EldoS | Feel safer!

Software components for data protection, secure storage and transfer

concurrent OnOpenFile to same file -- DesiredAccess sometimes wrong

Also by EldoS: SecureBlackbox
200+ components and classes for digital security, signing, encryption and secure networking.
Posted: 11/30/2010 18:00:00
by Jim Freeman (Standard support level)
Joined: 11/29/2010
Posts: 8

When double clicking an EXE to run it, Explorer appears to concurrently make Open calls to the same EXE file. In this situation, we found the Execute access right is sometimes not passed through to CBFS’s OnOpenFile via the DesiredAccess parameter. Sysinternals’s ProcMon showed CreateFile opening a file with Execute access rights, but OnOpenFile was sometimes not called with this access right. The problem seems timing dependent.

My testing was done with CBFS 3.0.78, C# .NET 3.5, Windows 2008R2x64. I didn’t test permissions other than Execute. I’m not yet able to test with 3.1.83 due to installation issues (see my other forum thread yesterday), but the release notes don’t indicate anything about this issue.

I wrote a 120 line multithreaded C# client test app FileRightsMT to easily demonstrate the problem using VMounter or any other similar CBFS file system app. The test app spawns n threads, where 50% of the threads open the file using read rights, the other 50% using execute rights. The threads opening with Read rights verify the open succeeds; the threads opening with Execute rights verify the open fails with UnauthorizedAccessException. The app is attached to this message. Follow these steps:

1) Add this code block to the top of C# VMounter’s form1.cs OnOpenFile method, and compile (I used VS2008)
const uint ERROR_ACCESS_DENIED = 5;
const uint RIGHTS_FILE_EXECUTE = 0x0020;

// throw error if caller asking for execute permission
if ((DesiredAccess & RIGHTS_FILE_EXECUTE) != 0)
2) Start VMounter
3) Compile FileRightsMT test console app (it is set for .NET 3.5, but 2.0 will can be used).
4) From command line run “FileRightsMT -filename=<path to any file in VMounter> -threadcount=n”, where n is about 5 or more. You should see the problem occur immediately: the app will display “x: y ERROR -- file access was not denied”, where x is the thread number, and y is the iteration count.

The test app never detects any errors when run with 1 thread against CBFS, or against plain NTFS with any number of threads using a file that only has Read permissions but no Execute permissions.

Adding “#define USE_LOCK 1” to top of test app changes so it allows only one thread to have the file open at any given time, which makes the problem go away.

Adding mCbFs.SerializeCallbacks=true to VMounter’s MounterForm_Load() doesn’t appear to affect the problem.

[ Download ]
Posted: 12/02/2010 07:27:39
by Eugene Mayevski (EldoS Corp.)

Thank you for the detailed description. I've moved the question to HelpDesk for investigation.

Sincerely yours
Eugene Mayevski



Topic viewed 1078 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!