Analysis of another BSOD occuring because of ERAM

1. Break instruction exception - code 80000003 (first chance)
2. *******************************************************************************
3. * *
4. * You are seeing this message because you pressed either *
5. * CTRL+C (if you run console kernel debugger) or, *
6. * CTRL+BREAK (if you run GUI kernel debugger), *
7. * on your debugger machine's keyboard. *
8. * *
9. * THIS IS NOT A BUG OR A SYSTEM CRASH *
10. * *
11. * If you did not intend to break into the debugger, press the "g" key, then *
12. * press the "Enter" key now. This message might immediately reappear. If it *
13. * does, press "g" and "Enter" again. *
14. * *
15. *******************************************************************************
16. nt!DbgBreakPointWithStatus:
17. fffff800`02700200 cc int 3
18. kd> g
19. Will breakin at next boot.
20.  
21. *** Fatal System Error: 0x000000c4
22. (0x0000000000000081,0xFFFFFA80082B7BE0,0xFFFFFFFFFFFF8042,0x0000000000000000)
23.  
24. Break instruction exception - code 80000003 (first chance)
25.  
26. A fatal system error has occurred.
27. Debugger entered on first try; Bugcheck callbacks have not been invoked.
28.  
29. A fatal system error has occurred.
30.  
31. Connected to Windows 7 7601 x64 target at (Wed Nov 21 13:39:54.897 2018 (UTC - 5:00)), ptr64 TRUE
32. Loading Kernel Symbols
33. ...............................................................
34. .............................................
35.  
36. Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
37. Run !sym noisy before .reload to track down problems loading symbols.
38.  
39. ...................
40. .......
41. Loading User Symbols
42.  
43. Loading unloaded module list
44. ......Unable to enumerate user-mode unloaded modules, Win32 error 0n30
45. ERROR: FindPlugIns 8007007b
46. ERROR: Some plugins may not be available [8007007b]
47. *******************************************************************************
48. * *
49. * Bugcheck Analysis *
50. * *
51. *******************************************************************************
52.  
53. Use !analyze -v to get detailed debugging information.
54.  
55. BugCheck C4, {81, fffffa80082b7be0, ffffffffffff8042, 0}
56.  
57. Probably caused by : eram.sys ( eram!EramReadWrite+144 )
58.  
59. Followup: MachineOwner
60. ---------
61.  
62. nt!DbgBreakPointWithStatus:
63. fffff800`02700200 cc int 3
64. kd> !analyze -v
65. ERROR: FindPlugIns 8007007b
66. ERROR: Some plugins may not be available [8007007b]
67. *******************************************************************************
68. * *
69. * Bugcheck Analysis *
70. * *
71. *******************************************************************************
72.  
73. DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
74. A device driver attempting to corrupt the system has been caught. This is
75. because the driver was specified in the registry as being suspect (by the
76. administrator) and the kernel has enabled substantial checking of this driver.
77. If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
78. be among the most commonly seen crashes.
79. Arguments:
80. Arg1: 0000000000000081, MmMapLockedPages called without MDL_MAPPING_CAN_FAIL
81. Arg2: fffffa80082b7be0, MDL address.
82. Arg3: ffffffffffff8042, MDL flags.
83. Arg4: 0000000000000000, 0.
84.  
85. Debugging Details:
86. ------------------
87.  
88.  
89. KEY_VALUES_STRING: 1
90.  
91.  
92. STACKHASH_ANALYSIS: 1
93.  
94. TIMELINE_ANALYSIS: 1
95.  
96.  
97. DUMP_CLASS: 1
98.  
99. DUMP_QUALIFIER: 0
100.  
101. BUILD_VERSION_STRING: 7601.24291.amd64fre.win7sp1_ldr_escrow.181110-1429
102.  
103. DUMP_TYPE: 0
104.  
105. BUGCHECK_P1: 81
106.  
107. BUGCHECK_P2: fffffa80082b7be0
108.  
109. BUGCHECK_P3: ffffffffffff8042
110.  
