Issue 179 attachment: crash.txt (11.2 KB)

*** Fatal System Error: 0x00000139
(0x00000003,0x81BE4B54,0x81BE4A80,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 8 9600 x86 compatible target at (Wed Nov 19 17:13:11.168 2014 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
................................................................
................................................................
................................................................
....................
Loading unloaded module list
...............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, 81be4b54, 81be4a80, 0}

Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+483 )

Followup: Pool_corruption
---------

nt!RtlpBreakWithStatusInstruction:
81f10ef4 cc int 3
1: kd> .reload
Connected to Windows 8 9600 x86 compatible target at (Wed Nov 19 17:14:17.937 2014 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
................................................................
................................................................
................................................................
....................
Loading unloaded module list
...............
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 00000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: 81be4b54, Address of the trap frame for the exception that caused the bugcheck
Arg3: 81be4a80, Address of the exception record for the exception that caused the bugcheck
Arg4: 00000000, Reserved

Debugging Details:
------------------


TRAP_FRAME: 81be4b54 -- (.trap 0xffffffff81be4b54)
ErrCode = 00000000
eax=00000000 ebx=a5415da8 ecx=9933b5d0 edx=00000003 esi=00000002 edi=88827334
eip=81ff04a3 esp=81be4bc8 ebp=81be4c10 iopl=0 nv up ei pl nz ac po cy
cs=0008 ss=0010 ds=b5c0 es=0023 fs=0030 gs=0023 efl=00000213
nt!ExDeferredFreePool+0x483:
81ff04a3 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: 81be4a80 -- (.exr 0xffffffff81be4a80)
ExceptionAddress: 81ff04a3 (nt!ExDeferredFreePool+0x00000483)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 00000003

DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT

BUGCHECK_STR: 0x139

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 1

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 00000003

LAST_CONTROL_TRANSFER: from 81f91cbe to 81f10ef4

STACK_TEXT:
81be4614 81f91cbe 00000003 d630f8a2 00000065 nt!RtlpBreakWithStatusInstruction
81be4668 81f917d8 801c8138 81be4a68 81be4b54 nt!KiBugCheckDebugBreak+0x1f
81be4a3c 81f0fab6 00000139 00000003 81be4b54 nt!KeBugCheck2+0x676
81be4a60 81f20efa 00000139 00000003 81be4b54 nt!KiBugCheck2+0xc6
81be4a60 81ff04a3 00000139 00000003 81be4b54 nt!KiRaiseSecurityCheckFailure+0xf6
81be4c10 81ff0bd4 90600fc0 8886f978 00000001 nt!ExDeferredFreePool+0x483
81be4c88 932fd58e 8886f978 00000000 c431a195 nt!ExFreePoolWithTag+0x724
81be4f3c 81f20b27 00000042 0000000c 8886f978 win32k!NtUserSystemParametersInfo+0x1c2
81be4f3c 77c26ce4 00000042 0000000c 8886f978 nt!KiSystemServicePostCall
042fda68 7796bc63 7796bcd9 00000042 0000000c ntdll!KiFastSystemCallRet
042fda6c 7796bcd9 00000042 0000000c 042fdbd4 USER32!NtUserSystemParametersInfo+0xa
042fdab0 74681f1a 00000042 0000000c 042fdbd4 USER32!RealSystemParametersInfoW+0x5d
042fdb60 7796bda2 00000042 0000000c 042fdbd4 UxTheme!ThemeSystemParametersInfoW+0x9e [d:\blue_gdr\shell\themes\uxtheme\sethook.cpp @ 1388]
042fdba8 7468cc6e 00000042 0000000c 042fdbd4 USER32!SystemParametersInfoW+0xa2
042fde0c 6471bf5d 042fdea0 ffffffff 6471e72c UxTheme!IsThemeActive+0x4d [d:\blue_gdr\shell\themes\uxtheme\wrapper.cpp @ 2516]
042fde18 6471e72c 0000000f 042fdfcc 0ecdfc60 UIRibbon!MsoThemeFActive+0x1c
042fded0 6471b5dd 01010919 042fe1b0 042fe020 UIRibbon!NetUI::Element::Paint+0x65
042fdf6c 6471b634 0fcbba38 0ecdfc60 042fdfcc UIRibbon!NetUI::Element::_DisplayNodeCallback+0x440
042fdfb8 6471d308 0fcbba38 042fdfcc 00000002 UIRibbon!GPCB::xwInvokeDirect+0x22
042fdff4 6471ea45 0fcbba38 01010919 042fe1b0 UIRibbon!GPCB::xrFirePaint+0x4a
042fe034 6471df1e 042fe074 042fe1b0 0fcbba38 UIRibbon!DuVisual::xrDrawCore+0xcc
042fe1d4 6471df7b 042fe210 0fcbba90 00000000 UIRibbon!DuVisual::xrDrawFull+0x6a2
042fe370 6471df7b 042fe3ac 0fcbc4e0 00000000 UIRibbon!DuVisual::xrDrawFull+0x733
042fe50c 6471df7b 042fe548 0fcbc590 00000000 UIRibbon!DuVisual::xrDrawFull+0x733
042fe6a8 6471df7b 042fe6e4 0fcbc640 00000000 UIRibbon!DuVisual::xrDrawFull+0x733
042fe844 6471df7b 042fe880 0fcbc6f0 00000000 UIRibbon!DuVisual::xrDrawFull+0x733
042fe9e0 6471df7b 042fea1c 0fcb1678 ffffffff UIRibbon!DuVisual::xrDrawFull+0x733
042feb7c 6471d298 042fec6c 0fcb1678 00000000 UIRibbon!DuVisual::xrDrawFull+0x733
042feb90 64720f03 042fec6c 00000000 7700930b UIRibbon!DuVisual::xrDrawStart+0x3a
042feca8 6472806f 00000000 5f0108e7 042fed00 UIRibbon!DuRootGadget::xrDrawTree+0x384
042fed24 746d8254 00000000 5f0108e7 5f0108e7 UIRibbon!HWndContainer::OnNcPaint+0x176
042fed4c 746d81e9 0ade8e44 04010908 0ade8e20 UxTheme!NcDrawCustomElements+0x61 [d:\blue_gdr\shell\themes\uxtheme\nctheme.cpp @ 4692]
042fedfc 746d7e60 04010908 0ade8e44 042fee40 UxTheme!CThemeWnd::NcPaintCaption+0x5a6 [d:\blue_gdr\shell\themes\uxtheme\nctheme.cpp @ 4819]
042feefc 746d2930 00000000 00000000 05040918 UxTheme!CThemeWnd::NcPaint+0x457 [d:\blue_gdr\shell\themes\uxtheme\nctheme.cpp @ 5170]
042fef20 74685a13 0ade8e20 042fef68 779de2a8 UxTheme!OnDwpNcPaint+0x60 [d:\blue_gdr\shell\themes\uxtheme\nctheme.cpp @ 5764]
042fef90 74681964 05040918 00000000 00000001 UxTheme!_ThemeDefWindowProc+0x629 [d:\blue_gdr\shell\themes\uxtheme\sethook.cpp @ 1070]
042fefa4 77969962 00030102 00000085 05040918 UxTheme!ThemeDefWindowProcW+0x18 [d:\blue_gdr\shell\themes\uxtheme\sethook.cpp @ 1114]
