
Stack overran of luafv.sys

Alex_Li-2 Member Posts: 97
Hi, all.

I got a BSOD like this. I don't know if it has any relationship with my redirector minifilter (FS filter). After my filter was removed, it does not happen any more. But I cannot find any clue that my filter causes this BSOD.

I need some hint to move on.
Thanks in adv!

Alex.

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 997ac83f, Actual security check cookie from the stack
Arg2: 93339862, Expected security check cookie
Arg3: 6ccc679d, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:
------------------


GSFAILURE_FUNCTION: luafv!CreateTableNode

GSFAILURE_RA_SMASHED: TRUE

GSFAILURE_MODULE_COOKIE: 93339862 luafv!__security_cookie [ 9333905c ]

GSFAILURE_FRAME_COOKIE: ffffffff

SECURITY_COOKIE: Expected 93339862 found 997ac83f

GSFAILURE_ANALYSIS_TEXT: !gs output:
Corruption occurred in luafv!CreateTableNode or one of its callers

Analyzing __report_gsfailure frame (5)...
LEA usage: Function @0xFFFFFFFF9333EBAB-0xFFFFFFFF9333EFCA is NOT using LEA
Module canary at 0xFFFFFFFF9333905C (luafv!__security_cookie): 0x93339862
Complement at 0xFFFFFFFF93339060: 0x6CCC679D (matches OK)
couldn't disassemble

Stack buffer overrun analysis completed successfully.


BUGCHECK_STR: STACK_BUFFER_OVERRUN

DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

PROCESS_NAME: PPLive.exe

CURRENT_IRQL: 2

STACK_TEXT:
9d72c2dc 844d36d5 00000003 0a384b6e 00000065 nt!RtlpBreakWithStatusInstruction
9d72c32c 844d41d1 00000003 00000000 a04d9900 nt!KiBugCheckDebugBreak+0x1c
9d72c6f0 844d3574 000000f7 997ac83f 93339862 nt!KeBugCheck2+0x68b
9d72c714 93334fa2 000000f7 997ac83f 93339862 nt!KeBugCheckEx+0x1e
9d72c734 9333efca 00000000 00180018 a07dcd4e luafv!__report_gsfailure+0x25
9d72c828 93330000 a04d9900 a050b870 00000003 luafv!CreateTableNode+0x41f
9d72c854 891469ec 00520052 a05b01ae 9333e1f4 monitor! ?? ::NNGAKEGL::`string' <PERF> (monitor+0x8000)
9d72c860 9333e1f4 00540054 a05b01ac 00520052 fltmgr!FltReleasePushLock+0x3e
a05b01ae 00320047 00310030 002d0030 00300031 luafv!LuafvFindUserStore+0x2f3
WARNING: Frame IP not in any known module. Following frames may be wrong.
a05b01c2 00310030 0077002d 00720061 006c0066 0x320047
a05b01c6 0077002d 00720061 006c0066 00760079 0x310030
a05b01ca 00720061 006c0066 00760079 006c0073 0x77002d
a05b01ce 006c0066 00760079 006c0073 006e0079 0x720061
a05b01d2 00760079 006c0073 006e0079 0030005b 0x6c0066
a05b01d6 006c0073 006e0079 0030005b 002e005d 0x760079
a05b01da 006e0079 0030005b 002e005d 0070006d 0x6c0073
a05b01de 0030005b 002e005d 0070006d 002e0034 0x6e0079
a05b01e2 002e005d 0070006d 002e0034 00700074 0x30005b
a05b01e6 0070006d 002e0034 00700074 002e0070 0x2e005d
a05b01ea 002e0034 00700074 002e0070 00660063 0x70006d
a05b01ee 00700074 002e0070 00660063 00000067 0x2e0034
a05b01f2 002e0070 00660063 00000067 00630073 0x700074
a05b01f6 00660063 00000067 00630073 006e006f 0x2e0070
a05b01fa 00000000 00630073 006e006f 00690066 0x660063


STACK_COMMAND: kb

FOLLOWUP_IP:
luafv!CreateTableNode+41f
9333efca c9 leave

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: luafv!CreateTableNode+41f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: luafv

IMAGE_NAME: luafv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc020

FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f

BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f

Followup: MachineOwner
---------

Comments

  • Alex_Li-2 Member Posts: 97
    And here it came again:

    kd> !analyze -v
    Connected to Windows 7 7600 x86 compatible target at (Mon Oct 4 23:24:42.244 2010 (UTC + 8:00)), ptr64 FALSE
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..................................
    Loading User Symbols
    ................................................................
    ...................................................
    Loading unloaded module list
    ....
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    DRIVER_OVERRAN_STACK_BUFFER (f7)
    A driver has overrun a stack-based buffer. This overrun could potentially
    allow a malicious user to gain control of this machine.
    DESCRIPTION
    A driver overran a stack-based buffer (or local variable) in a way that would
    have overwritten the function's return address and jumped back to an arbitrary
    address when the function returned. This is the classic "buffer overrun"
    hacking attack and the system has been brought down to prevent a malicious user
    from gaining complete control of it.
    Do a kb to get a stack backtrace -- the last routine on the stack before the
    buffer overrun handlers and bugcheck call is the one that overran its local
    variable(s).
    Arguments:
    Arg1: a668c83f, Actual security check cookie from the stack
    Arg2: 9831d7a1, Expected security check cookie
    Arg3: 67ce285e, Complement of the expected security check cookie
    Arg4: 00000000, zero

    Debugging Details:
    ------------------

    *** ERROR: Symbol file could not be found. Defaulted to export symbols for peer.dll -

    GSFAILURE_FUNCTION: luafv!CreateTableNode

    GSFAILURE_RA_SMASHED: TRUE

    GSFAILURE_MODULE_COOKIE: 9831d7a1 luafv!__security_cookie [ 9831d05c ]

    GSFAILURE_FRAME_COOKIE: ffffffff

    SECURITY_COOKIE: Expected 9831d7a1 found a668c83f

    GSFAILURE_ANALYSIS_TEXT: !gs output:
    Corruption occurred in luafv!CreateTableNode or one of its callers

    Analyzing __report_gsfailure frame (5)...
    LEA usage: Function @0xFFFFFFFF98322BAB-0xFFFFFFFF98322FCA is NOT using LEA
    Module canary at 0xFFFFFFFF9831D05C (luafv!__security_cookie): 0x9831D7A1
    Complement at 0xFFFFFFFF9831D060: 0x67CE285E (matches OK)
    couldn't disassemble

    Stack buffer overrun analysis completed successfully.


    BUGCHECK_STR: STACK_BUFFER_OVERRUN

    DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

    PROCESS_NAME: PPLive.exe

    CURRENT_IRQL: 2

    STACK_TEXT:
    a264c2dc 8450a6d5 00000003 18896eb1 00000065 nt!RtlpBreakWithStatusInstruction
    a264c32c 8450b1d1 00000003 00000000 9f0a3858 nt!KiBugCheckDebugBreak+0x1c
    a264c6f0 8450a574 000000f7 a668c83f 9831d7a1 nt!KeBugCheck2+0x68b
    a264c714 98318fa2 000000f7 a668c83f 9831d7a1 nt!KeBugCheckEx+0x1e
    a264c734 98322fca 00000000 00180018 9f3c14fe luafv!__report_gsfailure+0x25
    a264c828 98320000 9f0a3858 9dcd6598 00000003 luafv!CreateTableNode+0x41f
    a264c8e4 89185a7b 00000000 a264c928 00000000 luafv!LuafvScavengeFileTable+0x1b9
    a264c8fc a282c9e8 00000000 a264c900 91110cd4 Ntfs!NtfsExtendedCompleteRequestInternal+0x107
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    a264c924 9831f7ae 9b923c60 00000000 a264c954 0xa282c9e8
    a264c9ac 89136aeb 85ea0528 0064c9cc a264c9f8 luafv!LuafvQueryVirtualizationCaller+0x51
    a264ca18 891399f0 a264ca5c 85e944c8 00000000 fltmgr!FltpPerformPreCallbacks+0x34d
    a264ca30 8914d1fe a264ca5c 89150f3c 00000000 fltmgr!FltpPassThroughInternal+0x40
    a264ca44 8914d8b7 a264ca5c 85e944c8 85da38e0 fltmgr!FltpCreateInternal+0x24
    a264ca88 84467f44 872a1490 87271ae0 85da393c fltmgr!FltpCreate+0x2c9
    a264caa0 8463b7ad 188966e5 a264cc48 00000000 nt!IofCallDriver+0x63
    a264cb78 8463e988 872595b0 85bcb588 85e74008 nt!IopParseDevice+0xed7
    a264cbf4 8467d354 00000000 a264cc48 00000040 nt!ObpLookupObjectName+0x4fa
    a264cc50 84638d4e 0579f650 85bcb588 83e24b01 nt!ObOpenObjectByName+0x165
    a264cccc 8468ef55 0579f698 00010080 0579f650 nt!IopCreateFile+0x673
    a264cd14 8446e79a 0579f698 00010080 0579f650 nt!NtOpenFile+0x2a
    a264cd14 76ec64f4 0579f698 00010080 0579f650 nt!KiFastCallEntry+0x12a
    0579f620 76ec514c 7503f77e 0579f698 00010080 ntdll!KiFastSystemCallRet
    0579f624 7503f77e 0579f698 00010080 0579f650 ntdll!NtOpenFile+0xc
    0579f6a0 04f6639c 05411bd0 6b081788 0579f9a8 KERNELBASE!DeleteFileW+0xa9
    00000000 00000000 00000000 00000000 00000000 peer!TS_XXXX+0x10060c


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    luafv!CreateTableNode+41f
    98322fca c9 leave

    SYMBOL_STACK_INDEX: 5

    SYMBOL_NAME: luafv!CreateTableNode+41f

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: luafv

    IMAGE_NAME: luafv.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc020

    FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f

    BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f

    Followup: MachineOwner
    ---------
  • Alex_Carp Member Posts: 1,016
    Well, the bugcheck analysis says something is overrunning the stack.

    I would review my code to make sure I'm not overwriting anything and that
    I'm not passing some stack-based variable to any asynchronous function
    without waiting.

    The value the security cookie was overwritten with in this bugcheck was
    0xa668c83f and in the previous one was 0x997ac83f. This might provide some
    hint as to what was overwriting it. Because it's unlikely that only the
    security cookie was overwritten you could also look around the security
    cookie some more to get more data which might help you identify what it was
    that overwrote it.

    Thanks,
    Alex.
  • john_bloe Member Posts: 40
    Probably something is going wrong in luafv!GetFileInformation when your filter is present? Also note that in both crashes, PPLive is the active process.

    Satya
    http://www.winprogger.com
  • Alex_Li-2 Member Posts: 97
    Thanks!

    I am following your advice :)

    Alex.
  • Alex_Li-2 Member Posts: 97
    Hi, guys!

    Thanks for your advice!
    I've fixed the BSOD. It was caused by my filter.

    Thanks very much :)

    Alex.
  • iamupd Member Posts: 2

    Hey, Alex! Please teach me.
    How did you solve your problem? I have the same problem.

  • rod_widdowson Member - All Emails Posts: 1,038

    It's debugging 201. In user mode I'd look for negative offsets for arrays declared on the stack. I'd look to see what the value being overwritten was and see whether it was meaningful for me. I'd wonder about repeatability and use data access breakpoints.
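Alex Carp's suggestion to look at the memory around the smashed cookie, and Rod's to check whether the overwriting value is meaningful, can be applied directly to the STACK_TEXT in the first post: the dwords the walker printed as "return addresses" (00320047, 00310030, 0077002d, ...) are pairs of UTF-16LE code units. The script below is an added example, not code from the thread; it parses those kb lines and joins the slots back into the wide string that was written over the frames. The stride-4 join assumes the walker is scanning 4 bytes at a time once the EBP chain is broken, which the ChildEBP column (a05b01c2, c6, ca, ...) shows.

```python
import re

# kb frames from the first bugcheck in the post, from "Frame IP not in any known
# module" onward. Columns: ChildEBP RetAddr Args-to-Child x3, then symbol guess.
SMASHED_FRAMES = """\
a05b01ae 00320047 00310030 002d0030 00300031 luafv!LuafvFindUserStore+0x2f3
a05b01c2 00310030 0077002d 00720061 006c0066 0x320047
a05b01c6 0077002d 00720061 006c0066 00760079 0x310030
a05b01ca 00720061 006c0066 00760079 006c0073 0x77002d
a05b01ce 006c0066 00760079 006c0073 006e0079 0x720061
a05b01d2 00760079 006c0073 006e0079 0030005b 0x6c0066
a05b01d6 006c0073 006e0079 0030005b 002e005d 0x760079
a05b01da 006e0079 0030005b 002e005d 0070006d 0x6c0073
a05b01de 0030005b 002e005d 0070006d 002e0034 0x6e0079
a05b01e2 002e005d 0070006d 002e0034 00700074 0x30005b
a05b01e6 0070006d 002e0034 00700074 002e0070 0x2e005d
a05b01ea 002e0034 00700074 002e0070 00660063 0x70006d
a05b01ee 00700074 002e0070 00660063 00000067 0x2e0034
a05b01f2 002e0070 00660063 00000067 00630073 0x700074
a05b01f6 00660063 00000067 00630073 006e006f 0x2e0070
a05b01fa 00000000 00630073 006e006f 00690066 0x660063
"""

def decode_dword(value):
    # One 32-bit stack slot read as two UTF-16LE code units (x86 is little-endian).
    return value.to_bytes(4, "little").decode("utf-16-le", errors="replace")

def looks_like_text(s):
    # Every code unit printable ASCII or NUL: the fingerprint of a wide string.
    return all(c == "\0" or " " <= c <= "~" for c in s)

def parse_frames(text):
    # (ChildEBP, RetAddr) for each kb line that starts with the two hex columns.
    pairs = re.findall(r"(?m)^\s*([0-9a-f]{8})\s+([0-9a-f]{8})\s", text, re.I)
    return [(int(a, 16), int(b, 16)) for a, b in pairs]

def text_runs(frames):
    # Frames 4 bytes apart come from the walker's scan, so their RetAddr slots
    # (at ChildEBP+4) are contiguous memory; join them into (address, string) runs.
    runs, prev_ebp = [], None
    for ebp, ret in frames:
        chunk = decode_dword(ret)
        if not looks_like_text(chunk):
            prev_ebp = None
            continue
        if prev_ebp is not None and ebp == prev_ebp + 4:
            runs[-1] = (runs[-1][0], runs[-1][1] + chunk)
        else:
            runs.append((ebp + 4, chunk))
        prev_ebp = ebp
    return [(addr, s.rstrip("\0")) for addr, s in runs]
```

On this input the second run decodes to a fragment that looks like a media file name (it contains ".mp4"), which points at the path-handling code in the filter as the place to review, and gives a concrete string to set a data access breakpoint on.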
