So, this is day one of MOVB.
Contrary to other Months of Bugs, this one will not focus on "security" bugs (do not expect 30 remotely anonymously exploitable bugs ;). My favorite bugs are "stupid" bugs/features, or blatant QA failures.
First BSOD was caught on a fresh install of Vista32 Ultimate, running on an Intel Core Duo processor. Faulting driver was NTFS.SYS - luckily I did not lose any data.
It might be time to get your NTFS fuzzers back on track ;)
PS. Bug has been reported to Microsoft using built-in WER.
PPS. I am willing to answer questions. However, I cannot forward the full memory dump: it holds personal information.
1: kd> !analyze -v
*******************************************************************************
Bugcheck Analysis
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd parameters are the exception record and context record. Do a .cxr on the 3rd parameter and then kb to obtain a more informative stack trace.
Arguments:
Arg1: 001904ab
Arg2: 85ac09e4
Arg3: 85ac06e0
Arg4: 81c5e86c
Debugging Details
------------------
EXCEPTION_RECORD: 85ac09e4 -- (.exr 0xffffffff85ac09e4)
ExceptionAddress: 81c5e86c (nt!RtlSubtreePredecessor+0x00000015)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 3f3f3f47
Attempt to read from address 3f3f3f47
CONTEXT: 85ac06e0 -- (.cxr 0xffffffff85ac06e0)
eax=3f3f3f3f ebx=00000000 ecx=3f3f3f3f edx=00000000 esi=a6e36ca8 edi=00010000
eip=81c5e86c esp=85ac0aac ebp=85ac0aac iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!RtlSubtreePredecessor+0x15:
81c5e86c 8b4808          mov     ecx,dword ptr [eax+8] ds:0023:3f3f3f47=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005
READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d11780
 3f3f3f47
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 81c5e7c7 to 81c5e86c
STACK_TEXT:
85ac0aac 81c5e7c7 a6e36ca8 8a265cfc a6e36ca8 nt!RtlSubtreePredecessor+0x15
85ac0ac4 806629e1 a6e36ca8 00010000 a6e36ca8 nt!RtlDeleteNoSplay+0x20
85ac0ad8 80662cbe a6e36ca8 8a265cec 8487e2f8 fltmgr!TreeUnlinkNoBalance+0x13
85ac0af0 80674fb6 8a265cfc ffffffff ffffffff fltmgr!TreeUnlinkMulti+0x22
85ac0b10 8067509f 8a265cb8 00008000 ffffffff fltmgr!DeleteNameCacheNodes+0x84
85ac0b2c 806783d1 8487e008 8a265cb8 8a265cf8 fltmgr!FltpFreeNameCacheList+0x17
85ac0b48 806785d6 8a265cb8 8a265cbc ac3e1d08 fltmgr!CleanupStreamListCtrl+0x37
85ac0b5c 81d7cd18 8a265cbc 85acb0d4 81ce7b69 fltmgr!DeleteStreamListCtrlCallback+0x5a
85ac0b94 8517cd79 ac3e1d08 00000000 ac3e1d08 nt!FsRtlTeardownPerStreamContexts+0xd4
85ac0bb0 8518f1ad 00000705 ac3e1c18 ac3e1c40 Ntfs!NtfsDeleteScb+0x1f2
85ac0bc8 85109c9b 83bbec90 ac3e1d08 00000000 Ntfs!NtfsRemoveScb+0xc2
85ac0be4 8519bed4 83bbec90 ac3e1c18 00000000 Ntfs!NtfsPrepareFcbForRemoval+0x59
85ac0c28 851113be 83bbec90 ac3e1d08 00000000 Ntfs!NtfsTeardownStructures+0x62
85ac0c50 85197fe1 83bbec90 ac3e1d08 00000000 Ntfs!NtfsDecrementCloseCounts+0xad
85ac0cb0 8517d126 83bbec90 ac3e1d08 ac3e1c18 Ntfs!NtfsCommonClose+0x4d9
85ac0d44 81c78e18 00000000 00000000 82f64828 Ntfs!NtfsFspClose+0x117
85ac0d7c 81e254a8 00000000 85acb680 00000000 nt!ExpWorkerThread+0xfd
85ac0dc0 81c9145e 81c78d1b 00000000 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
Ntfs!NtfsDeleteScb+1f2
8517cd79 8b06            mov     eax,dword ptr [esi]
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: Ntfs!NtfsDeleteScb+1f2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4549aceb
STACK_COMMAND: .cxr 0xffffffff85ac06e0 ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsDeleteScb+1f2
BUCKET_ID: 0x24_Ntfs!NtfsDeleteScb+1f2
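For anyone who gets a stream of these dumps and wants to sort them before opening each one in the debugger, here is an added example (mine, not part of the original post or of any Microsoft tool) that pulls the triage fields out of `!analyze -v` text and applies one heuristic worth knowing: eax and ecx above both hold 3f3f3f3f, a single byte repeated four times (0x3f is ASCII '?'), and the faulting address 3f3f3f47 is exactly that value plus the `+8` from `mov ecx,dword ptr [eax+8]`. A register made of one repeated byte is usually a fill pattern or string data that got used as a pointer, not a live kernel address, which is a different lead than a plain NULL dereference. The sample input is the post's own dump trimmed to the lines the parser reads; the field names and thresholds in the triage dictionary are my own choices.

```python
"""Triage helper for WinDbg `!analyze -v` output (added example, not from the post)."""
import re
from dataclasses import dataclass, field

# Sample input: lines from the !analyze -v output quoted in the post, trimmed
# to what this parser reads (some stack frames omitted for brevity).
SAMPLE_ANALYZE = """\
NTFS_FILE_SYSTEM (24)
ExceptionAddress: 81c5e86c (nt!RtlSubtreePredecessor+0x00000015)
ExceptionCode: c0000005 (Access violation)
Attempt to read from address 3f3f3f47
eax=3f3f3f3f ebx=00000000 ecx=3f3f3f3f edx=00000000 esi=a6e36ca8 edi=00010000
eip=81c5e86c esp=85ac0aac ebp=85ac0aac iopl=0 nv up ei pl nz na pe nc
CURRENT_IRQL: 0
STACK_TEXT:
85ac0aac 81c5e7c7 a6e36ca8 8a265cfc a6e36ca8 nt!RtlSubtreePredecessor+0x15
85ac0ac4 806629e1 a6e36ca8 00010000 a6e36ca8 nt!RtlDeleteNoSplay+0x20
85ac0ad8 80662cbe a6e36ca8 8a265cec 8487e2f8 fltmgr!TreeUnlinkNoBalance+0x13
85ac0b10 8067509f 8a265cb8 00008000 ffffffff fltmgr!DeleteNameCacheNodes+0x84
85ac0b94 8517cd79 ac3e1d08 00000000 ac3e1d08 nt!FsRtlTeardownPerStreamContexts+0xd4
85ac0bb0 8518f1ad 00000705 ac3e1c18 ac3e1c40 Ntfs!NtfsDeleteScb+0x1f2
85ac0d44 81c78e18 00000000 00000000 82f64828 Ntfs!NtfsFspClose+0x117
85ac0d7c 81e254a8 00000000 85acb680 00000000 nt!ExpWorkerThread+0xfd
MODULE_NAME: Ntfs
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsDeleteScb+1f2
"""


@dataclass
class CrashReport:
    bugcheck_name: str = ""
    bugcheck_code: int = 0
    exception_code: int = 0
    fault_address: int = 0
    irql: int = 0
    registers: dict = field(default_factory=dict)  # name -> int
    frames: list = field(default_factory=list)     # "module!symbol+off" per STACK_TEXT line
    module: str = ""
    bucket_id: str = ""


_BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)$")
_FIELD_RE = re.compile(r"^(\w+):\s*(\S.*)$")
_REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
_FRAME_RE = re.compile(r"^(?:[0-9a-fA-F]{8} ){5}(\w+!\S+)$")
_FAULT_RE = re.compile(r"^Attempt to (?:read from|write to) address ([0-9a-fA-F]+)$")


def parse_analyze(text: str) -> CrashReport:
    """Extract bugcheck, exception, registers, stack and bucket from !analyze -v text."""
    r = CrashReport()
    for line in text.splitlines():
        line = line.strip()
        if m := _BUGCHECK_RE.match(line):
            r.bugcheck_name, r.bugcheck_code = m.group(1), int(m.group(2), 16)
        elif m := _FAULT_RE.match(line):
            r.fault_address = int(m.group(1), 16)
        elif m := _FRAME_RE.match(line):
            r.frames.append(m.group(1))
        elif m := _FIELD_RE.match(line):
            key, value = m.group(1), m.group(2)
            if key == "ExceptionCode":
                r.exception_code = int(value.split()[0], 16)
            elif key == "CURRENT_IRQL":
                r.irql = int(value, 16)
            elif key == "MODULE_NAME":
                r.module = value
            elif key == "FAILURE_BUCKET_ID":
                r.bucket_id = value
        for name, value in _REG_RE.findall(line):  # register dump line(s)
            r.registers[name] = int(value, 16)
    return r


def repeated_byte(value: int, width: int = 4) -> bool:
    """True when all `width` bytes of value are identical, e.g. 0x3f3f3f3f."""
    return len(set(value.to_bytes(width, "little"))) == 1


def triage(report: CrashReport) -> dict:
    """Summarise the crash and flag fill-pattern registers that explain the fault."""
    # Non-zero registers made of one repeated byte; 0 is just NULL and is skipped.
    pattern = {name: f"{value & 0xff:02x}"
               for name, value in report.registers.items()
               if value and repeated_byte(value)}
    # A pattern register sitting just below the faulting address was most
    # likely the base of the dereference (here [eax+8] -> 3f3f3f47).
    deref = sorted(name for name, value in report.registers.items()
                   if name in pattern and 0 <= report.fault_address - value < 0x100)
    modules = []  # distinct modules on the stack, in order of first appearance
    for frame in report.frames:
        mod = frame.split("!", 1)[0]
        if mod not in modules:
            modules.append(mod)
    return {
        "bugcheck": f"{report.bugcheck_name} (0x{report.bugcheck_code:x})",
        "bucket": report.bucket_id,
        "blamed_module": report.module,
        "top_frame": report.frames[0] if report.frames else "",
        "modules_on_stack": modules,
        "pattern_registers": pattern,
        "dereferenced_registers": deref,
        "at_passive_irql": report.irql == 0,
    }


if __name__ == "__main__":
    for key, val in triage(parse_analyze(SAMPLE_ANALYZE)).items():
        print(f"{key:>24}: {val}")
```

Run against the sample it reports the bucket `0x24_Ntfs!NtfsDeleteScb+1f2`, the module order nt, fltmgr, Ntfs (so a filter-manager name-cache teardown sits between the NTFS close path and the faulting tree walk), and eax and ecx as repeated-0x3f registers that line up with the fault address. The heuristic only says "this pointer came from filled or overwritten memory"; which component wrote it is still a debugger question.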
Thursday, November 1, 2007