x64 crash dump analyze

Hi Guys,

I’m working on a stack overflow crash dump on a Win7 x64 machine. The call stack trace text is as below:

0:000> kn

Child-SP RetAddr Call Site

00 000000000012d468 000007fefcff13a6 ntdll!NtWaitForMultipleObjects+0xa
01 000000000012d470 0000000076bd3143 KERNELBASE!WaitForMultipleObjectsEx+0xe8
02 000000000012d570 0000000076c49025 kernel32!WaitForMultipleObjectsExImplementation+0xb3
03 000000000012d600 0000000076c491a7 kernel32!WerpReportFaultInternal+0x215
04 000000000012d6a0 0000000076c491ff kernel32!WerpReportFault+0x77
05 000000000012d6d0 0000000076c4941c kernel32!BasepReportFault+0x1f
06 000000000012d700 000000013fb3f34b kernel32!UnhandledExceptionFilter+0x1fc
07 000000000012d7e0 000000013fb333c9 ipoint!__report_gsfailure+0x11b [f:\sp\vctools\crt_bld\self_64_amd64\crt\src\gs_report.c @ 313]
08 000000000012d870 0000000076e0554d ipoint!__GSHandlerCheck_EH+0x39 [f:\sp\vctools\crt_bld\self_64_amd64\crt\prebuild\eh\amd64\gshandlereh.c @ 102]
09 000000000012d8a0 0000000076de5d1c ntdll!RtlpExecuteHandlerForException+0xd
0a 000000000012d8d0 0000000076e1fe48 ntdll!RtlDispatchException+0x3cb
0b 000000000012dfb0 000000013fa6fa90 ntdll!KiUserExceptionDispatcher+0x2e
0c 000000000012e570 000000013fa70a5c ipoint!std::_Uninit_movestd::basic_string,std::allocator<wchar_t> > * ptr64,std::basic_string<wchar_t>,std::allocator<wchar_t> > * ptr64,std::allocatorstd::basic_string,std::allocator<wchar_t> > > >+0x80 [c:\tools\vistasdk6.1.6000.16384.10\vc\include\memory @ 223]
0d 000000000012e620 000000013fa7157e ipoint!std::vectorstd::basic_string,std::allocator<wchar_t> >,std::allocatorstd::basic_string,std::allocator<wchar_t> > > >::_Insert_n+0x22c [c:\tools\vistasdk6.1.6000.16384.10\vc\include\vector @ 1143]
0e 000000000012e710 000000013fa989ad ipoint!std::vectorstd::basic_string,std::allocator<wchar_t> >,std::allocatorstd::basic_string,std::allocator<wchar_t> > > >::push_back+0x13e [c:\tools\vistasdk6.1.6000.16384.10\vc\include\vector @ 800]
0f 000000000012e770 000000013fa93ad6 ipoint!DPG::DPGCommandListParser::DPGCommandListParser+0x7d [c:\70base\source\lib\xdetails\dpgcommandlistparser.cpp @ 60]
10 000000000012e830 000000013fa90079 ipoint!DPG::DPGCommandList::DPGCommandList+0xd6 [c:\70base\source\lib\xdetails\dpgcommandlist.cpp @ 40]
11 000000000012e900 000000013fa5934f ipoint!DPG::Command::CreateCommandList+0x29 [c:\70base\source\lib\xdetails\dpgcommands.cpp @ 215]
12 000000000012e940 000000013fb33be0 ipoint!wWinMain+0x4af [c:\70base\source\exe\point32\point32.cpp @ 547]
13 000000000012fb10 0000000076bcf56d ipoint!__tmainCRTStartup+0x260 [f:\sp\vctools\crt_bld\self_64_amd64\crt\src\crt0.c @ 324]

It looks like vector::push_back has the stack overflow. How can I go further?

Thanks.
Marshall

What does !analyze -v say?

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

wrote in message news:xxxxx@windbg…
> Hi Guys,
>
> I’m working on a stack overflow crash dump on a Win7 x64 machine. The call
> stack trace text is as below:
>
> 0:000> kn
> # Child-SP RetAddr Call Site
> 00 000000000012d468 000007fefcff13a6 ntdll!NtWaitForMultipleObjects+0xa
> 01 000000000012d470 0000000076bd3143
> KERNELBASE!WaitForMultipleObjectsEx+0xe8
> 02 000000000012d570 0000000076c49025
> kernel32!WaitForMultipleObjectsExImplementation+0xb3
> 03 000000000012d600 0000000076c491a7
> kernel32!WerpReportFaultInternal+0x215
> 04 000000000012d6a0 0000000076c491ff kernel32!WerpReportFault+0x77
> 05 000000000012d6d0 0000000076c4941c kernel32!BasepReportFault+0x1f
> 06 000000000012d700 000000013fb3f34b
> kernel32!UnhandledExceptionFilter+0x1fc
> 07 000000000012d7e0 000000013fb333c9 ipoint!__report_gsfailure+0x11b
> [f:\sp\vctools\crt_bld\self_64_amd64\crt\src\gs_report.c @ 313]
> 08 000000000012d870 0000000076e0554d ipoint!__GSHandlerCheck_EH+0x39
> [f:\sp\vctools\crt_bld\self_64_amd64\crt\prebuild\eh\amd64\gshandlereh.c @
> 102]
> 09 000000000012d8a0 0000000076de5d1c
> ntdll!RtlpExecuteHandlerForException+0xd
> 0a 000000000012d8d0 0000000076e1fe48 ntdll!RtlDispatchException+0x3cb
> 0b 000000000012dfb0 000000013fa6fa90
> ntdll!KiUserExceptionDispatcher+0x2e
> 0c 000000000012e570 000000013fa70a5c
> ipoint!std::_Uninit_movestd::basic_string,std::allocator<wchar_t>
> > *
> ptr64,std::basic_string<wchar_t>,std::allocator<wchar_t>
> > *
>
ptr64,std::allocatorstd::basic_string,std::allocator<wchar_t>
> > > >+0x80 [c:\tools\vistasdk6.1.6000.16384.10\vc\include\memory @ 223]
> 0d 000000000012e620 000000013fa7157e
> ipoint!std::vectorstd::basic_string,std::allocator<wchar_t>
> >,std::allocatorstd::basic_string,std::allocator<wchar_t>
> > > >::_Insert_n+0x22c
> [c:\tools\vistasdk6.1.6000.16384.10\vc\include\vector @ 1143]
> 0e 000000000012e710 000000013fa989ad
> ipoint!std::vectorstd::basic_string,std::allocator<wchar_t>
> >,std::allocatorstd::basic_string,std::allocator<wchar_t>
> > > >::push_back+0x13e
> [c:\tools\vistasdk6.1.6000.16384.10\vc\include\vector @ 800]
> 0f 000000000012e770 000000013fa93ad6
> ipoint!DPG::DPGCommandListParser::DPGCommandListParser+0x7d
> [c:\70base\source\lib\xdetails\dpgcommandlistparser.cpp @ 60]
> 10 000000000012e830 000000013fa90079
> ipoint!DPG::DPGCommandList::DPGCommandList+0xd6
> [c:\70base\source\lib\xdetails\dpgcommandlist.cpp @ 40]
> 11 000000000012e900 000000013fa5934f
> ipoint!DPG::Command::CreateCommandList+0x29
> [c:\70base\source\lib\xdetails\dpgcommands.cpp @ 215]
> 12 000000000012e940 000000013fb33be0 ipoint!wWinMain+0x4af
> [c:\70base\source\exe\point32\point32.cpp @ 547]
> 13 000000000012fb10 0000000076bcf56d ipoint!__tmainCRTStartup+0x260
> [f:\sp\vctools\crt_bld\self_64_amd64\crt\src\crt0.c @ 324]
>
> It looks like vector::push_back has the stack overflow.
> How can I go further?
>
> Thanks.
> Marshall
>
>
>
>
>

The !analyze -v said it’s caused by a stack buffer overflow and that it’s a GS exception. Does it mean some code overran its buffer and corrupted the stack? Do you know a way to get to the root cause other than reviewing the suspicious code?

FAULTING_IP:
ipoint!__GSHandlerCheck_EH+39 [f:\sp\vctools\crt_bld\self_64_amd64\crt\prebuild\eh\amd64\gshandlereh.c @ 102]
00000001`3fb333c9 f6450466 test byte ptr [rbp+4],66h

EXCEPTION_RECORD: ffffffffffffffff – (.exr 0xffffffffffffffff)
ExceptionAddress: 000000013fb333c9 (ipoint!__GSHandlerCheck_EH+0x0000000000000039)
ExceptionCode: c0000409 (Stack buffer overflow)
ExceptionFlags: 00000001
NumberParameters: 0

PROCESS_NAME: ipoint.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

GSFAILURE_ANALYSIS_TEXT: !gs output:
4 Threads detected. Fault occured in thread #0
Corruption occured in ipoint!__GSHandlerCheck_EH or one of its callers
Module canary at 0x13FC49910 (ipoint!__security_cookie): 0xE22FE92FE48D
Complement at 0x13FC49918: 0xFFFF1DD016D01B72 (matches OK)

Analyzing __report_gsfailure frame…
LEA usage: Function @0x13FB33390-0x13FB333C9 is NOT using LEA
Canary at gsfailure frame not found. (Non-fatal)

Analyzing faulting frame…
Looking for Stack Canary in Function @0x13FB33390 (ipoint!__GSHandlerCheck_EH)
Detected GSHandler (ipoint!__GSHandlerCheck_EH)
Can’t find stack canary.
Fatal error - aborting analysis!

Stack buffer overrun analysis completed successfully.

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 0000000000000d78

DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

PRIMARY_PROBLEM_CLASS: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

BUGCHECK_STR: APPLICATION_FAULT_GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

STACK_TEXT:
000000000012d468 000007fefcff13a6 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!NtWaitForMultipleObjects+0xa
000000000012d470 0000000076bd3143 : 000000000012d5b0 000000000012d5a0 0000000000000000 0000000000000000 : KERNELBASE!WaitForMultipleObjectsEx+0xe8
000000000012d570 0000000076c49025 : 0000000002630000 000000013fbe9bc0 0000000000000000 000000000012e4a0 : kernel32!WaitForMultipleObjectsExImplementation+0xb3
000000000012d600 0000000076c491a7 : 0000000000000000 000000013fbe9bc0 000000000000020c 0000000000000000 : kernel32!WerpReportFaultInternal+0x215
000000000012d6a0 0000000076c491ff : 000000013fbe9bc0 0000000000000001 0000000000000000 0000000000000000 : kernel32!WerpReportFault+0x77
000000000012d6d0 0000000076c4941c : 0000000000000001 0000000088d9cd75 0000000000000001 0000000076e053c1 : kernel32!BasepReportFault+0x1f
000000000012d700 000000013fb3f34b : 000000013fbe9bc0 0000000000000006 0000000100000000 0000000000000001 : kernel32!UnhandledExceptionFilter+0x1fc
000000000012d7e0 000000013fb333c9 : 0000000000000000 000000013fa6fa90 000000000012de80 000000000012d958 : ipoint!__report_gsfailure+0x11b [f:\sp\vctools\crt_bld\self_64_amd64\crt\src\gs_report.c @ 313]
000000000012d870 0000000076e0554d : 0000000000130000 000000000012e570 000000013fc59764 0000000000129000 : ipoint!__GSHandlerCheck_EH+0x39 [f:\sp\vctools\crt_bld\self_64_amd64\crt\prebuild\eh\amd64\gshandlereh.c @ 102]
000000000012d8a0 0000000076de5d1c : 0000000000130000 0000000000000000 000000000001aa48 0000000000000000 : ntdll!RtlpExecuteHandlerForException+0xd
000000000012d8d0 0000000076e1fe48 : 000000000012e4a0 000000000012dfb0 0000000000000000 0000000000000000 : ntdll!RtlDispatchException+0x3cb
000000000012dfb0 000000013fa6fa90 : 0000000000000001 000000000012e8b8 000000000012e8b8 0000000000000028 : ntdll!KiUserExceptionDispatcher+0x2e
000000000012e570 000000013fa70a5c : 000000000012e740 0000000000000000 0000000000000000 000000000012e8b8 : ipoint!std::_Uninit_movestd::basic_string,std::allocator<wchar_t> > * ptr64,std::basic_string<wchar_t>,std::allocator<wchar_t> > * ptr64,std::allocatorstd::basic_string,std::allocator<wchar_t> > > >+0x80 [c:\tools\vistasdk6.1.6000.16384.10\vc\include\memory @ 223]
000000000012e620 000000013fa7157e : 00000000021a7b30 000000013fbaa652 ffffffff00000001 0000000002297520 : ipoint!std::vectorstd::basic_string,std::allocator<wchar_t> >,std::allocatorstd::basic_string,std::allocator<wchar_t> > > >::_Insert_n+0x22c [c:\tools\vistasdk6.1.6000.16384.10\vc\include\vector @ 1143]
000000000012e710 000000013fa989ad : 000000000012e870 00000000021a7b30 0000000000000000 000000000012e870 : ipoint!std::vectorstd::basic_string,std::allocator<wchar_t> >,std::allocatorstd::basic_string,std::allocator<wchar_t> > > >::push_back+0x13e [c:\tools\vistasdk6.1.6000.16384.10\vc\include\vector @ 800]
000000000012e770 000000013fa93ad6 : 0000000000000000 0000000002297ae0 00000000021a7b38 0000000000000000 : ipoint!DPG::DPGCommandListParser::DPGCommandListParser+0x7d [c:\70base\source\lib\xdetails\dpgcommandlistparser.cpp @ 60]
000000000012e830 000000013fa90079 : 000000013fbbb2b0 0000000002297ae0 0000000000000000 0000000000000000 : ipoint!DPG::DPGCommandList::DPGCommandList+0xd6 [c:\70base\source\lib\xdetails\dpgcommandlist.cpp @ 40]
000000000012e900 000000013fa5934f : 00000000021a7b30 0000000002297ae0 0000000000000000 0000000000000000 : ipoint!DPG::Command::CreateCommandList+0x29 [c:\70base\source\lib\xdetails\dpgcommands.cpp @ 215]
000000000012e940 000000013fb33be0 : 0000000000000000 0000000000000006 000000013fa40000 000000013fa40000 : ipoint!wWinMain+0x4af [c:\70base\source\exe\point32\point32.cpp @ 547]
000000000012fb10 0000000076bcf56d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ipoint!__tmainCRTStartup+0x260 [f:\sp\vctools\crt_bld\self_64_amd64\crt\src\crt0.c @ 324]
000000000012fbd0 0000000076e03281 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd
000000000012fc00 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x1d

STACK_COMMAND: .cxr 000000000012E8B8 ; kb ; ~0s ; kb

FOLLOWUP_IP:
ipoint!__GSHandlerCheck_EH+39 [f:\sp\vctools\crt_bld\self_64_amd64\crt\prebuild\eh\amd64\gshandlereh.c @ 102]
00000001`3fb333c9 f6450466 test byte ptr [rbp+4],66h

SYMBOL_STACK_INDEX: 8

SYMBOL_NAME: ipoint!__GSHandlerCheck_EH+39

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ipoint

IMAGE_NAME: ipoint.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4a1aee26

FAILURE_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS_c0000409_ipoint.exe!__GSHandlerCheck_EH

BUCKET_ID: X64_APPLICATION_FAULT_GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS_ipoint!__GSHandlerCheck_EH+39

WATSON_STAGEONE_URL: http://watson.microsoft.com/000f33c9.htm?Retriage=1

Followup: MachineOwner
---------
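As an added illustration, not code from the thread or from the CRT, of what the /GS check behind `__GSHandlerCheck_EH`, `__report_gsfailure` and the `!gs` output above actually does: the module cookie is verified against its complement with the two values `!gs` printed, and a simulated x64 frame shows how writing past a local buffer clobbers the per-frame canary (module cookie XOR frame address) so the check fails with the same status, 0xC0000409, that the dump reports. The frame layout, the `gs_frame` struct and the filler input are simplified assumptions for the demo; a real build's frame also contains saved registers and a random per-load cookie.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STATUS_STACK_BUFFER_OVERRUN 0xC0000409u  /* ExceptionCode seen in the dump */

/* Module cookie and its complement, values copied from the !gs output above
 * (a real image gets a fresh random cookie at load time). */
static const uint64_t security_cookie     = 0x0000E22FE92FE48DULL;
static const uint64_t security_complement = 0xFFFF1DD016D01B72ULL;

/* !gs first verifies the module cookie against its stored complement
 * ("matches OK") before trusting it to check individual frames. */
int complement_matches(uint64_t cookie, uint64_t complement) {
    return complement == ~cookie;
}

/* Assumed, simplified x64 /GS frame: locals first, then the canary slot that
 * the prologue fills with (cookie XOR frame address). Only the ordering matters. */
struct gs_frame {
    wchar_t  buf[8];        /* local buffer that can be overrun */
    uint64_t frame_cookie;  /* canary slot sitting above the locals */
};

/* Epilogue / __GSHandlerCheck_EH: undo the XOR and compare. Returns 0 for an
 * intact frame, otherwise the status that __report_gsfailure raises. */
uint32_t check_cookie(const struct gs_frame *f) {
    uint64_t v = f->frame_cookie ^ (uint64_t)(uintptr_t)f;
    return v == security_cookie ? 0 : STATUS_STACK_BUFFER_OVERRUN;
}

/* Copy n bytes of constructed filler into the frame with no bounds check
 * (the defect /GS exists to catch), then run the check. n is capped at the
 * struct size so the write never leaves the object. */
uint32_t fill_and_check(size_t n) {
    struct gs_frame f;
    unsigned char filler[sizeof f];
    memset(filler, 0x41, sizeof filler);            /* constructed input */
    if (n > sizeof f) n = sizeof f;
    f.frame_cookie = security_cookie ^ (uint64_t)(uintptr_t)&f;  /* prologue */
    memcpy(&f, filler, n);  /* overruns buf as soon as n > sizeof f.buf */
    return check_cookie(&f);
}

int main(void) {
    printf("complement %s\n", complement_matches(security_cookie, security_complement) ? "matches OK" : "MISMATCH");
    printf("in-bounds write: 0x%08x\n", fill_and_check(sizeof ((struct gs_frame *)0)->buf));
    printf("overrun write:   0x%08x\n", fill_and_check(sizeof(struct gs_frame)));
    return 0;
}
```

The second printed status is the `ExceptionCode: c0000409` from the dump; the `!gs` "Can't find stack canary" and `GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS` lines mean the analyzer could not locate this per-frame slot in the faulting function's frame, not that no overrun happened.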

FAILURE_BUCKET_ID: GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS_c0000409_ipoint.exe!__GSHandlerCheck_EH

BUCKET_ID: X64_APPLICATION_FAULT_GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS_ipoint!__GSHandlerCheck_EH+39

I’m not really sure what to make of this exactly, but it sounds like it thinks that the module wasn’t built with -GS support.

mm