Memory V3Flt2K.sys – PAGE_FAULT_IN_NONPAGED_AREA (50)

It’s analysis “PAGE_FAULT_IN_NONPAGED_AREA (50)” in memory dump

분석 내용

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffa821440c7fe, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffffa6009fe1763, If non-zero, the instruction address which referenced the bad memory
 address.
Arg4: 0000000000000005, (reserved)

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 000007ff`fffdc018).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 000007ff`fffdc018).  Type ".hh dbgerr001" for details

READ_ADDRESS:  fffffa821440c7fe

FAULTING_IP: 
V3Flt2K+11763
fffffa60`09fe1763 0fb70441        movzx   eax,word ptr [rcx+rax*2]

MM_INTERNAL_CODE:  5

IMAGE_NAME:  V3Flt2K.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4afbd730

MODULE_NAME: V3Flt2K

FAULTING_MODULE: fffffa6009fd0000 V3Flt2K

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  w3wp.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffffa600a7f22e0 -- (.trap 0xfffffa600a7f22e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000ffffffff rbx=0000000000000000 rcx=fffffa801440c800
rdx=fffffa80153355e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffffa6009fe1763 rsp=fffffa600a7f2470 rbp=fffffa8011d1d450
 r8=fffffa801440c800  r9=fffffa800acf5910 r10=0000000000000001
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac po nc
V3Flt2K+0x11763:
fffffa60`09fe1763 0fb70441        movzx   eax,word ptr [rcx+rax*2] ds:24d0:c7fe=????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8000165bce0 to fffff8000164dbd0

STACK_TEXT:  
fffffa60`0a7f21e8 fffff800`0165bce0 : 00000000`00000050 fffffa82`1440c7fe 00000000`00000000 fffffa60`0a7f22e0 : nt!KeBugCheckEx
fffffa60`0a7f21f0 fffff800`0164c759 : 00000000`00000000 00000000`00000000 fffffa80`0bb78700 00000000`00000000 : nt!MmAccessFault+0x4f0
fffffa60`0a7f22e0 fffffa60`09fe1763 : 00000000`00000000 00000000`00000000 fffffa80`11d1d5a0 fffffa60`09fe1182 : nt!KiPageFault+0x119
fffffa60`0a7f2470 fffffa60`09fe1182 : fffffa80`1440c800 fffffa60`09fd632f fffffa80`11d1d500 fffffa60`0a7f2598 : V3Flt2K+0x11763
fffffa60`0a7f2490 fffffa60`09fd64f6 : fffffa80`15335510 fffffa80`153355e0 fffffa80`1440c800 fffffa80`0acf5910 : V3Flt2K+0x11182
fffffa60`0a7f24f0 fffffa60`00d4505a : fffffa80`11d1d500 fffffa60`0a7f2598 fffffa60`0a7f2580 00000000`00000010 : V3Flt2K+0x64f6
fffffa60`0a7f2540 fffffa60`00d4432c : 00000000`00000000 fffffa80`0fb7e300 fffffa80`0c666f00 fffffa80`1000000c : fltmgr!FltpPerformPreCallbacks+0x28a
fffffa60`0a7f2620 fffffa60`00d60256 : fffffa80`09dac040 fffffa80`0c666f20 fffffa80`0fb7e0c0 fffffa60`0a7f26a0 : fltmgr!FltpPassThroughInternal+0x3c
fffffa60`0a7f2650 fffff800`018d5393 : 00000000`00000005 fffffa80`0ccf4b10 00000000`00000040 00000000`00000000 : fltmgr!FltpCreate+0x247
fffffa60`0a7f2700 fffff800`018cf069 : fffffa80`0960dcc0 00000000`00000000 fffffa80`1f44b010 fffff800`018fa501 : nt!IopParseDevice+0x5e3
fffffa60`0a7f28a0 fffff800`018d2f54 : 00000000`00000000 fffffa80`18f14101 00000000`00000040 00000000`00000000 : nt!ObpLookupObjectName+0x5eb
fffffa60`0a7f29b0 fffff800`018df430 : 00120089`80100080 00000000`0909ddb8 fffffa80`1e07e501 fffffa80`1e07e540 : nt!ObOpenObjectByName+0x2f4
fffffa60`0a7f2a80 fffff800`018dff5c : 00000000`0909dd48 00000000`80100080 fffffa80`1d9db060 00000000`0909dd68 : nt!IopCreateFile+0x290
fffffa60`0a7f2b20 fffff800`0164d673 : fffffa80`1d9db060 00000000`0909fcc8 fffffa60`0a7f2bc8 fffff800`018cc4d4 : nt!NtCreateFile+0x78
fffffa60`0a7f2bb0 00000000`777b5fca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0909dcd8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x777b5fca


STACK_COMMAND:  kb

FOLLOWUP_IP: 
V3Flt2K+11763
fffffa60`09fe1763 0fb70441        movzx   eax,word ptr [rcx+rax*2]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  V3Flt2K+11763

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0x50_V3Flt2K+11763

BUCKET_ID:  X64_0x50_V3Flt2K+11763

Followup: MachineOwner
---------

3: kd> .trap 0xfffffa600a7f22e0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000ffffffff rbx=0000000000000000 rcx=fffffa801440c800
rdx=fffffa80153355e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffffa6009fe1763 rsp=fffffa600a7f2470 rbp=fffffa8011d1d450
 r8=fffffa801440c800  r9=fffffa800acf5910 r10=0000000000000001
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac po nc
V3Flt2K+0x11763:
fffffa60`09fe1763 0fb70441        movzx   eax,word ptr [rcx+rax*2] ds:24d0:c7fe=????

3: kd> dd fffffa821440c7fe <-- 잘못된 메모리 영역 참조
fffffa82`1440c7fe  ???????? ???????? ???????? ????????
fffffa82`1440c80e  ???????? ???????? ???????? ????????
fffffa82`1440c81e  ???????? ???????? ???????? ????????
fffffa82`1440c82e  ???????? ???????? ???????? ????????
fffffa82`1440c83e  ???????? ???????? ???????? ????????
fffffa82`1440c84e  ???????? ???????? ???????? ????????
fffffa82`1440c85e  ???????? ???????? ???????? ????????
fffffa82`1440c86e  ???????? ???????? ???????? ????????

3: kd> db fffffa801440c800
fffffa80`1440c800  00 00 0d 17 80 fa ff ff-69 00 63 00 65 00 5c 00  ........i.c.e.. <--깨진부분
fffffa80`1440c810  48 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  H.a.r.d.d.i.s.k.
fffffa80`1440c820  56 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  V.o.l.u.m.e.2..
fffffa80`1440c830  48 00 59 00 55 00 4e 00-44 00 41 00 49 00 5c 00  H.Y.U.N.D.A.I..
fffffa80`1440c840  30 00 34 00 20 00 1c ac-1c bc 8c c1 a4 c2 5c 00  0.4. ..........
fffffa80`1440c850  30 00 34 00 20 00 31 00-30 00 20 00 57 00 65 00  0.4. .1.0. .W.e.

 

조치 방법

안철수 연구소 확인결과 타고객사 유사건으로 확인한 내역이 있어 이에 따른 안정성을 위해 핫픽스를 제공

v3Net7.0 제품에서 메모리 관련 방어 코드 수정

Facebook Comments

Leave A Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.