[Winpcap-bugs] WinPcap 4.1.1 - BSOD
Boaz Brickner
boaz.brickner at gmail.com
Fri Nov 13 14:20:11 PST 2009
Hi,
I've uploaded a small console application that causes the crash to the ftp
site.
I hope that all needed dlls are there. If you're missing any, let me know.
If the application runs without causing a BSOD crash, try to download
something while running the application. I've found it useful to try to see
a youtube movie while downloading.
If this doesn't work either, you might need to disable all network devices
but your main network device and to disable IPv6 support from the main
network device.
I hope you'll crash :)
Boaz.
On Fri, Nov 13, 2009 at 21:35, Gianluca Varenni <
gianluca.varenni at cacetech.com> wrote:
> That would be great. I'm still using VS2005 SP1 professional edition, I
> haven't migrated to 2008.
>
> Have a nice day
> GV
>
>
> ----- Original Message -----
> *From:* Boaz Brickner <boaz.brickner at gmail.com>
> *To:* Gianluca Varenni <gianluca.varenni at cacetech.com>
> *Cc:* winpcap-bugs at winpcap.org
> *Sent:* Friday, November 13, 2009 10:18 AM
> *Subject:* Re: [Winpcap-bugs] WinPcap 4.1.1 - BSOD
>
> The entire code is available here (change set 30721):
> http://pcapdotnet.codeplex.com/SourceControl/ListDownloadableCommits.aspx
>
> I'm not sure exactly what test causes it, if you can't compile and run the
> code, I will try to create an executable that causes a BSOD.
>
> Boaz.
>
> On Fri, Nov 13, 2009 at 19:20, Gianluca Varenni <
> gianluca.varenni at cacetech.com> wrote:
>
>> This time I was able to get the crash dump correctly.
>>
>> In this case the driver asserted on a bad condition that should never
>> happen.
>>
>> Are you able to provide me the binaries to run the test?
>>
>> Have a nice day
>> GV
>>
>>
>> ----- Original Message -----
>> *From:* Boaz Brickner <boaz.brickner at gmail.com>
>> *To:* Gianluca Varenni <gianluca.varenni at cacetech.com>
>> *Cc:* winpcap-bugs at winpcap.org
>> *Sent:* Friday, November 13, 2009 12:05 AM
>> *Subject:* Re: [Winpcap-bugs] WinPcap 4.1.1 - BSOD
>>
>> Hi,
>>
>> It seems the zip file was corrupted.
>> I've rezipped it, uploaded it, and here are the different parameters on
>> the zip file.
>>
>> BoazMEMORY3.zip
>> 56478352 bytes
>>
>> ADLER32: cf6243a1
>> CRC32: 0ac90d25
>> MD2: 5a6af575a6321cd270af60dfd3e9ad22
>> MD4: b922517648db0a9f75f79aeb0ef9c68b
>> MD5: 6001d5fda98dc209f54b43a41c18930a
>> SHA1: ee5b542b4fead9b4b0a91f91847527fca6ea83ea
>> SHA256: 373ec76e3ba7431c83c9508219ae20b1a132a714c8eddf296405d7ea8ba141e1
>> SHA384:
>> 45ca4d2049dde87e6ec313d48356b839b817fe51c96bfcf5c9fcbe45e066915959efe7ef403363fe4424e1c38091fb72
>> SHA512:
>> 270ba74400a79a889e1480f3f37f51de1a728895a10de502b78ccd1bff982a0b2a6701b67c9eaa4cc3db2fcf44c524b8ecb401dd53afb7604806933c8daddb64
>> RIPEMD128: 02b0cf064234ec8ba6190a4584f29d3d
>> RIPEMD160: d55ebced51778c48a14ef0fcf5772925466cea34
>> TIGER128: 2ca256a32a6178908ef849b5298ab5ec
>> TIGER160: 2ca256a32a6178908ef849b5298ab5ecb0b45815
>> TIGER192: 2ca256a32a6178908ef849b5298ab5ecb0b458152e4a6294
>> GOST: 5284d47812e1256d7894b187a3f54b3da0c9f5de3ec0a247d01a1da9b2f7d789
>>
>> On Fri, Nov 13, 2009 at 01:52, Gianluca Varenni <
>> gianluca.varenni at cacetech.com> wrote:
>>
>>> It looks like the file got corrupted during the upload.
