
Issue 311 attachment: analysis311.txt (13.0 KB)


Bitmap object Use-after-Free #2

The attached PoC triggers a blue screen due to a use-after-free vulnerability. The crashes are unreliable; however, enabling Special Pool (see below) makes them reliable. The crashes indicate that it is possible to write to arbitrary addresses. Crash without Special Pool:


*** Fatal System Error: 0x0000000a
(0x00000000,0x00000002,0x00000001,0x82AB566F)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Tue Mar 31 11:24:03.150 2015 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
...............................................
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 1, 82ab566f}

*** WARNING: Unable to verify checksum for a31.exe
*** ERROR: Module load completed but symbols could not be loaded for a31.exe
Probably caused by : win32k.sys ( win32k!W32PIDLOCK::vLockSingleThread+14 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
This is NOT a break in update time
This is most likely a BUG in an ISR
Perform a stack trace to find the culprit
The period will be doubled on continuation
Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82aba38c cd2c int 2Ch
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 82ab566f, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS: 00000000

CURRENT_IRQL: 1c

FAULTING_IP:
nt!KeWaitForSingleObject+373
82ab566f 8939 mov dword ptr [ecx],edi

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: a31.exe

TRAP_FRAME: 97433acc -- (.trap 0xffffffff97433acc)
ErrCode = 00000002
eax=85247580 ebx=85247578 ecx=00000000 edx=00000000 esi=8531fd48 edi=8531fe08
eip=82ab566f esp=97433b40 ebp=97433ba0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KeWaitForSingleObject+0x373:
82ab566f 8939 mov dword ptr [ecx],edi ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 82ab9853 to 82aba38c

STACK_TEXT:
97433568 82ab9853 0002625a 00000000 0000a600 nt!KeAccumulateTicks+0x3c5
974335a8 82ab9700 82a210a8 b44c75c4 00000000 nt!KeUpdateRunTime+0x145
97433600 82ab8f03 97433602 97433602 000000d1 nt!KeUpdateSystemTime+0x613
97433600 82a210a8 97433602 97433602 000000d1 nt!KeUpdateSystemTimeAssist+0x13
97433684 82a0fb8c 00001000 00000000 974336e4 hal!READ_PORT_USHORT+0x8
97433694 82a0fcf5 82b1df92 3235ebba 00000065 hal!HalpCheckPowerButton+0x2e
97433698 82b1df92 3235ebba 00000065 00000000 hal!HaliHaltSystem+0x7
974336e4 82b1ea39 00000003 00000000 82ab566f nt!KiBugCheckDebugBreak+0x73
97433aac 82a7fb4f 0000000a 00000000 00000002 nt!KeBugCheck2+0x68b
97433aac 82ab566f 0000000a 00000000 00000002 nt!KiTrap0E+0x1b3
97433ba0 9539a4c6 85247578 00000006 00000000 nt!KeWaitForSingleObject+0x373
97433bb8 95397337 fe9e3728 97433be8 95396115 win32k!W32PIDLOCK::vLockSingleThread+0x14
97433bc4 95396115 210109de 0026f74c 953fb057 win32k!DC::vSetRendering+0x53
97433bd8 953ead4d ffb84008 00000001 00000000 win32k!DEVLOCKOBJ::bLock+0x265
97433c20 82a7c896 210109de 00000003 00000010 win32k!GreSetICMMode+0x3d
97433c20 778e70f4 210109de 00000003 00000010 nt!KiSystemServicePostCall
0026f734 77341864 7734181e 210109de 00000003 ntdll!KiFastSystemCallRet
0026f738 7734181e 210109de 00000003 00000010 GDI32!NtGdiSetIcmMode+0xc
0026f750 773417cf 210109de 000e0740 00000000 GDI32!IcmSelectColorTransform+0x4a
0026f770 77341870 210109de 000e0740 00000000 GDI32!IcmDeleteLocalDC+0x21
0026f790 76075439 210109de 0026f808 000512ef GDI32!GdiReleaseDC+0x6b
0026f79c 000512ef 00000000 210109de 001f0334 USER32!ReleaseDC+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0026f808 000516d8 00000001 00292d08 00292d48 a31+0x12ef
0026f850 75d5ee1c 7ffdf000 0026f89c 779037eb a31+0x16d8
0026f85c 779037eb 7ffdf000 77b85930 00000000 kernel32!BaseThreadInitThunk+0xe
0026f89c 779037be 00051755 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
0026f8b4 00000000 00051755 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!W32PIDLOCK::vLockSingleThread+14
9539a4c6 c3 ret

SYMBOL_STACK_INDEX: b

SYMBOL_NAME: win32k!W32PIDLOCK::vLockSingleThread+14

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54ee8ecd

FAILURE_BUCKET_ID: 0xA_win32k!W32PIDLOCK::vLockSingleThread+14

BUCKET_ID: 0xA_win32k!W32PIDLOCK::vLockSingleThread+14

Followup: MachineOwner
---------




The issue reproduces reliably with Special Pool (https://msdn.microsoft.com/en-us/library/windows/hardware/ff551832%28v=vs.85%29.aspx) enabled for win32k.sys. The resulting crash output looks as follows:


*******************************************************************************
*
* This is the string you add to your checkin description
* Driver Verifier: Enabled for win32k.sys on Build 7601 Swoke0cxHt9I3y4CfWvmAH
*
*******************************************************************************
nt!DbgLoadImageSymbols+0x47:
82a36578 cc int 3
kd> g

*** Fatal System Error: 0x0000000a
(0xBFBFBFE7,0x00000002,0x00000001,0x82A94579)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Tue Mar 31 11:55:25.308 2015 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
...............................................
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {bfbfbfe7, 2, 1, 82a94579}

*** WARNING: Unable to verify checksum for a31.exe
*** ERROR: Module load completed but symbols could not be loaded for a31.exe
Probably caused by : win32k.sys ( win32k!W32PIDLOCK::vLockSingleThread+14 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
This is NOT a break in update time
This is most likely a BUG in an ISR
Perform a stack trace to find the culprit
The period will be doubled on continuation
Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82a9938c cd2c int 2Ch
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: bfbfbfe7, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 82a94579, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS: bfbfbfe7

CURRENT_IRQL: 1c

FAULTING_IP:
nt!KeWaitForSingleObject+27d
82a94579 f00fba2807 lock bts dword ptr [eax],7

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: a31.exe

TRAP_FRAME: 930fca9c -- (.trap 0xffffffff930fca9c)
ErrCode = 00000002
eax=bfbfbfe7 ebx=bfbfbfe7 ecx=8a4737c0 edx=00000000 esi=8a473760 edi=8a473820
eip=82a94579 esp=930fcb10 ebp=930fcb70 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KeWaitForSingleObject+0x27d:
82a94579 f00fba2807 lock bts dword ptr [eax],7 ds:0023:bfbfbfe7=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 82a98853 to 82a9938c

STACK_TEXT:
930fc538 82a98853 0002625a 00000000 00007100 nt!KeAccumulateTicks+0x3c5
930fc578 82a98700 82e4b0a8 40799a77 00000000 nt!KeUpdateRunTime+0x145
930fc5d0 82a97f03 930fc502 930fc502 000000d1 nt!KeUpdateSystemTime+0x613
930fc5d0 82e4b0a8 930fc502 930fc502 000000d1 nt!KeUpdateSystemTimeAssist+0x13
930fc654 82e39b8c 00001000 00000000 930fc6b4 hal!READ_PORT_USHORT+0x8
930fc664 82e39cf5 82afcf92 26f0a881 00000065 hal!HalpCheckPowerButton+0x2e
930fc668 82afcf92 26f0a881 00000065 00000000 hal!HaliHaltSystem+0x7
930fc6b4 82afda39 00000003 bfbfbfe7 82a94579 nt!KiBugCheckDebugBreak+0x73
930fca7c 82a5eb4f 0000000a bfbfbfe7 00000002 nt!KeBugCheck2+0x68b
930fca7c 82a94579 0000000a bfbfbfe7 00000002 nt!KiTrap0E+0x1b3
930fcb70 82d5b9b3 bfbfbfe7 00000006 00000000 nt!KeWaitForSingleObject+0x27d
930fcba0 9366a4c6 bfbfbfe7 00000006 00000000 nt!VerifierKeWaitForSingleObject+0xfe
930fcbb8 93667337 fbf1e728 930fcbe8 93666115 win32k!W32PIDLOCK::vLockSingleThread+0x14
930fcbc4 93666115 0c01021a 0016fbf0 936cb057 win32k!DC::vSetRendering+0x53
930fcbd8 936bad4d fef78130 00000001 00000000 win32k!DEVLOCKOBJ::bLock+0x265
930fcc20 82a5b896 0c01021a 00000003 00000010 win32k!GreSetICMMode+0x3d
930fcc20 774770f4 0c01021a 00000003 00000010 nt!KiSystemServicePostCall
0016fbd8 76871864 7687181e 0c01021a 00000003 ntdll!KiFastSystemCallRet
0016fbdc 7687181e 0c01021a 00000003 00000010 GDI32!NtGdiSetIcmMode+0xc
0016fbf4 768717cf 0c01021a 00050740 00000000 GDI32!IcmSelectColorTransform+0x4a
0016fc14 76871870 0c01021a 00050740 00000000 GDI32!IcmDeleteLocalDC+0x21
0016fc34 759e5439 0c01021a 0016fcac 002c12ef GDI32!GdiReleaseDC+0x6b
0016fc40 002c12ef 00000000 0c01021a 0003017c USER32!ReleaseDC+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0016fcac 002c16d8 00000001 00362a70 00362ab0 a31+0x12ef
0016fcf4 771bee1c 7ffdb000 0016fd40 774937eb a31+0x16d8
0016fd00 774937eb 7ffdb000 7740fde2 00000000 kernel32!BaseThreadInitThunk+0xe
0016fd40 774937be 002c1755 7ffdb000 00000000 ntdll!__RtlUserThreadStart+0x70
0016fd58 00000000 002c1755 7ffdb000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!W32PIDLOCK::vLockSingleThread+14
9366a4c6 c3 ret

SYMBOL_STACK_INDEX: c

SYMBOL_NAME: win32k!W32PIDLOCK::vLockSingleThread+14

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54ee8ecd

FAILURE_BUCKET_ID: 0xA_VRF_win32k!W32PIDLOCK::vLockSingleThread+14

BUCKET_ID: 0xA_VRF_win32k!W32PIDLOCK::vLockSingleThread+14

Followup: MachineOwner
---------
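To compare the two `!analyze -v` outputs above mechanically, the following added Python example (not part of the attachment) extracts the bugcheck 0xA arguments, decodes the Arg3 read/write/execute bitfield, pulls the faulting instruction and checks whether the verifier (`_VRF_`) bucket was used. The embedded dump excerpts are copied from the page; the `fill_pattern` check (address whose three high bytes repeat) is a triage heuristic assumed by this example, not a documented Special Pool signature.

```python
import re

# Excerpts of the two crash dumps above (constructed by copying the relevant lines).
DUMP_NO_POOL = """\
BugCheck A, {0, 2, 1, 82ab566f}
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 1c
FAULTING_IP:
nt!KeWaitForSingleObject+373
82ab566f 8939 mov dword ptr [ecx],edi
FAILURE_BUCKET_ID: 0xA_win32k!W32PIDLOCK::vLockSingleThread+14
"""

DUMP_SPECIAL_POOL = """\
BugCheck A, {bfbfbfe7, 2, 1, 82a94579}
WRITE_ADDRESS: bfbfbfe7
CURRENT_IRQL: 1c
FAULTING_IP:
nt!KeWaitForSingleObject+27d
82a94579 f00fba2807 lock bts dword ptr [eax],7
FAILURE_BUCKET_ID: 0xA_VRF_win32k!W32PIDLOCK::vLockSingleThread+14
"""

BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
FAULT_RE = re.compile(r"FAULTING_IP:\s*\n(\S+)\s*\n[0-9a-f]+\s+[0-9a-f]+\s+(.*)")
BUCKET_RE = re.compile(r"FAILURE_BUCKET_ID:\s*(\S+)")


def triage(dump):
    """Decode the arguments of an IRQL_NOT_LESS_OR_EQUAL (0xA) bugcheck from !analyze -v text."""
    m = BUGCHECK_RE.search(dump)
    if not m:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    if code != 0xA or len(args) != 4:
        raise ValueError("not a 4-argument bugcheck 0xA")
    address, irql, bits, faulting_ip = args
    fault = FAULT_RE.search(dump)
    bucket = BUCKET_RE.search(dump)
    # Heuristic (assumption of this example): a non-NULL address whose three high
    # bytes are identical looks like a fill pattern read from freed memory, not a pointer.
    high = {(address >> s) & 0xFF for s in (8, 16, 24)}
    return {
        "address": address,
        "irql": irql,
        "write": bool(bits & 1),      # Arg3 bit 0: 1 = write operation
        "execute": bool(bits & 8),    # Arg3 bit 3: 1 = execute operation
        "faulting_ip": faulting_ip,
        "symbol": fault.group(1) if fault else None,
        "instruction": fault.group(2).strip() if fault else None,
        "verifier": bucket is not None and "_VRF_" in bucket.group(1),
        "fill_pattern": address != 0 and len(high) == 1,
    }
```

Run against both excerpts, the first dump reports a write to NULL with no verifier bucket, while the Special Pool dump reports a write through a patterned address under a `_VRF_` bucket, which is the difference the text above describes.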