another puzzle with faulting ip address

Hi,

I have got several minidumps from two different users (XP SP3).

Both crash on the RtlPrefixUnicodeString API; the source/destination buffers are
in memory and valid:

kd> db f4d95da6 L10

f4d95da6 44 00 65 00 76 00 69 00-63 00 65 00 5c 00 4d 00 D.e.v.i.c.e..M.

kd> db e2bdc4ca L10

e2bdc4ca 44 00 65 00 76 00 69 00-63 00 65 00 5c 00 48 00 D.e.v.i.c.e..H.

RtlPrefixUnicodeString has already read the first WORDs from these buffers (into
DX and SI) and the crash occurred on the CMP DX,SI instruction. Memory should be
valid (both WORDs were read). The instructions around the faulting IP seem ok too.

What do you think guys?

Thanks, Petr


KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)

Arguments:

Arg1: c0000005, The exception code that was not handled

Arg2: 805db95e, The address that the exception occurred at

Arg3: f758f64c, Trap Frame

Arg4: 00000000

FAULTING_IP:

nt!RtlPrefixUnicodeString+4b

805db95e 663bd6 cmp dx,si

TRAP_FRAME: f758f64c -- (.trap 0xfffffffff758f64c)

ErrCode = 00000000

eax=c1062004 ebx=e2bdc4cc ecx=e2bdc48c edx=00000044 esi=805d0044 edi=f4d95da8

eip=805db95e esp=f758f6c0 ebp=f758f6cc iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286

nt!RtlPrefixUnicodeString+0x4b:

805db95e 663bd6 cmp dx,si

kd> u eip-0n10 L0n12

nt!RtlPrefixUnicodeString+0x41:

805db954 668b17 mov dx,word ptr [edi]

805db957 668b33 mov si,word ptr [ebx]

805db95a 47 inc edi

805db95b 47 inc edi

805db95c 43 inc ebx

805db95d 43 inc ebx

805db95e 663bd6 cmp dx,si <<<<<<

805db961 897d10 mov dword ptr [ebp+10h],edi

805db964 895d0c mov dword ptr [ebp+0Ch],ebx

805db967 750e jne nt!RtlPrefixUnicodeString+0x5a (805db977)

805db969 ff4d08 dec dword ptr [ebp+8]

805db96c 75e6 jne nt!RtlPrefixUnicodeString+0x41 (805db954)

callstack:

f758f6cc f4d35e90 nt!RtlPrefixUnicodeString+0x4b

f758f6fc f4d2669c aswSnx!IsFileNameInTarget+0x1c8 [d:\avast800\drivers\aswsnx\files.cpp @ 305]

f758f738 f7905c3f aswSnx!SnxGenerateFileName+0x64 [d:\avast800\drivers\aswsnx\snx.cpp @ 1190]

f758f768 f790818e fltMgr!FltpCallOpenedFileNameHandler+0x45

f758f784 f790876b fltMgr!FltpGetNormalizedFileNameWorker+0xc4

f758f79c f79062a2 fltMgr!FltpGetNormalizedFileName+0x19

f758f7b4 f7906365 fltMgr!FltpCreateFileNameInformation+0x84

f758f7c4 f78f6e0a fltMgr!CreateTemporaryFileNameInformation+0xf

f758f7f0 f78f7366 fltMgr!FltpGetFileNameInformation+0xaa

f758f818 f06c5c73 fltMgr!FltGetFileNameInformation+0x114

kd> lmvm nt

start end module name

804d7000 806ef180 nt (pdb symbols)
c:\windows\symbols\ntoskrnl.pdb\754D4664AD754F69AB434EB0E8B41C7C2\ntoskrnl.pdb

Loaded symbol image file: ntoskrnl.exe

Mapped memory image file:
c:\windows\symbols\ntoskrnl.exe\5137ED2C218180\ntoskrnl.exe

Image path: ntoskrnl.exe

Image name: ntoskrnl.exe

Timestamp: Thu Mar 07 02:28:12 2013 (5137ED2C)

CheckSum: 00222397

ImageSize: 00218180

File version: 5.1.2600.6368

Product version: 5.1.2600.6368

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 1.0 App

File date: 00000000.00000000

Translations: 0c0a.04b0

CompanyName: Microsoft Corporation

ProductName: Sistema operativo Microsoft® Windows®

InternalName: ntoskrnl.exe

OriginalFilename: ntoskrnl.exe

ProductVersion: 5.1.2600.6368

FileVersion: 5.1.2600.6368 (xpsp_sp3_gdr.130307-0422)

FileDescription: Sistema y núcleo de Windows NT

LegalCopyright: Copyright (C) Microsoft Corporation. Reservados todos
los derechos.

Petr Kurtin wrote:

I have got several minidumps from two different users (XP SP3).

Both crash on the RtlPrefixUnicodeString API; the source/destination
buffers are in memory and valid:

kd> db f4d95da6 L10

f4d95da6 44 00 65 00 76 00 69 00-63 00 65 00 5c 00 4d 00
D.e.v.i.c.e..M.

kd> db e2bdc4ca L10

e2bdc4ca 44 00 65 00 76 00 69 00-63 00 65 00 5c 00 48 00
D.e.v.i.c.e..H.

RtlPrefixUnicodeString has already read the first WORDs from these buffers
(into DX and SI) and the crash occurred on the CMP DX,SI instruction. Memory
should be valid (both WORDs were read). The instructions around the faulting
IP seem ok too.

One possible answer is that you were running at a raised IRQL and the
system chose that exact moment to swap your code out. Is it possible
you hold a spinlock when you call this?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

There are a huge number of things that could go wrong, so it would be
impossible to guess the cause without seeing the source code and the
!analyze -v output. I have some ideas, but I don’t want to waste a lot of
space discussing them when only one might matter.

Note that “valid” has a very specific meaning here; not only must the
addresses exist, but they must be writeable, and your vague handwave
description doesn’t address (pardon the pun) that issue.

joe



WINDBG is sponsored by OSR

OSR is hiring!! Info at http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

What does !pte @eip say? "cmp dx,si" doesn’t perform a pointer
dereference, so it’s an odd instruction to fault on unless the EIP is bad.

-scott
OSR

“Petr Kurtin” wrote in message news:xxxxx@windbg…

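Putting Scott's question (can a register-only compare fault at all?) and Tim's raised-IRQL hypothesis together, here is a small triage script. It is an added example written for this page, not something anyone in the thread posted; its only inputs are the trap frame, the `u` listing and the two `db` dumps quoted above, embedded as constructed sample text. It checks that the faulting instruction has no memory operand, decodes the ErrCode field of the trap frame as the processor's x86 #PF error code, and confirms from the registers that the two WORD loads and the four incs before the compare had already completed, which leaves a non-resident code page at EIP as the thing to look at with !pte @eip and !irql. The bit layout of the #PF error code is from the x86 architecture, not from the thread.

```python
"""Triage helper (added example, not from the thread): can this access violation
be a data-access fault at all, given the trap frame and the `u` listing?"""
import re
from dataclasses import dataclass

# Constructed sample input: the windbg output quoted earlier in the thread.
TRAP_FRAME = """\
ErrCode = 00000000
eax=c1062004 ebx=e2bdc4cc ecx=e2bdc48c edx=00000044 esi=805d0044 edi=f4d95da8
eip=805db95e esp=f758f6c0 ebp=f758f6cc iopl=0 nv up ei ng nz na pe nc
"""
DISASM = """\
805db954 668b17 mov dx,word ptr [edi]
805db957 668b33 mov si,word ptr [ebx]
805db95a 47 inc edi
805db95b 47 inc edi
805db95c 43 inc ebx
805db95d 43 inc ebx
805db95e 663bd6 cmp dx,si <<<<<<
805db961 897d10 mov dword ptr [ebp+10h],edi
"""
SRC_DUMP = "f4d95da6 44 00 65 00 76 00 69 00-63 00 65 00 5c 00 4d 00 D.e.v.i.c.e..M."
DST_DUMP = "e2bdc4ca 44 00 65 00 76 00 69 00-63 00 65 00 5c 00 48 00 D.e.v.i.c.e..H."


@dataclass
class Insn:
    address: int
    mnemonic: str
    operands: str

    def has_memory_operand(self) -> bool:
        # windbg prints explicit memory operands in brackets ("word ptr [edi]");
        # a register-only form such as "cmp dx,si" cannot touch data memory.
        return "[" in self.operands


_INSN_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\S+)\s*(.*)$")


def parse_disasm(text: str) -> dict:
    """Map address -> Insn for each line of a windbg `u` listing."""
    insns = {}
    for line in text.splitlines():
        m = _INSN_RE.match(line.strip())
        if m:
            addr = int(m.group(1), 16)
            ops = m.group(3).rstrip(" <")  # drop the "<<<<<<" marker
            insns[addr] = Insn(addr, m.group(2), ops)
    return insns


def parse_registers(text: str) -> dict:
    """Pick up the 32-bit registers and the trap frame's ErrCode."""
    regs = {n: int(v, 16) for n, v in re.findall(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", text)}
    m = re.search(r"ErrCode\s*=\s*([0-9a-f]+)", text)
    regs["errcode"] = int(m.group(1), 16) if m else None
    return regs


def parse_db(line: str):
    """Return (address, first WORD) from a `db` line; bytes are little endian."""
    parts = line.split()
    return int(parts[0], 16), (int(parts[2], 16) << 8) | int(parts[1], 16)


def decode_pf_error_code(code: int) -> dict:
    """x86 #PF error-code bits. Bit 4 (I/D) is only reported when NX is enabled."""
    return {"protection_violation": bool(code & 1), "write": bool(code & 2),
            "user_mode": bool(code & 4), "reserved_bit": bool(code & 8),
            "instruction_fetch": bool(code & 16)}


def loop_state_consistent(regs: dict, src_line: str, dst_line: str) -> bool:
    """True if the registers show the two loads and four incs at +0x41..+0x4a ran:
    both pointers advanced by one WCHAR and DX/SI hold the first WORD of each buffer."""
    src, src_word = parse_db(src_line)
    dst, dst_word = parse_db(dst_line)
    return (regs["edi"] == src + 2 and regs["ebx"] == dst + 2 and
            (regs["edx"] & 0xFFFF) == src_word and (regs["esi"] & 0xFFFF) == dst_word)


def classify_fault(trap_frame: str, disasm: str) -> dict:
    regs = parse_registers(trap_frame)
    insn = parse_disasm(disasm).get(regs["eip"])
    pf = decode_pf_error_code(regs["errcode"])
    if insn is None:
        verdict = "EIP not in listing: EIP itself is suspect"
    elif insn.has_memory_operand():
        verdict = "data-access fault: check the operand address"
    elif not pf["protection_violation"]:
        verdict = ("instruction-fetch fault: code page at EIP not resident "
                   "(pageable code reached at raised IRQL, or EIP is bad)")
    else:
        verdict = "protection fault on fetch: check the page attributes at EIP"
    return {"eip": regs["eip"],
            "insn": (insn.mnemonic + " " + insn.operands) if insn else None,
            "error_code": pf, "verdict": verdict, "next": ["!pte @eip", "!irql"]}


if __name__ == "__main__":
    import pprint
    pprint.pprint(classify_fault(TRAP_FRAME, DISASM))
    print("loop state consistent:",
          loop_state_consistent(parse_registers(TRAP_FRAME), SRC_DUMP, DST_DUMP))
```

Run on the pasted dump it reports that `cmp dx,si` at 805db95e has no memory operand, that ErrCode 0 means a not-present page on a kernel-mode read, and that EDI/EBX sit exactly one WCHAR past the dumped buffers with DX and SI both holding 0x0044 ('D'), so the fault cannot be the string data; the page holding the code is what to check.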