>>>
>>> Can you please upload it again, and provide me the SHA1 or MD5 checksum
>>> of the zip file?
>>>
>>> Have a nice day
>>> GV
>>>
>>>
>>> ----- Original Message -----
>>> *From:* Boaz Brickner <boaz.brickner at gmail.com>
>>> *To:* Gianluca Varenni <gianluca.varenni at cacetech.com>
>>> *Cc:* winpcap-bugs at winpcap.org
>>> *Sent:* Thursday, November 12, 2009 3:05 PM
>>> *Subject:* Re: [Winpcap-bugs] WinPcap 4.1.1 - BSOD
>>>
>>> Hi,
>>>
>>> I've just uploaded a 45 MB zip file containing the kernel dump.
>>> I hope this helps.
>>>
>>> Boaz.
>>>
>>> On Thu, Nov 12, 2009 at 23:45, Gianluca Varenni <
>>> gianluca.varenni at cacetech.com> wrote:
>>>
>>>> Would it be possible for you to enable kernel crash dumps and try to
>>>> crash your machine as well?
>>>>
>>>> Have a nice day
>>>> GV
>>>>
>>>> ----- Original Message -----
>>>> *From:* Boaz Brickner <boaz.brickner at gmail.com>
>>>> *To:* Gianluca Varenni <gianluca.varenni at cacetech.com>
>>>> *Cc:* winpcap-bugs at winpcap.org
>>>> *Sent:* Thursday, November 12, 2009 1:41 PM
>>>> *Subject:* Re: [Winpcap-bugs] WinPcap 4.1.1 - BSOD
>>>>
>>>> Hi,
>>>>
>>>> I've uploaded 2 Windows XP mini dumps to
>>>> ftp://www.winpcap.org/pub/incoming/ and I hope it got there.
>>>> There are also 6 Windows 7 mini dumps publicly available in
>>>> http://www.sevenforums.com/crashes-debugging/37276-bsod-windows-7-professional-64-bit.html
>>>>
>>>> Thank you,
>>>>
>>>> Boaz.
>>>>
>>>> On Thu, Nov 12, 2009 at 22:22, Gianluca Varenni <
>>>> gianluca.varenni at cacetech.com> wrote:
>>>>
>>>>> I analyzed the stack trace that you sent below, and it's definitely a
>>>>> NULL pointer dereference, that should not happen (in the sense that such
>>>>> pointer should not be null, it comes from the OS itself). In order to
>>>>> further investigate the problem, however, I need to have a kernel memory
>>>>> dump, so that I can get a look at the variables on the stack...
>>>>>
>>>>>
>>>>> Have a nice day
>>>>> GV
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>> *From:* Boaz Brickner <boaz.brickner at gmail.com>
>>>>> *To:* winpcap-bugs at winpcap.org
>>>>> *Sent:* Thursday, November 12, 2009 11:03 AM
>>>>> *Subject:* [Winpcap-bugs] WinPcap 4.1.1 - BSOD
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm working on a new wrapper for WinPcap in .Net call Pcap.Net.
>>>>> I've recently tried to upgrade Pcap.Net project (
>>>>> http://pcapdotnet.codeplex.com) to WinPcap 4.1.1 to support Windows 7
>>>>> (I've used WinPcap 4.0.2 before).
>>>>>
>>>>> When I run my different unit tests that use all kinds of WinPcap's
>>>>> features while using my network drive, I'm getting a Blue Screen Of Death
>>>>> (BSOD) - Windows Crash.