042feff8 6ab72147 00030102 00000085 05040918 USER32!DefWindowProcW+0x1e7
042ff03c 6ab6b41c 00030102 00000085 05040918 explorerframe!CExplorerFrame::v_WndProc+0xfc
042ff060 779675b3 00030102 00000085 05040918 explorerframe!CImpWndProc::s_WndProc+0x69
042ff08c 779677b8 6ab6b3db 00030102 00000085 USER32!_InternalCallWinProc+0x23
042ff10c 77969b6a 00030102 00000085 05040918 USER32!UserCallWinProcCheckWow+0x110
042ff138 6470b6f1 6ab6b3db 00030102 00000085 USER32!CallWindowProcW+0x63
042ff170 779675b3 01650fc0 00000085 05040918 UIRibbon!WndBridge::RawWndProc+0xfa
042ff19c 77967677 04650fc0 00030102 00000085 USER32!_InternalCallWinProc+0x23
042ff21c 77969744 00030102 00000085 05040918 USER32!UserCallWinProcCheckWow+0x1c9
042ff278 77969894 016661b0 00000085 05040918 USER32!DispatchClientMessage+0xb5
042ff2a0 77c26c1e 042ff2bc 00000018 042ff398 USER32!__fnDWORD+0x2c
042ff2d0 779698b6 77969bb0 00030102 0000000f ntdll!KiUserCallbackDispatcher+0x2e
042ff2d4 77969bb0 00030102 0000000f 00000000 USER32!NtUserMessageCall+0xa
042ff358 7796857c 00000000 00000000 00000000 USER32!RealDefWindowProcWorker+0x183
042ff3a8 6ab72147 00030102 0000000f 00000000 USER32!DefWindowProcW+0x100
042ff3e8 6ab6b41c 00030102 0000000f 00000000 explorerframe!CExplorerFrame::v_WndProc+0xfc
042ff40c 779675b3 00030102 0000000f 00000000 explorerframe!CImpWndProc::s_WndProc+0x69
042ff438 779677b8 6ab6b3db 00030102 0000000f USER32!_InternalCallWinProc+0x23
042ff4b8 77969b6a 00030102 0000000f 00000000 USER32!UserCallWinProcCheckWow+0x110
042ff4e4 6470b6f1 6ab6b3db 00030102 0000000f USER32!CallWindowProcW+0x63
042ff51c 779675b3 00650fc0 0000000f 00000000 UIRibbon!WndBridge::RawWndProc+0xfa
042ff548 77967677 04650fc0 00030102 0000000f USER32!_InternalCallWinProc+0x23
042ff5c8 77969744 00030102 0000000f 00000000 USER32!UserCallWinProcCheckWow+0x1c9
042ff624 77969894 016661b0 0000000f 00000000 USER32!DispatchClientMessage+0xb5
042ff64c 77c26c1e 042ff668 00000018 042ff6bc USER32!__fnDWORD+0x2c
042ff67c 77969a79 77969a91 042ff6f0 37d74c98 ntdll!KiUserCallbackDispatcher+0x2e
042ff680 77969a91 042ff6f0 37d74c98 ffffffff USER32!NtUserDispatchMessage+0xa
042ff6cc 7796783b ffffff0f 042ff714 6ab6b2e2 USER32!DispatchMessageWorker+0x29a
042ff6d8 6ab6b2e2 042ff6f0 00000000 0c716a48 USER32!DispatchMessageW+0x10
042ff714 6abc579d 0e98d8e0 75b8de39 00000000 explorerframe!CExplorerFrame::FrameMessagePump+0xda
042ff72c 6abc5efd 0ec8f928 0ec8f928 0ec8f940 explorerframe!BrowserThreadProc+0x4b
042ff744 6abc5eb9 00000000 042ff76c 6ab77467 explorerframe!BrowserNewThreadProc+0x34
042ff750 6ab77467 0ec8f928 00200000 fffffffe explorerframe!CExplorerTask::InternalResumeRT+0x11
042ff76c 759e8126 00c8f928 00000000 0ec89990 explorerframe!CRunnableTask::Run+0xab
042ff81c 759e82d3 00000000 042ff8ac 76bb5ab3 SHELL32!CShellTaskThread::ThreadProc+0x240
042ff828 76bb5ab3 0ec89990 00000000 00000000 SHELL32!CShellTaskThread::s_ThreadProc+0x2b
042ff8ac 773c17ad 00fae940 042ff8fc 77c1226c SHCORE!SHCreateStreamOnFileW+0x21f
042ff8b8 77c1226c 00fae940 37ddd6bd 00000000 KERNEL32!BaseThreadInitThunk+0xe


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExDeferredFreePool+483
81ff04a3 cd29 int 29h

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: nt!ExDeferredFreePool+483

FOLLOWUP_NAME: Pool_corruption

IMAGE_NAME: Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: Pool_Corruption

BUCKET_ID_FUNC_OFFSET: 483

FAILURE_BUCKET_ID: 0x139_3_nt!ExDeferredFreePool

BUCKET_ID: 0x139_3_nt!ExDeferredFreePool

Followup: Pool_corruption
---------