111. BUGCHECK_P4: 0
112.  
113. BUGCHECK_STR: 0xc4_81
114.  
115. CPU_COUNT: 1
116.  
117. CPU_MHZ: a98
118.  
119. CPU_VENDOR: GenuineIntel
120.  
121. CPU_FAMILY: 6
122.  
123. CPU_MODEL: 5e
124.  
125. CPU_STEPPING: 3
126.  
127. CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: 0'00000000 (cache) 0'00000000 (init)
128.  
129. DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
130.  
131. PROCESS_NAME: System
132.  
133. CURRENT_IRQL: 2
134.  
135. ANALYSIS_SESSION_HOST: BRYAN-PC
136.  
137. ANALYSIS_SESSION_TIME: 11-21-2018 13:40:23.0511
138.  
139. ANALYSIS_VERSION: 10.0.17763.132 amd64fre
140.  
141. LAST_CONTROL_TRANSFER: from fffff800027b45d2 to fffff80002700200
142.  
143. STACK_TEXT:
144. fffff880`02f99568 fffff800`027b45d2 : 00000000`00000081 fffffa80`067b1660 00000000`00000065 fffff800`026d12c8 : nt!DbgBreakPointWithStatus
145. fffff880`02f99570 fffff800`027b53c2 : ffffffff`00000003 00000000`00000000 fffff800`02709050 00000000`000000c4 : nt!KiBugCheckDebugBreak+0x12
146. fffff880`02f995d0 fffff800`026f9aa4 : fffff880`04aab2c5 00000000`00000000 fffffa80`08227f40 fffff880`04aab2c5 : nt!KeBugCheck2+0x722
147. fffff880`02f99ca0 fffff800`02b5f4fc : 00000000`000000c4 00000000`00000081 fffffa80`082b7be0 ffffffff`ffff8042 : nt!KeBugCheckEx+0x104
148. fffff880`02f99ce0 fffff800`02b727ba : fffffa80`082b7be0 00000000`00000002 fffffa80`07690700 00000000`00000000 : nt!VerifierBugCheckIfAppropriate+0x3c
149. fffff880`02f99d20 fffff880`01877784 : fffff980`2a9bae50 00000000`00000002 fffffa80`08227f40 fffff800`02b77ec6 : nt!VerifierMmMapLockedPages+0x4a
150. fffff880`02f99d60 fffff800`02b7bd56 : fffffa80`07690700 fffff980`2a9bae50 fffff880`02f95001 00000000`00000002 : eram!EramReadWrite+0x144 [c:\eram\eram.c @ 490]
151. fffff880`02f99de0 fffff880`04aab2c5 : fffffa80`07a958b0 00000000`00000002 00000000`00000000 fffffa80`08227f40 : nt!IovCallDriver+0x566
152. fffff880`02f99e40 fffff880`04a86abc : fffff980`22c46f80 fffff980`2a9bae50 fffffa80`07a95700 fffffa80`00000001 : fastfat!FatCommonRead+0xb75
153. fffff880`02f99f60 fffff800`02b7bd56 : fffff980`2a9bae50 fffff980`2a9bae50 fffff880`02f9b000 fffff880`02f95000 : fastfat!FatFsdRead+0x1a0
154. fffff880`02f99ff0 fffff880`0109583f : fffff980`2a9bafb0 fffff880`02f9a0a0 fffff980`2a4c2e10 fffffa80`0839ae20 : nt!IovCallDriver+0x566
155. fffff880`02f9a050 fffff880`010946df : fffffa80`074f0530 fffffa80`074f0530 fffff980`2a9bae00 fffff980`2a9bae50 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
156. fffff880`02f9a0e0 fffff800`02b7bd56 : fffff980`2a9bae50 00000000`00000002 fffffa80`082b7b70 fffffa80`06845b18 : fltmgr!FltpDispatch+0xcf
157. fffff880`02f9a140 fffff800`0272dae1 : fffff980`2a9bae50 fffffa80`074f0530 fffffa80`082b7be0 fffffa80`0892e290 : nt!IovCallDriver+0x566
