Closed. elmeyer closed this issue 1 year ago.
Thanks for the report. After a quick look, it appears the error originates from the call to `InsertTailList` in `windivert_reflect_open_event`. This could be caused by memory corruption.

Do you have any PoC code to replicate the problem? If so, please send it to basil at reqrypt.org.
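As an added example (not code from WinDivert or from anyone in this thread), the following user-mode C program models the kernel `LIST_ENTRY` list that `InsertTailList` operates on and shows why a list head that was zeroed, never initialised, or left pointing at reused memory turns into a NULL or wild pointer write inside `InsertTailList`, which is the symptom discussed above. The consistency check mirrors the one the checked kernel `InsertTailList` performs before linking (it calls `RtlFailFast(FAST_FAIL_CORRUPT_LIST_ENTRY)` on failure); the `scenario_*` functions, the zeroed head and the dangling back-link are constructed for illustration and do not claim to reproduce the customer's crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-mode model of the kernel's LIST_ENTRY (same Flink/Blink layout as
 * ntdef.h; no Windows headers needed). Added example, not WinDivert code. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

static void InitializeListHead(LIST_ENTRY *head)
{
    head->Flink = head;
    head->Blink = head;
}

/* Same back-link test the checked kernel InsertTailList performs before it
 * links the entry; here NULL links are also rejected instead of faulting. */
static int ListHeadIsConsistent(const LIST_ENTRY *head)
{
    if (head == NULL || head->Flink == NULL || head->Blink == NULL)
        return 0;
    return head->Blink->Flink == head;
}

/* Checked tail insert: returns 0 on success, -1 if the head fails the check.
 * The unchecked macro would go straight to `last->Flink = entry`, which is a
 * write through a NULL/stale Blink pointer on a corrupted head. */
static int InsertTailListChecked(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    LIST_ENTRY *last;
    if (!ListHeadIsConsistent(head))
        return -1;
    last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;   /* the write that faults when Blink is NULL/stale */
    head->Blink = entry;
    return 0;
}

static int CountList(const LIST_ENTRY *head)
{
    int n = 0;
    const LIST_ENTRY *p;
    for (p = head->Flink; p != head; p = p->Flink)
        n++;
    return n;
}

/* Scenario 1: properly initialised head; returns the element count (3). */
int scenario_healthy(void)
{
    LIST_ENTRY head, items[3];
    int i;
    InitializeListHead(&head);
    for (i = 0; i < 3; i++)
        if (InsertTailListChecked(&head, &items[i]) != 0)
            return -1;
    return CountList(&head);
}

/* Scenario 2: the head sits in memory that was zeroed or overwritten before
 * use (constructed stand-in for a corrupted context); returns -1 instead of
 * performing a NULL-pointer write. */
int scenario_zeroed_head(void)
{
    LIST_ENTRY head, item;
    memset(&head, 0, sizeof head);   /* constructed: simulates corruption */
    return InsertTailListChecked(&head, &item);
}

/* Scenario 3: head->Blink points at an entry that no longer links back, as
 * after a free-and-reuse (constructed); the back-link check catches it. */
int scenario_stale_blink(void)
{
    LIST_ENTRY head, stale, item;
    InitializeListHead(&head);
    InitializeListHead(&stale);   /* stale.Flink == &stale, not &head */
    head.Blink = &stale;          /* constructed: simulates a dangling link */
    return InsertTailListChecked(&head, &item);
}

int main(void)
{
    printf("healthy list count : %d\n", scenario_healthy());
    printf("zeroed head        : %d\n", scenario_zeroed_head());
    printf("stale back-link    : %d\n", scenario_stale_blink());
    return 0;
}
```

In a kernel build the same check is what turns a silent wild write into an immediate, attributable bug check at the insertion site, which is why a list-head inconsistency at `InsertTailList` is usually read as evidence of earlier corruption (use-after-free, uninitialised context, or an overrun) rather than a bug in the list code itself.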
Thanks for your reply. I have no reliable PoC code to share at this time. We will advise the customer to check for memory errors; since I concur that memory corruption is a likely cause, I will close this issue and re-open only if the customer's memory diagnostics come back clean.
I was thinking of memory corruption caused by a software bug, such as use-after-free. However, without a PoC, it will be hard to track down. Any additional clues could also help, such as what handles were open, how frequently the problem occurs, etc.
Hi, a customer using WinDivert 2.2.2 has provided a memory dump after encountering a BSOD with `DRIVER_IRQL_NOT_LESS_OR_EQUAL`. I have analyzed it in WinDbg and can provide the following results:

`Arg1` is what makes me think that this is a null pointer access. Showing call parameters with the CodeMachine Kernel Debugger Extension DLL results in this output:

The `WDFREQUEST` being dispatched is an `IOCTL` with the following parameters:

As per https://github.com/basil00/Divert/blob/v2.2.2/include/windivert_device.h#L309, the function is `IOCTL_WINDIVERT_STARTUP`. The only place I can see that makes sense for the function call at index 03 is `windivert_reflect_open_event` from https://github.com/basil00/Divert/blob/v2.2.2/sys/windivert.c#L3298.

I have extracted the `context_s` object pointed to from the parameter given to what is presumably `windivert_reflect_open_event`, and dumped it quick and dirty in Go (apologies for the nonexistent formatting):

The dumped memory section holding this `context_s` object is attached. I cannot attach the entire memory dump both for privacy and size reasons, as it is 8 GB compressed and 24 GB uncompressed (the system has 768 GB of physical memory). In case it helps, here is the output of `!vm`:
Output of `!vm`

```
2: kd> !vm

Page File: \??\C:\pagefile.sys
  Current: 805306368 Kb  Free Space: 805306360 Kb
  Minimum: 805306368 Kb  Maximum:    846712400 Kb

Physical Memory:          200966360 (   803865440 Kb)
Available Pages:           64282507 (   257130028 Kb)
ResAvail Pages:            65657869 (   262631476 Kb)
Locked IO Pages:                  0 (           0 Kb)
Free System PTEs:        4295155904 ( 17180623616 Kb)
Modified Pages:               18561 (       74244 Kb)
Modified PF Pages:            18560 (       74240 Kb)
Modified No Write Pages:         25 (         100 Kb)
NonPagedPool 0:                 543 (        2172 Kb)
NonPagedPoolNx 0:            104934 (      419736 Kb)
NonPagedPool 1:                 585 (        2340 Kb)
NonPagedPoolNx 1:             82906 (      331624 Kb)
NonPagedPool Usage:            1129 (        4516 Kb)
NonPagedPoolNx Usage:       1427253 (     5709012 Kb)
NonPagedPool Max:        4294967296 ( 17179869184 Kb)
PagedPool 0:                 110694 (      442776 Kb)
PagedPool 1:                  55404 (      221616 Kb)
PagedPool 2:                 155678 (      622712 Kb)
PagedPool Usage:             321776 (     1287104 Kb)
PagedPool Maximum:       4160749568 ( 16642998272 Kb)
Processor Commit:             10273 (       41092 Kb)
Session Commit:                3550 (       14200 Kb)
Syspart SharedCommit 0
Shared Commit:                18227 (       72908 Kb)
Special Pool:                     0 (           0 Kb)
Kernel Stacks:                35349 (      141396 Kb)
Pages For MDLs:           114866244 (   459464976 Kb)
ContigMem Pages:                  0 (           0 Kb)
Pages For AWE:                    0 (           0 Kb)
NonPagedPool Commit:        1505015 (     6020060 Kb)
PagedPool Commit:            321777 (     1287108 Kb)
Driver Commit:                19857 (       79428 Kb)
Boot Commit:                2359501 (     9438004 Kb)
SmallNonPagedPtesCommit:          0 (           0 Kb)
SlabAllocatorPages:               0 (           0 Kb)
SkPagesInUnchargedSlabs:          0 (           0 Kb)
System PageTables:             6030 (       24120 Kb)
VAD/PageTable Bitmaps:        10974 (       43896 Kb)
ProcessLockedFilePages:          14 (          56 Kb)
Pagefile Hash Pages:              0 (           0 Kb)
Sum System Commit:        119156811 (   476627244 Kb)
Total Private:             17448907 (    69795628 Kb)
Misc/Transient Commit:        72758 (      291032 Kb)
Committed pages:          136678476 (   546713904 Kb)
Commit limit:             402292952 (  1609171808 Kb)

      Pid ImageName                    Commit   SharedCommit     Debt
     35cc DcsAddMem.exe              65665288 Kb     1932 Kb     0 Kb
     374c Dcsx.exe                     621416 Kb    26636 Kb     0 Kb
     151c MsMpEng.exe                  458836 Kb     8756 Kb     0 Kb
     3620 ngs-pulsar-amd64.exe         276536 Kb     8688 Kb     0 Kb
     1640 java.exe                     264656 Kb     6144 Kb     0 Kb
     3ce4 dsm_om_connsvc64.exe         251112 Kb     6180 Kb     0 Kb
     65cc rocketagent-x64.exe          199744 Kb     8712 Kb     0 Kb
      df8 svchost.exe                  188220 Kb    11076 Kb     0 Kb
      b18 lsass.exe                    137496 Kb     4520 Kb     0 Kb
     1534 vmms.exe                     136488 Kb     6324 Kb     0 Kb
     39c8 DcsTmy.exe                   123144 Kb     6400 Kb     0 Kb
     2074 WmiPrvSE.exe                  90996 Kb     8872 Kb     0 Kb
     196c WmiPrvSE.exe                  76960 Kb     9424 Kb     0 Kb
     2eac powershell.exe                67716 Kb     6564 Kb     0 Kb
     1934 clussvc.exe                   59748 Kb     6132 Kb     0 Kb
     3c74 Veeam.Backup.MountServic      43300 Kb     6200 Kb     0 Kb
      cc8 svchost.exe                   40844 Kb     8596 Kb     0 Kb
     2b30 WmiPrvSE.exe                  39204 Kb     9020 Kb     0 Kb
     1450 dsm_sa_datamgr64.exe          35816 Kb     6232 Kb     0 Kb
     3fec Veeam.StandBy.Service.ex      35028 Kb     6492 Kb     0 Kb
      c84 svchost.exe                   34984 Kb     9152 Kb     0 Kb
      b10 services.exe                  29848 Kb     7000 Kb     0 Kb
      d40 svchost.exe                   27392 Kb     8720 Kb     0 Kb
      cb8 svchost.exe                   25416 Kb     6028 Kb     0 Kb
     15b8 TeamViewer_Service.exe        24920 Kb     6148 Kb     0 Kb
     2d54 rhs.exe                       23424 Kb     2036 Kb     0 Kb
     277c WmiPrvSE.exe                  22208 Kb     8592 Kb     0 Kb
      cc0 svchost.exe                   18288 Kb     8596 Kb     0 Kb
     1500 svchost.exe                   17872 Kb     6360 Kb     0 Kb
     27a8 WmiPrvSE.exe                  16528 Kb     8592 Kb     0 Kb
     2d4c rhs.exe                       16184 Kb     2036 Kb     0 Kb
     7b70 vmwp.exe                      15336 Kb     6016 Kb     0 Kb
      bc8 svchost.exe                   15200 Kb     7008 Kb     0 Kb
     6be0 vmwp.exe                      14984 Kb     6016 Kb     0 Kb
     5cbc vmwp.exe                      14620 Kb     6016 Kb     0 Kb
     7bcc vmwp.exe                      14252 Kb     6016 Kb     0 Kb
     6ff4 vmwp.exe                      14144 Kb     6016 Kb     0 Kb
     6494 vmwp.exe                      14136 Kb     6016 Kb     0 Kb
     13a4 VeeamHvIntegrationSvc.ex      14056 Kb     6128 Kb     0 Kb
     2eec vmwp.exe                      14032 Kb     6016 Kb     0 Kb
     5c7c vmwp.exe                      14028 Kb     6016 Kb     0 Kb
     133c vmwp.exe                      13908 Kb     6016 Kb     0 Kb
     2e08 vmwp.exe                      13892 Kb     6016 Kb     0 Kb
     6d4c vmwp.exe                      13672 Kb     6016 Kb     0 Kb
     1dc0 NisSrv.exe                    13604 Kb     2052 Kb     0 Kb
     3ca8 vmwp.exe                      13576 Kb     6016 Kb     0 Kb
     6180 vmwp.exe                      13516 Kb     6016 Kb     0 Kb
     5d70 vmwp.exe                      13156 Kb     6016 Kb     0 Kb
      984 dwm.exe                       13120 Kb    16756 Kb     0 Kb
     6088 vmwp.exe                      12756 Kb     6016 Kb     0 Kb
     6cd4 vmwp.exe                      12576 Kb     6016 Kb     0 Kb
      f10 KaseyaEndpoint.exe            12524 Kb     6124 Kb     0 Kb
     6ab8 vmwp.exe                      12448 Kb     6016 Kb     0 Kb
     150c AgentMon.exe                  12344 Kb     9500 Kb     0 Kb
     7144 vmwp.exe                      12300 Kb     6016 Kb     0 Kb
     5628 vmwp.exe                      12208 Kb     6016 Kb     0 Kb
     7268 rundll32.exe                  12152 Kb     9008 Kb     0 Kb
     7264 rundll32.exe                  11716 Kb     9008 Kb     0 Kb
     6518 vmwp.exe                      11672 Kb     6016 Kb     0 Kb
     5e84 vmwp.exe                      11592 Kb     6016 Kb     0 Kb
     74e4 rundll32.exe                  11588 Kb     9008 Kb     0 Kb
     76d0 LogonUI.exe                   11344 Kb    13804 Kb     0 Kb
      b88 svchost.exe                   11308 Kb     6452 Kb     0 Kb
     6568 vmwp.exe                      11176 Kb     6016 Kb     0 Kb
     5844 rundll32.exe                  11044 Kb     8696 Kb     0 Kb
     7494 rundll32.exe                  10984 Kb     8688 Kb     0 Kb
     236c vmcompute.exe                 10908 Kb     2036 Kb     0 Kb
     6bb8 rundll32.exe                  10856 Kb     8688 Kb     0 Kb
     5d28 rundll32.exe                  10852 Kb     8696 Kb     0 Kb
     2e10 rhs.exe                       10784 Kb     2032 Kb     0 Kb
      b58 rundll32.exe                  10712 Kb     8688 Kb     0 Kb
     7750 rundll32.exe                  10708 Kb     8688 Kb     0 Kb
     723c rundll32.exe                  10660 Kb     9008 Kb     0 Kb
     71ec rundll32.exe                  10568 Kb     8688 Kb     0 Kb
     62b0 rundll32.exe                  10564 Kb     8688 Kb     0 Kb
     773c rundll32.exe                  10460 Kb     8688 Kb     0 Kb
     7608 rundll32.exe                  10372 Kb     8696 Kb     0 Kb
     6444 rundll32.exe                  10364 Kb     8688 Kb     0 Kb
     14e0 svchost.exe                   10360 Kb     6172 Kb     0 Kb
     2a70 rundll32.exe                  10172 Kb     8696 Kb     0 Kb
      c8c svchost.exe                    9912 Kb     1940 Kb     0 Kb
     2610 Lua.exe                        7648 Kb     2572 Kb     0 Kb
     2604 Lua.exe                        6924 Kb     2572 Kb     0 Kb
     3698 vds.exe                        5868 Kb     2040 Kb     0 Kb
     14f0 svchost.exe                    5576 Kb     6356 Kb     0 Kb
     13b8 VeeamDeploymentSvc.exe         5344 Kb     2048 Kb     0 Kb
     5c38 conhost.exe                    5012 Kb     4484 Kb     0 Kb
     35d0 conhost.exe                    5000 Kb     4484 Kb     0 Kb
     304c rhs.exe                        4916 Kb     6124 Kb     0 Kb
     139c svchost.exe                    4816 Kb     6128 Kb     0 Kb
     1524 VeeamTransportSvc.exe          4764 Kb     2024 Kb     0 Kb
     1e94 Veeam.Guest.Interaction.       4092 Kb     6140 Kb     0 Kb
     14cc IPROSetMonitor.exe             3568 Kb     2052 Kb     0 Kb
     14e8 dsm_sa_eventmgr64.exe          3416 Kb     2084 Kb     0 Kb
      a30 csrss.exe                      3300 Kb    14616 Kb     0 Kb
     300c MpCmdRun.exe                   3288 Kb     6020 Kb     0 Kb
     3e3c msdtc.exe                      2888 Kb     1944 Kb     0 Kb
     15dc svchost.exe                    2840 Kb      352 Kb     0 Kb
      e54 svchost.exe                    2668 Kb     1936 Kb     0 Kb
     1498 svchost.exe                    2636 Kb     6124 Kb     0 Kb
     1488 iscsidcb.exe                   2544 Kb     2024 Kb     0 Kb
     30a8 svchost.exe                    2376 Kb     1936 Kb     0 Kb
     1628 IntelDCB.exe                   2284 Kb     2028 Kb     0 Kb
     3ab4 svchost.exe                    2252 Kb      332 Kb     0 Kb
     21a0 svchost.exe                    1924 Kb      340 Kb     0 Kb
     1568 VeeamNFSSvc.exe                1844 Kb     2036 Kb     0 Kb
     1448 sqlwriter.exe                  1788 Kb     6132 Kb     0 Kb
     692c winlogon.exe                   1620 Kb     9532 Kb     0 Kb
     1b30 unsecapp.exe                   1596 Kb     2028 Kb     0 Kb
     781c conhost.exe                    1384 Kb     4576 Kb     0 Kb
     2614 conhost.exe                    1348 Kb     4576 Kb     0 Kb
     2654 conhost.exe                    1340 Kb     4576 Kb     0 Kb
     3ca0 csrss.exe                      1336 Kb     6204 Kb     0 Kb
     1f18 conhost.exe                    1156 Kb     2004 Kb     0 Kb
      a84 wininit.exe                    1048 Kb     4476 Kb     0 Kb
     7840 crashpad_handler-x64.exe        980 Kb     2020 Kb     0 Kb
     14ac pcns.exe                        880 Kb     2016 Kb     0 Kb
      900 smss.exe                        408 Kb      232 Kb     0 Kb
        4 System                          128 Kb      512 Kb     0 Kb
     78f4 VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     78cc VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     75ac VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     7448 VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     6e64 VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     6dec VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     6828 VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     5fd0 VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     5fcc VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     5a60 VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     587c VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     5780 VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     5760 VeeamPSDirectCtrl_X64.ex          0 Kb        0 Kb     0 Kb
     3b68 VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     2d5c VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
     2aa0 explorer.exe                      0 Kb        0 Kb     0 Kb
     25a4 logman.exe                        0 Kb        0 Kb     0 Kb
      de0 VeeamAgent.exe                    0 Kb        0 Kb     0 Kb
      b0c smss.exe                          0 Kb        0 Kb     0 Kb
      78c Secure System                     0 Kb        0 Kb     0 Kb
```

Please let me know if I can provide any further data. Any help is greatly appreciated. Thanks in advance!
Attachment: context.mem.zip