ndis crash on NdisRegisterDeviceEx

I don't know what exactly is going on, but somehow NdisRegisterDeviceEx is crashing (stack below).

Strange thing here is that when I add a debug print (a simple "driver entry 6\n") between NdisFRegisterFilterDriver and NdisRegisterDeviceEx, everything is OK.

Can you tell me what I'm doing wrong:

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 82874f70, The address that the exception occurred at
Arg3: 80dd7820, Exception Record Address
Arg4: 80dd7400, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

FAULTING_IP:
nt!memcpy+130
82874f70 8b448efc mov eax,dword ptr [esi+ecx*4-4]

EXCEPTION_RECORD: 80dd7820 -- (.exr 0xffffffff80dd7820)
ExceptionAddress: 82874f70 (nt!memcpy+0x00000130)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT: 80dd7400 -- (.cxr 0xffffffff80dd7400)
eax=00000004 ebx=00000100 ecx=00000001 edx=00000000 esi=00000000 edi=8a356a00
eip=82874f70 esp=80dd78e8 ebp=80dd78f0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!memcpy+0x130:
82874f70 8b448efc mov eax,dword ptr [esi+ecx*4-4] ds:0023:00000000=????????
Resetting default scope

DEFAULT_BUCKET_ID: NULL_DEREFERENCE

PROCESS_NAME: System

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000000

READ_ADDRESS: 00000000

FOLLOWUP_IP:
ndislwf!PrepareTcpFilterDeviceObject+9f [d:\sources\drivers\filter\driver.c @ 199]
96633a3f 8945e0 mov dword ptr [ebp-20h],eax

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from 87a529e5 to 82874f70

STACK_TEXT:
80dd78f0 87a529e5 8a356a00 00000000 00000004 nt!memcpy+0x130
80dd790c 87a528a8 8537ad30 00000001 80dd7970 ndis!SeSddlSecurityDescriptorFromSDDL+0x5f
80dd7958 87a1f009 8537ad30 96638148 80dd7a38 ndis!IoDevObjCreateDeviceSecure+0x61
80dd79a8 96633a3f 843d5b08 80dd7a44 96636008 ndis!NdisRegisterDeviceEx+0xfc
80dd7a60 96638099 0068018b 00010006 00000000 ndislwf!PrepareDeviceObject+0x9f [d:\filter\driver.c @ 199]
80dd7ad8 829fd358 8537ad30 843b7000 00000000 ndislwf!DriverEntry+0x89 [d:filter\driver.c @ 70]
80dd7cbc 829e55de 00000001 00000000 80dd7ce4 nt!IopLoadDriver+0x7ed
80dd7d00 8289f183 92869cd0 00000000 842e54c0 nt!IopLoadUnloadDriver+0x70
80dd7d50 82a2c400 00000001 53aaa707 00000000 nt!ExpWorkerThread+0x10d
80dd7d90 828cd979 8289f076 00000001 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

So [esi+ecx*4-4] is close to NULL. This also says this is a NULL pointer
dereference. Likely your NDIS_DEVICE_OBJECT_ATTRIBUTES are not well
initialized.

//Daniel


And from the stack, you can infer that it’s the DefaultSDDLString that’s invalid.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@resplendence.com
Sent: Tuesday, July 12, 2011 7:06 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] ndis crash on NdisRegisterDeviceEx

So [esi+ecx*4-4] is close to NULL. This also says this is a NULL pointer dereference. Likely your NDIS_DEVICE_OBJECT_ATTRIBUTES are not well initialized.

//Daniel


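As an added example (my own code, not from anyone in this thread), a small Python helper that mechanises the two inferences made above: it evaluates the faulting memory operand against the CONTEXT registers to show the read really lands at address 0, and picks out the first STACK_TEXT frame belonging to the poster's own driver image, which is the source line that filled in the attributes handed to NdisRegisterDeviceEx. The dump excerpt and the image name ndislwf are copied from the thread; the 64 KiB "near NULL" cutoff is an assumption of mine.

```python
import re

# Constructed excerpt of the !analyze output posted above: CONTEXT registers, faulting instruction, STACK_TEXT.
DUMP = r"""eax=00000004 ebx=00000100 ecx=00000001 edx=00000000 esi=00000000 edi=8a356a00
nt!memcpy+0x130:
82874f70 8b448efc mov eax,dword ptr [esi+ecx*4-4] ds:0023:00000000=????????
80dd78f0 87a529e5 8a356a00 00000000 00000004 nt!memcpy+0x130
80dd790c 87a528a8 8537ad30 00000001 80dd7970 ndis!SeSddlSecurityDescriptorFromSDDL+0x5f
80dd7958 87a1f009 8537ad30 96638148 80dd7a38 ndis!IoDevObjCreateDeviceSecure+0x61
80dd79a8 96633a3f 843d5b08 80dd7a44 96636008 ndis!NdisRegisterDeviceEx+0xfc
80dd7a60 96638099 0068018b 00010006 00000000 ndislwf!PrepareDeviceObject+0x9f [d:\filter\driver.c @ 199]
"""
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
FRAME_RE = re.compile(r"^[0-9a-f]{8}(?: [0-9a-f]{8}){4} (\S+)(?: \[(.+?)\])?$", re.M)
TERM_RE = re.compile(r"([+-]?)([a-z]+|[0-9a-f]+h|\d+)(?:\*(\d+))?")

def parse_registers(text):
    """Map register names to integers from the CONTEXT lines of the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def _number(tok):
    """WinDbg prints hex immediates with an 'h' suffix; bare digits are decimal."""
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok)

def effective_address(operand, regs):
    """Evaluate an Intel-syntax memory operand such as [esi+ecx*4-4] or [ebp-20h]."""
    addr = 0
    for sign, tok, scale in TERM_RE.findall(operand.strip()[1:-1]):
        term = (regs[tok] if tok in regs else _number(tok)) * (int(scale) if scale else 1)
        addr += -term if sign == "-" else term
    return addr & 0xFFFFFFFF

def first_frame_in_module(text, module):
    """Return (symbol, source location) of the first stack frame inside `module`, else None."""
    for symbol, location in FRAME_RE.findall(text):
        if symbol.startswith(module + "!"):
            return symbol, location

def triage(text, module):
    """Where the faulting read went, and which frame of driver image `module` passed the bad pointer to ndis."""
    regs = parse_registers(text)
    operand = re.search(r"ptr (\[[^\]]+\])", text).group(1)
    addr = effective_address(operand, regs)
    return {
        "fault_address": addr,
        # Reads near address zero are what !analyze buckets as NULL_DEREFERENCE; 64 KiB cutoff is a heuristic.
        "null_deref": addr < 0x10000,
        "our_frame": first_frame_in_module(text, module),
    }
```

triage(DUMP, "ndislwf") reports a fault address of 0 and points at ndislwf!PrepareDeviceObject, driver.c line 199, which is where the NDIS_DEVICE_OBJECT_ATTRIBUTES (and its DefaultSDDLString) were filled in.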

NTDEV is sponsored by OSR
