KERNEL_SECURITY_CHECK_FAILURE for stack overrun

parsaparsa Member Posts: 50

Hi All,

I got this bugcheck and everything is 0, even the trap and exception records. How can I start analyzing this issue? Any help would be greatly appreciated.

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000000, A stack-based buffer has been overrun.
Arg2: 0000000000000000, Address of the trap frame for the exception that caused the bugcheck
Arg3: 0000000000000000, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

TRAP_FRAME: 0000000000000000 -- (.trap 0x0)

EXCEPTION_RECORD: 0000000000000000 -- (.exr 0x0)
STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 1b

FAILURE_BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

PRIMARY_PROBLEM_CLASS: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,448

    Which OS? If you build your driver targeting Win10 and try to load on an older release you get something like this.

    -scott
    OSR

  • parsaparsa Member Posts: 50

    From the !vertarget command output in the dump file.

    1: kd> vertarget
    Windows 10 Kernel Version 18362 MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 18362.1.amd64fre.19h1_release.190318-1202
    Machine Name:
    Kernel base = 0xfffff8067f000000 PsLoadedModuleList = 0xfffff8067f445e90
    Debug session time: Mon Apr 19 23:16:20.276 2021 (UTC - 4:00)
    System Uptime: 5 days 8:56:33.603

    The driver is also built for the Win10 version.

  • Scott_Noone_(OSR) Administrator Posts: 3,448

    OK, not that then.

    Does !analyze -v give you any other information? Do you have a log of anything happening in your driver before the crash?

    -scott
    OSR

  • parsaparsa Member Posts: 50

    This is !analyze -v output:

    KERNEL_SECURITY_CHECK_FAILURE (139)
    A kernel component has corrupted a critical data structure. The corruption
    could potentially allow a malicious user to gain control of this machine.
    Arguments:
    Arg1: 0000000000000000, A stack-based buffer has been overrun.
    Arg2: 0000000000000000, Address of the trap frame for the exception that caused the bugcheck
    Arg3: 0000000000000000, Address of the exception record for the exception that caused the bugcheck
    Arg4: 0000000000000000, Reserved

    Debugging Details:

    SYSTEM_VERSION: Lenovo Z70-80

    BIOS_VENDOR: LENOVO

    BIOS_VERSION: ABCN95WW

    BIOS_DATE: 07/31/2015

    BASEBOARD_MANUFACTURER: LENOVO

    BASEBOARD_PRODUCT: Lenovo Z70-80

    BASEBOARD_VERSION: SDK0J40709 WIN

    TRAP_FRAME: 0000000000000000 -- (.trap 0x0)

    EXCEPTION_RECORD: 0000000000000000 -- (.exr 0x0)
    Cannot read Exception record @ 0000000000000000

    CPU_COUNT: 4

    CPU_MHZ: 95a

    CPU_VENDOR: GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: 3d

    CPU_STEPPING: 4

    CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 2B'00000000 (cache) 2B'00000000 (init)

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    BUGCHECK_STR: 0x139

    PROCESS_NAME: System

    CURRENT_IRQL: 0

    ANALYSIS_SESSION_HOST: CLW-G4B6HR2

    ANALYSIS_SESSION_TIME: 04-20-2021 21:47:40.0960

    ANALYSIS_VERSION: 10.0.18362.1 amd64fre

    LAST_CONTROL_TRANSFER: from fffff8067f1cc4cb to fffff8067f1c3a90

    STACK_TEXT:
    ffffe109f602f748 fffff8067f1cc4cb : 0000000000000139 0000000000000000 0000000000000000 0000000000000000 : nt!KeBugCheckEx
    ffffe109f602f750 fffff8067f042076 : ffffa7810bdf3318 00000438e762bd7b 00000438e762e494 00000438e762e494 : nt!guard_icall_bugcheck+0x1b
    ffffe109f602f780 fffff8067f040a2e : 0000000000000003 0000000000000002 0000000000000000 0000000000000008 : nt!PpmIdleExecuteTransition+0x14a6
    ffffe109f602fac0 fffff8067f1c7584 : ffffffff00000000 ffffe7816a300180 ffffa781039a7080 0000000000000261 : nt!PoIdle+0x36e
    ffffe109f602fc20 0000000000000000 : ffffe109f6030000 ffffe109f6029000 0000000000000000 0000000000000000 : nt!KiIdleLoop+0x44

    FOLLOWUP_IP:
    nt!guard_icall_bugcheck+1b
    fffff806`7f1cc4cb 90 nop

    FAULT_INSTR_CODE: ccccc390

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: nt!guard_icall_bugcheck+1b

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 0

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 1b

    FAILURE_BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

    BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

    PRIMARY_PROBLEM_CLASS: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

    TARGET_TIME: 2021-04-20T03:16:20.000Z

    OSBUILD: 18362

    OSSERVICEPACK: 0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK: 784

    PRODUCT_TYPE: 1

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

    OS_LOCALE:

    USER_LCID: 0

    From this system I am getting different BSODs, but all are pointing to some memory corruption. Whenever I enable my driver, the system is bugchecking. One more BSOD is related to pool corruption.

    KERNEL_SECURITY_CHECK_FAILURE (139)
    A kernel component has corrupted a critical data structure. The corruption
    could potentially allow a malicious user to gain control of this machine.
    Arguments:
    Arg1: 000000000000001d, Type of memory safety violation
    Arg2: ffffec07a8247520, Address of the trap frame for the exception that caused the bugcheck
    Arg3: ffffec07a8247478, Address of the exception record for the exception that caused the bugcheck
    Arg4: 0000000000000000, Reserved

    Debugging Details:

    KEY_VALUES_STRING: 1

    PROCESSES_ANALYSIS: 1

    SERVICE_ANALYSIS: 1

    STACKHASH_ANALYSIS: 1

    TIMELINE_ANALYSIS: 1

    DUMP_CLASS: 1

    DUMP_QUALIFIER: 401

    BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202

    SYSTEM_MANUFACTURER: LENOVO

    SYSTEM_PRODUCT_NAME: 80FG

    SYSTEM_SKU: LENOVO_MT_80FG_BU_idea_FM_Lenovo Z70-80

    SYSTEM_VERSION: Lenovo Z70-80

    BIOS_VENDOR: LENOVO

    BIOS_VERSION: ABCN95WW

    BIOS_DATE: 07/31/2015

    BASEBOARD_MANUFACTURER: LENOVO

    BASEBOARD_PRODUCT: Lenovo Z70-80

    BASEBOARD_VERSION: SDK0J40709 WIN

    DUMP_TYPE: 1

    BUGCHECK_P1: 1d

    BUGCHECK_P2: ffffec07a8247520

    BUGCHECK_P3: ffffec07a8247478

    BUGCHECK_P4: 0

    TRAP_FRAME: ffffec07a8247520 -- (.trap 0xffffec07a8247520)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=000000000000001d
    rdx=ffffa6046312de48 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80411e0c9a3 rsp=ffffec07a82476b8 rbp=0000000000000040
    r8=0000000000000000 r9=0000000000000000 r10=ffffa604620ed7f8
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei pl nz ac po cy
    nt!RtlRbRemoveNode+0x199a93:
    fffff804`11e0c9a3 cd29 int 29h
    Resetting default scope

    EXCEPTION_RECORD: ffffec07a8247478 -- (.exr 0xffffec07a8247478)
    ExceptionAddress: fffff80411e0c9a3 (nt!RtlRbRemoveNode+0x0000000000199a93)
    ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
    ExceptionFlags: 00000001
    NumberParameters: 1
    Parameter[0]: 000000000000001d
    Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE

    CPU_COUNT: 4

    CPU_MHZ: 95a

    CPU_VENDOR: GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: 3d

    CPU_STEPPING: 4

    CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 2B'00000000 (cache) 2B'00000000 (init)

    BUGCHECK_STR: 0x139

    PROCESS_NAME: DrvIstService.exe

    CURRENT_IRQL: 2

    DEFAULT_BUCKET_ID: FAIL_FAST_INVALID_BALANCED_TREE

    ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

    EXCEPTION_CODE_STR: c0000409

    EXCEPTION_PARAMETER1: 000000000000001d

    ANALYSIS_SESSION_HOST: CLW-G4B6HR2

    ANALYSIS_SESSION_TIME: 04-20-2021 22:36:27.0437

    ANALYSIS_VERSION: 10.0.18362.1 amd64fre

    DPC_STACK_BASE: FFFFEC07A8247FB0

    LAST_CONTROL_TRANSFER: from fffff80411dd5929 to fffff80411dc3a90

    STACK_TEXT:
    ffffec07a82471f8 fffff80411dd5929 : 0000000000000139 000000000000001d ffffec07a8247520 ffffec07a8247478 : nt!KeBugCheckEx
    ffffec07a8247200 fffff80411dd5d50 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
    ffffec07a8247340 fffff80411dd40e3 : 0000000000005231 fffff80414f3f590 ffffa604569518e0 0000000000000000 : nt!KiFastFailDispatch+0xd0
    ffffec07a8247520 fffff80411e0c9a3 : 00000026001a0000 0001001a00400001 fffff80411c72c90 0000000000000040 : nt!KiRaiseSecurityCheckFailure+0x323
    ffffec07a82476b8 fffff80411c72c90 : 0000000000000040 ffffa6046312dfe0 0000000000000000 ffffa6046312de40 : nt!RtlRbRemoveNode+0x199a93
    ffffec07a82476d0 fffff80411c7274a : ffffa60455802280 ffffa60455802280 ffffa60456d02c00 ffffec07a82477e0 : nt!RtlpHpVsChunkCoalesce+0xb0
    ffffec07a8247740 fffff80411c749bd : ffffec070000003e fffff80400000000 ffffa6046b7dfb73 0000000000000000 : nt!RtlpHpVsContextFree+0x18a
    ffffec07a82477e0 fffff80411f6e0a9 : ffffffffffffffff ffffca01000003b0 ffffa6046b7ea910 0100000000100000 : nt!ExFreeHeapPool+0x56d
    ffffec07a8247900 fffff804126d3fce : 0000000000000000 ffffa604567e09d0 ffffec07a8247b00 0000000000000001 : nt!ExFreePool+0x9
    ffffec07a8247930 fffff804126b844b : 0000000000000000 ffffec07a8247b00 0000000000000001 ffffa604567e09d0 : hal!HalPutScatterGatherListV3+0x12c76
    ffffec07a8247980 fffff80414f29e5f : 0000000000000000 0000000000989680 ffffec07a8247b00 ffffa6045686c1f0 : hal!HalPutScatterGatherList+0x5b
    ffffec07a8247a00 fffff80414f3ec0b : ffffa6045b9f9348 0000000000000000 0000000000000000 ffffca01ee7fa020 : storport!RaidUnitCompleteRequest+0x8df
    ffffec07a8247ba0 fffff80411cc5b2a : ffffa6045688d100 ffffa604560da000 ffffca01edba5f90 ffffca0100000002 : storport!RaidpAdapterRedirectDpcRoutine+0x8b
    ffffec07a8247c40 fffff80411cc517f : 0000000000000018 0000000000989680 ffffec07a8247e80 fffff8040e3b9800 : nt!KiExecuteAllDpcs+0x30a
    ffffec07a8247d80 fffff80411dcaa95 : 0000000000000000 ffffca01edba0180 0000000000000000 0000000008b28e25 : nt!KiRetireDpcList+0x1ef
    ffffec07a8247fb0 fffff80411dca880 : 000001cb80b72006 0000000000002007 000001cb80b70000 000001cb80b71f47 : nt!KxRetireDpcList+0x5
    ffffec07aaacfa90 fffff80411dc9f4e : 0000000000000000 ffffec0700000001 0000000000000048 ffffec07aaacfb40 : nt!KiDispatchInterruptContinue
    ffffec07aaacfac0 00000000554ed431 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDpcInterrupt+0x2ee
    00000028363fe580 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x554ed431

    THREAD_SHA1_HASH_MOD_FUNC: 10b899fcccfea3bbeb9235411a26acda53c52f28

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 12ad10d19feb0057bedf82792633eff299a06e1f

    THREAD_SHA1_HASH_MOD: f74a78403b304dde9bcdd08279d10fd74687aa3c

    FOLLOWUP_IP:
    nt!ExFreePool+9
    fffff804`11f6e0a9 4883c428 add rsp,28h

    FAULT_INSTR_CODE: 28c48348

    SYMBOL_STACK_INDEX: 8

    SYMBOL_NAME: nt!ExFreePool+9

    FOLLOWUP_NAME: Pool_corruption

    IMAGE_NAME: Pool_Corruption

    DEBUG_FLR_IMAGE_TIMESTAMP: 0

    MODULE_NAME: Pool_Corruption

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 9

    FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!ExFreePool

    BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!ExFreePool

    PRIMARY_PROBLEM_CLASS: 0x139_1d_INVALID_BALANCED_TREE_nt!ExFreePool

    TARGET_TIME: 2021-03-30T15:32:59.000Z

  • Scott_Noone_(OSR) Administrator Posts: 3,448

    Have you enabled Driver Verifier on your driver? That's the place to start when you have a pool corruption.

    -scott
    OSR
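
The Driver Verifier step suggested above, as an added example that is not part of the thread: the commands below are the stock verifier.exe switches (/standard, /flags, /driver, /querysettings, /reset); the driver file name is a placeholder, since the thread never names the driver. The point of Special Pool for a FAIL_FAST_INVALID_BALANCED_TREE at nt!ExFreePool is that the bugcheck moves from the later free, where the heap notices the damage, to the out-of-bounds write itself, so the faulting frame lands in the driver's own code.

```powershell
# Added example, not from the thread. Run from an elevated prompt;
# Driver Verifier settings take effect at the next boot.

# Placeholder: replace with the file name of the driver under test.
$driver = 'yourdriver.sys'

# Standard settings: Special Pool, Force IRQL Checking, Pool Tracking,
# I/O Verification, Deadlock Detection, DMA Checking, Security Checks,
# Miscellaneous Checks.
verifier /standard /driver $driver

# Alternative: choose the checks explicitly. The bitmask here is
# 0x1 Special Pool | 0x2 Force IRQL Checking | 0x8 Pool Tracking |
# 0x100 Security Checks = 0x10B.
# verifier /flags 0x10B /driver $driver

# Confirm which drivers and flags will be verified after the reboot.
verifier /querysettings

# After reproducing the crash, load the new dump in WinDbg and run
# !analyze -v again; with verifier active the bucket should now point
# at the driver rather than at nt!ExFreePool or Pool_Corruption.

# When the investigation is finished, turn verification off (reboot again):
# verifier /reset
```

Expect the verified driver to run noticeably slower and to hit additional bugchecks for defects that were previously silent (IRQL misuse, leaked pool at unload); those are the findings, not noise. Keep the verified driver list to the driver under test so the system stays usable.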
