Hi, all.
I got a bsod like this. I don’t know if it has relationship with my redirector minifilter fs filter. After my filter was removed, it doesnot happend any more.But I cannot find any clue that my filter cause this bsod.
I need some hint to move on.
Thanks in adv!
Alex.
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function’s return address and jumped back to an arbitrary
address when the function returned. This is the classic “buffer overrun”
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace – the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 997ac83f, Actual security check cookie from the stack
Arg2: 93339862, Expected security check cookie
Arg3: 6ccc679d, Complement of the expected security check cookie
Arg4: 00000000, zero
Debugging Details:
GSFAILURE_FUNCTION: luafv!CreateTableNode
GSFAILURE_RA_SMASHED: TRUE
GSFAILURE_MODULE_COOKIE: 93339862 luafv!__security_cookie [9333905c]
GSFAILURE_FRAME_COOKIE: ffffffff
SECURITY_COOKIE: Expected 93339862 found 997ac83f
GSFAILURE_ANALYSIS_TEXT: !gs output:
Corruption occurred in luafv!CreateTableNode or one of its callers
Analyzing __report_gsfailure frame (5)…
LEA usage: Function @0xFFFFFFFF9333EBAB-0xFFFFFFFF9333EFCA is NOT using LEA
Module canary at 0xFFFFFFFF9333905C (luafv!__security_cookie): 0x93339862
Complement at 0xFFFFFFFF93339060: 0x6CCC679D (matches OK)
couldn’t disassemble
Stack buffer overrun analysis completed successfully.
BUGCHECK_STR: STACK_BUFFER_OVERRUN
DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS
PROCESS_NAME: PPLive.exe
CURRENT_IRQL: 2
STACK_TEXT:
9d72c2dc 844d36d5 00000003 0a384b6e 00000065 nt!RtlpBreakWithStatusInstruction
9d72c32c 844d41d1 00000003 00000000 a04d9900 nt!KiBugCheckDebugBreak+0x1c
9d72c6f0 844d3574 000000f7 997ac83f 93339862 nt!KeBugCheck2+0x68b
9d72c714 93334fa2 000000f7 997ac83f 93339862 nt!KeBugCheckEx+0x1e
9d72c734 9333efca 00000000 00180018 a07dcd4e luafv!__report_gsfailure+0x25
9d72c828 93330000 a04d9900 a050b870 00000003 luafv!CreateTableNode+0x41f
9d72c854 891469ec 00520052 a05b01ae 9333e1f4 monitor! ?? ::NNGAKEGL::`string’ (monitor+0x8000)
9d72c860 9333e1f4 00540054 a05b01ac 00520052 fltmgr!FltReleasePushLock+0x3e
a05b01ae 00320047 00310030 002d0030 00300031 luafv!LuafvFindUserStore+0x2f3
WARNING: Frame IP not in any known module. Following frames may be wrong.
a05b01c2 00310030 0077002d 00720061 006c0066 0x320047
a05b01c6 0077002d 00720061 006c0066 00760079 0x310030
a05b01ca 00720061 006c0066 00760079 006c0073 0x77002d
a05b01ce 006c0066 00760079 006c0073 006e0079 0x720061
a05b01d2 00760079 006c0073 006e0079 0030005b 0x6c0066
a05b01d6 006c0073 006e0079 0030005b 002e005d 0x760079
a05b01da 006e0079 0030005b 002e005d 0070006d 0x6c0073
a05b01de 0030005b 002e005d 0070006d 002e0034 0x6e0079
a05b01e2 002e005d 0070006d 002e0034 00700074 0x30005b
a05b01e6 0070006d 002e0034 00700074 002e0070 0x2e005d
a05b01ea 002e0034 00700074 002e0070 00660063 0x70006d
a05b01ee 00700074 002e0070 00660063 00000067 0x2e0034
a05b01f2 002e0070 00660063 00000067 00630073 0x700074
a05b01f6 00660063 00000067 00630073 006e006f 0x2e0070
a05b01fa 00000000 00630073 006e006f 00690066 0x660063
STACK_COMMAND: kb
FOLLOWUP_IP:
luafv!CreateTableNode+41f
9333efca c9 leave
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: luafv!CreateTableNode+41f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: luafv
IMAGE_NAME: luafv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc020
FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f
BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f
Followup: MachineOwner
---------