>>>>> I've managed to get BSOD both on Windows 7 Professional 64 bit and on
>>>>> Windows XP SP3 32 bit (two different computer systems).
>>>>> Before I've upgraded to WinPcap 4.1.1 I've never got a BSOD (Windows XP
>>>>> SP3).
>>>>>
>>>>> *It seems this BSOD is caused by WinPcap's npf driver.*
>>>>>
>>>>> At first I thought this problem is caused by Windows 7 or a combination
>>>>> of Windows 7 and WinPcap.
>>>>> After I've seen that this problem also appears on my Windows XP that
>>>>> never experienced this problem before, I believe this is not the case and it
>>>>> is caused by WinPcap 4.1.1 alone.
>>>>>
>>>>> Since a full reboot is needed after the BSOD appears, I'm having a hard
>>>>> time figuring out what exactly causes this problem.
>>>>>
>>>>> If you want to try and recreate this problem you are welcome to use
>>>>> WinPcap 4.1.1 and download the latest source from Pcap.Net project site
>>>>> (changeset 30721):
>>>>>
>>>>>
>>>>> http://pcapdotnet.codeplex.com/SourceControl/ListDownloadableCommits.aspx
>>>>>
>>>>> If you're having troubles compiling and running the unit tests using
>>>>> Visual Studio Team Suite 2008 SP1, you are welcome to contact me and I'll
>>>>> try to help you with it. Sometimes more than one run of all the unit tests
>>>>> may be needed to cause the crash and you might need to do use your network
>>>>> drive (by downloading a file for example) to make the BSOD appear.
>>>>>
>>>>>
>>>>> Also see my post on Windows 7 forums:
>>>>>
>>>>> http://www.sevenforums.com/crashes-debugging/37276-bsod-windows-7-professional-64-bit.html
>>>>>
>>>>> *
>>>>> Details from Windows 7 mini dump (note that npf.sys is specifically
>>>>> referenced):*
>>>>>
>>>>> IRQL_NOT_LESS_OR_EQUAL (a)
>>>>> An attempt was made to access a pageable (or completely invalid)
>>>>> address at an
>>>>> interrupt request level (IRQL) that is too high. This is usually
>>>>> caused by drivers using improper addresses.
>>>>> If a kernel debugger is available get the stack backtrace.
>>>>> Arguments:
>>>>> Arg1: 0000000000003178, memory referenced
>>>>> Arg2: 0000000000000002, IRQL
>>>>> Arg3: 0000000000000001, bitfield :
>>>>> bit 0 : value 0 = read operation, 1 = write operation
>>>>> bit 3 : value 0 = not an execute operation, 1 = execute operation
>>>>> (only on chips which support this level of status)
>>>>> Arg4: fffff80003eccb75, address which referenced memory
>>>>>
>>>>> Debugging Details:
>>>>> ------------------
>>>>>
>>>>>
>>>>> WRITE_ADDRESS: GetPointerFromAddress: unable to read from
>>>>> fffff800040fa0e0
>>>>> 0000000000003178
>>>>>
>>>>> CURRENT_IRQL: 2
>>>>>
>>>>> FAULTING_IP:
>>>>> nt!KeAcquireSpinLockRaiseToDpc+55
>>>>> fffff800`03eccb75 f0480fba2900 lock bts qword ptr [rcx],0
>>>>>
>>>>> CUSTOMER_CRASH_COUNT: 1
>>>>>
>>>>> DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
>>>>>
>>>>> BUGCHECK_STR: 0xA
>>>>>
>>>>> PROCESS_NAME: VSTestHost.exe
>>>>>
>>>>> TRAP_FRAME: fffff8800909b7b0 -- (.trap 0xfffff8800909b7b0)
>>>>> NOTE: The trap frame does not contain all registers.
>>>>> Some register values may be zeroed or incorrect.
