Condrv.sys: Bug Check 0x3B (SYSTEM_SERVICE_EXCEPTION)

    Hello, everyone.

    I found a subtle bug in the condrv.sys driver. I'm posting it here as a bug report; maybe it will help someone avoid the same mistake when developing their own drivers.

    The system crashed when I clicked on the “Stop Debugging” button in Visual Studio.

    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80068af1472, Address of the instruction which caused the bugcheck
    Arg3: ffffd000358cddf0, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    nt!ExAcquirePushLockExclusiveEx+f2
    fffff800`68af1472 f0480fba2e00    lock bts qword ptr [rsi],0
    
    CONTEXT:  ffffd000358cddf0 -- (.cxr 0xffffd000358cddf0;r)
    rax=0000000000000000 rbx=ffffe001ef45c3d0 rcx=0000000000000282
    rdx=0000000000000000 rsi=0057005c00450052 rdi=ffffe001f1aec3a0
    rip=fffff80068af1472 rsp=ffffd000358ce820 rbp=ffffd000358ceb80
     r8=000000000004001f  r9=000000000000001f r10=ffffe001f1aec308
    r11=ffffd000358ce810 r12=ffffe001eed307c0 r13=ffffe001eed30770
    r14=ffffe001ef45c3d0 r15=0000000000000001
    iopl=0         nv up ei pl zr na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    nt!ExAcquirePushLockExclusiveEx+0xf2:
    fffff800`68af1472 f0480fba2e00    lock bts qword ptr [rsi],0 ds:002b:0057005c`00450052=????????????????
    ...
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    
    BUGCHECK_STR:  0x3B
    
    PROCESS_NAME:  CSharpExercise
    
    CURRENT_IRQL:  1
    ...
    
    3: kd> vertarget
    Windows 8 Kernel Version 9600 MP (4 procs) Free x64
    Built by: 9600.17085.amd64fre.winblue_gdr.140330-1035
    
    3: kd> k
     # Child-SP          RetAddr           Call Site
    00 ffffd000`358cd538 fffff800`68bebae9 nt!KeBugCheckEx
    01 ffffd000`358cd540 fffff800`68beb3fc nt!KiBugCheckDispatch+0x69
    02 ffffd000`358cd680 fffff800`68be74ed nt!KiSystemServiceHandler+0x7c
    03 ffffd000`358cd6c0 fffff800`68b71105 nt!RtlpExecuteHandlerForException+0xd
    04 ffffd000`358cd6f0 fffff800`68b6ffbf nt!RtlDispatchException+0x1a5
    05 ffffd000`358cddc0 fffff800`68bebbc2 nt!KiDispatchException+0x61f
    06 ffffd000`358ce4b0 fffff800`68bea0fe nt!KiExceptionDispatch+0xc2
    07 ffffd000`358ce690 fffff800`68af1472 nt!KiGeneralProtectionFault+0xfe
    08 ffffd000`358ce820 fffff800`86a2f16b nt!ExAcquirePushLockExclusiveEx+0xf2
    09 ffffd000`358ce860 fffff800`68b591e2 condrv!CdpCancelIoIrpPaged+0x3f
    0a ffffd000`358ce890 fffff800`68f40183 nt!IoCancelIrp+0x6a
    0b ffffd000`358ce8d0 fffff800`68e84164 nt!IopCancelAlertedRequest+0x3b
    0c ffffd000`358ce910 fffff800`68beb7b3 nt!NtReadFile+0xc14
    0d ffffd000`358cea90 00007ff8`598cabea nt!KiSystemServiceCopyEnd+0x13
    0e 00000027`7a26e188 00007ff8`56c77ca8 ntdll!NtReadFile+0xa
    0f 00000027`7a26e190 00007ff8`47f96c92 KERNELBASE!ReadFile+0x74
    10 00000027`7a26e210 00007ff8`47b26b38 mscorlib_ni+0x556c92
    11 00000027`7a26e218 00000027`6053eaf8 mscorlib_ni+0xe6b38
    12 00000027`7a26e220 00000027`78e9ce70 0x00000027`6053eaf8
    13 00000027`7a26e228 00000027`7a26e3d0 0x00000027`78e9ce70
    14 00000027`7a26e230 00000000`00000000 0x00000027`7a26e3d0
    

    Knowing that the parameter to the IoCancelIrp routine is a pointer to the IRP structure, we can determine where the invalid pointer to the EX_PUSH_LOCK structure came from.

    3: kd> u nt!IoCancelIrp nt!IoCancelIrp+0x6a
    nt!IoCancelIrp:
    fffff800`68b59178 48895c2410      mov     qword ptr [rsp+10h],rbx
    fffff800`68b5917d 4889742418      mov     qword ptr [rsp+18h],rsi
    fffff800`68b59182 57              push    rdi
    fffff800`68b59183 4883ec30        sub     rsp,30h
    fffff800`68b59187 48833da1241e0000 cmp     qword ptr [nt!ViVerifierDriverAddedThunkListHead (fffff800`68d3b630)],0
    fffff800`68b5918f 488bd9          mov     rbx,rcx == nt!_IRP
    fffff800`68b59192 0f8581000000    jne     nt!IoCancelIrp+0xa1 (fffff800`68b59219)
    fffff800`68b59198 488d4c2440      lea     rcx,[rsp+40h]
    fffff800`68b5919d e81af3ffff      call    nt!IoAcquireCancelSpinLock (fffff800`68b584bc)
    fffff800`68b591a2 33ff            xor     edi,edi
    fffff800`68b591a4 c6434401        mov     byte ptr [rbx+44h],1
    fffff800`68b591a8 48877b68        xchg    rdi,qword ptr [rbx+68h]
    fffff800`68b591ac 4885ff          test    rdi,rdi
    fffff800`68b591af 744b            je      nt!IoCancelIrp+0x84 (fffff800`68b591fc)
    fffff800`68b591b1 8a4342          mov     al,byte ptr [rbx+42h]
    fffff800`68b591b4 488bd3          mov     rdx,rbx
    fffff800`68b591b7 fec0            inc     al
    fffff800`68b591b9 384343          cmp     byte ptr [rbx+43h],al
    fffff800`68b591bc 0f8f32b70c00    jg      nt! ?? ::FNODOBFM::`string'+0x34444 (fffff800`68c248f4)
    fffff800`68b591c2 408a742440      mov     sil,byte ptr [rsp+40h]
    fffff800`68b591c7 488b8bb8000000  mov     rcx,qword ptr [rbx+0B8h]
    fffff800`68b591ce 40887345        mov     byte ptr [rbx+45h],sil
    fffff800`68b591d2 48833d56241e0000 cmp     qword ptr [nt!ViVerifierDriverAddedThunkListHead (fffff800`68d3b630)],0
    fffff800`68b591da 488b4928        mov     rcx,qword ptr [rcx+28h]
    fffff800`68b591de 7543            jne     nt!IoCancelIrp+0xab (fffff800`68b59223)
    fffff800`68b591e0 ffd7            call    rdi
    fffff800`68b591e2 440f20c0        mov     rax,cr8
    
    3: kd> dq ffffd000`358ce890-8+8 L1
    ffffd000`358ce890  ffffe001`ef45c3d0
    
    3: kd> u condrv!CdpCancelIoIrpPaged condrv!CdpCancelIoIrpPaged+0x3f
    condrv!CdpCancelIoIrpPaged:
    fffff800`86a2f12c 48895c2408      mov     qword ptr [rsp+8],rbx == nt!_IRP ffffe001`ef45c3d0
    fffff800`86a2f131 4889742410      mov     qword ptr [rsp+10h],rsi
    fffff800`86a2f136 57              push    rdi
    fffff800`86a2f137 4883ec20        sub     rsp,20h
    fffff800`86a2f13b 488b81b8000000  mov     rax,qword ptr [rcx+0B8h]
    fffff800`86a2f142 488bd9          mov     rbx,rcx
    fffff800`86a2f145 4032ff          xor     dil,dil
    fffff800`86a2f148 488b7008        mov     rsi,qword ptr [rax+8]
    fffff800`86a2f14c 440f20c0        mov     rax,cr8
    fffff800`86a2f150 3c01            cmp     al,1
    fffff800`86a2f152 7709            ja      condrv!CdpCancelIoIrpPaged+0x31 (fffff800`86a2f15d)
    fffff800`86a2f154 ff15ae5effff    call    qword ptr [condrv!_imp_KeEnterCriticalRegion (fffff800`86a25008)]
    fffff800`86a2f15a 40b701          mov     dil,1
    fffff800`86a2f15d 488b0e          mov     rcx,qword ptr [rsi] rsi == ffffc000`d624d050; rcx == 0057005c`00450052
    fffff800`86a2f160 ba01000000      mov     edx,1
    fffff800`86a2f165 ff15a55effff    call    qword ptr [condrv!_imp_ExAcquirePushLockExclusiveEx (fffff800`86a25010)]
    fffff800`86a2f16b b201            mov     dl,1
    
    3: kd> dt ffffe001`ef45c3d0 nt!_IRP Tail.Overlay.CurrentStackLocation
       +0x078 Tail                              : 
          +0x000 Overlay                           : 
             +0x040 CurrentStackLocation              : 0xffffe001`ef45c4a0 _IO_STACK_LOCATION
    
    3: kd> dt 0xffffe001`ef45c4a0 nt!_IO_STACK_LOCATION Parameters.Others.
       +0x008 Parameters         : 
          +0x000 Others             : 
             +0x000 Argument1          : 0xffffc000`d624d050 Void
             +0x008 Argument2          : 0x0000002f`37e0ae90 Void
             +0x010 Argument3          : (null) 
             +0x018 Argument4          : 0xffffe001`eea56a10 Void
    
    3: kd> dq 0xffffc000`d624d050 L1
    ffffc000`d624d050  0057005c`00450052
    
    3: kd> u nt!ExAcquirePushLockExclusiveEx nt!ExAcquirePushLockExclusiveEx+0xf2
    nt!ExAcquirePushLockExclusiveEx:
    fffff800`68af1380 4889742410      mov     qword ptr [rsp+10h],rsi
    fffff800`68af1385 57              push    rdi
    fffff800`68af1386 4883ec30        sub     rsp,30h
    fffff800`68af138a 488bf1          mov     rsi,rcx == 0057005c`00450052
    ...
    fffff800`68af1472 f0480fba2e00    lock bts qword ptr [rsi],0
    
    3: kd> !pool 0xffffc000`d624d050
    Pool page ffffc000d624d050 region is Paged pool
    *ffffc000d624d000 size:   f0 previous size:    0  (Free ) *CMNb
    		Pooltag CMNb : Configuration Manager Name Tag, Binary : nt!cm
     ffffc000d624d0f0 size:   a0 previous size:   f0  (Allocated)  Sect
     ffffc000d624d190 size:  220 previous size:   a0  (Allocated)  FMfn
     ffffc000d624d3b0 size:  170 previous size:  220  (Allocated)  NtFU
     ffffc000d624d520 size:  3f0 previous size:  170  (Free)       FIcs
     ffffc000d624d910 size:   30 previous size:  3f0  (Allocated)  ObDi
     ffffc000d624d940 size:  480 previous size:   30  (Free)       Free
     ffffc000d624ddc0 size:   90 previous size:  480  (Allocated)  AlCI
     ffffc000d624de50 size:  1b0 previous size:   90  (Free)       FMfn
    

    We can see from the information above that the memory where the pointer to the EX_PUSH_LOCK structure should be doesn’t belong to condrv.sys and was freed by the Configuration Manager. Here’s how this pool allocation looks on a healthy system:

    kd> !pool poi(poi(ffffe000431a9900+b8)+8)
    Pool page ffffc0001fb78cf0 region is Paged pool
    ...
    *ffffc0001fb78ca0 size:   f0 previous size:   30  (Allocated) *CdSe
    		Owning component : Unknown (update pooltag.txt)
     ffffc0001fb78d90 size:   a0 previous size:   f0  (Allocated)  MSeg
     ffffc0001fb78e30 size:   90 previous size:   a0  (Allocated)  FSim
     ffffc0001fb78ec0 size:  140 previous size:   90  (Allocated)  FMfn
    

    We can search for the ‘CdSe’ tag to determine which drivers use it.

    [Screenshot: Find]

    Now let’s find out where the pointer in the Argument1 member of the IO_STACK_LOCATION structure came from.

    [Screenshot: condrv]

    If we examine the same structures in the crash dump, we can see that the “\Connect”, “\Reference” and “\Server” file objects and all structures associated with them were deleted.

    3: kd> !irp ffffe001`ef45c3d0
    Irp is active with 2 stacks 1 is current (= 0xffffe001ef45c4a0)
     Mdl=ffffe001eea56a10: No System Buffer: Thread ffffe001f1aec080:  Irp stack trace.  
         cmd  flg cl Device   File     Completion-Context
    >[  f, 6]   0  1 00000000 00000000 00000000-00000000    pending
    
    			Args: ffffc000d624d050 2f37e0ae90 00000000 ffffe001eea56a10
     [  3, 0]   0  0 ffffe001ed0505c0 ffffe001eed30770 00000000-00000000    
    	       \Driver\condrv
    			Args: 00000100 00000000 00000000 00000000
    
    3: kd> dt nt!_FILE_OBJECT -l RelatedFileObject -y FileName FsContext ffffe001eed30770
    RelatedFileObject at 0xffffe001`eed30770
    ---------------------------------------------
       +0x018 FsContext : 0xffffc000`d070c320 Void
       +0x058 FileName  : _UNICODE_STRING "\Input"
    
    RelatedFileObject at 0xffffe001`eea9e990
    ---------------------------------------------
       +0x018 FsContext : 0xffffc000`e1433ae0 Void
       +0x058 FileName  : _UNICODE_STRING "???"
    ...
    
    3: kd> !pool 0xffffe001`eea9e990
    Pool page ffffe001eea9e990 region is Unknown
    ...
    *ffffe001eea9e8d0 size:  1a0 previous size:   30  (Free)      *Free
    		Owning component : Unknown (update pooltag.txt)
    ...
    
    3: kd> !pool 0xffffc000`e1433ae0
    Pool page ffffc000e1433ae0 region is Paged pool
    ...
    *ffffc000e1433ad0 size:   50 previous size:  9f0  (Free ) *CdCo
    		Owning component : Unknown (update pooltag.txt)
    

    After digging around I found out the root cause of the failure. Here are the major events that led to the crash:

    1. Click on the “Stop Debugging” button in Visual Studio.

    2. The Remote Debugging Monitor (msvsmon.exe) calls NtTerminateProcess to terminate our debuggee and ends up calling KeAlertThread to alert the thread ffffe001f1aec080. The dispatcher performs a context switch to this thread due to its higher priority.

    3. The IoCancelIrp routine calls condrv!CdpCancelIoIrpPaged, but because the page with this routine is paged out to a paging file, a page fault occurs and the thread is put into a Wait state. The dispatcher performs a context switch to the thread ffffe001f0e09880.

    4. The ObClearProcessHandleTable routine (only called if a process has no threads, or if the process is being debugged (i.e. the DebugPort member of the EPROCESS structure is not null) and the process handle was specified in the call to the NtTerminateProcess routine) is called to clear the debuggee’s handle table, and the “\Connect”, “\Reference” and “\Server” file objects and all structures associated with them get deleted. Meanwhile, the Configuration Manager allocates and releases pool memory. The dispatcher performs a context switch to the thread ffffe001f1aec080, because the page fault was resolved.

    5. condrv!CdpCancelIoIrpPaged calls ExAcquirePushLockExclusiveEx and the bug check occurs.

    3: kd> !thread ffffe001f1aec080
    THREAD ffffe001f1aec080  Cid 095c.0cbc  Teb: 00007ff5ff5f8000 Win32Thread: 0000000000000000 RUNNING on processor 3
    IRP List:
        ffffe001ef45c3d0: (0006,0160) Flags: 00060900  Mdl: ffffe001eea56a10
    Not impersonating
    DeviceMap                 ffffc000d08b1d10
    Owning Process            ffffe001f02346c0       Image:         CSharpExercise.vshost.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      1415073        Ticks: 3 (0:00:00:00.046)
    Context Switch Count      81             IdealProcessor: 3             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.015
    Win32 Start Address clr!Thread::intermediateThreadProc (0x00007ff84960e840)
    Stack Init ffffd000358cec90 Current ffffd000358ce0d0
    Base ffffd000358cf000 Limit ffffd000358c9000 Call 0
    Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
    Child-SP          RetAddr           : Args to Child                                                           : Call Site
    ffffd000`358cd538 fffff800`68bebae9 : 00000000`0000003b 00000000`c0000005 fffff800`68af1472 ffffd000`358cddf0 : nt!KeBugCheckEx
    ffffd000`358cd540 fffff800`68beb3fc : ffffd000`358cd770 fffff800`68bdc886 ffffd000`358ceb00 ffffd000`358ce5e8 : nt!KiBugCheckDispatch+0x69
    ffffd000`358cd680 fffff800`68be74ed : ffffd000`358cddf0 00000000`00000000 ffffd000`358ce5e8 ffffd000`358cd7f0 : nt!KiSystemServiceHandler+0x7c
    ffffd000`358cd6c0 fffff800`68b71105 : 00000000`00000001 fffff800`68a8c000 ffffd000`358ce501 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
    ffffd000`358cd6f0 fffff800`68b6ffbf : ffffd000`358ce5e8 ffffd000`358ce690 ffffd000`358ce5e8 ffffe001`f1aec3a0 : nt!RtlDispatchException+0x1a5
    ffffd000`358cddc0 fffff800`68bebbc2 : 00000000`00000000 fffff800`68dd8ec0 fffffa80`02497f80 fffff6fc`00435178 : nt!KiDispatchException+0x61f
    ffffd000`358ce4b0 fffff800`68bea0fe : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0xc2
    ffffd000`358ce690 fffff800`68af1472 : ffffe001`ef45c4e8 ffffe001`f1aec118 ffffe001`f1aec3a0 ffffe001`ef45c3d0 : nt!KiGeneralProtectionFault+0xfe (TrapFrame @ ffffd000`358ce690)
    ffffd000`358ce820 fffff800`86a2f16b : ffffe001`ef45c3d0 ffffc000`d624d050 ffffd000`358ce888 00000000`00000018 : nt!ExAcquirePushLockExclusiveEx+0xf2
    ffffd000`358ce860 fffff800`68b591e2 : ffffe001`ef45c3d0 00000000`00000001 ffffe001`ef45c3d0 00000000`00000000 : condrv!CdpCancelIoIrpPaged+0x3f
    ffffd000`358ce890 fffff800`68f40183 : ffffe001`ef45c301 ffffe001`eed30808 00000000`00000000 ffffe001`eed30808 : nt!IoCancelIrp+0x6a
    ffffd000`358ce8d0 fffff800`68e84164 : ffffe001`eed30808 ffffe001`ef45c400 00000000`00000000 fffff800`00000000 : nt!IopCancelAlertedRequest+0x3b
    ffffd000`358ce910 fffff800`68beb7b3 : ffffe001`f1aec080 00000027`7a26dcb8 00000000`00000000 fffff6fb`7dafff08 : nt!NtReadFile+0xc14
    ffffd000`358cea90 00007ff8`598cabea : 00007ff8`56c77ca8 00007ff8`494a19fc 00000027`78e9ce70 000e0027`5eb534c0 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`358ceb00)
    00000027`7a26e188 00007ff8`56c77ca8 : 00007ff8`494a19fc 00000027`78e9ce70 000e0027`5eb534c0 00000027`6053eaf8 : ntdll!NtReadFile+0xa
    00000027`7a26e190 00007ff8`47f96c92 : 00007ff8`47b26b38 00000027`6053eaf8 00000027`78e9ce70 00000027`7a26e3d0 : KERNELBASE!ReadFile+0x74
    00000027`7a26e210 00007ff8`47b26b38 : 00000027`6053eaf8 00000027`78e9ce70 00000027`7a26e3d0 00000000`00000000 : mscorlib_ni+0x556c92
    00000027`7a26e218 00000027`6053eaf8 : 00000027`78e9ce70 00000027`7a26e3d0 00000000`00000000 00007ff8`4945206a : mscorlib_ni+0xe6b38
    00000027`7a26e220 00000027`78e9ce70 : 00000027`7a26e3d0 00000000`00000000 00007ff8`4945206a 00000027`7a26e210 : 0x00000027`6053eaf8
    00000027`7a26e228 00000027`7a26e3d0 : 00000000`00000000 00007ff8`4945206a 00000027`7a26e210 0000b74d`ede770cf : 0x00000027`78e9ce70
    00000027`7a26e230 00000000`00000000 : 00007ff8`4945206a 00000027`7a26e210 0000b74d`ede770cf 00007ff8`49b00000 : 0x00000027`7a26e3d0
    
    3: kd> dt nt!_KTHREAD ffffe001f1aec080 -y WaitReason
       +0x283 WaitReason : 0x9 ''
    
    3: kd> dt ntkrnlmp!_KWAIT_REASON
       Executive = 0n0
       FreePage = 0n1
       PageIn = 0n2
       PoolAllocation = 0n3
       DelayExecution = 0n4
       Suspended = 0n5
       UserRequest = 0n6
       WrExecutive = 0n7
       WrFreePage = 0n8
       WrPageIn = 0n9
    ...
    
    3: kd> !thread ffffe001f0e09880
    THREAD ffffe001f0e09880  Cid 1a04.1bfc  Teb: 00007ff7f5485000 Win32Thread: fffff901425fcb70 WAIT: (Executive) KernelMode Non-Alertable
        ffffe001eed307f0  SynchronizationEvent
    Not impersonating
    DeviceMap                 ffffc000d08b1d10
    Owning Process            ffffe001f03f4900       Image:         msvsmon.exe
    Attached Process          ffffe001f02346c0       Image:         CSharpExercise.vshost.exe
    Wait Start TickCount      1415073        Ticks: 3 (0:00:00:00.046)
    Context Switch Count      581            IdealProcessor: 3             
    UserTime                  00:00:00.093
    KernelTime                00:00:00.093
    Win32 Start Address 0x00007ff8255c3390
    Stack Init ffffd00035d92c90 Current ffffd00035d92310
    Base ffffd00035d93000 Limit ffffd00035d8d000 Call 0
    Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr           : Args to Child                                                           : Call Site
    ffffd000`35d92350 fffff800`68ae2d1e : ffffd000`207e6180 ffffe001`f0e09880 00000000`00000008 fffff800`68acb3a1 : nt!KiSwapContext+0x76
    ffffd000`35d92490 fffff800`68ae2779 : 00000000`00000000 ffffc000`d2f5a040 ffffe001`ee444400 00000000`00000000 : nt!KiSwapThread+0x14e
    ffffd000`35d92530 fffff800`68af2dfa : ffffc000`d2f5a040 00000000`00000000 ffffe001`ee66ed98 00000000`00000000 : nt!KiCommitThreadWait+0x129
    ffffd000`35d925b0 fffff800`68f1d9ed : ffffe001`eed307f0 ffffc000`00000000 ffffe001`ee5bc500 fffff800`00000000 : nt!KeWaitForSingleObject+0x22a
    ffffd000`35d92640 fffff800`68fdc241 : 00000000`00000000 ffffe001`f02346c0 00000000`00000000 ffffe001`eed30770 : nt!IopAcquireFileObjectLock+0x85
    ffffd000`35d92690 fffff800`68e9574a : ffffe001`eed30740 ffffe001`ec545c60 ffffe001`eed30750 ffffe001`eed30700 : nt! ?? ::NNGAKEGL::`string'+0x25bd1
    ffffd000`35d92720 fffff800`68e95543 : 00000000`00000000 00000000`ffff8001 00000000`00000000 00000000`00000001 : nt!ObpDecrementHandleCount+0x1b6
    ffffd000`35d927c0 fffff800`68e9517e : ffffd000`20504180 fffff800`68af1274 7fffe001`f0234988 ffffe001`f0234988 : nt!ObCloseHandleTableEntry+0x313
    ffffd000`35d92890 fffff800`690152b0 : ffffe001`f02346c0 ffffe001`f0e09c60 ffffc000`d4d56c40 ffffe001`f0e09880 : nt!ExSweepHandleTable+0xba
    ffffd000`35d928f0 fffff800`68ea9592 : 00000000`00000001 00000000`00000001 ffffe001`f0234988 ffffffff`ffffffff : nt! ?? ::NNGAKEGL::`string'+0x5ec40
    ffffd000`35d92960 fffff800`68e1b3e3 : 00000000`f02346c8 00000000`f02346c8 00000000`c000010a 00000000`00000000 : nt!PspRundownSingleProcess+0x286
    ffffd000`35d929f0 fffff800`68e1b0e9 : ffffe001`f1aec080 ffffe001`f0e09c60 ffffe001`f02346c0 ffffe001`f02346c0 : nt!PspTerminateAllThreads+0x27f
    ffffd000`35d92a50 fffff800`68e1ae76 : ffffffff`ffffffff ffffe001`f03f4900 ffffe001`f02346c0 ffffe001`f0e09880 : nt!PspTerminateProcess+0xe5
    ffffd000`35d92a90 fffff800`68beb7b3 : ffffe001`f02346c0 ffffe001`f0e09880 ffffd000`35d92b80 01cf99d6`b1f19cdd : nt!NtTerminateProcess+0x9e
    ffffd000`35d92b00 00007ff8`598cae4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`35d92b00)
    000000b4`ad6bcb28 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTerminateProcess+0xa
    
    3: kd> .thread ffffe001f0e09880
    Implicit thread is now ffffe001`f0e09880
    3: kd> !cmkd.stack
    Call Stack : 16 frames
    ## Stack-Pointer    Return-Address   Call-Site       
    00 ffffd00035d92350 fffff80068ae2d1e nt!KiSwapContext+76 
    01 ffffd00035d92490 fffff80068ae2779 nt!KiSwapThread+14e (perf)
    02 ffffd00035d92530 fffff80068af2dfa nt!KiCommitThreadWait+129 (perf)
    03 ffffd00035d925b0 fffff80068f1d9ed nt!KeWaitForSingleObject+22a 
    04 ffffd00035d92640 fffff80068fdc241 nt!IopAcquireFileObjectLock+85 
    05 ffffd00035d92690 fffff80068e9574a nt!IopCloseFile+15d861 (perf)
    06 ffffd00035d92720 fffff80068e95543 nt!ObpDecrementHandleCount+1b6 
    07 ffffd00035d927c0 fffff80068e9517e nt!ObCloseHandleTableEntry+313 
    08 ffffd00035d92890 fffff800690152b0 nt!ExSweepHandleTable+ba 
    09 ffffd00035d928f0 fffff80068ea9592 nt!ObClearProcessHandleTable+d5944 (perf)
    0a ffffd00035d92960 fffff80068e1b3e3 nt!PspRundownSingleProcess+286 
    0b ffffd00035d929f0 fffff80068e1b0e9 nt!PspTerminateAllThreads+27f 
    0c ffffd00035d92a50 fffff80068e1ae76 nt!PspTerminateProcess+e5 
    0d ffffd00035d92a90 fffff80068beb7b3 nt!NtTerminateProcess+9e 
    0e ffffd00035d92b00 00007ff8598cae4a nt!KiSystemServiceCopyEnd+13 
    0f 000000b4ad6bcb28 0000000000000000 ntdll!NtTerminateProcess+a
    

    Conclusion

    Because of this subtle bug in the condrv.sys driver, the system can crash. The good news (for users only) is that it can only happen when you debug a console application.


    http://www.andreybazhan.com
    Tuesday, September 30, 2014 4:20 PM
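A small triage helper, added here as an example and not part of the original post, for the step above where the bogus "pointer" 0057005c`00450052 is pulled out of the dump. It checks whether a qword is even a canonical x64 kernel address and, if not, whether its bytes read as text; this value decodes as the UTF-16LE fragment "RE\W", consistent with the CMNb (Configuration Manager name) pool tag that !pool reports for the freed block. The address layout assumptions (47-bit user/kernel split, canonical upper bits) are standard x64, not taken from the post.

```python
"""Classify a suspect qword from a crash dump: real pointer or reused data?

Added example, not from the original post. The sample values below are the
ones shown in the dump (the faulting value and the Argument1 pointer), and
0x2f37e0ae90 is the Argument2 user-mode buffer address.
"""

def classify_va(value: int) -> str:
    """x64 canonical form: bits 63..47 must all be 0 (user) or all be 1 (kernel)."""
    if value == 0:
        return "null"
    upper = value >> 47                 # 17 bits: 63..47
    if upper not in (0, (1 << 17) - 1):
        return "non-canonical"
    return "kernel" if value >> 63 else "user"

def decode_as_text(value: int, width: int = 8) -> dict:
    """Interpret the little-endian bytes of `value` as ASCII and as UTF-16LE.

    Pool that has been freed and reused for names (registry paths, file
    names) tends to show up as printable text when a stale pointer is read
    back, which is what happened in this crash.
    """
    raw = value.to_bytes(width, "little")
    found = {}
    if all(0x20 <= b < 0x7F for b in raw):
        found["ascii"] = raw.decode("ascii")
    try:
        u16 = raw.decode("utf-16-le")
        if u16.isprintable() and u16.strip():
            found["utf16le"] = u16
    except UnicodeDecodeError:
        pass
    return found

def triage(value: int) -> dict:
    """Combine both checks into a verdict a debugger session would reach by hand."""
    kind = classify_va(value)
    text = decode_as_text(value)
    verdict = "plausible pointer"
    if kind != "kernel":
        verdict = f"not a kernel pointer ({kind})"
        if text:
            verdict += "; bytes decode as text, memory likely reused after free"
    return {"class": kind, "text": text, "verdict": verdict}

if __name__ == "__main__":
    # Faulting value read through the stale Argument1 pointer in the dump.
    print(triage(0x0057005C00450052))
    # The Argument1 pointer itself, a valid paged-pool address in the dump.
    print(triage(0xFFFFC000D624D050))
```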