Get SYSTEM_SERVICE_EXCEPTION bluescreen when starting Wireshark on Win10 VMware guest

  • Question

  • Hi. I am developing WinPcap, an NDIS filter driver. This driver, together with Wireshark, is installed in my Win10 x64 VMware Workstation guest. I found that after this VM is suspended and resumed, I encounter the SYSTEM_SERVICE_EXCEPTION bluescreen when launching Wireshark. After analyzing the dump file, I located the error in my driver: it's the NdisFOidRequest call in my NPF_GetDeviceMTU function, which is used to get the MTU value from an adapter when this adapter is opened by ring 3. But I still don't know what's wrong with my call, because the two arguments of NdisFOidRequest are not NULL, so there's no reason for NdisFOidRequest to cause a BSoD.

    My source code is here: https://github.com/nmap/npcap/blob/master/packetWin7/npf/npf/Openclos.c

    My dump file is here: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/080715-26093-01.dmp

    My driver's name is npf.sys, and I paste my "!analyze -v" result here:

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80129404e22, Address of the instruction which caused the bugcheck
    Arg3: ffffd0019e0d5930, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    
    VIRTUAL_MACHINE:  VMware
    
    SYSTEM_VERSION:  None
    
    BIOS_DATE:  05/20/2014
    
    BASEBOARD_PRODUCT:  440BX Desktop Reference Platform
    
    BASEBOARD_VERSION:  None
    
    BUGCHECK_P1: c0000005
    
    BUGCHECK_P2: fffff80129404e22
    
    BUGCHECK_P3: ffffd0019e0d5930
    
    BUGCHECK_P4: 0
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    FAULTING_IP: 
    ndis!NdisFOidRequest+62
    fffff801`29404e22 f780980e000000040000 test dword ptr [rax+0E98h],400h
    
    CONTEXT:  ffffd0019e0d5930 -- (.cxr 0xffffd0019e0d5930)
    rax=0000000000000002 rbx=ffffe0011864c0c0 rcx=ffffe00117805910
    rdx=ffffe0011864c0c0 rsi=00000000c0000001 rdi=ffffe00117805910
    rip=fffff80129404e22 rsp=ffffd0019e0d6350 rbp=ffffe0011864c070
     r8=0000000000000000  r9=0000000000000002 r10=0000000000000000
    r11=fffff8012b806bc7 r12=ffffe00117d3cdb0 r13=ffffe00117ac0cb0
    r14=ffffe0011864c0c0 r15=ffffe0011864c078
    iopl=0         nv up ei pl zr na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    ndis!NdisFOidRequest+0x62:
    fffff801`29404e22 f780980e000000040000 test dword ptr [rax+0E98h],400h ds:002b:00000000`00000e9a=????????
    Resetting default scope
    
    CPU_COUNT: 2
    
    CPU_MHZ: 95a
    
    CPU_VENDOR:  GenuineIntel
    
    CPU_FAMILY: 6
    
    CPU_MODEL: 3c
    
    CPU_STEPPING: 3
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    
    BUGCHECK_STR:  0x3B
    
    PROCESS_NAME:  dumpcap.exe
    
    CURRENT_IRQL:  0
    
    ANALYSIS_VERSION: 10.0.10240.9 amd64fre
    
    LAST_CONTROL_TRANSFER:  from fffff8012b802b1a to fffff80129404e22
    
    STACK_TEXT:  
    ffffd001`9e0d6350 fffff801`2b802b1a : ffffe001`1864c098 ffffe001`186551b0 ffffe001`1864c098 ffffe001`186551b0 : ndis!NdisFOidRequest+0x62
    ffffd001`9e0d6410 fffff801`2b802e9a : ffffe001`17ac0e00 ffffe001`1afb6620 ffffe001`1864c000 ffffe001`1afb6550 : npf!NPF_GetDeviceMTU+0xb2 [j:\npcap\packetwin7\npf\npf\openclos.c @ 596]
    ffffd001`9e0d6450 fffff800`634a4866 : 00000000`00000025 ffffd001`9e0d6790 00000000`00000000 ffffc000`30df5e01 : npf!NPF_OpenAdapter+0x11a [j:\npcap\packetwin7\npf\npf\openclos.c @ 332]
    ffffd001`9e0d6480 fffff800`6349f9d1 : ffffc000`302294e8 ffffc000`302294e8 ffffd001`9e0d6790 ffffe001`17ac0c80 : nt!IopParseDevice+0x9a6
    ffffd001`9e0d6690 fffff800`634fe38c : ffffe001`1b58c001 ffffd001`9e0d68b8 ffffe001`00000040 ffffe001`1530b9a0 : nt!ObpLookupObjectName+0x711
    ffffd001`9e0d6830 fffff800`634fa69c : ffffe001`00000001 ffffe001`197056a0 00000094`2d4ec878 00000094`2d4ec818 : nt!ObOpenObjectByName+0x1ec
    ffffd001`9e0d6960 fffff800`634fa2e9 : 00000094`2d4ec800 00000000`00000001 00000094`2d4ec878 00000094`2d4ec818 : nt!IopCreateFile+0x38c
    ffffd001`9e0d6a00 fffff800`631cf863 : ffffe001`1793b4c0 ffffd001`9e0d6b80 ffffd001`9e0d6aa8 00000000`00000074 : nt!NtCreateFile+0x79
    ffffd001`9e0d6a90 00007ffd`d1753a4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000094`2d4ec788 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffd`d1753a4a
    
    
    FOLLOWUP_IP: 
    npf!NPF_GetDeviceMTU+b2 [j:\npcap\packetwin7\npf\npf\openclos.c @ 596]
    fffff801`2b802b1a 8bf8            mov     edi,eax
    
    FAULTING_SOURCE_LINE:  j:\npcap\packetwin7\npf\npf\openclos.c
    
    FAULTING_SOURCE_FILE:  j:\npcap\packetwin7\npf\npf\openclos.c
    
    FAULTING_SOURCE_LINE_NUMBER:  596
    
    FAULTING_SOURCE_CODE:  
       592: 	// submit the request
       593: 	MaxSizeReq->Request.RequestId = (PVOID) NPF_REQUEST_ID;
       594: 	if (pOpen->AdapterHandle)
       595: 	{
    >  596: 		ReqStatus = NdisFOidRequest(pOpen->AdapterHandle, &MaxSizeReq->Request);
       597: 	}
       598: 	else
       599: 	{
       600: 		ReqStatus = STATUS_UNSUCCESSFUL;
       601: 	}
    
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  npf!NPF_GetDeviceMTU+b2
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: npf
    
    IMAGE_NAME:  npf.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  55c41b29
    
    IMAGE_VERSION:  0.3.0.727
    
    STACK_COMMAND:  .cxr 0xffffd0019e0d5930 ; kb
    
    BUCKET_ID_FUNC_OFFSET:  b2
    
    FAILURE_BUCKET_ID:  0x3B_npf!NPF_GetDeviceMTU
    
    BUCKET_ID:  0x3B_npf!NPF_GetDeviceMTU
    
    PRIMARY_PROBLEM_CLASS:  0x3B_npf!NPF_GetDeviceMTU
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:0x3b_npf!npf_getdevicemtu
    
    FAILURE_ID_HASH:  {e1970511-e942-3732-24b3-db2603bc49c0}
    
    Followup:     MachineOwner
    ---------
    

    Friday, August 7, 2015 3:43 AM

Answers

  • There's a bad pointer dereference somewhere in NdisFOidRequest; rax is 0x02 in the instruction:

    test dword ptr [rax+0E98h],400h
    -- pa
    • Marked as answer by Yang Luo Tuesday, August 18, 2015 12:20 PM
    Friday, August 7, 2015 5:28 AM
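To check the answer's reading of the context record, here is an added example (not from the thread or from npcap) that parses the register dump and the faulting instruction quoted in the question, resolves the `[rax+0E98h]` operand to the address the CPU actually touched, and labels it the way a triager would. The dump excerpt is copied from the post; the classification thresholds are the usual x64 address-range heuristics, not anything the thread states.

```python
import re

# Excerpt of the !analyze -v context record from the question (constructed
# from the post's register lines; the instruction is the one at FAULTING_IP).
CONTEXT_DUMP = """\
rax=0000000000000002 rbx=ffffe0011864c0c0 rcx=ffffe00117805910
rdx=ffffe0011864c0c0 rsi=00000000c0000001 rdi=ffffe00117805910
rip=fffff80129404e22 rsp=ffffd0019e0d6350 rbp=ffffe0011864c070
 r8=0000000000000000  r9=0000000000000002 r10=0000000000000000
"""
FAULTING_INSN = "test dword ptr [rax+0E98h],400h"

_REG_RE = re.compile(r"\b(r[a-z0-9]+)=([0-9a-f]{16})")
_MEM_RE = re.compile(r"\[(r[a-z0-9]+)(?:([+-])([0-9a-fA-F]+)h)?\]")


def parse_registers(dump: str) -> dict:
    """Map register name -> integer value from WinDbg-style 'reg=hex' lines."""
    return {name: int(val, 16) for name, val in _REG_RE.findall(dump)}


def effective_address(insn: str, regs: dict) -> int:
    """Resolve a MASM-syntax [base+disp] memory operand to a linear address."""
    m = _MEM_RE.search(insn)
    if not m:
        raise ValueError("no memory operand in: " + insn)
    base, sign, disp = m.groups()
    addr = regs[base]
    if disp:
        addr += int(disp, 16) * (-1 if sign == "-" else 1)
    return addr & 0xFFFFFFFFFFFFFFFF


def classify(addr: int) -> str:
    """Triage label for the address an access violation touched (heuristic)."""
    if addr < 0x10000:
        return "near-null"   # small integer used as a pointer: stale/bogus handle
    if addr < (1 << 47):
        return "user-mode"   # kernel code touching a user address: missing probe
    return "kernel"          # real kernel address: freed or corrupted object


def triage(dump: str, insn: str) -> tuple:
    """Return (faulting address, label) for a context record and instruction."""
    regs = parse_registers(dump)
    addr = effective_address(insn, regs)
    return addr, classify(addr)


if __name__ == "__main__":
    addr, kind = triage(CONTEXT_DUMP, FAULTING_INSN)
    print(f"faulting access at {addr:#x} ({kind})")
```

For the post's values this resolves to 0xe9a, the same unreadable `ds:002b:00000000`00000e9a` WinDbg printed, which is why the answer reads rax=2 as a bad pointer rather than an NDIS object.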