>>>>> rax=0000000000000002 rbx=0000000000000000 rcx=0000000000003178
>>>>> rdx=0000000000000085 rsi=0000000000000000 rdi=0000000000000000
>>>>> rip=fffff80003eccb75 rsp=fffff8800909b940 rbp=0000000000003178
>>>>> r8=0000000000000065 r9=0000000000000000 r10=0000000000000000
>>>>> r11=fffff8800909b980 r12=0000000000000000 r13=0000000000000000
>>>>> r14=0000000000000000 r15=0000000000000000
>>>>> iopl=0 nv up ei pl nz na po nc
>>>>> nt!KeAcquireSpinLockRaiseToDpc+0x55:
>>>>> fffff800`03eccb75 f0480fba2900 lock bts qword ptr [rcx],0
>>>>> ds:00000000`00003178=????????????????
>>>>> Resetting default scope
>>>>>
>>>>> LAST_CONTROL_TRANSFER: from fffff80003ec3469 to fffff80003ec3f00
>>>>>
>>>>> STACK_TEXT:
>>>>> fffff880`0909b668 fffff800`03ec3469 : 00000000`0000000a
>>>>> 00000000`00003178 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
>>>>> fffff880`0909b670 fffff800`03ec20e0 : 00000000`00000000
>>>>> 00000000`00000000 00000000`00000000 fffff800`03eca1a2 :
>>>>> nt!KiBugCheckDispatch+0x69
>>>>> fffff880`0909b7b0 fffff800`03eccb75 : fffffa80`03e5c3f0
>>>>> 00000000`08004870 00000000`00000001 fffffa80`06a57900 : nt!KiPageFault+0x260
>>>>> fffff880`0909b940 fffff880`05c02ef5 : fffffa80`0677d990
>>>>> 00000000`00000000 fffffa80`0677d8c0 00000000`00000000 :
>>>>> nt!KeAcquireSpinLockRaiseToDpc+0x55
>>>>> fffff880`0909b990 fffffa80`0677d990 : 00000000`00000000
>>>>> fffffa80`0677d8c0 00000000`00000000 fffffa80`0677d8c0 : npf+0x2ef5
>>>>> fffff880`0909b998 00000000`00000000 : fffffa80`0677d8c0
>>>>> 00000000`00000000 fffffa80`0677d8c0 fffff880`05c03edf : 0xfffffa80`0677d990
>>>>>
>>>>>
>>>>> STACK_COMMAND: kb
>>>>>
>>>>> FOLLOWUP_IP:
>>>>> npf+2ef5
>>>>> fffff880`05c02ef5 ?? ???
>>>>>
>>>>> SYMBOL_STACK_INDEX: 4
>>>>>
>>>>> SYMBOL_NAME: npf+2ef5
>>>>>
>>>>> FOLLOWUP_NAME: MachineOwner
>>>>>
>>>>> *MODULE_NAME: npf
>>>>>
>>>>> IMAGE_NAME: npf.sys*
>>>>>
>>>>> DEBUG_FLR_IMAGE_TIMESTAMP: 4addfab3
>>>>>
>>>>> FAILURE_BUCKET_ID: X64_0xA_npf+2ef5
>>>>>
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Winpcap-bugs mailing list
>>>>> Winpcap-bugs at winpcap.org
>>>>> https://www.winpcap.org/mailman/listinfo/winpcap-bugs
>>>>>
>>>>>
>>>>
>>> ------------------------------
>>>
>>> _______________________________________________
>>> Winpcap-bugs mailing list
>>> Winpcap-bugs at winpcap.org
>>> https://www.winpcap.org/mailman/listinfo/winpcap-bugs
>>>
>>>
>> ------------------------------
>>
>> _______________________________________________
>> Winpcap-bugs mailing list
>> Winpcap-bugs at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-bugs
>>
>>
> ------------------------------
>
> _______________________________________________
> Winpcap-bugs mailing list
> Winpcap-bugs at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-bugs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20091114/4fcbf0a0/attachment-0001.htm
More information about the Winpcap-bugs
mailing list