sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

5.45.0 driver incompatible with Core isolation->memory integrity, crashes Win 10 always BSOD with KERNEL_SECURITY_CHECK_FAILURE #221

Closed skygunner closed 3 years ago

skygunner commented 3 years ago

With either an upgrade or a fresh install of Sandboxie, trying to run any program in the sandbox crashes the system, always a BSOD; the stop code is KERNEL_SECURITY_CHECK_FAILURE. Old and newly created sandboxes all have the same problem.

How to reproduce: Core isolation -> memory integrity turned on; driver version 5.45.0.0 (double-checked); try to run any program inside a sandbox. Windows 20H2 Build 19042.685 should not be the cause.

The old version 5.43.7 was running fine with memory integrity turned on. So the new change in the driver could have caused this.

skygunner commented 3 years ago

121020-9078-01.dmp 10/12/2020 8:33:47 PM 0x00000139 0000000000000000 0000000000000000 0000000000000000 fffff80239502bd4 SbieDrv.sys SbieDrv.sys+19cfc x64 ntoskrnl.exe+3f5780 C:\Windows\Minidump\121020-9078-01.dmp 16 15 19041 1,712,204 10/12/2020 8:36:51 PM

Might be the driver's problem?


superkryodev commented 3 years ago

Just to say no such issue encountered on the same Windows build

NewKidOnTheBlock commented 3 years ago

What is your SbieDrv.sys's exact version? (You can hover with the mouse over the file and it should show a balloon tooltip.)

superkryodev commented 3 years ago

What is your SbieDrv.sys's exact version? (You can hover with the mouse over the file and it should show a balloon tooltip.)

5.45.0 x64

DavidXanatos commented 3 years ago

Could you please upload the crash dump?

NewKidOnTheBlock commented 3 years ago

I meant this file here:


superkryodev commented 3 years ago

I meant this file here:

The same. Although I see your installation is from the combined win10/win7 release (with .w10 and rc4 drivers), which was later updated by separate builds.

skygunner commented 3 years ago

121020-9078-01.zip

The crash dump file. But the problem can be reproduced with memory integrity turned on.

DavidXanatos commented 3 years ago

The crash is located in a function that wasn't recently changed. It may be that the switch to VS 2019 or the use of the NX pool flags caused that incompatibility; I'm looking into it.

DavidXanatos commented 3 years ago

I have found a workaround for the issue, it will be included in the next build.

rugabunda commented 3 years ago

same problem

FAILURE_BUCKET_ID: 0x139_0_LEGACY_GS_VIOLATION_SbieDrv!unknown_function

Minidump:

Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff802`14200000 PsLoadedModuleList = 0xfffff802`14e2a2b0
Debug session time: Thu Dec 17 15:51:45.544 2020 (UTC - 7:00)
System Uptime: 0 days 0:00:58.312
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..........................
Loading User Symbols
Loading unloaded module list
.........
For analysis of this file, run !analyze -v
8: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000000, A stack-based buffer has been overrun.
Arg2: 0000000000000000, Address of the trap frame for the exception that caused the bugcheck
Arg3: 0000000000000000, Address of the exception record for the exception that caused the bugcheck
Arg4: fffff80214902bd4, Reserved

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for SbieDrv.sys

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 1
    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DEVICE
    Key  : Analysis.DebugData
    Value: CreateObject
    Key  : Analysis.DebugModel
    Value: CreateObject
    Key  : Analysis.Elapsed.Sec
    Value: 2
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 72
    Key  : Analysis.System
    Value: CreateObject

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b

BUGCHECK_CODE:  139

BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80214902bd4

TRAP_FRAME:  0000000000000000 -- (.trap 0x0)

EXCEPTION_RECORD:  0000000000000000 -- (.exr 0x0)
Cannot read Exception record @ 0000000000000000

BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  firefox.exe

STACK_TEXT:  
ffffb48b`792c9ea8 fffff802`145fe28b : 00000000`00000139 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffb48b`792c9eb0 fffff802`25bc9cfc : 00000000`00000000 00000000`00000000 ca873f18`a6100000 00000000`0012019f : nt!guard_icall_bugcheck+0x1b
ffffb48b`792c9ee0 00000000`00000000 : 00000000`00000000 ca873f18`a6100000 00000000`0012019f 00000000`00000000 : SbieDrv+0x19cfc

SYMBOL_NAME:  SbieDrv+19cfc
MODULE_NAME: SbieDrv
IMAGE_NAME:  SbieDrv.sys
STACK_COMMAND:  .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET:  19cfc
FAILURE_BUCKET_ID:  0x139_0_LEGACY_GS_VIOLATION_SbieDrv!unknown_function
OS_VERSION:  10.0.19041.1
BUILDLAB_STR:  vb_release
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
FAILURE_ID_HASH:  {4dedc7d1-ac4f-3bef-7ce2-b040e49ed7a7}
Followup:     MachineOwner
---------
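As an added example (not code from this thread or from the Sandboxie project), a small Python triage script that parses `!analyze -v` output like the dump above, decodes the first argument of bug check 0x139, and attributes the fault to the first stack frame outside ntoskrnl. The sample input is the minidump excerpt quoted in this thread.

```python
import re

# Meaning of bug check 0x139 argument 1 (the __fastfail code) for the codes
# most often seen in driver crashes, per the documented 0x139 reference.
FAST_FAIL_CODES = {
    0x0: "LEGACY_GS_VIOLATION (stack buffer overrun)",
    0x2: "STACK_COOKIE_CHECK_FAILURE",
    0x3: "CORRUPT_LIST_ENTRY",
    0x4: "INCORRECT_STACK",
    0x8: "RANGE_CHECK_FAILURE",
    0xA: "GUARD_ICALL_CHECK_FAILURE (invalid CFG indirect call target)",
    0xB: "GUARD_WRITE_CHECK_FAILURE",
}

# One STACK_TEXT frame: child-sp, ret-addr, ':', four args, ':', symbol.
FRAME_RE = re.compile(
    r"^[0-9a-f`]{17} [0-9a-f`]{17} : (?:[0-9a-f`]{17} ){4}: (\S+)$", re.M)

def parse_analyze(text):
    """Pull the fields a triage script needs out of `!analyze -v` output."""
    def field(name):
        m = re.search(rf"^{name}:\s+(.+?)\s*$", text, re.M)
        return m.group(1) if m else None
    return {
        "code": int(field("BUGCHECK_CODE"), 16),
        "args": [int(field(f"BUGCHECK_P{i}"), 16) for i in range(1, 5)],
        "frames": FRAME_RE.findall(text),  # innermost frame first
        "module": field("MODULE_NAME"),
        "bucket": field("FAILURE_BUCKET_ID"),
        "process": field("PROCESS_NAME"),
    }

def first_third_party_frame(frames):
    """First frame not in ntoskrnl (nt!...) is the likely faulting driver."""
    for f in frames:
        if not f.startswith("nt!"):
            mod, _, off = f.partition("+")
            return mod, int(off, 16) if off else 0
    return None

def triage(text):
    info = parse_analyze(text)
    info["fast_fail"] = (FAST_FAIL_CODES.get(info["args"][0], "unknown")
                         if info["code"] == 0x139 else None)
    info["culprit"] = first_third_party_frame(info["frames"])
    # nt!guard_icall_bugcheck on the stack means the kernel's CFG dispatcher
    # raised the fault on behalf of the driver frame below it.
    info["cfg_dispatch"] = any(f.startswith("nt!guard_icall_bugcheck")
                               for f in info["frames"])
    return info

# Excerpt of the minidump analysis posted in this thread.
SAMPLE = """\
BUGCHECK_CODE:  139
BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80214902bd4
PROCESS_NAME:  firefox.exe
STACK_TEXT:
ffffb48b`792c9ea8 fffff802`145fe28b : 00000000`00000139 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffb48b`792c9eb0 fffff802`25bc9cfc : 00000000`00000000 00000000`00000000 ca873f18`a6100000 00000000`0012019f : nt!guard_icall_bugcheck+0x1b
ffffb48b`792c9ee0 00000000`00000000 : 00000000`00000000 ca873f18`a6100000 00000000`0012019f 00000000`00000000 : SbieDrv+0x19cfc
MODULE_NAME: SbieDrv
FAILURE_BUCKET_ID:  0x139_0_LEGACY_GS_VIOLATION_SbieDrv!unknown_function
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```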