Issue 415 attachment: windbg_write_overflow.txt (7.1 KB)

Connected to Windows 7 7601 x86 compatible target at (Fri May 29 13:26:39.776 2015 (UTC + 2:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.comSRV*c:\symbols\*http://symbols.mozilla.org/firefox;srv*c:\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com;srv*
Executable search path is: srv*
Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
Built by: 7601.18798.x86fre.win7sp1_gdr.150316-1654
Machine Name:
Kernel base = 0x82a0f000 PsLoadedModuleList = 0x82b595b0
System Uptime: not available
nt!DbgLoadImageSymbols+0x47:
82a27584 cc int 3
kd> g
*******************************************************************************
*
* This is the string you add to your checkin description
* Driver Verifier: Enabled for win32k.sys on Build 7601 Swoke0cxHt9I3y4CfWvmAH
*
*******************************************************************************
nt!DbgLoadImageSymbols+0x47:
82a27584 cc int 3
kd> g

*** Fatal System Error: 0x000000d6
(0xFFA0B000,0x00000001,0x95023E86,0x00000000)

Driver at fault:
*** win32k.sys - Address 95023E86 base at 94F60000, DateStamp 55345e59
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Fri May 29 13:29:41.739 2015 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
........................
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D6, {ffa0b000, 1, 95023e86, 0}

*** WARNING: Unable to verify checksum for a1.exe
*** ERROR: Module load completed but symbols could not be loaded for a1.exe
Probably caused by : win32k.sys ( win32k!memcpy+166 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
This is NOT a break in update time
This is most likely a BUG in an ISR
Perform a stack trace to find the culprit
The period will be doubled on continuation
Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82a8a9ec cd2c int 2Ch
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffa0b000, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 95023e86, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


WRITE_ADDRESS: ffa0b000 Special pool

FAULTING_IP:
win32k!memcpy+166
95023e86 8807 mov byte ptr [edi],al

MM_INTERNAL_CODE: 0

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 55345e59

MODULE_NAME: win32k

FAULTING_MODULE: 94f60000 win32k

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xD6

PROCESS_NAME: a1.exe

CURRENT_IRQL: 1c

TRAP_FRAME: 96182f2c -- (.trap 0xffffffff96182f2c)
ErrCode = 00000002
eax=00000000 ebx=ffa0affc ecx=00000001 edx=00000001 esi=96183128 edi=ffa0b000
eip=95023e86 esp=96182fa0 ebp=96182fa8 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
win32k!memcpy+0x166:
95023e86 8807 mov byte ptr [edi],al ds:0023:ffa0b000=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 82a89eb3 to 82a8a9ec

STACK_TEXT:
96182950 82a89eb3 0002625a 00000000 00003100 nt!KeAccumulateTicks+0x3c5
96182990 82a89d60 82e3d0a8 1ce94adc 00000000 nt!KeUpdateRunTime+0x145
961829e8 82a89563 00000002 00000002 000000d1 nt!KeUpdateSystemTime+0x613
961829e8 82e3d0a8 00000002 00000002 000000d1 nt!KeUpdateSystemTimeAssist+0x13
96182a6c 82e2bb8c 00001000 00000000 96182acc hal!READ_PORT_USHORT+0x8
96182a7c 82e2bcf5 82aee582 7ce8a00a 00000065 hal!HalpCheckPowerButton+0x2e
96182a80 82aee582 7ce8a00a 00000065 00000000 hal!HaliHaltSystem+0x7
96182acc 82aef029 00000003 00000000 00000002 nt!KiBugCheckDebugBreak+0x73
96182e90 82a9cff9 00000050 ffa0b000 00000001 nt!KeBugCheck2+0x68b
96182f14 82a4fa88 00000001 ffa0b000 00000000 nt!MmAccessFault+0x104
96182f14 95023e86 00000001 ffa0b000 00000000 nt!KiTrap0E+0xdc
96182fa8 94ff9a34 ffa0affc 96183124 00000005 win32k!memcpy+0x166
96183008 94fadb52 00000005 030f7ded 961835d0 win32k!vSrcCopyS1D1LtoR+0x1eb
961835b0 94facf3e 96183738 961835d0 ffa0ada8 win32k!BltLnkRect+0xb82
9618383c 9501c0e1 00000000 d9abe000 00000000 win32k!BltLnk+0x78b
961838c8 950b7bf9 00000000 d9abe010 00000000 win32k!EngBitBlt+0x4c5
96183964 950ad9be ffa0adb8 fef10db8 00000000 win32k!EngStretchBltROP+0x282
96183a44 94fe003e 00000000 96183b84 950b7977 win32k!BLTRECORD::bStretch+0x459
96183bc0 94fdcced 07210156 0000002e 00000029 win32k!GreStretchBltInternal+0x785
96183bfc 82a4c8a6 07210156 0000002e 00000029 win32k!GreStretchBlt+0x30
96183bfc 77267074 07210156 0000002e 00000029 nt!KiSystemServicePostCall
0013fd70 00191032 00000000 07210156 0000002e ntdll!KiFastSystemCallRet
WARNING: Stack unwind information not available. Following frames may be wrong.
0013fda8 0019109e 07210156 0000002e 00000029 a1+0x1032
0013fde8 001911a2 00000001 001dee28 001e0108 a1+0x109e
0013fe30 7639ee1c 7ffd3000 0013fe7c 7728399b a1+0x11a2
0013fe3c 7728399b 7ffd3000 773ecb04 00000000 kernel32!BaseThreadInitThunk+0xe
0013fe7c 7728396e 0019121f 7ffd3000 00000000 ntdll!__RtlUserThreadStart+0x70
0013fe94 00000000 0019121f 7ffd3000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!memcpy+166
95023e86 8807 mov byte ptr [edi],al

SYMBOL_STACK_INDEX: b

SYMBOL_NAME: win32k!memcpy+166

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0xD6_VRF_win32k!memcpy+166

BUCKET_ID: 0xD6_VRF_win32k!memcpy+166

Followup: MachineOwner