bug check 0xa(0, 2, 8, ?)

I have a crash dump synthesized from a xen core dump. Some information is lost in the core dump, so I am not sure of the crash dump code exactly (can’t get to the console right now to confirm).

Is there such a thing as a bug check 0xA with the third parameter as an 8? The docs say it can be 0 or 1. From what I understand that would imply that the access was not read or write but execute, and therefore executing a null address. That would probably explain the stack trace too:

fffff88002e62c18 fffff80002e7d1a9 : 000000000000000a 0000000000000000 0000000000000002 0000000000000008 : nt!KeBugCheckEx
fffff88002e62c20 fffff80002e7be20 : fffffa8000d4f8e0 0000000000000000 fffff88000e317f0 fffff880009e8180 : nt!KiBugCheckDispatch+0x69
fffff88002e62d60 0000000000000000 : fffff80002e882fc fffff880009e8180 0000000000000000 fffff88000e33fc0 : nt!KiPageFault+0x260

thanks

James
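As an added example (not part of the original thread), the small triage script below parses the three `kb`-style frames from the post above, decodes the visible `KeBugCheckEx` arguments for bug check 0xA, and records what can and cannot be concluded from them. It deliberately maps only the documented parameter-3 values (0 = read, 1 = write); the value 8 is reported as undocumented, with the thread's unconfirmed "execute" reading noted as such. Two details are assumptions labelled in the comments: that the four argument columns `kb` prints are the register home slots (so parameter 4 is simply not visible, matching the `?` in the subject), and that a zero return address on the `KiPageFault` frame is consistent with, but not proof of, a null instruction pointer.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the three kb-style frames quoted in the post,
# embedded inline so the script runs offline.
SAMPLE_KB = """\
fffff88002e62c18 fffff80002e7d1a9 : 000000000000000a 0000000000000000 0000000000000002 0000000000000008 : nt!KeBugCheckEx
fffff88002e62c20 fffff80002e7be20 : fffffa8000d4f8e0 0000000000000000 fffff88000e317f0 fffff880009e8180 : nt!KiBugCheckDispatch+0x69
fffff88002e62d60 0000000000000000 : fffff80002e882fc fffff880009e8180 0000000000000000 fffff88000e33fc0 : nt!KiPageFault+0x260
"""

# One x64 kb frame: child-SP, return address, four argument columns, symbol.
FRAME_RE = re.compile(
    r"^\s*([0-9a-f]{16})\s+([0-9a-f]{16})\s*:\s*"
    r"([0-9a-f]{16})\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+([0-9a-f]{16})"
    r"\s*:\s*(\S+)\s*$",
    re.IGNORECASE,
)

# Parameter 3 of bug check 0xA as documented in the docs the poster cites.
# 8 is deliberately absent: the thread's reading of it ("execute") is unconfirmed.
ACCESS_TYPE_0A = {0: "read", 1: "write"}

# x64 IRQL names for the low values that appear in parameter 2.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}


@dataclass
class Frame:
    child_sp: int
    ret_addr: int
    args: List[int]
    symbol: str


def parse_kb(text: str) -> List[Frame]:
    """Parse kb output into Frame records, skipping lines that are not frames."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frames.append(Frame(
            child_sp=int(m.group(1), 16),
            ret_addr=int(m.group(2), 16),
            args=[int(m.group(i), 16) for i in range(3, 7)],
            symbol=m.group(7),
        ))
    return frames


def analyze_0a(frames: List[Frame]) -> dict:
    """Decode the KeBugCheckEx arguments of a 0xA crash and note what the
    KiPageFault frame adds. Raises ValueError if the trace is not a 0xA crash."""
    bc = next((f for f in frames if f.symbol.endswith("KeBugCheckEx")), None)
    if bc is None:
        raise ValueError("no KeBugCheckEx frame in trace")
    code, p1, p2, p3 = bc.args
    if code != 0xA:
        raise ValueError(f"not bug check 0xA (got 0x{code:x})")

    # Assumption: kb shows four argument columns and the bug check code uses
    # one of them, so parameter 4 (the address of the referencing instruction)
    # is not visible here; that is the '?' in the subject line.
    access = ACCESS_TYPE_0A.get(
        p3, f"value {p3}: undocumented for 0xA (thread's unconfirmed reading: execute)")

    pf = next((f for f in frames if "KiPageFault" in f.symbol), None)
    return {
        "code": code,
        "referenced_address": p1,
        "irql": p2,
        "irql_name": IRQL_NAMES.get(p2, "unknown"),
        "access_type": access,
        "referencing_address": None,
        "null_reference": p1 == 0,
        # Assumption/inference: a zero return address on the KiPageFault frame
        # is consistent with the trapped instruction pointer itself being null,
        # i.e. a call or jump through a null function pointer. It is not proof.
        "pagefault_return_is_null": pf is not None and pf.ret_addr == 0,
    }


if __name__ == "__main__":
    for key, value in analyze_0a(parse_kb(SAMPLE_KB)).items():
        if isinstance(value, int) and not isinstance(value, bool):
            print(f"{key}: {value:#x}")
        else:
            print(f"{key}: {value}")
```

Run it as-is to get the decoded fields for the sample; feed it any other x64 `kb` output via `parse_kb` to apply the same checks. The point of keeping 8 out of `ACCESS_TYPE_0A` is that a triage tool should surface "not in the docs" explicitly rather than silently adopt a guess.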

IIRC value 8 may mean execution of code at the fault address.
– pa

On 10-Dec-2013 13:03, James Harper wrote:

> I have a crash dump synthesized from a xen core dump. Some information is lost in the core dump, so I am not sure of the crash dump code exactly (can’t get to the console right now to confirm).
>
> Is there such a thing as a bug check 0xA with the third parameter as an 8? The docs say it can be 0 or 1. From what I understand that would imply that the access was not read or write but execute, and therefore executing a null address. That would probably explain the stack trace too:
>
> fffff88002e62c18 fffff80002e7d1a9 : 000000000000000a 0000000000000000 0000000000000002 0000000000000008 : nt!KeBugCheckEx
> fffff88002e62c20 fffff80002e7be20 : fffffa8000d4f8e0 0000000000000000 fffff88000e317f0 fffff880009e8180 : nt!KiBugCheckDispatch+0x69
> fffff88002e62d60 0000000000000000 : fffff80002e882fc fffff880009e8180 0000000000000000 fffff88000e33fc0 : nt!KiPageFault+0x260
>
> thanks
>
> James

> IIRC value 8 may mean execution of code at the fault address.
> – pa

That was my assumption based on the same value in other bug check codes. It’s not documented for 0xA though…

James

Maybe you registered a bugcheck callback, but the function pointer went to NULL?

> IIRC value 8 may mean execution of code at the fault address.

– pa

On 10-Dec-2013 13:03, James Harper wrote:
> I have a crash dump synthesized from a xen core dump. Some information
> is lost in the core dump, so I am not sure of the crash dump code
> exactly (can’t get to the console right now to confirm).
>
> Is there such a thing as a bug check 0xA with the third parameter as an
> 8? The docs say it can be 0 or 1. From what I understand that would
> imply that the access was not read or write but execute, and therefore
> executing a null address. That would probably explain the stack trace
> too:

It might mean you are running with the no-execute mode on. The general
purpose of this is to prevent execution of code on the stack, and I don’t
know if it extends to the heap. But if a buffer overrun clobbers a
return address and sets it to zero, then this might be the kind of error
that happens, which makes me suspect the docs are not-quite-up-to-date
(and, as we know, that NEVER happens…)

In this case, the analysis of a bad callback address seems quite credible.
joe

>
> fffff88002e62c18 fffff80002e7d1a9 : 000000000000000a 0000000000000000 0000000000000002 0000000000000008 : nt!KeBugCheckEx
> fffff88002e62c20 fffff80002e7be20 : fffffa8000d4f8e0 0000000000000000 fffff88000e317f0 fffff880009e8180 : nt!KiBugCheckDispatch+0x69
> fffff88002e62d60 0000000000000000 : fffff80002e882fc fffff880009e8180 0000000000000000 fffff88000e33fc0 : nt!KiPageFault+0x260
>
> thanks
>
> James
>


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
