avast4 collides with ext2ifs

Affected Product:
Avast4 home edition
ext2ifs 1.10c
ext2ifs 1.11
Description:
Avast4 Home Edition is a free anti-virus tool. On 2008-07-30 it updated some files, including a file called ‘aswSP.sys’. According to the information in Autoruns, it’s the avast self-protection module.
[Here is info from autoruns.]
aswSP    avast! self protection module    ALWIL Software    c:\windows\system32\drivers\aswsp.sys
[Here is info from update-log]
2008-7-30 7:36:14 file Direct move of file: C:\Program Files\Alwil Software\Avast4\Setup\INF\AMD64\aswSP.sys
2008-7-30 7:36:14 file Installed file:C:\Program Files\Alwil Software\Avast4\Setup\INF\AMD64\aswSP.sys
2008-7-30 7:36:14 file Direct move of file: C:\Program Files\Alwil Software\Avast4\Setup\INF\aswSP.sys
2008-7-30 7:36:59 system Reboot set by changed resident C:\WINDOWS\system32\drivers\aswSP.sys
2008-7-30 7:36:59 system Driver file copied: C:\WINDOWS\system32\drivers\aswSP.sys
If you use ext2ifs on the system to share data with Linux, it’ll cause a system crash with code BAD_POOL_CALLER. There is no evidence showing it is connected with ext2ifs, but the crash always happens when I try to access data on a disk that uses ext2ifs. When I copy data to an NTFS disk, it’s all right. Here is the dump analysis.


*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 04030401, Memory contents of the pool block
Arg4: e13a7258, Address of the block of pool being deallocated

Debugging Details:

POOL_ADDRESS: e13a7258

FREED_POOL_TAG: pSsA

BUGCHECK_STR: 0xc2_7_pSsA

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: _uninst.exe

LAST_CONTROL_TRANSFER: from 80544e86 to 804f9aef

STACK_TEXT:
eb364b68 80544e86 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
eb364bb8 ee072a0a e13a7258 00000000 8055a584 nt!ExFreePoolWithTag+0x2a0
WARNING: Stack unwind information not available. Following frames may be wrong.
eb364be4 805c5e1c 00000730 0000016c eb364cdc aswSP+0x5a0a
eb364c04 80639346 e3986008 0000016c eb364cdc nt!PsCallImageNotifyRoutines+0x36
eb364d08 805c5bcd 7c810665 00000000 00000000 nt!DbgkCreateThread+0xa2
eb364d50 805421c2 00000000 7c810665 00000001 nt!PspUserThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
aswSP+5a0a
ee072a0a ?? ???

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: aswSP+5a0a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: aswSP

IMAGE_NAME: aswSP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4881fba3

FAILURE_BUCKET_ID: 0xc2_7_pSsA_aswSP+5a0a

BUCKET_ID: 0xc2_7_pSsA_aswSP+5a0a

Followup: MachineOwner

The crash happened in aswSP+5a0a.

Resolution:
There is no solution for now. Uninstall avast, or uninstall ext2ifs.
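
A short triage pass over the analysis text in the post above, added here as an example (it is not part of the original post or of any avast or debugger tooling). The names `triage`, `SAMPLE` and `FRAME` are made up for the illustration; the sample is an excerpt of the lines quoted above.

```python
import re

# Excerpt of the analysis text quoted in the post above (Arg2/Arg3 and trailing frames omitted).
SAMPLE = """\
BAD_POOL_CALLER (c2)
Arg1: 00000007, Attempt to free pool which was already freed
Arg4: e13a7258, Address of the block of pool being deallocated
FREED_POOL_TAG: pSsA
STACK_TEXT:
eb364b68 80544e86 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
eb364bb8 ee072a0a e13a7258 00000000 8055a584 nt!ExFreePoolWithTag+0x2a0
WARNING: Stack unwind information not available. Following frames may be wrong.
eb364be4 805c5e1c 00000730 0000016c eb364cdc aswSP+0x5a0a
eb364c04 80639346 e3986008 0000016c eb364cdc nt!PsCallImageNotifyRoutines+0x36
eb364d08 805c5bcd 7c810665 00000000 00000000 nt!DbgkCreateThread+0xa2

STACK_COMMAND: kb
"""

FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(?P<mod>\w+)(?:!(?P<sym>\w+))?\+0x(?P<off>[0-9a-f]+)$")

def triage(text):
    """Summarise a bugcheck analysis: code, arguments, pool tag, blamed frame."""
    out = {"args": {}, "frames": []}
    m = re.search(r"^(\w+) \(([0-9a-f]+)\)$", text, re.M)
    out["name"], out["code"] = m.group(1), int(m.group(2), 16)
    for n, val in re.findall(r"^Arg(\d): ([0-9a-f]{8}),", text, re.M):
        out["args"][int(n)] = int(val, 16)
    tag = re.search(r"^FREED_POOL_TAG:\s*(\S+)", text, re.M)
    out["freed_tag"] = tag.group(1) if tag else None
    in_stack = False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and (f := FRAME.match(line.strip())):
            out["frames"].append((f["mod"], f["sym"], int(f["off"], 16)))
        elif in_stack and not line.strip():
            break  # a blank line ends the stack listing; WARNING lines are skipped
    # The first frame outside the kernel image is the one the debugger follows up on.
    out["blamed"] = next((fr for fr in out["frames"] if fr[0] != "nt"), None)
    # The frame just below it shows which kernel path called into the driver.
    i = out["frames"].index(out["blamed"]) if out["blamed"] else -1
    out["caller"] = out["frames"][i + 1] if 0 <= i < len(out["frames"]) - 1 else None
    return out
```

On the quoted dump this reports a double free (Arg1 = 7) of a block tagged pSsA, attributed to aswSP+0x5a0a, reached from the kernel's image-load notification path.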

Can you send the dump(s) to Vlk’s e-mail, please? (with a link to this thread)

Thanks.

I sent them, but still no answer.

Vlk is currently in US, and I’m not sure how often he checks the e-mails.
Please give him a few days :).
Thanks.

I don’t have a dump, since I have since removed Avast! from my computer, but the same problem related to ext2ifs also occurs when using a similar driver, Ext2Fsd (http://sourceforge.net/projects/ext2fsd). Both ext2ifs and Ext2Fsd allow usage of EXT2 and EXT3 file formats within Windows. I’ve tried both drivers on my system, and both cause the BSOD. I’ve discovered that running an executable file from the EXT3 volume on my system will create the BSOD instantly.

I’ve been having the same problem. I run a dual-boot system with Ubuntu, so eliminating access to ext3 volumes really isn’t an option; I was forced to uninstall Avast!

Just a short update on this: so far (from the minidumps I have seen to date) it seems that this is a problem that will need to be solved by the ext2ifs driver author. If this turns out to be the case, I’ll get in touch with him and discuss the next steps.

In any case, I’ll be testing the issue in more detail early next week in Redmond (MS labs) and let you know as soon as I know more.

Thanks
Vlk

Here’s an update: the issue has been identified, and will be fixed in the next avast program update.

Thanks for reporting this by the way. It turned out to be a bug in avast code after all… :-\

Cheers
Vlk

Any schedule?

Any workaround until the new version is released without having to uninstall Avast? Disabling all the providers won’t help, and this issue is quite inconvenient.

A Work-around would help massively indeed.

I was experiencing this Ext2IFS issue too, so I uninstalled it. Any word on when the update will be released?

Edited: Next program update… we even enter a beta phase (yet)… Sorry… maybe a month or more…
Alwil team is always faster ;D

Here’s a preliminary fix that should resolve the issue.

To install it, please follow these steps:

  1. disable the avast self-protection module (right click avast tray icon, select Program Settings, go to the Troubleshooting page and check the disable self defense box)

  2. download the fixed driver:

32-bit Windows: http://public.avast.com/~vlk/aswsp-ext2fsd-fix/i386/aswSP.sys
64-bit Windows: http://public.avast.com/~vlk/aswsp-ext2fsd-fix/x64/aswSP.sys

and place it in the \windows\system32\drivers folder (overwrite existing)

  3. re-enable avast self defense (disabled in step 1)

  4. reboot the system.

Hope this helps,
Vlk
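
A check to run after the steps above, added here as an example (not code from avast or from the original post): it reads the link timestamp from the driver's PE header and compares it with the DEBUG_FLR_IMAGE_TIMESTAMP of the crashing build shown in the dump. The function names and `fake_driver` test input are made up for the illustration; a different timestamp only shows the file is a different build, since the thread gives no hash or timestamp for the fixed driver.

```python
import struct

# Link timestamp of the crashing build, from DEBUG_FLR_IMAGE_TIMESTAMP in the dump.
CRASHING_BUILD = 0x4881FBA3

def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from the leading bytes of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return stamp

def is_crashing_build(data: bytes) -> bool:
    """True if the image carries the same link timestamp as the driver in the dump."""
    return pe_timestamp(data) == CRASHING_BUILD

def fake_driver(stamp: int) -> bytes:
    """Constructed test input: the smallest header layout pe_timestamp() reads."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff

if __name__ == "__main__":
    import sys
    # Assumed usage: pass the path of the installed driver, i.e. the aswSP.sys
    # in the \windows\system32\drivers folder named in the steps above.
    with open(sys.argv[1], "rb") as fh:
        head = fh.read(4096)
    verdict = "same build as the dump" if is_crashing_build(head) else "different build"
    print(f"TimeDateStamp {pe_timestamp(head):08x} ({verdict})")
```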

Works like a charm. Keep up the good work guys! :wink:

The patch worked nice for the BSOD, but I still have a minor issue remaining:
I have multiple ext2/3 partitions and not all of them are mapped to a drive by Ext2IFS (for example: my linux /boot partition remains hidden).
But now, whenever I reboot my system, all my ext2/3 partitions are mapped automatically…
I can remove them manually in the Ext2IFS tool once I’m logged in, but they are mapped again to a drive next time I boot.

Uninstalling Avast stops this behaviour.

Any ideas?

Hmm.

With all respect, I don’t see a way how this could be caused by avast.
The BSOD was indeed caused by an interesting bug in aswSP.sys, but this sounds like a completely unrelated problem.

Maybe you could try to get in touch with the ext2fsd author and ask him about his opinion?

Thanks
Vlk

You have updated the IFS-driver to 1.11?
I have had the same problems since I updated to this release; the author of it will fix this in another minor release.

Thanks! It looks like I only have the problem when both Avast and IFS-driver v1.11 are installed.
Downgrading IFS-driver to version v1.10c solves it for me!

Any chance of getting the details of this bug? I’m always interested in Windows internals, if you could post the logic error that was producing the bug, I’d appreciate that.

Thanks