KERNEL_SECURITY_CHECK_FAILURE for stack overrun

Hi All,

I got this bugcheck and everything is 0, even the trap and exception records. How can I start analyzing this issue? Any help would be greatly appreciated.

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000000, A stack-based buffer has been overrun.
Arg2: 0000000000000000, Address of the trap frame for the exception that caused the bugcheck
Arg3: 0000000000000000, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

TRAP_FRAME: 0000000000000000 -- (.trap 0x0)

EXCEPTION_RECORD: 0000000000000000 -- (.exr 0x0)
STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 1b

FAILURE_BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

PRIMARY_PROBLEM_CLASS: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

Which OS? If you build your driver targeting Win10 and try to load on an older release you get something like this.

From the !vertarget command output in the dump file.

1: kd> vertarget
Windows 10 Kernel Version 18362 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff8067f000000 PsLoadedModuleList = 0xfffff8067f445e90
Debug session time: Mon Apr 19 23:16:20.276 2021 (UTC - 4:00)
System Uptime: 5 days 8:56:33.603

The driver is also built for the Win10 version.

OK, not that then.

Does !analyze -v give you any other information? Do you have a log of anything happening in your driver before the crash?

This is !analyze -v output:

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000000, A stack-based buffer has been overrun.
Arg2: 0000000000000000, Address of the trap frame for the exception that caused the bugcheck
Arg3: 0000000000000000, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:

SYSTEM_VERSION: Lenovo Z70-80

BIOS_VENDOR: LENOVO

BIOS_VERSION: ABCN95WW

BIOS_DATE: 07/31/2015

BASEBOARD_MANUFACTURER: LENOVO

BASEBOARD_PRODUCT: Lenovo Z70-80

BASEBOARD_VERSION: SDK0J40709 WIN

TRAP_FRAME: 0000000000000000 -- (.trap 0x0)

EXCEPTION_RECORD: 0000000000000000 -- (.exr 0x0)
Cannot read Exception record @ 0000000000000000

CPU_COUNT: 4

CPU_MHZ: 95a

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3d

CPU_STEPPING: 4

CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 2B'00000000 (cache) 2B'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x139

PROCESS_NAME: System

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: CLW-G4B6HR2

ANALYSIS_SESSION_TIME: 04-20-2021 21:47:40.0960

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

LAST_CONTROL_TRANSFER: from fffff8067f1cc4cb to fffff8067f1c3a90

STACK_TEXT:
ffffe109f602f748 fffff8067f1cc4cb : 0000000000000139 0000000000000000 0000000000000000 0000000000000000 : nt!KeBugCheckEx
ffffe109f602f750 fffff8067f042076 : ffffa7810bdf3318 00000438e762bd7b 00000438e762e494 00000438e762e494 : nt!guard_icall_bugcheck+0x1b
ffffe109f602f780 fffff8067f040a2e : 0000000000000003 0000000000000002 0000000000000000 0000000000000008 : nt!PpmIdleExecuteTransition+0x14a6
ffffe109f602fac0 fffff8067f1c7584 : ffffffff00000000 ffffe7816a300180 ffffa781039a7080 0000000000000261 : nt!PoIdle+0x36e
ffffe109f602fc20 0000000000000000 : ffffe109f6030000 ffffe109f6029000 0000000000000000 0000000000000000 : nt!KiIdleLoop+0x44

FOLLOWUP_IP:
nt!guard_icall_bugcheck+1b
fffff806`7f1cc4cb 90 nop

FAULT_INSTR_CODE: ccccc390

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!guard_icall_bugcheck+1b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 1b

FAILURE_BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

PRIMARY_PROBLEM_CLASS: 0x139_0_LEGACY_GS_VIOLATION_nt!guard_icall_bugcheck

TARGET_TIME: 2021-04-20T03:16:20.000Z

OSBUILD: 18362

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 784

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:

USER_LCID: 0

From this system I am getting different BSODs, but all point to some memory corruption. Whenever I enable my driver, the system bugchecks. Here is one more BSOD related to pool corruption.

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000001d, Type of memory safety violation
Arg2: ffffec07a8247520, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffec07a8247478, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:

KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202

SYSTEM_MANUFACTURER: LENOVO

SYSTEM_PRODUCT_NAME: 80FG

SYSTEM_SKU: LENOVO_MT_80FG_BU_idea_FM_Lenovo Z70-80

SYSTEM_VERSION: Lenovo Z70-80

BIOS_VENDOR: LENOVO

BIOS_VERSION: ABCN95WW

BIOS_DATE: 07/31/2015

BASEBOARD_MANUFACTURER: LENOVO

BASEBOARD_PRODUCT: Lenovo Z70-80

BASEBOARD_VERSION: SDK0J40709 WIN

DUMP_TYPE: 1

BUGCHECK_P1: 1d

BUGCHECK_P2: ffffec07a8247520

BUGCHECK_P3: ffffec07a8247478

BUGCHECK_P4: 0

TRAP_FRAME: ffffec07a8247520 -- (.trap 0xffffec07a8247520)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000001d
rdx=ffffa6046312de48 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80411e0c9a3 rsp=ffffec07a82476b8 rbp=0000000000000040
r8=0000000000000000 r9=0000000000000000 r10=ffffa604620ed7f8
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac po cy
nt!RtlRbRemoveNode+0x199a93:
fffff804`11e0c9a3 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffec07a8247478 -- (.exr 0xffffec07a8247478)
ExceptionAddress: fffff80411e0c9a3 (nt!RtlRbRemoveNode+0x0000000000199a93)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000001d
Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE

CPU_COUNT: 4

CPU_MHZ: 95a

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3d

CPU_STEPPING: 4

CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 2B'00000000 (cache) 2B'00000000 (init)

BUGCHECK_STR: 0x139

PROCESS_NAME: DrvIstService.exe

CURRENT_IRQL: 2

DEFAULT_BUCKET_ID: FAIL_FAST_INVALID_BALANCED_TREE

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 000000000000001d

ANALYSIS_SESSION_HOST: CLW-G4B6HR2

ANALYSIS_SESSION_TIME: 04-20-2021 22:36:27.0437

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

DPC_STACK_BASE: FFFFEC07A8247FB0

LAST_CONTROL_TRANSFER: from fffff80411dd5929 to fffff80411dc3a90

STACK_TEXT:
ffffec07a82471f8 fffff80411dd5929 : 0000000000000139 000000000000001d ffffec07a8247520 ffffec07a8247478 : nt!KeBugCheckEx
ffffec07a8247200 fffff80411dd5d50 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffec07a8247340 fffff80411dd40e3 : 0000000000005231 fffff80414f3f590 ffffa604569518e0 0000000000000000 : nt!KiFastFailDispatch+0xd0
ffffec07a8247520 fffff80411e0c9a3 : 00000026001a0000 0001001a00400001 fffff80411c72c90 0000000000000040 : nt!KiRaiseSecurityCheckFailure+0x323
ffffec07a82476b8 fffff80411c72c90 : 0000000000000040 ffffa6046312dfe0 0000000000000000 ffffa6046312de40 : nt!RtlRbRemoveNode+0x199a93
ffffec07a82476d0 fffff80411c7274a : ffffa60455802280 ffffa60455802280 ffffa60456d02c00 ffffec07a82477e0 : nt!RtlpHpVsChunkCoalesce+0xb0
ffffec07a8247740 fffff80411c749bd : ffffec070000003e fffff80400000000 ffffa6046b7dfb73 0000000000000000 : nt!RtlpHpVsContextFree+0x18a
ffffec07a82477e0 fffff80411f6e0a9 : ffffffffffffffff ffffca01000003b0 ffffa6046b7ea910 0100000000100000 : nt!ExFreeHeapPool+0x56d
ffffec07a8247900 fffff804126d3fce : 0000000000000000 ffffa604567e09d0 ffffec07a8247b00 0000000000000001 : nt!ExFreePool+0x9
ffffec07a8247930 fffff804126b844b : 0000000000000000 ffffec07a8247b00 0000000000000001 ffffa604567e09d0 : hal!HalPutScatterGatherListV3+0x12c76
ffffec07a8247980 fffff80414f29e5f : 0000000000000000 0000000000989680 ffffec07a8247b00 ffffa6045686c1f0 : hal!HalPutScatterGatherList+0x5b
ffffec07a8247a00 fffff80414f3ec0b : ffffa6045b9f9348 0000000000000000 0000000000000000 ffffca01ee7fa020 : storport!RaidUnitCompleteRequest+0x8df
ffffec07a8247ba0 fffff80411cc5b2a : ffffa6045688d100 ffffa604560da000 ffffca01edba5f90 ffffca0100000002 : storport!RaidpAdapterRedirectDpcRoutine+0x8b
ffffec07a8247c40 fffff80411cc517f : 0000000000000018 0000000000989680 ffffec07a8247e80 fffff8040e3b9800 : nt!KiExecuteAllDpcs+0x30a
ffffec07a8247d80 fffff80411dcaa95 : 0000000000000000 ffffca01edba0180 0000000000000000 0000000008b28e25 : nt!KiRetireDpcList+0x1ef
ffffec07a8247fb0 fffff80411dca880 : 000001cb80b72006 0000000000002007 000001cb80b70000 000001cb80b71f47 : nt!KxRetireDpcList+0x5
ffffec07aaacfa90 fffff80411dc9f4e : 0000000000000000 ffffec0700000001 0000000000000048 ffffec07aaacfb40 : nt!KiDispatchInterruptContinue
ffffec07aaacfac0 00000000554ed431 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDpcInterrupt+0x2ee
00000028363fe580 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x554ed431

THREAD_SHA1_HASH_MOD_FUNC: 10b899fcccfea3bbeb9235411a26acda53c52f28

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 12ad10d19feb0057bedf82792633eff299a06e1f

THREAD_SHA1_HASH_MOD: f74a78403b304dde9bcdd08279d10fd74687aa3c

FOLLOWUP_IP:
nt!ExFreePool+9
fffff804`11f6e0a9 4883c428 add rsp,28h

FAULT_INSTR_CODE: 28c48348

SYMBOL_STACK_INDEX: 8

SYMBOL_NAME: nt!ExFreePool+9

FOLLOWUP_NAME: Pool_corruption

IMAGE_NAME: Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: Pool_Corruption

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 9

FAILURE_BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!ExFreePool

BUCKET_ID: 0x139_1d_INVALID_BALANCED_TREE_nt!ExFreePool

PRIMARY_PROBLEM_CLASS: 0x139_1d_INVALID_BALANCED_TREE_nt!ExFreePool

TARGET_TIME: 2021-03-30T15:32:59.000Z

Have you enabled Driver Verifier on your driver? That's the place to start when you have pool corruption.
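As an added example (not part of the thread), this is the Driver Verifier setup the reply above suggests, run from an elevated PowerShell prompt; MyDriver.sys is a placeholder for the driver under test.

```powershell
# Added example, not from the thread: enable Driver Verifier on the suspect
# driver so the next pool overrun is caught at the offending write instead
# of later inside ExFreePool. Run from an elevated prompt; MyDriver.sys is a
# placeholder for the driver being developed.
$driver = 'MyDriver.sys'

# /standard turns on special pool, pool tracking, force IRQL checking, DMA
# checking, I/O verification and the miscellaneous checks. Special pool puts
# a guard page right after each allocation, so writing past the end faults
# immediately in the driver's own code rather than corrupting heap metadata.
verifier.exe /standard /driver $driver

# Windows 8.1 and later: clear Verifier automatically if the machine fails
# to boot, so a crash in DriverEntry cannot lock you out of the system.
verifier.exe /bootmode resetonbootfail

# Nothing changes until reboot; confirm what is queued for the next boot.
verifier.exe /querysettings

# After the reboot and the next crash, in WinDbg:
#   !analyze -v     - the bucket should now name the driver, not nt!ExFreePool
#   !verifier       - confirms the driver was actually under verification
#   !pool <address> - inspects the pool block around an address from the dump
#
# When finished, remove all Verifier settings (again effective after reboot):
#   verifier.exe /reset
```

If the machine never reaches the desktop with Verifier on, boot into safe mode and run the `/reset` line there.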