safing / portmaster

🏔 Love Freedom - ❌ Block Mass Surveillance
https://safing.io
GNU General Public License v3.0

BSOD "KERNEL_MODE_HEAP_CORRUPTION" with portmaster-kext_v1-1-2.sys #1587

Closed LetItGlow closed 1 week ago

LetItGlow commented 2 weeks ago

System: Windows 10 Prof x64, Build 10.0.19045.4412

What happened:

Windows crashes with a BSOD after a port scan; you essentially DoS yourself.

What did you expect to happen?:

Nothing, except the system being stable. Strangely, this actually worked normally before.

How did you reproduce it?:

  1. Use the PortScan made by "the Sz": https://www.the-sz.com
  2. Enter an IP of your router or whatever existing unblocked device in your network.
  3. Scan ports "1-5001"
  4. Set speed to "fast"
  5. Check "use ping instead of ARP"
  6. Click "Scan" and then click "Scan" again after completion.
  7. Enjoy the blue light coming from the BSOD.

Debug Information:

What debug? The system is down. I only have a crash dump of the kernel.

```
STACK_TEXT:  
fffffe02`6325a508 fffff800`715949ac     : 00000000`0000013a 00000000`00000011 ffffa588`87e00100 ffffa588`87d3db80 : nt!KeBugCheckEx
fffffe02`6325a510 fffff800`71594a0c     : 00000000`00000011 00000000`00000000 ffffa588`87e00100 01000000`00100000 : nt!RtlpHeapHandleError+0x40
fffffe02`6325a550 fffff800`71594639     : 00000000`00000060 ffffa588`87d3d000 ffffa588`8d541808 ffffa588`9832bec0 : nt!RtlpHpHeapHandleError+0x58
fffffe02`6325a580 fffff800`714474f2     : ffffa588`8d541808 fffff800`71234f8d 00000000`00000000 ffffa588`8d541808 : nt!RtlpLogHeapFailure+0x45
fffffe02`6325a5b0 fffff800`71233ab2     : ffffa588`87e00340 00000000`000000ff 00000000`00000000 ffffa588`00000000 : nt!RtlpHpLfhSubsegmentFreeBlock+0x1b0b22
fffffe02`6325a660 fffff800`719b70b9     : ffffa588`00000000 00000000`00000000 ffffa588`97b078f0 01000000`00100000 : nt!ExFreeHeapPool+0x362
fffffe02`6325a740 fffff800`701b8ec4     : ffffa588`8d541790 fffff800`00000000 fffffe02`6325a7b8 ffffa588`00000001 : nt!ExFreePool+0x9
fffffe02`6325a770 ffffa588`8d541790     : fffff800`00000000 fffffe02`6325a7b8 ffffa588`00000001 00000000`00040286 : portmaster_kext_v1_1_2+0x8ec4
fffffe02`6325a778 fffff800`00000000     : fffffe02`6325a7b8 ffffa588`00000001 00000000`00040286 fffff800`701b66d7 : 0xffffa588`8d541790
fffffe02`6325a780 fffffe02`6325a7b8     : ffffa588`00000001 00000000`00040286 fffff800`701b66d7 00000000`000000d0 : 0xfffff800`00000000
fffffe02`6325a788 ffffa588`00000001     : 00000000`00040286 fffff800`701b66d7 00000000`000000d0 fffff800`7161c741 : 0xfffffe02`6325a7b8
fffffe02`6325a790 00000000`00040286     : fffff800`701b66d7 00000000`000000d0 fffff800`7161c741 00000000`00000001 : 0xffffa588`00000001
fffffe02`6325a798 fffff800`701b66d7     : 00000000`000000d0 fffff800`7161c741 00000000`00000001 ffffa588`99326f60 : 0x40286
fffffe02`6325a7a0 00000000`000000d0     : fffff800`7161c741 00000000`00000001 ffffa588`99326f60 00000000`00000000 : portmaster_kext_v1_1_2+0x66d7
fffffe02`6325a7a8 fffff800`7161c741     : 00000000`00000001 ffffa588`99326f60 00000000`00000000 00000000`00000000 : 0xd0
fffffe02`6325a7b0 00000000`00000000     : ffffa588`9832bec0 ffffa588`9778f240 00000000`00000001 00000000`00000000 : nt!ObpReferenceObjectByHandleWithTag+0x231
```

The logs complain about:

```
240614 08:56:39.616 xt/service:035 > WARN 001 kext: old driver service was found
```

Which is odd, because Portmaster should update itself automatically and it says "up to date".

github-actions[bot] commented 2 weeks ago

Greetings and welcome to our community! As this is the first issue you opened here, we wanted to share some useful infos with you:

Raphty commented 2 weeks ago

We are currently testing a new kext that should be more resilient. You can test it by switching to the beta channel https://wiki.safing.io/en/FAQ/SwitchReleaseChannel

LetItGlow commented 2 weeks ago

While that fixed that particular problem, it introduced another, which killed my entire IPv4 network system and I have no idea how to restore that. I have to use IPv6 to post here.

Araxeus commented 2 weeks ago

My Windows 10 crashed 6 times today. I have only just discovered it was because of portmaster.

This is completely unexpectable for me, I have lost a lot of time and work because of this.

You should have immediately hotfixed this on release channel, by reverting to previous versions if necessary.

I have uninstalled and am not planning on coming back.

Kernel bugcheck analysis

```
Microsoft (R) Windows Debugger Version 10.0.27553.1004 AMD64

Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Kernel base = 0xfffff802`05000000 PsLoadedModuleList = 0xfffff802`05c2a360

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_HEAP_CORRUPTION (13a)
The kernel mode heap manager has detected corruption in a heap.
Arguments:
Arg1: 0000000000000011, Type of corruption detected
Arg2: ffffb984a5c00100, Address of the heap that reported the corruption
Arg3: ffffb984b62f7540, Address at which the corruption was detected
Arg4: 0000000000000000

Debugging Details:
------------------

fffff80205cfb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
HeapDbgInitExtension Failed

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 3265
    Key  : Analysis.Elapsed.mSec
    Value: 6880
    Key  : Analysis.IO.Other.Mb
    Value: 2
    Key  : Analysis.IO.Read.Mb
    Value: 0
    Key  : Analysis.IO.Write.Mb
    Value: 25
    Key  : Analysis.Init.CPU.mSec
    Value: 483
    Key  : Analysis.Init.Elapsed.mSec
    Value: 39352
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 94
    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x13a
    Key  : Bugcheck.Code.TargetModel
    Value: 0x13a
    Key  : Dump.Attributes.AsUlong
    Value: 8
    Key  : Dump.Attributes.KernelGeneratedTriageDump
    Value: 1
    Key  : Failure.Bucket
    Value: 0x13a_11_PMas_portmaster_kext_v1_1_2!unknown_function
    Key  : Failure.Hash
    Value: {38f08178-bf1c-fabf-7c9b-d78dd082202e}
    Key  : Hypervisor.Enlightenments.Value
    Value: 68673420
    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 417df8c
    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1
    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0
    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1
    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0
    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0
    Key  : Hypervisor.Flags.CpuManager
    Value: 1
    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 1
    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 1
    Key  : Hypervisor.Flags.Epf
    Value: 0
    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1
    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1
    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0
    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0
    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0
    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 1
    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1
    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0
    Key  : Hypervisor.Flags.RootScheduler
    Value: 0
    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1
    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0
    Key  : Hypervisor.Flags.Value
    Value: 21631230
    Key  : Hypervisor.Flags.ValueHex
    Value: 14a10fe
    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1
    Key  : Hypervisor.Flags.VsmAvailable
    Value: 1
    Key  : Hypervisor.RootFlags.AccessStats
    Value: 1
    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 1
    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 1
    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0
    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 1
    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0
    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 1
    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 1
    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 1
    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 1
    Key  : Hypervisor.RootFlags.Nested
    Value: 0
    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 1
    Key  : Hypervisor.RootFlags.Value
    Value: 1015
    Key  : Hypervisor.RootFlags.ValueHex
    Value: 3f7

BUGCHECK_CODE: 13a
BUGCHECK_P1: 11
BUGCHECK_P2: ffffb984a5c00100
BUGCHECK_P3: ffffb984b62f7540
BUGCHECK_P4: 0

FILE_IN_CAB: 061524-9515-01.dmp

DUMP_FILE_ATTRIBUTES: 0x8
  Kernel Generated Triage Dump

POOL_ADDRESS: Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
 ffffb984b62f7540

FREED_POOL_TAG: PMas

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: portmaster-cor

STACK_TEXT:
fffffb0f`88a26dc8 fffff802`055949ac : 00000000`0000013a 00000000`00000011 ffffb984`a5c00100 ffffb984`b62f7540 : nt!KeBugCheckEx
fffffb0f`88a26dd0 fffff802`05594a0c : 00000000`00000011 00000000`00000000 ffffb984`a5c00100 01000000`00100000 : nt!RtlpHeapHandleError+0x40
fffffb0f`88a26e10 fffff802`05594639 : 00000000`00000060 ffffb984`b62f0000 ffffb984`ba299838 ffffb984`b4fccd40 : nt!RtlpHpHeapHandleError+0x58
fffffb0f`88a26e40 fffff802`054474f2 : ffffb984`ba299838 fffff802`05234f8d 00000000`00000000 ffffb984`ba299838 : nt!RtlpLogHeapFailure+0x45
fffffb0f`88a26e70 fffff802`05233ab2 : ffffb984`a5c00340 00000000`000000ff 00000000`00000000 ffffb984`00000000 : nt!RtlpHpLfhSubsegmentFreeBlock+0x1b0b22
fffffb0f`88a26f20 fffff802`059b70b9 : ffffb984`00000000 00000000`00000000 ffffb984`b5cdcd00 01000000`00100000 : nt!ExFreeHeapPool+0x362
fffffb0f`88a27000 fffff802`b0e08ec4 : ffffb984`ba2997c0 4d3d8ce2`00000000 fffffb0f`88a27078 13d195fb`00000001 : nt!ExFreePool+0x9
fffffb0f`88a27030 ffffb984`ba2997c0 : 4d3d8ce2`00000000 fffffb0f`88a27078 13d195fb`00000001 52a9254a`692936d7 : portmaster_kext_v1_1_2+0x8ec4
fffffb0f`88a27038 4d3d8ce2`00000000 : fffffb0f`88a27078 13d195fb`00000001 52a9254a`692936d7 fffff802`b0e066d7 : 0xffffb984`ba2997c0
fffffb0f`88a27040 fffffb0f`88a27078 : 13d195fb`00000001 52a9254a`692936d7 fffff802`b0e066d7 00000000`000000d8 : 0x4d3d8ce2`00000000
fffffb0f`88a27048 13d195fb`00000001 : 52a9254a`692936d7 fffff802`b0e066d7 00000000`000000d8 fffff802`0561c741 : 0xfffffb0f`88a27078
fffffb0f`88a27050 52a9254a`692936d7 : fffff802`b0e066d7 00000000`000000d8 fffff802`0561c741 00000000`00000001 : 0x13d195fb`00000001
fffffb0f`88a27058 fffff802`b0e066d7 : 00000000`000000d8 fffff802`0561c741 00000000`00000001 ffffb984`a5bcfe60 : 0x52a9254a`692936d7
fffffb0f`88a27060 00000000`000000d8 : fffff802`0561c741 00000000`00000001 ffffb984`a5bcfe60 00000000`00000000 : portmaster_kext_v1_1_2+0x66d7
fffffb0f`88a27068 fffff802`0561c741 : 00000000`00000001 ffffb984`a5bcfe60 00000000`00000000 00000000`00000000 : 0xd8
fffffb0f`88a27070 00000000`00000000 : ffffb984`b4fccd40 ffffb984`b4807080 00000000`00000001 00000000`00000000 : nt!ObpReferenceObjectByHandleWithTag+0x231

SYMBOL_NAME: portmaster_kext_v1_1_2+8ec4

MODULE_NAME: portmaster_kext_v1_1_2

IMAGE_NAME: portmaster-kext_v1-1-2.sys

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 8ec4

FAILURE_BUCKET_ID: 0x13a_11_PMas_portmaster_kext_v1_1_2!unknown_function

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {38f08178-bf1c-fabf-7c9b-d78dd082202e}

Followup: MachineOwner
---------
```

Might be helpful to know that from my testing, it only happened while I played video files (tried different players, codecs, and updated GPU drivers - I didn't realise video crashing PC was related to portmaster)

System Information

```
OS: Windows 10 (Home) x86_64
Host: B560 AORUS PRO AX (-CF)
Kernel: WIN32_NT 10.0.19045.4529 (22H2)
Display (M27Q): 2560x1440 @ 170Hz [External]
CPU: 11th Gen Intel(R) Core(TM) i5-11600K (12) @ 4.90 GHz
GPU: NVIDIA GeForce RTX 3060 Ti (7.84 GiB) [Discrete]
Memory: 31.87 GiB
Disk (C:\): 1.78 TiB / 1.86 TiB (96%) - NTFS
```
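Added example, not part of the original thread or of Portmaster's code: a small parser for the `kb`-style STACK_TEXT frames posted in the two comments above, which picks out the innermost non-kernel module and the kernel routine it called. The frames are copied from the first trace in this issue; the names `parse_frames` and `triage` are made up for this sketch.

```python
import re

# Frames copied from the first STACK_TEXT in this issue (innermost call first).
STACK_TEXT = """\
fffffe02`6325a660 fffff800`719b70b9     : ffffa588`00000000 00000000`00000000 ffffa588`97b078f0 01000000`00100000 : nt!ExFreeHeapPool+0x362
fffffe02`6325a740 fffff800`701b8ec4     : ffffa588`8d541790 fffff800`00000000 fffffe02`6325a7b8 ffffa588`00000001 : nt!ExFreePool+0x9
fffffe02`6325a770 ffffa588`8d541790     : fffff800`00000000 fffffe02`6325a7b8 ffffa588`00000001 00000000`00040286 : portmaster_kext_v1_1_2+0x8ec4
fffffe02`6325a778 fffff800`00000000     : fffffe02`6325a7b8 ffffa588`00000001 00000000`00040286 fffff800`701b66d7 : 0xffffa588`8d541790
fffffe02`6325a798 fffff800`701b66d7     : 00000000`000000d0 fffff800`7161c741 00000000`00000001 ffffa588`99326f60 : 0x40286
fffffe02`6325a7a0 00000000`000000d0     : fffff800`7161c741 00000000`00000001 ffffa588`99326f60 00000000`00000000 : portmaster_kext_v1_1_2+0x66d7
"""

PTR = r"[0-9a-f]{8}`[0-9a-f]{8}"
# Child-SP, RetAddr, four "Args to Child" words, then the call site.
FRAME = re.compile(rf"^({PTR})\s+({PTR})\s+:((?:\s+{PTR}){{4}})\s+:\s+(\S+)$", re.I)

def parse_frames(text):
    """Return one dict per well-formed frame; any other line is skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue
        site = m.group(4)
        raw = site.startswith("0x")        # bare address: no module matched it
        name, _, off = site.partition("+0x")
        module, _, symbol = name.partition("!")
        frames.append({
            "site": site,
            "module": None if raw else module,
            "symbol": symbol or None,
            "offset": int(off, 16) if off and not raw else None,
        })
    return frames

def triage(text, kernel="nt"):
    """Summarise the innermost frame that belongs to a module other than the kernel."""
    frames = parse_frames(text)
    for i, f in enumerate(frames):
        if f["module"] and f["module"] != kernel:
            return {
                "module": f["module"],
                "offset": f["offset"],
                "has_symbol": f["symbol"] is not None,
                "kernel_callee": frames[i - 1]["site"] if i else None,
                "raw_frames_below": sum(x["module"] is None for x in frames[i + 1:]),
            }
    return None
```

A result with `has_symbol` false and bare-address frames below it means the debugger had no symbols for the driver, so only the first driver frame and the kernel routine above it can be trusted from this trace.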

LetItGlow commented 1 week ago

Ok, so there was an unfortunate chain of events those 3 days.

At this point, I don't know if it was Portmaster's fault or the cumulative Windows Update 22H2 for June 2024 being installed in a broken state.

Uninstalling the Beta of Portmaster completely wrecked the system to the point that IPv4 was nearly unusable. Even the troubleshoot did not work reliably, even after being attempted several times.

In the end, I had to reinstall Windows.

I think this can be closed, because bug reports done for a piece of software on an unstable system are unreliable.

Raphty commented 1 week ago

@LetItGlow thanks for letting us know. If you find more issues in the future, please open a new issue.

Thanks for helping us with the beta!

Araxeus commented 1 week ago

Lmao your program corrupts the Windows kernel and you haven't patched it, but close the issue? Is this a joke?

How about a warning on your website that installing portmaster might corrupt your Windows? Do you think it's expected behavior or what?

Yes I'm very aggressive, it's because your behavior is extremely irresponsible.