dxj


DRIVER_OVERRAN_STACK_BUFFER (f7) A driver has overrun a stack-based buffer

So is there any way to determine what driver has overrun the stack? It references a corrupted security cookie. Would this be an OS dll or app dll? The "caused by" is a generic win32k.sys. I see this a lot. How does this get corrupted so often?

Thanx

Kernel Complete Dump File: Full address space is available

************************************************************
WARNING: Dump file has been truncated.  Data may be missing.
************************************************************
Symbol search path is: SRV*C:\WINNT\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Jul 23 11:03:33.228 2013 (GMT-5)
System Uptime: 94 days 15:47:10.545
Loading Kernel Symbols
................................................................................................
Loading User Symbols
............
Loading unloaded module list
.......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F7, {0, 986e, ffff6791, 0}

Probably caused by : win32k.sys ( win32k!xxxResolveDesktop+86f )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00000000, Actual security check cookie from the stack
Arg2: 0000986e, Expected security check cookie
Arg3: ffff6791, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:
------------------


FAULTING_IP:
win32k!xxxResolveDesktop+86f
bf8bd6db e84335f4ff       call    win32k!_SEH_epilog (bf800c23)

GSFAILURE_FUNCTION: win32k!xxxResolveDesktop

GSFAILURE_MODULE_COOKIE: 0000986e win32k!__security_cookie [ bf99bbb4 ]

GSFAILURE_CORRUPTED_COOKIE: 00000000 [ baa77cc0 ]

SECURITY_COOKIE:  Expected 0000986e found 00000000

GSFAILURE_ANALYSIS_TEXT: !gs output:
Stack buffer overrun analysis follows:

Corruption occured in win32k!xxxResolveDesktop or one of its callers
Real canary at 0xbf99bbb4 (win32k!__security_cookie): 0x0000986e
Real canary complement at : 0xbf99bbb0: 0xffff6791
Corrupted canary at 0xbaa77cc0: 0x00000000
Corrupted cookie value (0x00000000) too generic, skipping read bit-flip check
EBP/ESP check skipped: No saved EBP in exception context
Function win32k!xxxResolveDesktop:
      Funtion has no locals
no candidate buffer found

Stack buffer overrun analysis complete.


DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xF7

LAST_CONTROL_TRANSFER:  from bf911df3 to 804f9f33

STACK_TEXT:  
baa77bc8 bf911df3 000000f7 00000000 0000986e nt!KeBugCheckEx+0x1b
baa77be8 bf8bd6db e1163c76 75b73f5e 00000000 win32k!__report_gsfailure+0x25
baa77cdc bf878f92 00000a08 baa77d18 baa77d2c win32k!xxxResolveDesktop+0x86f
baa77d4c 8054161c 00000a08 0053fea8 00000000 win32k!NtUserResolveDesktop+0xdb
baa77d4c 7c90e4f4 00000a08 0053fea8 00000000 nt!KiFastCallEntry+0xfc
0053fe18 75b64e59 75b6541a 00000a08 0053fea8 ntdll!KiFastSystemCallRet
0053fe64 75b661bc 00172da4 00000038 00172eb4 winsrv!NtUserResolveDesktop+0xc
0053feb0 75b4356d 00180f98 00000000 00000000 winsrv!ConsoleClientConnectRoutine+0x21b
0053fed0 75b44a47 0053feec 0053ffd8 00000005 CSRSRV!CsrSrvClientConnect+0x70
0053fff4 00000000 00000080 00000000 00000000 CSRSRV!CsrApiRequestThread+0x431


STACK_COMMAND:  kb

FOLLOWUP_IP:
win32k!xxxResolveDesktop+86f
bf8bd6db e84335f4ff       call    win32k!_SEH_epilog (bf800c23)

FAULTING_SOURCE_CODE:  


SYMBOL_STACK_INDEX:  2

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  win32k!xxxResolveDesktop+86f

MODULE_NAME:  win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a8564c7

FAILURE_BUCKET_ID:  0xF7_win32k!xxxResolveDesktop+86f

BUCKET_ID:  0xF7_win32k!xxxResolveDesktop+86f

Followup: MachineOwner
---------
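The /GS cookie check that the dump describes (a cookie stored beside the locals, compared against win32k!__security_cookie on return, with its complement kept alongside), as an added example in C that is not from the original post or from Windows: the frame layout, the names `run_frame`, `gs_report` and `popcount32`, and the constructed inputs are assumptions; the cookie value 0x986e and the "too generic" and bit-flip rules are taken from the !gs output above.

```c
#include <stdint.h>
#include <string.h>

/* Module cookie and complement (cf. win32k!__security_cookie); 0x986e is from the dump. */
static const uint32_t security_cookie = 0x0000986eu;
static const uint32_t security_cookie_complement = ~(uint32_t)0x0000986eu; /* 0xffff6791 */

/* Mirrors the four DRIVER_OVERRAN_STACK_BUFFER arguments plus two !gs findings. */
typedef struct {
    int      failed;          /* nonzero: cookie check failed (would bugcheck 0xF7) */
    uint32_t actual_cookie;   /* Arg1: value found on the stack */
    uint32_t expected_cookie; /* Arg2: module cookie */
    uint32_t complement;      /* Arg3: complement of the expected cookie */
    int      generic_value;   /* 0 or 0xffffffff: "too generic" for a bit-flip check */
    int      single_bit_flip; /* differs from expected in exactly one bit */
} gs_report;

/* Simulated frame: the compiler places the cookie between the locals and the
 * saved return address, so an overrun of buf reaches the cookie first. */
typedef struct { char buf[16]; uint32_t cookie; } frame;

static int popcount32(uint32_t v) { int n = 0; for (; v; v &= v - 1) n++; return n; }

/* Copies len bytes into the frame with no bounds check on buf (the defect the
 * cookie catches), then performs the epilogue check (__security_check_cookie). */
gs_report run_frame(const char *src, size_t len)
{
    frame f;
    gs_report r = {0};
    f.cookie = security_cookie;           /* prologue: store the cookie */
    if (len > sizeof f) len = sizeof f;   /* demo stays inside the frame object */
    memcpy((char *)&f, src, len);         /* may run past buf into cookie */
    r.actual_cookie   = f.cookie;         /* epilogue: compare with module cookie */
    r.expected_cookie = security_cookie;
    r.complement      = security_cookie_complement;
    r.failed          = (f.cookie != security_cookie);
    r.generic_value   = (f.cookie == 0u || f.cookie == 0xffffffffu);
    r.single_bit_flip = !r.generic_value && popcount32(f.cookie ^ security_cookie) == 1;
    return r;
}

/* Constructed inputs: 12 bytes fit in buf; 20 zero bytes overrun into the cookie,
 * reproducing the dump's "Expected 0000986e found 00000000". */
static const char ok_input[12]      = "hello world";
static const char overrun_input[20] = {0};
/* Constructed input whose cookie slot holds 0x986f, the expected cookie with one
 * bit flipped (little-endian layout, as on the x86 system in the dump). */
static const char bitflip_input[20] = { [16] = 0x6f, [17] = (char)0x98 };
```

The all-zero cookie is what !gs calls "too generic", so it is reported as an overrun without a bit-flip check, whereas the single-bit case is what a memory error rather than a driver overrun would look like.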
ded9

Enable verifier and upload the new dmp file for analysis.


Enable driver verifier
1) Open an elevated command prompt
2) Type "verifier /standard /all"  (no quotes)
3) Reboot your machine
4) Use machine again until it crashes

After the crash & reboot, go into safe mode with networking

Disable driver verifier
1) Open an elevated command prompt
2) Type "verifier /reset" (no quotes)
3) Reboot your machine




Ded9
dxj

ASKER

OK, I'll try it. Thank you. I do not see any indication that the command took. The command window just flashes back to the previous prompt. So at C:\ I type verifier/standard/all then Enter. The cmd window just flashes back to C:

ded9

Make sure there is a space ... you can copy-paste the command.


Ded9
dxj

ASKER

OK, thank you. I have successfully done this on Win Server. On Win XP I could not get it to work. It takes a while for the machine to BSOD. If you would like me to close the question, I can.
ASKER CERTIFIED SOLUTION
ded9

dxj

ASKER

Thank you. As mentioned, I did not identify my error/fix, due to the infrequency of the failure, but I definitely picked up new knowledge I can use to isolate the problem.