Calling KeWaitForSingleObject, KeDelayExecutionThread, etc cause an access violation

Hey all,

This is a new problem that hasn’t happened to me before. When I call one of the synchronization routines, like KeWaitForSingleObject, KeDelayExecutionThread, while debugging, WinDbg breaks and shows KiSwapContext threw an access violation.

Access violation - code c0000005 (!!! second chance !!!)
nt!KiSwapContext+0xf:

fffff800`021c81ff 0f29742430 movaps  xmmword ptr [rsp+30h],xmm6

The actual driver code goes along something like this:

/* This is DriverEntry */

_disable();                              // clear IF: no interrupts on this processor
// Do stuff with no interrupts here
_enable();                               // set IF again

KIRQL old = KeRaiseIrqlToDpcLevel();     // returns the previous IRQL
// Do stuff with IRQL DISPATCH_LEVEL
KeLowerIrql(PASSIVE_LEVEL);              // lower IRQL so a wait is allowed below

// waiting on a thread object; this is the line that faults inside KiSwapContext
KeWaitForSingleObject(threadObject, Executive, KernelMode, FALSE, NULL);

If anyone knows why the last line is causing access violations within KiSwapContext, that’d be great.

KeLowerIrql(PASSIVE_LEVEL);

That’s wrong. It should be KeLowerIrql(old);

The mere fact that you have _disable() and _enable() in there tells me you’re doing some dirty BS in here. No respectable driver would ever use those.
Without seeing all of the code, none of us will be able to help.

Hey,

I’m sorry I wasted your guys’ time. I found the problem.

Thanks.

Will you share, in case it helps someone else?

The problem was some assembly code I had written. I was using assembly because I wasn’t aware that an intrinsic existed for my purpose.
Anyways, I did not align the stack on a 16 byte boundary like x64 requires, which is why a fault was caused.
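The root cause above (a hand-written call made with RSP not 16-byte aligned, so the callee's `movaps xmmword ptr [rsp+30h], xmm6` raises #GP, which the debugger reports as an access violation) can be checked with plain arithmetic. The following is an added, user-mode C example and is not code from the thread: it models the x64 calling convention (RSP is 16-byte aligned at a CALL instruction, so the callee sees RSP ≡ 8 mod 16 on entry), a compiled callee prologue that spills xmm6 at [rsp+30h], and a hand-written caller that pushes a few 8-byte values before calling. The starting RSP value, the callee frame size of 0x58 and the push counts are constructed for the example; the spill offset 0x30 is the one from the WinDbg output in the thread.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* x64 ABI: RSP must be 16-byte aligned when a CALL executes.  The CALL pushes an
   8-byte return address, so a callee sees RSP == 8 (mod 16) on entry and its
   compiled prologue relies on that when it picks its frame size. */
#define STACK_ALIGN 16u

/* Is this RSP value legal at a CALL instruction? */
bool call_site_aligned(uintptr_t rsp_at_call)
{
    return rsp_at_call % STACK_ALIGN == 0;
}

/* RSP the callee sees after CALL pushed the 8-byte return address. */
uintptr_t callee_entry_rsp(uintptr_t rsp_at_call)
{
    return rsp_at_call - 8;
}

/* Model of a compiled prologue: `sub rsp, frame_size` followed by
   `movaps xmmword ptr [rsp+spill_off], xmm6`.  MOVAPS requires a 16-byte
   aligned address and raises #GP otherwise (shown as c0000005 in WinDbg).
   Returns true if the spill would fault. */
bool movaps_spill_faults(uintptr_t entry_rsp, uintptr_t frame_size, uintptr_t spill_off)
{
    uintptr_t slot = entry_rsp - frame_size + spill_off;
    return slot % STACK_ALIGN != 0;
}

/* Model of a hand-written caller: it was entered with a correct RSP (== 8 mod 16),
   pushes n 8-byte values, then executes CALL.  Returns RSP at the CALL. */
uintptr_t rsp_after_pushes(uintptr_t entry_rsp, unsigned n_pushes)
{
    return entry_rsp - 8u * (uintptr_t)n_pushes;
}

/* The usual fix in hand-written assembly: save RSP, then `and rsp, -16`
   (after which shadow space / arguments are placed) so the CALL site is aligned. */
uintptr_t realign_rsp(uintptr_t rsp)
{
    return rsp & ~(uintptr_t)(STACK_ALIGN - 1);
}

int main(void)
{
    /* Constructed values: a kernel-mode-looking entry RSP that is == 8 mod 16,
       a callee frame of 0x58 bytes, and the spill offset 0x30 from the thread. */
    const uintptr_t entry    = (uintptr_t)0xFFFFF88003A0B578ULL;
    const uintptr_t frame    = 0x58;
    const uintptr_t spill    = 0x30;

    for (unsigned pushes = 1; pushes <= 2; pushes++) {
        uintptr_t at_call = rsp_after_pushes(entry, pushes);
        uintptr_t callee  = callee_entry_rsp(at_call);
        printf("%u push(es): RSP at CALL %#lx aligned=%d, movaps faults=%d\n",
               pushes, (unsigned long)at_call, call_site_aligned(at_call),
               movaps_spill_faults(callee, frame, spill));
    }

    /* Two pushes leave RSP == 8 mod 16; realigning before the CALL removes the fault. */
    uintptr_t fixed = realign_rsp(rsp_after_pushes(entry, 2));
    printf("after and rsp,-16: RSP at CALL %#lx aligned=%d, movaps faults=%d\n",
           (unsigned long)fixed, call_site_aligned(fixed),
           movaps_spill_faults(callee_entry_rsp(fixed), frame, spill));
    return 0;
}
```

The same arithmetic explains why the crash shows up in KiSwapContext rather than in the caller's own code: the misaligned RSP is carried silently through the call chain until the first compiled routine that uses an aligned SSE spill, which is exactly what the `movaps` at `nt!KiSwapContext+0xf` is.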