Does this dump point to stack overflow corruption??

Thanks for your input.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck parens is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: fa1a8d70
Arg3: 00000000
Arg4: 00000000

Debugging Details:

BUGCHECK_STR: 0x7f_8

TSS: 00000028 -- (.tss 28)
eax=0000003c ebx=00000000 ecx=e20041f0 edx=00000000 esi=e1024248 edi=f116e110
eip=8052d4b9 esp=f116dffc ebp=f116e048 iopl=0         nv up ei ng nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010296
nt!_SEH_prolog+21:
8052d4b9 53 push ebx
Resetting default context

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 8061118d to 8052d4b9

STACK_TEXT:
f116e048 8061118d f116e0e0 e2015cd0 f116e0e4 nt!_SEH_prolog+0x21
f116e060 80611e2b e1292b84 f116e0e0 e2015cd0 nt!CmpQuerySecurityDescriptorInfo+0x21
f116e0ac 805a33aa e20041f0 00000001 f116e0e0 nt!CmpSecurityMethod+0xcf
f116e0e8 805a374b e20041f0 f116e110 e20041ec nt!ObGetObjectSecurity+0x94
f116e114 8060a395 e20041f0 ffb54e90 00000001 nt!ObCheckObjectAccess+0x27
f116e160 8060abfa e1013768 0026ea30 00000000 nt!CmpDoOpen+0x245
f116e354 805a2e75 0026ea30 00000000 ffb54e90 nt!CmpParseKey+0x552
f116e3cc 8059fa7c 00000000 f116e40c 00000040 nt!ObpLookupObjectName+0x539
f116e420 806018cf 00000000 80f40040 ffad6c00 nt!ObOpenObjectByName+0xe8
f116e4f0 80532584 f116e7b8 000f003f f116e798 nt!NtOpenKey+0x191
f116e4f0 804fc979 f116e7b8 000f003f f116e798 nt!KiSystemService+0xc9
f116e574 f197efc1 f116e7b8 000f003f f116e798 nt!ZwOpenKey+0x11

Use !thread and look at the stack limits. The BIG hint here is that the
faulting instruction is a push. Note that the debugger tells you to do
certain things (you need to use the TSS in order to get the CPU state prior
to the task switch) and you should also do those in order to extract
additional information.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
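The check Tony describes, as an added example that is not part of the thread: parse the register line and STACK_TEXT from the dump above, measure how many bytes each frame on the visible stack consumes, and test whether the faulting push would write below the thread's StackLimit. The StackLimit value is an assumption; replace it with what !thread reports.

```python
import re

# Constructed excerpt of the !analyze -v output quoted in the thread (register line + STACK_TEXT).
DUMP = """\
eip=8052d4b9 esp=f116dffc ebp=f116e048 iopl=0 nv up ei ng nz ac po nc
STACK_TEXT:
f116e048 8061118d f116e0e0 e2015cd0 f116e0e4 nt!_SEH_prolog+0x21
f116e060 80611e2b e1292b84 f116e0e0 e2015cd0 nt!CmpQuerySecurityDescriptorInfo+0x21
f116e0ac 805a33aa e20041f0 00000001 f116e0e0 nt!CmpSecurityMethod+0xcf
f116e0e8 805a374b e20041f0 f116e110 e20041ec nt!ObGetObjectSecurity+0x94
f116e114 8060a395 e20041f0 ffb54e90 00000001 nt!ObCheckObjectAccess+0x27
f116e160 8060abfa e1013768 0026ea30 00000000 nt!CmpDoOpen+0x245
f116e354 805a2e75 0026ea30 00000000 ffb54e90 nt!CmpParseKey+0x552
f116e3cc 8059fa7c 00000000 f116e40c 00000040 nt!ObpLookupObjectName+0x539
f116e420 806018cf 00000000 80f40040 ffad6c00 nt!ObOpenObjectByName+0xe8
f116e4f0 80532584 f116e7b8 000f003f f116e798 nt!NtOpenKey+0x191
f116e4f0 804fc979 f116e7b8 000f003f f116e798 nt!KiSystemService+0xc9
f116e574 f197efc1 f116e7b8 000f003f f116e798 nt!ZwOpenKey+0x11
"""
ASSUMED_STACK_LIMIT = 0xF116E000  # hypothetical; use the StackLimit that !thread reports
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$", re.M)

def parse_dump(text):
    """Return (esp, frames); frames is [(child_ebp, ret_addr, symbol), ...], innermost first."""
    esp = int(re.search(r"\besp=([0-9a-f]{8})", text).group(1), 16)
    frames = [(int(ebp, 16), int(ret, 16), sym) for ebp, ret, sym in FRAME_RE.findall(text)]
    return esp, frames

def frame_sizes(esp, frames):
    """Bytes each function owns: the gap between its ChildEBP and its callee's ChildEBP.
    The innermost frame is measured from its ChildEBP down to the faulting esp."""
    sizes = [(frames[0][2], frames[0][0] - esp)]
    for (callee_ebp, _, _), (caller_ebp, _, caller) in zip(frames, frames[1:]):
        sizes.append((caller, caller_ebp - callee_ebp))
    return sizes

def stack_used(esp, frames):
    """Bytes consumed between the outermost visible frame and the faulting esp."""
    return frames[-1][0] - esp

def push_overflows(esp, stack_limit, size=4):
    """A push writes at esp-size; it overflows the kernel stack if that is below StackLimit."""
    return esp - size < stack_limit

if __name__ == "__main__":
    esp, frames = parse_dump(DUMP)
    for sym, n in frame_sizes(esp, frames):
        print(f"{n:5d} bytes  {sym}")
    print(hex(esp - 4), "below StackLimit:", push_overflows(esp, ASSUMED_STACK_LIMIT))
```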

-----Original Message-----
From: Fred Walters [mailto:xxxxx@charter.net]
Sent: Thursday, June 19, 2003 9:02 PM
To: File Systems Developers
Subject: [ntfsd] Does this dump point to stack overflow corruption??

