I'm experiencing a Windows crash, but the kernel stack doesn't indicate any driver code. analyze -v suggests that the kernel state may be corrupt somehow, but I can't figure out anything more from the crash dump file. We recently incorporated some Windows updates and before that, we added a kernel driver that reads core temperatures, just for full disclosure. This driver is using KeSetSystemAffinityThreadEx to switch to each of the CPU cores and execute an instruction that reads the core temperature, but after the sampling is done, it reverts to the original core. I'm mentioning this in case this could be a factor, although MS documentation does not suggest this could create headaches.
Does the crash report below ring a bell? I'm trying to figure out if the problem is related to this driver, or to the Windows kernel itself:
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000001e, Type of memory safety violation
Arg2: ffff93061436a660, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffff93061436a5b8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
Failed to find runtime module (coreclr.dll or clr.dll or libcoreclr.so), 0x80004005
Extension commands need it in order to have something to do.
For more information see https://go.microsoft.com/fwlink/?linkid=2135652
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on L54928
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 54
Key : Analysis.Memory.CommitPeak.Mb
Value: 163
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: 139
BUGCHECK_P1: 1e
BUGCHECK_P2: ffff93061436a660
BUGCHECK_P3: ffff93061436a5b8
BUGCHECK_P4: 0
TRAP_FRAME: ffff93061436a660 -- (.trap 0xffff93061436a660)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9785fb103640 rbx=0000000000000000 rcx=000000000000001e
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8077b2bce88 rsp=ffff93061436a7f0 rbp=ffff93061436a870
r8=0000000000000001 r9=0000000000000000 r10=fffff8077b7762c0
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
nt!KiDeferredReadyThread+0xe38:
fffff807`7b2bce88 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffff93061436a5b8 -- (.exr 0xffff93061436a5b8)
ExceptionAddress: fffff8077b2bce88 (nt!KiDeferredReadyThread+0x0000000000000e38)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000001e
Subcode: 0x1e FAST_FAIL_INVALID_NEXT_THREAD
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXPNP: 1 (!blackboxpnp)
PROCESS_NAME: Bootstrap.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 000000000000001e
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffff9306`1436a338 fffff807`7b3e7f69 : 00000000`00000139 00000000`0000001e ffff9306`1436a660 ffff9306`1436a5b8 : nt!KeBugCheckEx
ffff9306`1436a340 fffff807`7b3e8490 : 00000000`00000000 fffff807`7a317700 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffff9306`1436a480 fffff807`7b3e645d : ffff9785`00009000 00000000`0000000f fffff807`7b7762c0 fffff807`7b7762c0 : nt!KiFastFailDispatch+0xd0
ffff9306`1436a660 fffff807`7b2bce88 : 00000000`00000001 ffff9785`fb1037b0 ffff9785`fb103640 ffff9785`f5f35980 : nt!KiRaiseSecurityCheckFailure+0x31d
ffff9306`1436a7f0 fffff807`7b2bbdb7 : ffffc000`def46180 fffff807`7b2bdd09 00000185`4acc43a0 fffff807`00000000 : nt!KiDeferredReadyThread+0xe38
ffff9306`1436a8b0 fffff807`7b2bb877 : ffff9785`f6f5e960 00000000`00000000 ffff9785`f6f5e960 00000000`00000000 : nt!KiExitDispatcher+0x187
ffff9306`1436a920 fffff807`7b81ba62 : ffff9306`00000001 ffff9306`1436aa80 ffff9306`1436aa00 fffff807`7bc8baf6 : nt!KeSetEvent+0xb7
ffff9306`1436a9b0 fffff807`7b3e76c5 : ffff9785`fb219080 00000185`46531e00 ffff9785`00000000 ffff9785`f6f5e960 : nt!NtSetEvent+0x92
ffff9306`1436aa00 00007ffd`87770194 : 00007ffd`8418c90d 0000004b`f617f238 00000000`00000001 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
0000004b`fc9dec88 00007ffd`8418c90d : 0000004b`f617f238 00000000`00000001 00000000`00000000 00000185`46531e00 : ntdll!NtSetEvent+0x14
0000004b`fc9dec90 00007ffd`6fc168e5 : 00007ffd`7007cea0 00007ffd`6fc16810 0000004b`fc9ded18 00007ffd`6fc16810 : KERNELBASE!SetEvent+0xd
0000004b`fc9decc0 00007ffd`1119ec89 : 00000000`00000001 00000000`00000000 00000185`46531eb0 00007ffd`6fcab340 : coreclr!ObjectNative::Pulse+0xd5 [D:\a\_work\1\s\src\coreclr\classlibnative\bcltype\objectnative.cpp @ 283]
0000004b`fc9dee20 00000000`00000001 : 00000000`00000000 00000185`46531eb0 00007ffd`6fcab340 0000004b`fc9dee20 : 0x00007ffd`1119ec89
0000004b`fc9dee28 00000000`00000000 : 00000185`46531eb0 00007ffd`6fcab340 0000004b`fc9dee20 00000185`46531b58 : 0x1
SYMBOL_NAME: nt!KiFastFailDispatch+d0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_1e_INVALID_NEXT_THREAD_nt!KiFastFailDispatch
OS_VERSION: 10.0.17763.1
BUILDLAB_STR: rs5_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {bef176cd-c482-4279-6644-552334c6dc54}
Followup: MachineOwner
Any help is appreciated.
Regards,
Milan
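
Added example, not part of the original post: a small triage script that reads `!analyze -v` text like the report above, extracts the fast-fail subcode, and lists which modules own the kernel-mode frames in STACK_TEXT. `DUMP` is an excerpt of the report above; the names `parse_frames` and `triage` are hypothetical, and frames are classified as kernel or user by their Child-SP address (an assumption that holds for x64).

```python
import re

# Excerpt of the !analyze -v output above, reduced to the lines this script reads.
DUMP = r"""
BUGCHECK_CODE: 139
Subcode: 0x1e FAST_FAIL_INVALID_NEXT_THREAD
STACK_TEXT:
ffff9306`1436a7f0 fffff807`7b2bbdb7 : ffffc000`def46180 fffff807`7b2bdd09 00000185`4acc43a0 fffff807`00000000 : nt!KiDeferredReadyThread+0xe38
ffff9306`1436a8b0 fffff807`7b2bb877 : ffff9785`f6f5e960 00000000`00000000 ffff9785`f6f5e960 00000000`00000000 : nt!KiExitDispatcher+0x187
ffff9306`1436a920 fffff807`7b81ba62 : ffff9306`00000001 ffff9306`1436aa80 ffff9306`1436aa00 fffff807`7bc8baf6 : nt!KeSetEvent+0xb7
0000004b`fc9dec88 00007ffd`8418c90d : 0000004b`f617f238 00000000`00000001 00000000`00000000 00000185`46531e00 : ntdll!NtSetEvent+0x14
0000004b`fc9dee20 00000000`00000001 : 00000000`00000000 00000185`46531eb0 00007ffd`6fcab340 0000004b`fc9dee20 : 0x00007ffd`1119ec89
SYMBOL_NAME: nt!KiFastFailDispatch+d0
"""

# Child-SP, RetAddr, " : ", four args, " : ", then the call site symbol.
FRAME = re.compile(r"^([0-9a-f]{8})`([0-9a-f]{8}) [0-9a-f`]+ : .* : (\S+)")
KERNEL_BASE = 0xFFFF800000000000  # x64: addresses at or above this are kernel space


def parse_frames(text):
    """Return (mode, module, symbol) for every STACK_TEXT frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue
        child_sp = int(m.group(1) + m.group(2), 16)
        symbol = m.group(3)
        # Frames without "module!function" are unresolved (e.g. JIT-compiled code).
        module = symbol.split("!", 1)[0] if "!" in symbol else None
        mode = "kernel" if child_sp >= KERNEL_BASE else "user"
        frames.append((mode, module, symbol))
    return frames


def triage(text):
    """Summarise the fast-fail subcode and which modules ran in kernel mode."""
    sub = re.search(r"^Subcode:\s+(0x[0-9a-f]+)\s+(\S+)", text, re.M)
    frames = parse_frames(text)
    kernel = [(mod, sym) for mode, mod, sym in frames if mode == "kernel"]
    return {
        "subcode": sub.group(2) if sub else None,
        "kernel_modules": sorted({mod for mod, _ in kernel if mod}),
        # Kernel frames outside nt, or with no symbol at all, merit a closer look.
        "suspect_frames": [sym for mod, sym in kernel if mod != "nt"],
    }


if __name__ == "__main__":
    print(triage(DUMP))
```

An empty `suspect_frames` list only shows where the corruption was detected; it does not show which component caused it.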