calling ExAllocatePoolWithTag causes problems

  • Question

  • Hello, when I call ExAllocatePool from my DriverEntry, I get a PAGE_FAULT_IN_NONPAGED_AREA violation. I am calling with PASSIVE_LEVEL IRQL and requesting memory from nonpaged pool. If anyone could help, I would appreciate it. This bug doesn't occur in my virtual machine, which is strange. Thanks in advance!

    This is the crash dump:

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except.
    Typically the address is just plain bad or it is pointing at freed memory.
    Arguments:
    Arg1: ffffba046798a000, memory referenced.
    Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
    Arg3: fffff80635e8f66f, If non-zero, the instruction address which referenced the bad memory address.
    Arg4: 0000000000000002, (reserved)
    
    Debugging Details:
    KEY_VALUES_STRING: 1
    
    Key  : Analysis.CPU.mSec
    Value: 3796
    
    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-RJMI7MF
    
    Key  : Analysis.DebugData
    Value: CreateObject
    
    Key  : Analysis.DebugModel
    Value: CreateObject
    
    Key  : Analysis.Elapsed.mSec
    Value: 4351
    
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 88
    
    Key  : Analysis.System
    Value: CreateObject
    
    Key  : WER.OS.Branch
    Value: vb_release
    
    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z
    
    Key  : WER.OS.Version
    Value: 10.0.19041.1
    ADDITIONAL_XML: 1
    
    OS_BUILD_LAYERS: 1
    
    BUGCHECK_CODE: 50
    
    BUGCHECK_P1: ffffba046798a000
    
    BUGCHECK_P2: 2
    
    BUGCHECK_P3: fffff80635e8f66f
    
    BUGCHECK_P4: 2
    
    READ_ADDRESS: ffffba046798a000 Nonpaged pool
    
    MM_INTERNAL_CODE: 2
    
    BLACKBOXBSD: 1 (!blackboxbsd)
    
    BLACKBOXNTFS: 1 (!blackboxntfs)
    
    BLACKBOXPNP: 1 (!blackboxpnp)
    
    BLACKBOXWINLOGON: 1
    
    PROCESS_NAME: System
    
    TRAP_FRAME: ffffcd8daabdb360 -- (.trap 0xffffcd8daabdb360)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000001
    rdx=ffffffffffffffff rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80635e8f66f rsp=ffffcd8daabdb4f0 rbp=ffffba046798a000
    r8=0000000000001ffd r9=00000000ffffffff r10=0000000000000000
    r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei ng nz na po nc
    nt!RtlpHpVsSubsegmentCreate+0xff:
    fffff80635e8f66f 0f114500 movups xmmword ptr [rbp],xmm0 ss:0018:ffffba046798a000=????????????????????????????????
    Resetting default scope
    
    STACK_TEXT:
    ffffcd8daabdb0b8 fffff8063607a665 : 0000000000000050 ffffba046798a000 0000000000000002 ffffcd8daabdb360 : nt!KeBugCheckEx
    ffffcd8daabdb0c0 fffff80635eea4a0 : 0000000000000000 0000000000000002 ffffcd8daabdb3e0 0000000000000000 : nt!MiSystemFault+0x172315
    ffffcd8daabdb1c0 fffff8063600335e : ffffffffffffffff 0000000021000000 ffffba0467901140 0000000000000021 : nt!MmAccessFault+0x400
    ffffcd8daabdb360 fffff80635e8f66f : 0000000000020000 ffffba0467a00280 0000000000000000 0000000000000000 : nt!KiPageFault+0x35e
    ffffcd8daabdb4f0 fffff80635ec7afb : 0000000000000000 0000000000000000 0000000000000000 ffffe38200000010 : nt!RtlpHpVsSubsegmentCreate+0xff
    ffffcd8daabdb550 fffff80635ecad6d : 000000000000e2b0 ffffcd8d0000e2b0 ffffcd8daabdb691 00000000656e6f4e : nt!RtlpHpVsContextAllocateInternal+0x36b
    ffffcd8daabdb5b0 fffff806365b1094 : ffffba0400000000 ffffffff80004898 00000000656e6f4e 0000000000000000 : nt!ExAllocateHeapPool+0x6ed
    ffffcd8daabdb6f0 fffff80635ead16f : ffffba0474023000 ffffcd8daabdba60 ffffba04745ab510 0000000000000000 : nt!ExAllocatePoolWithTag+0x64
    ffffcd8daabdb740 fffff80649922f43 : 0000000000060005 fffff80649925ad0 ffffba04418a5c00 ffffba046798a000 : nt!ExAllocatePool+0xf
    ffffcd8daabdb770 fffff8064992471d : 0000000000000000 fffff80649925aa0 0000000000000000 fffff806499244da : kernel!Utils::GetDriverBaseAddress+0x73 [C:\Users\user1\source\repos\MyDriver\Kernel\utils.h @ 50]
    ffffcd8daabdb7f0 fffff8064992176e : fffff80649925e70 000000000000000e 0000000000000065 0000000000000003 : kernel!NIC::EnumerateModules+0x15 [C:\Users\user1\source\repos\MyDriver\Kernel\NIC.h @ 100]
    ffffcd8daabdb890 fffff8064992398f : ffffba0474146310 ffffba0474023000 ffffba0471c8b490 0000000000000100 : kernel!Entry+0x36 [C:\Users\user1\source\repos\MyDriver\Kernel\Driver.cpp @ 142]
    ffffcd8daabdb900 fffff8063631e3cd : 000000000000000e 0000000000000000 0000000000000000 0000000000001000 : nt!PnpCallDriverEntry+0x4c
    ffffcd8daabdb960 fffff80636364207 : 0000000000000000 0000000000000000 fffff80636925440 ffffba0472f2ca18 : nt!IopLoadDriver+0x4e5
    ffffcd8daabdbb30 fffff80635f034b5 : ffffba0400000000 ffffffff80004898 ffffba0471c50040 ffffba0400000000 : nt!IopLoadUnloadDriver+0x57
    ffffcd8daabdbb70 fffff80635ea29a5 : ffffba0471c50040 0000000000000080 ffffba0467eae080 0000000000000080 : nt!ExpWorkerThread+0x105
    ffffcd8daabdbc10 fffff80635ffc868 : ffff9081f1ea1180 ffffba0471c50040 fffff80635ea2950 0000000000000000 : nt!PspSystemThreadStartup+0x55
    ffffcd8daabdbc60 0000000000000000 : ffffcd8daabdc000 ffffcd8daabd6000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x28
    
    SYMBOL_NAME: nt!ExAllocatePool+f
    
    IMAGE_NAME: Pool_Corruption
    
    MODULE_NAME: Pool_Corruption
    
    STACK_COMMAND: .thread ; .cxr ; kb
    
    BUCKET_ID_FUNC_OFFSET: f
    
    FAILURE_BUCKET_ID: AV_INVALID_nt!ExAllocatePool
    
    OS_VERSION: 10.0.19041.1
    
    BUILDLAB_STR: vb_release
    
    OSPLATFORM_TYPE: x64
    
    OSNAME: Windows 10
    
    FAILURE_ID_HASH: {bf01aada-9771-ad56-bb83-80fbba6594cf}
    
    Followup: Pool_corruption

    Tuesday, December 8, 2020 4:44 PM

All replies

  • You've messed up the heap tables, but it probably happened well before this point.  That is, it isn't ExAllocatePool that CAUSED the problem, it just DIAGNOSED the problem.

    Is this a game cheat driver?


    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Wednesday, December 9, 2020 6:25 AM
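Tim's point, that the allocation reported the damage rather than causing it, is worth building into dump triage. The Python below is an added example, not code from this thread: it parses the `!analyze -v` excerpt quoted in the question (the `STACK_TEXT` frames and the `KEY: value` fields), flags the `Pool_corruption` follow-up, and picks out the innermost frame that belongs to the driver image (named `kernel` in this dump) rather than `nt`, which is where a search for an earlier pool overrun should start. The sample text embedded in it is copied from the dump above; the function names are mine.

```python
import re

# Constructed sample: lines copied from the !analyze -v output quoted in the question
# (raw string so the Windows source paths keep their backslashes).
SAMPLE_DUMP = r"""
BUGCHECK_CODE: 50
READ_ADDRESS: ffffba046798a000 Nonpaged pool
STACK_TEXT:
ffffcd8daabdb0b8 fffff8063607a665 : 0000000000000050 ffffba046798a000 0000000000000002 ffffcd8daabdb360 : nt!KeBugCheckEx
ffffcd8daabdb740 fffff80649922f43 : 0000000000060005 fffff80649925ad0 ffffba04418a5c00 ffffba046798a000 : nt!ExAllocatePool+0xf
ffffcd8daabdb770 fffff8064992471d : 0000000000000000 fffff80649925aa0 0000000000000000 fffff806499244da : kernel!Utils::GetDriverBaseAddress+0x73 [C:\Users\user1\source\repos\MyDriver\Kernel\utils.h @ 50]
ffffcd8daabdb890 fffff8064992398f : ffffba0474146310 ffffba0474023000 ffffba0471c8b490 0000000000000100 : kernel!Entry+0x36 [C:\Users\user1\source\repos\MyDriver\Kernel\Driver.cpp @ 142]
ffffcd8daabdb900 fffff8063631e3cd : 000000000000000e 0000000000000000 0000000000000000 0000000000001000 : nt!PnpCallDriverEntry+0x4c
Followup: Pool_corruption
"""

# One STACK_TEXT frame: child-sp, return address, four args, symbol, optional [file @ line].
FRAME_RE = re.compile(
    r"^(?P<sp>[0-9a-f]{16}) (?P<ret>[0-9a-f]{16}) : "
    r"(?P<args>[0-9a-f]{16}(?: [0-9a-f]{16}){3}) : (?P<sym>\S+)"
    r"(?: \[(?P<file>.+) @ (?P<line>\d+)\])?$"
)
FIELD_RE = re.compile(r"^(?P<key>\w+):\s+(?P<val>.+)$")  # BUGCHECK_CODE, READ_ADDRESS, Followup...

def parse_frames(text):
    """Return the STACK_TEXT frames as dicts, innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["module"] = f["sym"].split("!", 1)[0]   # "nt", or "kernel" for this driver image
            frames.append(f)
    return frames

def first_non_kernel_frame(frames, kernel_modules=("nt",)):
    """Innermost frame not owned by ntoskrnl: the driver code to inspect first."""
    return next((f for f in frames if f["module"] not in kernel_modules), None)

def triage(text):
    """Summarise: bugcheck code, referenced address and pool region, corruption flag, driver frame."""
    fields = {m["key"].upper(): m["val"].strip()
              for m in map(FIELD_RE.match, map(str.strip, text.splitlines())) if m}
    addr, _, region = fields.get("READ_ADDRESS", "").partition(" ")
    return {
        "bugcheck": int(fields.get("BUGCHECK_CODE", "0"), 16),
        "referenced": addr,
        "region": region,
        # Pool_corruption follow-up: the allocator tripped over damaged pool metadata, so the
        # ExAllocatePool frame only reported the damage; look for an earlier overrun instead.
        "pool_corruption": fields.get("FOLLOWUP", "").lower() == "pool_corruption",
        "driver_frame": first_non_kernel_frame(parse_frames(text)),
    }
```

Running `triage(SAMPLE_DUMP)` points at `kernel!Utils::GetDriverBaseAddress+0x73` (utils.h line 50) as the first driver-owned frame; with `pool_corruption` set, that frame is the reporter, and the overrun to look for lies in code that ran before it.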