DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00006987ff960d48, Actual security check cookie from the stack
Arg2: 00003b0e2c5d196a, Expected security check cookie
Arg3: ffffd466d2205dcd, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 5
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-HH6FM2D
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 46
Key : Analysis.Memory.CommitPeak.Mb
Value: 69
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: f7
BUGCHECK_P1: 6987ff960d48
BUGCHECK_P2: 3b0e2c5d196a
BUGCHECK_P3: ffffd466d2205dcd
BUGCHECK_P4: 0
SECURITY_COOKIE: Expected 00003b0e2c5d196a found 00006987ff960d48
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: dwm.exe
STACK_TEXT:
ffffc40f`39fadaf8 fffff804`6f6682ab : 00000000`000000f7 00006987`ff960d48 00003b0e`2c5d196a ffffd466`d2205dcd : nt!KeBugCheckEx
ffffc40f`39fadb00 00000000`000000f7 : 00006987`ff960d48 00003b0e`2c5d196a ffffd466`d2205dcd 00000000`00000000 : atikmdag+0xe82ab
ffffc40f`39fadb08 00006987`ff960d48 : 00003b0e`2c5d196a ffffd466`d2205dcd 00000000`00000000 00000000`00000000 : 0xf7
ffffc40f`39fadb10 00003b0e`2c5d196a : ffffd466`d2205dcd 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00006987`ff960d48
ffffc40f`39fadb18 ffffd466`d2205dcd : 00000000`00000000 00000000`00000000 00000000`00000000 fffff804`6f667fee : 0x00003b0e`2c5d196a
ffffc40f`39fadb20 00000000`00000000 : 00000000`00000000 00000000`00000000 fffff804`6f667fee ffffad88`c72bc000 : 0xffffd466`d2205dcd
SYMBOL_NAME: atikmdag+e82ab
MODULE_NAME: atikmdag
IMAGE_NAME: atikmdag.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: e82ab
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_atikmdag!unknown_function
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {deacbb19-74cd-edab-fe73-2dddaa9b4bde}
Followup: MachineOwner
---------
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 00006987ff960d48, Actual security check cookie from the stack
Arg2: 00003b0e2c5d196a, Expected security check cookie
Arg3: ffffd466d2205dcd, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 5
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-HH6FM2D
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 43
Key : Analysis.Memory.CommitPeak.Mb
Value: 69
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: f7
BUGCHECK_P1: 6987ff960d48
BUGCHECK_P2: 3b0e2c5d196a
BUGCHECK_P3: ffffd466d2205dcd
BUGCHECK_P4: 0
SECURITY_COOKIE: Expected 00003b0e2c5d196a found 00006987ff960d48
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: dwm.exe
STACK_TEXT:
ffffc40f`39fadaf8 fffff804`6f6682ab : 00000000`000000f7 00006987`ff960d48 00003b0e`2c5d196a ffffd466`d2205dcd : nt!KeBugCheckEx
ffffc40f`39fadb00 00000000`000000f7 : 00006987`ff960d48 00003b0e`2c5d196a ffffd466`d2205dcd 00000000`00000000 : atikmdag+0xe82ab
ffffc40f`39fadb08 00006987`ff960d48 : 00003b0e`2c5d196a ffffd466`d2205dcd 00000000`00000000 00000000`00000000 : 0xf7
ffffc40f`39fadb10 00003b0e`2c5d196a : ffffd466`d2205dcd 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00006987`ff960d48
ffffc40f`39fadb18 ffffd466`d2205dcd : 00000000`00000000 00000000`00000000 00000000`00000000 fffff804`6f667fee : 0x00003b0e`2c5d196a
ffffc40f`39fadb20 00000000`00000000 : 00000000`00000000 00000000`00000000 fffff804`6f667fee ffffad88`c72bc000 : 0xffffd466`d2205dcd
SYMBOL_NAME: atikmdag+e82ab
MODULE_NAME: atikmdag
IMAGE_NAME: atikmdag.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: e82ab
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_atikmdag!unknown_function
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {deacbb19-74cd-edab-fe73-2dddaa9b4bde}
Followup: MachineOwner
---------
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffffffffffff83, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: fffff8074b7c1a91, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-HH6FM2D
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 3
Key : Analysis.Memory.CommitPeak.Mb
Value: 67
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: 50
BUGCHECK_P1: ffffffffffffff83
BUGCHECK_P2: 2
BUGCHECK_P3: fffff8074b7c1a91
BUGCHECK_P4: 2
READ_ADDRESS: fffff8074b7723b8: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8074b6293b8: Unable to get Flags value from nt!KdVersionBlock
fffff8074b6293b8: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
ffffffffffffff83
MM_INTERNAL_CODE: 2
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: chrome.exe
TRAP_FRAME: fffffa8afc186d40 -- (.trap 0xfffffa8afc186d40)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000007b rbx=0000000000000000 rcx=fffffa8afc187000
rdx=0000000000000025 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8074b7c1a91 rsp=fffffa8afc186ed8 rbp=000000000000ffdf
r8=fffff8074bb49502 r9=fffffa8afc186ff0 r10=fffffa8afc187002
r11=fffffa8afc186f98 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nt!AlpcpCancelMessagesByRequestor+0x17d:
fffff807`4b7c1a91 006683 add byte ptr [rsi-7Dh],ah ds:ffffffff`ffffff83=??
