 06:57:45 PM
Thanks! It looks like I only have the problem when both Avast and IFS-driver v1.11 are installed.
Downgrading IFS-driver to version v1.10c solves it for me!
Title: Re: avast4 collide with ext2ifs
Post by: Noishe on October 17, 2008, 05:26:07 PM
Any chance of getting the details of this bug? I'm always interested in Windows internals; if you could post the logic error that was producing the bug, I'd appreciate that.

Thanks
Title: Re: avast4 collide with ext2ifs
Post by: Vlk on October 17, 2008, 05:44:01 PM
More or less, it was like this:

One of the NT API calls (I think it was ZwQueryInformationProcess), when called on a file that was residing on an ext2fs volume, returned a UNICODE_STRING that had all its fields (Size, MaximumSize and Buffer) set to zero/NULL while the function still returned STATUS_SUCCESS.

In aswSP.sys, in case of returned STATUS_SUCCESS, we were touching the Buffer pointer value without first checking the Size field.

Bang....!  :)
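
The check described in the post above, as an added example (not avast's code and not part of the original thread): a user-mode C sketch that validates a returned UNICODE_STRING before touching Buffer, even when the status is STATUS_SUCCESS. The field names follow the Windows UNICODE_STRING definition (Length, MaximumLength, Buffer); query_image_name, name_is_usable, leaf_name_chars and the sample path are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* User-mode stand-ins for the kernel types, so this builds anywhere. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0)
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
typedef struct {
    uint16_t  Length;         /* bytes in use, not characters */
    uint16_t  MaximumLength;  /* bytes allocated */
    uint16_t *Buffer;         /* UTF-16 code units, not NUL-terminated */
} UNICODE_STRING;

/* Constructed sample: image path as returned for a file on an NTFS volume. */
static uint16_t ntfs_path[] = { '\\','D','e','v','\\','a','.','e','x','e' };

/* Hypothetical query stub. on_ext2 != 0 reproduces the case from the thread:
 * success status, but every field of the returned string is zero/NULL. */
static NTSTATUS query_image_name(int on_ext2, UNICODE_STRING *out)
{
    if (on_ext2) {
        out->Length = 0; out->MaximumLength = 0; out->Buffer = NULL;
    } else {
        out->Length = out->MaximumLength = (uint16_t)sizeof(ntfs_path);
        out->Buffer = ntfs_path;
    }
    return STATUS_SUCCESS;
}

/* A success status alone says nothing about the payload: validate it. */
static int name_is_usable(NTSTATUS st, const UNICODE_STRING *s)
{
    return NT_SUCCESS(st) && s->Buffer != NULL && s->Length != 0 &&
           s->Length % sizeof(uint16_t) == 0 && s->Length <= s->MaximumLength;
}

/* Characters in the final path component, or -1 when no name is available. */
static int leaf_name_chars(int on_ext2)
{
    UNICODE_STRING name;
    NTSTATUS st = query_image_name(on_ext2, &name);
    if (!name_is_usable(st, &name))
        return -1;                      /* treat as "name unknown", do not touch Buffer */
    size_t n = name.Length / sizeof(uint16_t), i = n;
    while (i > 0 && name.Buffer[i - 1] != '\\')
        i--;
    return (int)(n - i);
}

int main(void) { return leaf_name_chars(1) == -1 ? 0 : 1; }
```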
Title: Re: avast4 collide with ext2ifs
Post by: David R on October 29, 2008, 09:58:21 PM
I'm kind of wondering what the status of this bug is.

Had BSOD hit me on Oct 16, while it was related to Avast and Ext2IFS (1.10c), the system would only crash during particular Windows XP updates.  I guess I shouldn't have allowed the updates, cause I didn't have any trouble before.  Took awhile to figure out as I had to come up to speed on reading minidumps.  Then search the internet for aswsp.sys references.

Initial events didn't go well for me as the restore points were corrupted at the disk level, clearing all my history.  Then found many windows applications didn't work when the system came back (truncated this's and that's).  Did a Windows repair install.  Then proceeded to reload individual updates skipping updates that crashed the system.  I include them here for the benefit of others searching the internet.

Not in any particular order, KB935448, KB890830, KB922582, KB900725, KB913580, KB951066,
KB954211, KB950974, KB952954, and the best for last WMP11

My personal workaround was to unload the Ext2IFS driver then the remaining updates installed without a problem.

I guess I'm wondering was there an issue with the Ext2IFS driver and will Avast's daily updates look after the patch for me?  Also if my system seemed quite happy until I did some updates (I think there was 17 outstanding), what was it that the updates did that provoked Avast and Ext2IFS to collide?

David R