ExAllocatePoolWithTag causes a page fault

Hello OSR,

My driver frequently causes a page fault when allocating a nonpaged pool, at PASSIVE_LEVEL IRQL. I am calling ExAllocatePool in my DriverEntry. Somehow I am corrupting the pool. These are the contents of the crash dump:

```
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffba046798a000, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: fffff80635e8f66f, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 3796

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-RJMI7MF

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.mSec
Value: 4351

Key  : Analysis.Memory.CommitPeak.Mb
Value: 88

Key  : Analysis.System
Value: CreateObject

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

BUGCHECK_CODE: 50

BUGCHECK_P1: ffffba046798a000

BUGCHECK_P2: 2

BUGCHECK_P3: fffff80635e8f66f

BUGCHECK_P4: 2

READ_ADDRESS: ffffba046798a000 Nonpaged pool

MM_INTERNAL_CODE: 2

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME: System

TRAP_FRAME: ffffcd8daabdb360 -- (.trap 0xffffcd8daabdb360)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000001
rdx=ffffffffffffffff rsi=0000000000000000 rdi=0000000000000000
rip=fffff80635e8f66f rsp=ffffcd8daabdb4f0 rbp=ffffba046798a000
r8=0000000000001ffd r9=00000000ffffffff r10=0000000000000000
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!RtlpHpVsSubsegmentCreate+0xff:
fffff80635e8f66f 0f114500 movups xmmword ptr [rbp],xmm0 ss:0018:ffffba046798a000=???
Resetting default scope

STACK_TEXT:
ffffcd8daabdb0b8 fffff8063607a665 : 0000000000000050 ffffba046798a000 0000000000000002 ffffcd8daabdb360 : nt!KeBugCheckEx
ffffcd8daabdb0c0 fffff80635eea4a0 : 0000000000000000 0000000000000002 ffffcd8daabdb3e0 0000000000000000 : nt!MiSystemFault+0x172315
ffffcd8daabdb1c0 fffff8063600335e : ffffffffffffffff 0000000021000000 ffffba0467901140 0000000000000021 : nt!MmAccessFault+0x400
ffffcd8daabdb360 fffff80635e8f66f : 0000000000020000 ffffba0467a00280 0000000000000000 0000000000000000 : nt!KiPageFault+0x35e
ffffcd8daabdb4f0 fffff80635ec7afb : 0000000000000000 0000000000000000 0000000000000000 ffffe38200000010 : nt!RtlpHpVsSubsegmentCreate+0xff
ffffcd8daabdb550 fffff80635ecad6d : 000000000000e2b0 ffffcd8d0000e2b0 ffffcd8daabdb691 00000000656e6f4e : nt!RtlpHpVsContextAllocateInternal+0x36b
ffffcd8daabdb5b0 fffff806365b1094 : ffffba0400000000 ffffffff80004898 00000000656e6f4e 0000000000000000 : nt!ExAllocateHeapPool+0x6ed
ffffcd8daabdb6f0 fffff80635ead16f : ffffba0474023000 ffffcd8daabdba60 ffffba04745ab510 0000000000000000 : nt!ExAllocatePoolWithTag+0x64
ffffcd8daabdb740 fffff80649922f43 : 0000000000060005 fffff80649925ad0 ffffba04418a5c00 ffffba046798a000 : nt!ExAllocatePool+0xf
ffffcd8daabdb770 fffff8064992471d : 0000000000000000 fffff80649925aa0 0000000000000000 fffff806499244da : kernel!Utils::getDriverBaseAddress+0x73 [C:\Users\user1\source\repos\MyDriver\Kernel\utils.h @ 50]
ffffcd8daabdb7f0 fffff8064992176e : fffff80649925e70 000000000000000e 0000000000000065 0000000000000003 : kernel!NIC::spoofMac+0x15 [C:\Users\user1\source\repos\MyDriver\Kernel\NIC.h @ 100]
ffffcd8daabdb890 fffff8064992398f : ffffba0474146310 ffffba0474023000 ffffba0471c8b490 0000000000000100 : kernel!Entry+0x36 [C:\Users\user1\source\repos\MyDriver\Kernel\Driver.cpp @ 142]
ffffcd8daabdb8d0 fffff806363538f4 : ffffba0474146310 0000000000000000 ffffba0474146310 0000000000000000 : kernel!mapperEntry+0x1f [C:\Users\user1\source\repos\MyDriver\Kernel\Driver.cpp @ 162]
ffffcd8daabdb900 fffff8063631e3cd : 000000000000000e 0000000000000000 0000000000000000 0000000000001000 : nt!PnpCallDriverEntry+0x4c
ffffcd8daabdb960 fffff80636364207 : 0000000000000000 0000000000000000 fffff80636925440 ffffba0472f2ca18 : nt!IopLoadDriver+0x4e5
ffffcd8daabdbb30 fffff80635f034b5 : ffffba0400000000 ffffffff80004898 ffffba0471c50040 ffffba0400000000 : nt!IopLoadUnloadDriver+0x57
ffffcd8daabdbb70 fffff80635ea29a5 : ffffba0471c50040 0000000000000080 ffffba0467eae080 0000000000000080 : nt!ExpWorkerThread+0x105
ffffcd8daabdbc10 fffff80635ffc868 : ffff9081f1ea1180 ffffba0471c50040 fffff80635ea2950 0000000000000000 : nt!PspSystemThreadStartup+0x55
ffffcd8daabdbc60 0000000000000000 : ffffcd8daabdc000 ffffcd8daabd6000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x28

SYMBOL_NAME: nt!ExAllocatePool+f

IMAGE_NAME: Pool_Corruption

MODULE_NAME: Pool_Corruption

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: f

FAILURE_BUCKET_ID: AV_INVALID_nt!ExAllocatePool

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {bf01aada-9771-ad56-bb83-80fbba6594cf}

Followup: Pool_corruption
```

Could anyone help? Thanks in advance.

Is your driver really called “kernel”? Really?

It is suspicious that the address you failed on is on a new page boundary. That suggests that you wrote sequentially right off the end of your allocation. Without seeing your code, of course, there’s very little we can do.
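As an added example (not part of this thread), a small triage script that pulls the bugcheck 0x50 arguments and trap-frame registers out of an excerpt of the !analyze -v text above and applies the page-boundary check from the reply; the sample text is constructed from the values in the post.

```python
import re

PAGE_SIZE = 0x1000

# Constructed excerpt of the !analyze -v output quoted in the post (values copied from it).
SAMPLE = """PAGE_FAULT_IN_NONPAGED_AREA (50)
Arguments:
Arg1: ffffba046798a000, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: fffff80635e8f66f, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000001
rdx=ffffffffffffffff rsi=0000000000000000 rdi=0000000000000000
rip=fffff80635e8f66f rsp=ffffcd8daabdb4f0 rbp=ffffba046798a000
"""


def parse_bugcheck(text):
    """Pull the bugcheck code, Arg1..Arg4 and any trap-frame registers out of the text."""
    code = int(re.search(r"\((\w+)\)", text.splitlines()[0]).group(1), 16)
    args = {int(m.group(1)): int(m.group(2), 16)
            for m in re.finditer(r"^Arg(\d): ([0-9a-f]{16}),", text, re.M)}
    regs = {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(r[a-z0-9]+)=([0-9a-f]{16})", text)}
    return {"code": code, "args": args, "regs": regs}


def triage(parsed):
    """Is the bad address on a page boundary, and which register was holding it?"""
    addr = parsed["args"][1]
    faulting_ip = parsed["args"][3]
    regs = parsed["regs"]
    page_aligned = addr % PAGE_SIZE == 0
    # registers whose value equals the faulting address (rip is the code address, not the data)
    holders = sorted(r for r, v in regs.items() if v == addr and r != "rip")
    notes = []
    if parsed["code"] != 0x50:
        notes.append("not a PAGE_FAULT_IN_NONPAGED_AREA dump")
    if page_aligned:
        notes.append("faulting address is page-aligned: consistent with a sequential write "
                     "running off the end of an allocation into the next, unmapped page")
    if regs.get("rip") == faulting_ip:
        notes.append("Arg3 matches rip in the trap frame; disassemble at that address")
    return {
        "faulting_address": f"{addr:016x}",
        "page_aligned": page_aligned,
        "page_offset": addr % PAGE_SIZE,
        "base_registers": holders,
        "notes": notes,
    }
```

On the dump above this reports a page-aligned address held in rbp, which is exactly the base register of the faulting movups in the trap frame.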

@Tim_Roberts said:
Is your driver really called “kernel”? Really?

It is suspicious that the address you failed on is on a new page boundary. That suggests that you wrote sequentially right off the end of your allocation. Without seeing your code, of course, there’s very little we can do.
This is where it fails:

```cpp
// get the size of the SystemModuleInformation buffer
Status = ZwQuerySystemInformation(SystemModuleInformation, 0, Bytes, &Bytes);
if (Bytes == 0)
{
    // the original "%s:" had no matching argument; __FUNCTION__ supplies one
    DbgPrint("%s: Invalid SystemModuleInformation size\n", __FUNCTION__);
    return NULL;
}
arrayOfModules = (PRTL_PROCESS_MODULES)ExAllocatePool(NonPagedPool, Bytes); // array of loaded kernel modules

// an allocation failure is reported by a NULL return; MmIsAddressValid is not a test for that
if (arrayOfModules == NULL)
{
    DbgPrint("pool isn't valid \n");
    return NULL;
}
RtlZeroMemory(arrayOfModules, Bytes);

Status = ZwQuerySystemInformation(SystemModuleInformation, arrayOfModules, Bytes, &Bytes);
```

Well, with a heap problem, just because this is where the problem was diagnosed does not mean this is where the problem occurred. You probably messed up the heap pointers at some earlier point. Or, maybe you have a double-free.

Your first DbgPrint has a %s that doesn’t match anything.

ffffcd8daabdb7f0 fffff8064992176e : fffff80649925e70 000000000000000e 0000000000000065 0000000000000003 : kernel!NIC::spoofMac+0x15 [C:\Users\user1\source\repos\MyDriver\Kernel\NIC.h @ 100]
ffffcd8daabdb8d0 fffff806363538f4 : ffffba0474146310 0000000000000000 ffffba0474146310 0000000000000000 : kernel!mapperEntry+0x1f [C:\Users\user1\source\repos\MyDriver\Kernel\Driver.cpp @ 162]

This person is writing a kernel driver to “bypass” hardware bans on triple-A games.
He is crashing when modifying his network adapter's MAC addresses.

No one will help you.

@ThatsBerkan said:

ffffcd8daabdb7f0 fffff8064992176e : fffff80649925e70 000000000000000e 0000000000000065 0000000000000003 : kernel!NIC::spoofMac+0x15 [C:\Users\user1\source\repos\MyDriver\Kernel\NIC.h @ 100]
ffffcd8daabdb8d0 fffff806363538f4 : ffffba0474146310 0000000000000000 ffffba0474146310 0000000000000000 : kernel!mapperEntry+0x1f [C:\Users\user1\source\repos\MyDriver\Kernel\Driver.cpp @ 162]

This person is writing a kernel driver to “bypass” hardware bans on triple-A games.
He is crashing when modifying his network adapter's MAC addresses.

No one will help you.

I managed to avoid this bug by walking PsLoadedModuleList rather than allocating any pools.

And by the way I successfully unbanned myself from ARMA

@driverwriter123 said:

@ThatsBerkan said:

ffffcd8daabdb7f0 fffff8064992176e : fffff80649925e70 000000000000000e 0000000000000065 0000000000000003 : kernel!NIC::spoofMac+0x15 [C:\Users\user1\source\repos\MyDriver\Kernel\NIC.h @ 100]
ffffcd8daabdb8d0 fffff806363538f4 : ffffba0474146310 0000000000000000 ffffba0474146310 0000000000000000 : kernel!mapperEntry+0x1f [C:\Users\user1\source\repos\MyDriver\Kernel\Driver.cpp @ 162]

This person is writing a kernel driver to “bypass” hardware bans on triple-A games.
He is crashing when modifying his network adapter's MAC addresses.

No one will help you.

I managed to avoid this bug by walking PsLoadedModuleList rather than allocating any pools.

And by the way I successfully unbanned myself from ARMA

You might want to learn how to code next time