GPUOpen-LibrariesAndSDKs / AntiLag2-SDK

The main repository for the AMD Radeon Anti-Lag 2 SDK.
https://gpuopen.com/anti-lag-2/

Crash if CET shadow stack is in use #4

Open p0358 opened 2 months ago

p0358 commented 2 months ago

There's a reproducible crash (both in the game and in your DX11 sample) if the game is compiled with the linker option /CETCOMPAT, which enforces CET shadow stack protections (available on Ryzen 5000 and higher CPU series). This vastly improves the program's security against stack overflow RCEs, so we're not willing to give up on this feature. It's worth noting that we didn't run into any issues using this feature in the game with AMD drivers during normal usage, without AMD Anti-Lag 2. However, with Anti-Lag 2, it crashes shortly after startup (but not immediately).

To reproduce, it's enough to enable this in your sample's solution (and have the minimum CPU requirement of Ryzen 5000 or, I think, Intel 11th gen; in my case Ryzen 7000): [screenshot of the linker setting, not reproduced here]

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr
(3a80.135f0): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
Subcode: 0x30 FAST_FAIL_SET_CONTEXT_DENIED 

+------------------------------------------------------------------------+
| This target supports Hardware-enforced Stack Protection. A HW based    |
| "Shadow Stack" may be available to assist in debugging and analysis.   |
| See aka.ms/userhsp for more info.                                      |
|                                                                        |
| dps @ssp                                                               |
|                                                                        |
+------------------------------------------------------------------------+

For analysis of this file, run !analyze -v
ntdll!RcContinueExit+0x13:
00007ffc`dba11a91 cd29            int     29h
0:000> dps @ssp
0000007a`168fef90  00007ffc`c403301f amdxx64!AmdD3D11CreateDeviceAndSwapChainExt+0x34a7f
0000007a`168fef98  00007ffc`c402aa33 amdxx64!AmdD3D11CreateDeviceAndSwapChainExt+0x2c493
0000007a`168fefa0  00007ffc`c4024da4 amdxx64!AmdD3D11CreateDeviceAndSwapChainExt+0x26804
0000007a`168fefa8  00007ff7`c84deefe*** WARNING: Unable to verify checksum for sample_dx11d.exe
 sample_dx11d!AMD::AntiLag2DX11::Update+0x11e [C:\Users\p0358\Downloads\AntiLag2-SDK\ffx_antilag2_dx11.h @ 175]
0000007a`168fefb0  00007ff7`c84dd01f sample_dx11d!PreMessagePump+0x2f [C:\Users\p0358\Downloads\AntiLag2-SDK\sample_dx11\src\Sample.cpp @ 287]
0000007a`168fefb8  00007ff7`c84e86c4 sample_dx11d!DXUTPreMessagePump+0x34 [C:\Users\p0358\Downloads\AntiLag2-SDK\sample_dx11\dxut\Core\DXUT.cpp @ 2806]
0000007a`168fefc0  00007ff7`c84e818e sample_dx11d!DXUTMainLoop+0x25e [C:\Users\p0358\Downloads\AntiLag2-SDK\sample_dx11\dxut\Core\DXUT.cpp @ 1642]
0000007a`168fefc8  00007ff7`c84dbafb sample_dx11d!wWinMain+0x13b [C:\Users\p0358\Downloads\AntiLag2-SDK\sample_dx11\src\Sample.cpp @ 257]
0000007a`168fefd0  00007ff7`c85b7282 sample_dx11d!invoke_main+0x32 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 123]
0000007a`168fefd8  00007ff7`c85b7132 sample_dx11d!__scrt_common_main_seh+0x132 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
0000007a`168fefe0  00007ff7`c85b6fee sample_dx11d!__scrt_common_main+0xe [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 331]
0000007a`168fefe8  00007ff7`c85b731e sample_dx11d!wWinMainCRTStartup+0xe [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_wwinmain.cpp @ 17]
0000007a`168feff0  00007ffc`db757374 kernel32!BaseThreadInitThunk+0x14
0000007a`168feff8  00007ffc`db9bcc91 ntdll!RtlUserThreadStart+0x21
0000007a`168ff000  ????????`????????
0000007a`168ff008  ????????`????????
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Failed to find runtime module (coreclr.dll or clr.dll or libcoreclr.so), 0x80004002
Extension commands need it in order to have something to do.
For more information see https://go.microsoft.com/fwlink/?linkid=2135652
Failed to find runtime module (coreclr.dll or clr.dll or libcoreclr.so), 0x80004002
Extension commands need it in order to have something to do.
For more information see https://go.microsoft.com/fwlink/?linkid=2135652

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 530

    Key  : Analysis.Elapsed.mSec
    Value: 533

    Key  : Analysis.IO.Other.Mb
    Value: 1

    Key  : Analysis.IO.Read.Mb
    Value: 6

    Key  : Analysis.IO.Write.Mb
    Value: 6

    Key  : Analysis.Init.CPU.mSec
    Value: 234

    Key  : Analysis.Init.Elapsed.mSec
    Value: 188795

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 163

    Key  : FailFast.Name
    Value: SET_CONTEXT_DENIED

    Key  : FailFast.Type
    Value: 48

    Key  : Failure.Bucket
    Value: FAIL_FAST_SET_CONTEXT_DENIED_c0000409_amdxx64.dll!Unknown

    Key  : Failure.Hash
    Value: {78ddba46-75a8-6cb0-3a63-e64b82e1e90c}

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 2474707

    Key  : Timeline.Process.Start.DeltaSec
    Value: 7

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1

FILE_IN_CAB:  sample_dx11d.exe.14976.dmp

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=00000000c000060a rbx=0000000000000000 rcx=0000000000000030
rdx=0000000000000000 rsi=0000000000000000 rdi=000001e672563830
rip=00007ffcdba11a91 rsp=0000007a165ff8f0 rbp=0000007a165ff8f0
 r8=0000007a165ff8e8  r9=0000007a165ff8f0 r10=0000000000000000
r11=0000000000000246 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000001
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!RcContinueExit+0x13:
00007ffc`dba11a91 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffcdba11a91 (ntdll!RcContinueExit+0x0000000000000013)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000030
Subcode: 0x30 FAST_FAIL_SET_CONTEXT_DENIED 

PROCESS_NAME:  sample_dx11d.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - System wykrył w tej aplikacji przekroczenie buforu opartego na stosie. Przekroczenie może umożliwić złośliwemu użytkownikowi uzyskanie kontroli nad tą aplikacją.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000030

STACK_TEXT:  
0000007a`165ff8f0 00007ffc`c403301f     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RcContinueExit+0x13
0000007a`165ff940 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : amdxx64!AmdD3D11CreateDeviceAndSwapChainExt+0x34a7f

STACK_COMMAND:  ~0s; .ecxr ; kb

SYMBOL_NAME:  amdxx64+34a7f

MODULE_NAME: amdxx64

IMAGE_NAME:  amdxx64.dll

FAILURE_BUCKET_ID:  FAIL_FAST_SET_CONTEXT_DENIED_c0000409_amdxx64.dll!Unknown

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  32.0.11029.1008

FAILURE_ID_HASH:  {78ddba46-75a8-6cb0-3a63-e64b82e1e90c}

Followup:     MachineOwner
---------

It doesn't look like the symbol server for AMD is working properly, hence no symbols for the driver. The driver version is 24.7.1.
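Editor's note on the report above: the /CETCOMPAT marker that turns hardware-enforced stack protection on for a process does not live in the classic DllCharacteristics field; the linker records it as an IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS entry (type 20) in the PE debug directory, whose 4-byte payload has IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT (0x1) set. When triaging a FAST_FAIL_SET_CONTEXT_DENIED like the one in the dump, the first question is usually which images in the process carry that marker, and the script below answers it. It is an added example written for this page, not code from the issue, the SDK or AMD; it assumes only the documented PE32/PE32+ header layout, and the `build_pe` helper fabricates a minimal synthetic PE (constructed test data, not a real binary) so the parser can be exercised offline.

```python
"""Report the CET_COMPAT marker of PE files (added example, not SDK code).

Usage: python check_cetcompat.py game.exe amdxx64.dll ...
"""
import struct
import sys

IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20   # debug directory entry type
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x1  # bit in that entry's payload
IMAGE_DIRECTORY_ENTRY_DEBUG = 6               # index into the data directories
DEBUG_ENTRY_SIZE = 28                         # sizeof(IMAGE_DEBUG_DIRECTORY)


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def cet_compat_flag(pe):
    """True/False for the CET_COMPAT bit; None when the image has no
    EX_DLLCHARACTERISTICS debug entry at all (not linked with /CETCOMPAT,
    or an older toolchain that never emits the entry)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories start 112 bytes into a PE32+ optional header, 96 into PE32.
    dir_base = opt + (112 if magic == 0x20B else 96)
    sections = []
    for i in range(num_sections):
        s = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dbg_rva, dbg_size = struct.unpack_from(
        "<II", pe, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_rva == 0 or dbg_size == 0:
        return None
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        entry = dbg_off + DEBUG_ENTRY_SIZE * i
        # Type, SizeOfData, AddressOfRawData, PointerToRawData sit at +12.
        dtype, size, _addr, raw_ptr = struct.unpack_from("<IIII", pe, entry + 12)
        if dtype == IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS and size >= 4:
            flags = struct.unpack_from("<I", pe, raw_ptr)[0]
            return bool(flags & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)
    return None


def build_pe(cet_compat, with_debug_dir=True):
    """Constructed test data: a minimal synthetic PE32+ with one section that
    holds a single EX_DLLCHARACTERISTICS debug entry and its payload."""
    e_lfanew, sec_va, sec_off, sec_size = 0x40, 0x1000, 0x200, 0x200
    opt_size = 112 + 16 * 8                      # fixed part + 16 directories
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if with_debug_dir:
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_DEBUG,
                         sec_va, DEBUG_ENTRY_SIZE)
    sec_hdr = (b".rdata\0\0" + struct.pack("<IIII", sec_size, sec_va, sec_size, sec_off)
               + b"\0" * 16)
    headers = dos + b"PE\0\0" + coff + opt + bytes(dirs) + sec_hdr
    headers += b"\0" * (sec_off - len(headers))
    payload_off = DEBUG_ENTRY_SIZE               # payload follows the entry
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS,
                        4, sec_va + payload_off, sec_off + payload_off)
    payload = struct.pack("<I", IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT if cet_compat else 0)
    body = entry + payload
    return headers + body + b"\0" * (sec_size - len(body))


if __name__ == "__main__":
    labels = {True: "CET compatible (/CETCOMPAT)", False: "CET flag present but clear",
              None: "no EX_DLLCHARACTERISTICS entry"}
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {labels[cet_compat_flag(f.read())]}")
```

Running it over the game executable and every module in the crashing process gives the inventory a triage usually starts from: an executable marked compatible runs the whole process under the shadow stack, so any DLL that restores a thread context or switches stacks in a way the shadow stack cannot validate will fail fast with subcode 0x30, exactly as the dump shows. The parser deliberately does not trust NumberOfRvaAndSizes or section names, since a stripped or hand-crafted image can still be checked.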

gareththomasamd commented 1 month ago

Thanks for reporting! We are actively investigating this.

gareththomasamd commented 1 month ago

Do you already have a contact at AMD? If so please reach out to them to get in touch with me.

p0358 commented 1 month ago

I don't have one

p0358 commented 1 month ago

Any updates?

> Do you already have a contact at AMD? If so please reach out to them to get in touch with me.

I could just send you an e-mail or something if that's still up-to-date.

Btw, Microsoft now enabled CET enforcement for .NET 9 by default, so I suspect more people could run into this issue in some time:

https://learn.microsoft.com/en-us/dotnet/core/compatibility/interop/9.0/cet-support

gareththomasamd commented 1 month ago

The fix is coming out in a future driver. Will update the thread again when I have a better idea of date.

gareththomasamd commented 2 weeks ago

This will be fixed in the November driver. Thanks for reporting!