Hi, I am using a network driver where we are reinjecting packets using the FwpsStreamInjectAsync API. It works fine normally, but at one point it crashes randomly.
Below is the output of !analyze -v:
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff8074f3ed66f, Address of the instruction which caused the BugCheck
Arg3: fffff686432cdf80, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.
Debugging Details:
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff8074f3ed66f
BUGCHECK_P3: fffff686432cdf80
BUGCHECK_P4: 0
FILE_IN_CAB: MEMORY.DMP
FAULTING_THREAD: ffffe50958df2080
CONTEXT: fffff686432cdf80 -- (.cxr 0xfffff686432cdf80)
rax=0000000000001001 rbx=fffff686432ceaf8 rcx=ffffe50967dee000
rdx=0000000000001001 rsi=fffff686432ceac0 rdi=ffffe50967dee0e0
rip=fffff8074f3ed66f rsp=fffff686432ce980 rbp=fffff686432ce9f9
r8=000000000008c0b2 r9=0000000000000000 r10=0000000000000106
r11=0000000000003000 r12=0000000000000004 r13=fffff686432cede0
r14=0000000000000001 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
NETIO!StreamInvokeCalloutAndNormalizeAction+0x213:
fffff8074f3ed66f 4183795003 cmp dword ptr [r9+50h],3 ds:002b:0000000000000050=????????
Resetting default scope
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
PROCESS_NAME: process.exe
STACK_TEXT:
fffff686432ce980 fffff8074f3ed1c4 : fffff686432cede0 ffffe50967dee010 0000000000000000 ffffe50967dee0e0 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x213
fffff686432cea50 fffff8074f3ec7cf : 0000000000000014 fffff807616e1af4 ffffe50900000002 ffffe50958ec6ae0 : NETIO!StreamProcessCallout+0x3fc
fffff686432ceb80 fffff8074f3e962b : 0000000000000014 ffffe50958ec6ae0 ffffe5095f6f31c0 fffff686432cf2b0 : NETIO!ProcessCallout+0x76f
fffff686432ced00 fffff8074f3e81ca : ffffe5095c9a9ea0 ffffe50944ce6960 0000000000000000 fffff8074a42ee99 : NETIO!ArbitrateAndEnforce+0x71b
fffff686432cee60 fffff8074f43ab9a : 00000000ffffffff fffff8074f7b1143 ffffe5095c46beb0 ffffe5095ecd9800 : NETIO!KfdClassify+0x37a
fffff686432cf260 fffff8074f43a5bf : 0000000000000000 fffff686432cf401 00000000000004d6 0000000000000000 : NETIO!StreamInternalClassify+0x106
fffff686432cf380 fffff8074f43747b : 0000000000000014 ffffe5095f6f3010 0000000000000000 ffffe5095ecd9820 : NETIO!StreamInject+0x253
fffff686432cf450 fffff8074f7ca1fd : ffffe5095f6f3010 000000000000012c 0000000000000000 0000000000010000 : NETIO!FwppStreamInject+0x13b
fffff686432cf4e0 fffff8074f94a77e : ffffe509568ec700 fffff686432cf5a9 0000000000000001 fffff686432cf598 : fwpkclnt!FwpsStreamInjectAsync0+0xfd
fffff686432cf540 fffff8074f948d59 : 0000000000000000 ffffe509568ec700 000000000000002c 0000000000000000 : myDriver!funct1+0x652 [myFile.c @ 2191]
fffff686432cf610 fffff8074f953568 : ffff9d807226b5c0 0000000000000000 ffffe5095a261af0 0000000084002123 : myDriver!func2+0x1f5 [myFile.c @ 798]
fffff686432cf650 fffff8074a42d3f5 : b0834c7100000000 ffffe509614fb550 fffff68684002123 0000000000000000 : myDriver!func3+0x250 [myFile.c @ 2143]
fffff686432cf6f0 fffff8074a81bddc : 0000000000000002 0000000000000000 ffffe5094aebe150 000000000000002c : nt!IofCallDriver+0x55
fffff686432cf730 fffff8074a81ba2a : 0000000000000000 fffff686432cfa80 0000000000040800 0000000084002123 : nt!IopSynchronousServiceTail+0x34c
fffff686432cf7d0 fffff8074a81ad06 : 0000000000000000 0000000000000580 0000000000000000 0000000003380410 : nt!IopXxxControlFile+0xd0a
fffff686432cf920 fffff8074a611d05 : 00000000000003c4 0000000000000007 000000000ebf2038 00000000cec0fa8e : nt!NtDeviceIoControlFile+0x56
fffff686432cf990 00007ff9ba5ad644 : 00007ff9b7bf2931 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
000000000ebf4428 00007ff9b7bf2931 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!NtDeviceIoControlFile+0x14
000000000ebf4430 00007ff9ba395951 : 0000000084002123 0000000000000000 0000000000000000 00007ff9b7bf2931 : KERNELBASE!DeviceIoControl+0x121
000000000ebf44a0 00007ff9aa5d40de : 000000000000002c 0000000000000000 0000000000000000 0000000003380410 : KERNEL32!DeviceIoControlImplementation+0x81
000000000ebf44f0 000000000000002c : 0000000000000000 0000000000000000 0000000003380410 0000000000000000 : driver!CApi::DeviceIoControl+0x5e
000000000ebf44f8 0000000000000000 : 0000000000000000 0000000003380410 0000000000000000 0000000000000000 : 0x2c
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
MEMORY_CORRUPTOR: LARGE
STACK_COMMAND: .cxr 0xfffff686432cdf80 ; kb
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {e29154ac-69a4-0eb8-172a-a860f73c0a3c}
Followup: memory_corruption
I can see in the context that, while executing the instruction below, the r9 register is not valid.
NETIO!StreamInvokeCalloutAndNormalizeAction+0x213:
fffff8074f3ed66f 4183795003 cmp dword ptr [r9+50h],3 ds:002b:0000000000000050=????????
What could be the reason for the crash? Is it possible that somehow the NBL is getting corrupted, and how can I check that? Thanks in advance.
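As an added example that is not part of the original post, the script below does the first triage step of a bugcheck like this one mechanically: it parses the register context, the faulting instruction and the stack text from the !analyze -v output above, computes the effective address of the memory operand (base register plus displacement), checks that it equals the address WinDbg reported, and locates the innermost frame that belongs to the poster's own module, which is the call site to look at first. The register dump, fault line and stack frames are copied from the post (the stack frames rejoined into one-line kb format); the module name myDriver comes from the post, and the 0x10000 threshold used to call an access a NULL-page dereference is my own assumption.

```python
"""Triage helper for the SYSTEM_SERVICE_EXCEPTION dump in the post above.
Added example, not code from the original post."""
import re

# Register context, copied from the post's .cxr output.
CONTEXT = """
rax=0000000000001001 rbx=fffff686432ceaf8 rcx=ffffe50967dee000
rdx=0000000000001001 rsi=fffff686432ceac0 rdi=ffffe50967dee0e0
rip=fffff8074f3ed66f rsp=fffff686432ce980 rbp=fffff686432ce9f9
 r8=000000000008c0b2  r9=0000000000000000 r10=0000000000000106
r11=0000000000003000 r12=0000000000000004 r13=fffff686432cede0
r14=0000000000000001 r15=0000000000000000
"""
# Faulting instruction line, copied from the post.
FAULT_LINE = ("fffff8074f3ed66f 4183795003 cmp dword ptr [r9+50h],3 "
              "ds:002b:0000000000000050=????????")
# Abbreviated stack text from the post in kb format
# (child SP, return address, four argument slots, call site), innermost frame first.
STACK_TEXT = """
fffff686432ce980 fffff8074f3ed1c4 : fffff686432cede0 ffffe50967dee010 0000000000000000 ffffe50967dee0e0 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x213
fffff686432cea50 fffff8074f3ec7cf : 0000000000000014 fffff807616e1af4 ffffe50900000002 ffffe50958ec6ae0 : NETIO!StreamProcessCallout+0x3fc
fffff686432cf450 fffff8074f7ca1fd : ffffe5095f6f3010 000000000000012c 0000000000000000 0000000000010000 : NETIO!FwppStreamInject+0x13b
fffff686432cf4e0 fffff8074f94a77e : ffffe509568ec700 fffff686432cf5a9 0000000000000001 fffff686432cf598 : fwpkclnt!FwpsStreamInjectAsync0+0xfd
fffff686432cf540 fffff8074f948d59 : 0000000000000000 ffffe509568ec700 000000000000002c 0000000000000000 : myDriver!funct1+0x652 [myFile.c @ 2191]
fffff686432cf610 fffff8074f953568 : ffff9d807226b5c0 0000000000000000 ffffe5095a261af0 0000000084002123 : myDriver!func2+0x1f5 [myFile.c @ 798]
"""

# Every x64 general-purpose register name WinDbg prints starts with 'r'.
REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")
# Memory operand such as [r9+50h]; the displacement is optional and WinDbg suffixes it with 'h'.
MEM_RE = re.compile(r"\[(r[a-z0-9]{1,2})(?:([+-])([0-9a-f]+)h?)?\]")
# "ds:002b:<address>" is the linear address WinDbg resolved for the operand.
ADDR_RE = re.compile(r"[a-z]{2}:[0-9a-f]{4}:([0-9a-f]{16})")
FRAME_RE = re.compile(r"^([0-9a-f]{16}) ([0-9a-f]{16}) : (?:[0-9a-f]{16} ){4}: (.+)$")


def parse_registers(context: str) -> dict:
    """Map register name to its integer value from a .cxr register dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(context)}


def effective_address(regs: dict, instruction: str) -> tuple:
    """Return (base register, base value, effective address) of the first memory operand."""
    m = MEM_RE.search(instruction)
    if m is None:
        raise ValueError("no memory operand in instruction")
    base, sign, disp = m.group(1), m.group(2), m.group(3)
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    value = regs[base]
    return base, value, (value + offset) & 0xFFFFFFFFFFFFFFFF


def reported_address(instruction: str) -> int:
    """Linear address WinDbg printed after the segment selector."""
    return int(ADDR_RE.search(instruction).group(1), 16)


def first_frame_in_module(stack_text: str, module: str) -> str:
    """Call site of the innermost frame in `module`, or '' if the module is not on the stack."""
    for line in stack_text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if m and m.group(3).startswith(module + "!"):
            return m.group(3)
    return ""


def triage(context: str, fault_line: str, stack_text: str, module: str) -> dict:
    """Explain the access violation from the dump's own data."""
    regs = parse_registers(context)
    base, value, ea = effective_address(regs, fault_line)
    return {
        "base_register": base,
        "base_value": value,
        "effective_address": ea,
        # If the computed address equals the reported one, the fault is fully explained
        # by the register state, not by an unrelated later corruption.
        "matches_reported": ea == reported_address(fault_line),
        # Assumption: a zero base reaching a small offset is a NULL pointer field access
        # (a missing object), not a wild pointer into random memory.
        "null_deref": value == 0 and ea < 0x10000,
        "caller_in_module": first_frame_in_module(stack_text, module),
    }


if __name__ == "__main__":
    for key, val in triage(CONTEXT, FAULT_LINE, STACK_TEXT, "myDriver").items():
        print(f"{key:18} {val:#x}" if type(val) is int else f"{key:18} {val}")
```

For this dump the helper reports that r9 is zero, that [r9+50h] resolves to 0x50, exactly the address WinDbg printed, and that the first frame in myDriver is myDriver!funct1+0x652 [myFile.c @ 2191], the FwpsStreamInjectAsync call. That narrows the investigation to the arguments that call passed (the NBL, flow id, layer and callout ids) rather than to a random memory corruptor, which is what the MEMORY_CORRUPTION_LARGE bucket would otherwise suggest.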