Resetting default scope
MISALIGNED_IP:
nt!AlpcpCancelMessagesByRequestor+17d
fffff807`4b7c1a91 006683 add byte ptr [rsi-7Dh],ah
STACK_TEXT:
fffffa8a`fc186a98 fffff807`4b3e31d6 : 00000000`00000050 ffffffff`ffffff83 00000000`00000002 fffffa8a`fc186d40 : nt!KeBugCheckEx
fffffa8a`fc186aa0 fffff807`4b2730bf : ffffcb83`38d2ad64 00000000`00000002 00000000`00000000 ffffffff`ffffff83 : nt!MiSystemFault+0x1d64a6
fffffa8a`fc186ba0 fffff807`4b3cf120 : 00000000`00000000 00000000`00000001 ffffcb83`42353501 fffffa8a`fc186fc0 : nt!MmAccessFault+0x34f
fffffa8a`fc186d40 fffff807`4b7c1a91 : 00000000`00000001 ffffcb83`42353510 00000000`00000000 fffffa8a`fc186ff0 : nt!KiPageFault+0x360
fffffa8a`fc186ed8 fffffa8a`fc186f74 : fffffa8a`fc186f76 fffffa8a`fc186f78 fffffa8a`fc186f7a fffffa8a`fc186f7c : nt!AlpcpCancelMessagesByRequestor+0x17d
fffffa8a`fc186f48 fffffa8a`fc186f76 : fffffa8a`fc186f78 fffffa8a`fc186f7a fffffa8a`fc186f7c fffffa8a`fc186f7e : 0xfffffa8a`fc186f74
fffffa8a`fc186f50 fffffa8a`fc186f78 : fffffa8a`fc186f7a fffffa8a`fc186f7c fffffa8a`fc186f7e 00000000`00000000 : 0xfffffa8a`fc186f76
fffffa8a`fc186f58 fffffa8a`fc186f7a : fffffa8a`fc186f7c fffffa8a`fc186f7e 00000000`00000000 00000000`00000000 : 0xfffffa8a`fc186f78
fffffa8a`fc186f60 fffffa8a`fc186f7c : fffffa8a`fc186f7e 00000000`00000000 00000000`00000000 ffff38b2`745b0cb9 : 0xfffffa8a`fc186f7a
fffffa8a`fc186f68 fffffa8a`fc186f7e : 00000000`00000000 00000000`00000000 ffff38b2`745b0cb9 ffffcb83`42353510 : 0xfffffa8a`fc186f7c
fffffa8a`fc186f70 00000000`00000000 : 00000000`00000000 ffff38b2`745b0cb9 ffffcb83`42353510 00000000`00000076 : 0xfffffa8a`fc186f7e
SYMBOL_NAME: nt!AlpcpCancelMessagesByRequestor+17d
IMAGE_NAME: hardware
IMAGE_VERSION: 10.0.18362.356
STACK_COMMAND: .thread ; .cxr ; kb
MODULE_NAME: hardware
FAILURE_BUCKET_ID: IP_MISALIGNED
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {201b0e5d-db2a-63d2-77be-8ce8ff234750}
Followup: MachineOwner
---------
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 0000438b6610dd48, Actual security check cookie from the stack
Arg2: 0000d1da6686a4db, Expected security check cookie
Arg3: ffffd466d2205dcd, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 5
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-HH6FM2D
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 63
Key : Analysis.Memory.CommitPeak.Mb
Value: 69
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: f7
BUGCHECK_P1: 438b6610dd48
BUGCHECK_P2: d1da6686a4db
BUGCHECK_P3: ffffd466d2205dcd
BUGCHECK_P4: 0
SECURITY_COOKIE: Expected 0000d1da6686a4db found 0000438b6610dd48
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: dwm.exe
STACK_TEXT:
ffffc606`5ebfaaf8 fffff806`8b4482ab : 00000000`000000f7 0000438b`6610dd48 0000d1da`6686a4db ffffd466`d2205dcd : nt!KeBugCheckEx
ffffc606`5ebfab00 00000000`000000f7 : 0000438b`6610dd48 0000d1da`6686a4db ffffd466`d2205dcd 00000000`00000000 : atikmdag+0xe82ab
ffffc606`5ebfab08 0000438b`6610dd48 : 0000d1da`6686a4db ffffd466`d2205dcd 00000000`00000000 00000000`00000000 : 0xf7
ffffc606`5ebfab10 0000d1da`6686a4db : ffffd466`d2205dcd 00000000`00000000 00000000`00000000 00000000`00000000 : 0x0000438b`6610dd48
ffffc606`5ebfab18 ffffd466`d2205dcd : 00000000`00000000 00000000`00000000 00000000`00000000 fffff806`8b447fee : 0x0000d1da`6686a4db
ffffc606`5ebfab20 00000000`00000000 : 00000000`00000000 00000000`00000000 fffff806`8b447fee ffff858d`3a023000 : 0xffffd466`d2205dcd
SYMBOL_NAME: atikmdag+e82ab
MODULE_NAME: atikmdag
IMAGE_NAME: atikmdag.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: e82ab
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_atikmdag!unknown_function
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {deacbb19-74cd-edab-fe73-2dddaa9b4bde}
Followup: MachineOwner
---------