Stack overrun of luafv.sys

Hi, all.

I got a BSOD like this. I don't know if it has any relationship with my redirector minifilter FS filter. After my filter was removed, it does not happen any more. But I cannot find any clue that my filter causes this BSOD.

I need some hint to move on.
Thanks in advance!

Alex.

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function’s return address and jumped back to an arbitrary
address when the function returned. This is the classic “buffer overrun”
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace – the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 997ac83f, Actual security check cookie from the stack
Arg2: 93339862, Expected security check cookie
Arg3: 6ccc679d, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:

GSFAILURE_FUNCTION: luafv!CreateTableNode

GSFAILURE_RA_SMASHED: TRUE

GSFAILURE_MODULE_COOKIE: 93339862 luafv!__security_cookie [9333905c]

GSFAILURE_FRAME_COOKIE: ffffffff

SECURITY_COOKIE: Expected 93339862 found 997ac83f

GSFAILURE_ANALYSIS_TEXT: !gs output:
Corruption occurred in luafv!CreateTableNode or one of its callers

Analyzing __report_gsfailure frame (5)…
LEA usage: Function @0xFFFFFFFF9333EBAB-0xFFFFFFFF9333EFCA is NOT using LEA
Module canary at 0xFFFFFFFF9333905C (luafv!__security_cookie): 0x93339862
Complement at 0xFFFFFFFF93339060: 0x6CCC679D (matches OK)
couldn’t disassemble

Stack buffer overrun analysis completed successfully.

BUGCHECK_STR: STACK_BUFFER_OVERRUN

DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

PROCESS_NAME: PPLive.exe

CURRENT_IRQL: 2

STACK_TEXT:
9d72c2dc 844d36d5 00000003 0a384b6e 00000065 nt!RtlpBreakWithStatusInstruction
9d72c32c 844d41d1 00000003 00000000 a04d9900 nt!KiBugCheckDebugBreak+0x1c
9d72c6f0 844d3574 000000f7 997ac83f 93339862 nt!KeBugCheck2+0x68b
9d72c714 93334fa2 000000f7 997ac83f 93339862 nt!KeBugCheckEx+0x1e
9d72c734 9333efca 00000000 00180018 a07dcd4e luafv!__report_gsfailure+0x25
9d72c828 93330000 a04d9900 a050b870 00000003 luafv!CreateTableNode+0x41f
9d72c854 891469ec 00520052 a05b01ae 9333e1f4 monitor! ?? ::NNGAKEGL::`string’ (monitor+0x8000)
9d72c860 9333e1f4 00540054 a05b01ac 00520052 fltmgr!FltReleasePushLock+0x3e
a05b01ae 00320047 00310030 002d0030 00300031 luafv!LuafvFindUserStore+0x2f3
WARNING: Frame IP not in any known module. Following frames may be wrong.
a05b01c2 00310030 0077002d 00720061 006c0066 0x320047
a05b01c6 0077002d 00720061 006c0066 00760079 0x310030
a05b01ca 00720061 006c0066 00760079 006c0073 0x77002d
a05b01ce 006c0066 00760079 006c0073 006e0079 0x720061
a05b01d2 00760079 006c0073 006e0079 0030005b 0x6c0066
a05b01d6 006c0073 006e0079 0030005b 002e005d 0x760079
a05b01da 006e0079 0030005b 002e005d 0070006d 0x6c0073
a05b01de 0030005b 002e005d 0070006d 002e0034 0x6e0079
a05b01e2 002e005d 0070006d 002e0034 00700074 0x30005b
a05b01e6 0070006d 002e0034 00700074 002e0070 0x2e005d
a05b01ea 002e0034 00700074 002e0070 00660063 0x70006d
a05b01ee 00700074 002e0070 00660063 00000067 0x2e0034
a05b01f2 002e0070 00660063 00000067 00630073 0x700074
a05b01f6 00660063 00000067 00630073 006e006f 0x2e0070
a05b01fa 00000000 00630073 006e006f 00690066 0x660063

STACK_COMMAND: kb

FOLLOWUP_IP:
luafv!CreateTableNode+41f
9333efca c9 leave

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: luafv!CreateTableNode+41f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: luafv

IMAGE_NAME: luafv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc020

FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f

BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f

Followup: MachineOwner
---------

And here it came again:

kd> !analyze -v
Connected to Windows 7 7600 x86 compatible target at (Mon Oct 4 23:24:42.244 2010 (UTC + 8:00)), ptr64 FALSE
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function’s return address and jumped back to an arbitrary
address when the function returned. This is the classic “buffer overrun”
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace – the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: a668c83f, Actual security check cookie from the stack
Arg2: 9831d7a1, Expected security check cookie
Arg3: 67ce285e, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:

*** ERROR: Symbol file could not be found. Defaulted to export symbols for peer.dll -

GSFAILURE_FUNCTION: luafv!CreateTableNode

GSFAILURE_RA_SMASHED: TRUE

GSFAILURE_MODULE_COOKIE: 9831d7a1 luafv!__security_cookie [9831d05c]

GSFAILURE_FRAME_COOKIE: ffffffff

SECURITY_COOKIE: Expected 9831d7a1 found a668c83f

GSFAILURE_ANALYSIS_TEXT: !gs output:
Corruption occurred in luafv!CreateTableNode or one of its callers

Analyzing __report_gsfailure frame (5)…
LEA usage: Function @0xFFFFFFFF98322BAB-0xFFFFFFFF98322FCA is NOT using LEA
Module canary at 0xFFFFFFFF9831D05C (luafv!__security_cookie): 0x9831D7A1
Complement at 0xFFFFFFFF9831D060: 0x67CE285E (matches OK)
couldn’t disassemble

Stack buffer overrun analysis completed successfully.

BUGCHECK_STR: STACK_BUFFER_OVERRUN

DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

PROCESS_NAME: PPLive.exe

CURRENT_IRQL: 2

STACK_TEXT:
a264c2dc 8450a6d5 00000003 18896eb1 00000065 nt!RtlpBreakWithStatusInstruction
a264c32c 8450b1d1 00000003 00000000 9f0a3858 nt!KiBugCheckDebugBreak+0x1c
a264c6f0 8450a574 000000f7 a668c83f 9831d7a1 nt!KeBugCheck2+0x68b
a264c714 98318fa2 000000f7 a668c83f 9831d7a1 nt!KeBugCheckEx+0x1e
a264c734 98322fca 00000000 00180018 9f3c14fe luafv!__report_gsfailure+0x25
a264c828 98320000 9f0a3858 9dcd6598 00000003 luafv!CreateTableNode+0x41f
a264c8e4 89185a7b 00000000 a264c928 00000000 luafv!LuafvScavengeFileTable+0x1b9
a264c8fc a282c9e8 00000000 a264c900 91110cd4 Ntfs!NtfsExtendedCompleteRequestInternal+0x107
WARNING: Frame IP not in any known module. Following frames may be wrong.
a264c924 9831f7ae 9b923c60 00000000 a264c954 0xa282c9e8
a264c9ac 89136aeb 85ea0528 0064c9cc a264c9f8 luafv!LuafvQueryVirtualizationCaller+0x51
a264ca18 891399f0 a264ca5c 85e944c8 00000000 fltmgr!FltpPerformPreCallbacks+0x34d
a264ca30 8914d1fe a264ca5c 89150f3c 00000000 fltmgr!FltpPassThroughInternal+0x40
a264ca44 8914d8b7 a264ca5c 85e944c8 85da38e0 fltmgr!FltpCreateInternal+0x24
a264ca88 84467f44 872a1490 87271ae0 85da393c fltmgr!FltpCreate+0x2c9
a264caa0 8463b7ad 188966e5 a264cc48 00000000 nt!IofCallDriver+0x63
a264cb78 8463e988 872595b0 85bcb588 85e74008 nt!IopParseDevice+0xed7
a264cbf4 8467d354 00000000 a264cc48 00000040 nt!ObpLookupObjectName+0x4fa
a264cc50 84638d4e 0579f650 85bcb588 83e24b01 nt!ObOpenObjectByName+0x165
a264cccc 8468ef55 0579f698 00010080 0579f650 nt!IopCreateFile+0x673
a264cd14 8446e79a 0579f698 00010080 0579f650 nt!NtOpenFile+0x2a
a264cd14 76ec64f4 0579f698 00010080 0579f650 nt!KiFastCallEntry+0x12a
0579f620 76ec514c 7503f77e 0579f698 00010080 ntdll!KiFastSystemCallRet
0579f624 7503f77e 0579f698 00010080 0579f650 ntdll!NtOpenFile+0xc
0579f6a0 04f6639c 05411bd0 6b081788 0579f9a8 KERNELBASE!DeleteFileW+0xa9
00000000 00000000 00000000 00000000 00000000 peer!TS_XXXX+0x10060c

STACK_COMMAND: kb

FOLLOWUP_IP:
luafv!CreateTableNode+41f
98322fca c9 leave

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: luafv!CreateTableNode+41f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: luafv

IMAGE_NAME: luafv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc020

FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f

BUCKET_ID: STACK_BUFFER_OVERRUN_MISMATCH_GSCOOKIE_luafv!CreateTableNode+41f

Followup: MachineOwner

Well, the bugcheck analysis says something is overrunning the stack.

I would review my code to make sure I’m not overwriting anything and that
I’m not passing some stack-based variable to any asynchronous function
without waiting.

The value the security cookie was overwritten with in this bugcheck was
0xa668c83f and in the previous one was 0x997ac83f. This might provide some
hint as to what was overwriting it. Because it's unlikely that only the
security cookie was overwritten, you could also look around the security
cookie some more to get more data which might help you identify what it was
that overwrote it.

Thanks,
Alex.
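The advice above, to look at the data around the smashed cookie, can be applied to the first dump in this thread directly: the frames printed after the "Frame IP not in any known module" warning are not return addresses at all but raw stack contents, and every value there has the shape 00xx00yy. The script below is an added example, not code from the thread or from any poster. It takes those kb lines as copied from the first dump, rebuilds the contiguous stack bytes using the x86 kb layout (return address at ChildEBP+4, the three displayed arguments at +8, +0xc and +0x10), decodes them as UTF-16LE, and flags where consecutive frames disagreed about a value. All function names are mine.

```python
import re
import struct

# Frames printed below "WARNING: Frame IP not in any known module" in the
# first dump of this thread.  The values are copied from the page; the
# reconstruction and decoding below are an added example, not the poster's.
KB_LINES = """\
a05b01ae 00320047 00310030 002d0030 00300031 luafv!LuafvFindUserStore+0x2f3
WARNING: Frame IP not in any known module. Following frames may be wrong.
a05b01c2 00310030 0077002d 00720061 006c0066 0x320047
a05b01c6 0077002d 00720061 006c0066 00760079 0x310030
a05b01ca 00720061 006c0066 00760079 006c0073 0x77002d
a05b01ce 006c0066 00760079 006c0073 006e0079 0x720061
a05b01d2 00760079 006c0073 006e0079 0030005b 0x6c0066
a05b01d6 006c0073 006e0079 0030005b 002e005d 0x760079
a05b01da 006e0079 0030005b 002e005d 0070006d 0x6c0073
a05b01de 0030005b 002e005d 0070006d 002e0034 0x6e0079
a05b01e2 002e005d 0070006d 002e0034 00700074 0x30005b
a05b01e6 0070006d 002e0034 00700074 002e0070 0x2e005d
a05b01ea 002e0034 00700074 002e0070 00660063 0x70006d
a05b01ee 00700074 002e0070 00660063 00000067 0x2e0034
a05b01f2 002e0070 00660063 00000067 00630073 0x700074
a05b01f6 00660063 00000067 00630073 006e006f 0x2e0070
a05b01fa 00000000 00630073 006e006f 00690066 0x660063
"""

# ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol  (x86 `kb` layout)
FRAME_RE = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ")


def reconstruct_stack(kb_text):
    """Rebuild a sparse image of stack memory from x86 `kb` frame lines.

    In the 32-bit frame layout the return address lives at ChildEBP+4 and the
    three displayed arguments at ChildEBP+8, +0xc and +0x10.  The first value
    seen for an address wins; later disagreements are returned as conflicts so
    the analyst can see where the unwinder was guessing.
    """
    memory = {}
    conflicts = []
    for line in kb_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # warning lines, headers, anything that is not a frame
        child_ebp = int(m.group(1), 16)
        for i, field in enumerate(m.groups()[1:5]):
            addr = child_ebp + 4 * (i + 1)
            value = int(field, 16)
            if addr in memory and memory[addr] != value:
                conflicts.append((addr, memory[addr], value))
            memory.setdefault(addr, value)
    return memory, conflicts


def contiguous_runs(memory):
    """Group the dwords into runs of adjacent addresses as (start, bytes)."""
    runs = []
    for addr in sorted(memory):
        chunk = struct.pack("<I", memory[addr])  # little-endian, as on x86
        if runs and runs[-1][0] + len(runs[-1][1]) == addr:
            runs[-1][1].extend(chunk)
        else:
            runs.append((addr, bytearray(chunk)))
    return [(start, bytes(buf)) for start, buf in runs]


def decode_as_utf16(memory):
    """Decode every contiguous run as UTF-16LE, the encoding of a Windows
    UNICODE_STRING buffer; returns [(start_address, text), ...]."""
    return [(start, buf.decode("utf-16-le", errors="replace"))
            for start, buf in contiguous_runs(memory)]


def looks_like_wide_text(text, threshold=0.9):
    """True if almost every decoded code unit is printable ASCII, i.e. the
    bytes are far more likely to be a string than code or pointers."""
    if not text:
        return False
    printable = sum(1 for ch in text if 0x20 <= ord(ch) < 0x7f)
    return printable / len(text) >= threshold


def analyse(kb_text=KB_LINES):
    """Full pipeline: kb text -> decoded runs plus unwinder conflicts."""
    memory, conflicts = reconstruct_stack(kb_text)
    return decode_as_utf16(memory), conflicts


if __name__ == "__main__":
    runs, conflicts = analyse()
    for start, text in runs:
        print(f"{start:08x}: {text!r}  text={looks_like_wide_text(text)}")
    for addr, first, later in conflicts:
        print(f"conflict at {addr:08x}: {first:08x} vs {later:08x}")
```

Run against the page's own frames, the bytes that replaced the return address decode as printable wide-character text containing digits, hyphens, brackets and ".mp4", with a NUL and the start of a second string right behind it: exactly what a file name or path copied into an undersized stack buffer looks like, and consistent with the analysis text's "RA_SMASHED: TRUE". The one conflict the script reports (the last frame reads 0 where the frame before it read 0x67) marks where kb's heuristic walk stopped being meaningful. It also fits the point above about the two overwritten cookie values: 0x997ac83f and 0xa668c83f share their low 16 bits, 0xc83f, which is what one would expect if the same kind of data was landing on the stack in both crashes.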

Probably something is going wrong in luafv!GetFileInformation when your filter is present? Also note that in both crashes, PPLive is the active process.

Satya
http://www.winprogger.com

Thanks!

I am following your advice :)

Alex.

Hi, guys!

Thanks for your advice!
I've fixed the BSOD. It was indeed caused by my filter.

Thanks very much :)

Alex.

Hey, Alex! Please teach me.
How did you solve your problem? I have the same problem.

It's debugging 201. In user mode I'd look for negative offsets for arrays declared on the stack. I'd look to see what the value being overwritten was and see whether it was meaningful for me. I'd wonder about repeatability and use data access breakpoints.