158. fffff880`02f9a1a0 fffff800`027ce853 : 00000000`00000000 00000000`00000000 fffffa80`082b7b70 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x21761
159. fffff880`02f9a230 fffff800`027d5860 : ffffffff`ffffffff 00000000`00000000 00000000`c0033333 ffffffff`ffffffff : nt!MiIssueHardFault+0x363
160. fffff880`02f9a2d0 fffff800`027d8883 : 00000000`00000000 fffff980`23200000 00000000`00000000 fffffa80`067b1660 : nt!MmAccessFault+0x4820
161. fffff880`02f9a420 fffff800`026af6d4 : fffff980`23200000 fffff880`02f9a611 00000000`00000000 fffff800`026bf601 : nt!MmCheckCachedPageStates+0x693
162. fffff880`02f9a590 fffff800`026a9310 : 00000000`00000002 fffffa80`00000000 00000000`00000001 fffff880`02f9a720 : nt!CcMapAndRead+0xc4
163. fffff880`02f9a5f0 fffff800`0296d3ea : fffffa80`00040000 fffff880`02f9a768 00000000`00000400 00000000`00000000 : nt!CcPinFileData+0x570
164. fffff880`02f9a6b0 fffff880`04a86f99 : 00000000`00000000 00000000`00000000 00000000`00000400 fffffa80`07a958b0 : nt!CcPinRead+0xde
165. fffff880`02f9a760 fffff880`04aaba31 : fffff980`2a556f80 fffffa80`07a95801 00000000`00000002 fffff880`04a8b400 : fastfat!FatMarkVolume+0x19d
166. fffff880`02f9a830 fffff880`04aab8e6 : fffff980`2a556f80 fffff980`2a490ea0 fffff980`2a490e01 fffff980`2a490ea0 : fastfat!FatCommonShutdown+0x101
167. fffff880`02f9a8d0 fffff800`02b7bd56 : fffff980`2a490ea0 fffff980`2a490ea0 fffffa80`067fbe01 00000000`00000002 : fastfat!FatFsdShutdown+0x46
168. fffff880`02f9a910 fffff880`010946af : fffffa80`07a34cb0 00000000`00000002 fffffa80`07a34cb0 fffffa80`07b17800 : nt!IovCallDriver+0x566
169. fffff880`02f9a970 fffff800`02b7bd56 : fffff980`2a490ea0 00000000`00000002 fffff980`2a490ea0 fffff800`0299459c : fltmgr!FltpDispatch+0x9f
170. fffff880`02f9a9d0 fffff800`0291be1c : fffffa80`067fbe40 fffff800`028767a0 fffff800`028d7050 fffffa80`08bd90e0 : nt!IovCallDriver+0x566
171. fffff880`02f9aa30 fffff800`0291bfb2 : 00000000`00000001 00000000`00000001 fffff800`028767a0 00000000`00000000 : nt!IopShutdownBaseFileSystems+0xac
172. fffff880`02f9aab0 fffff800`0291cd36 : fffff800`0291cb50 fffff800`028767a0 00000000`00000001 00000000`00000001 : nt!IoShutdownSystem+0x122
173. fffff880`02f9ab30 fffff800`02694b39 : fffff800`0291cb50 fffff800`0293f601 fffff800`028d8f00 fffffa80`00000000 : nt!PopGracefulShutdown+0x1e6
174. fffff880`02f9ab70 fffff800`029a7d10 : 00000000`00000000 fffff800`0284a180 00000000`00000080 00000000`00000001 : nt!ExpWorkerThread+0x111
175. fffff880`02f9ac00 fffff800`026ff9a6 : fffff800`0284a180 fffffa80`067b1660 fffffa80`067b1b50 00000000`00000000 : nt!PspSystemThreadStartup+0x194
176. fffff880`02f9ac40 00000000`00000000 : fffff880`02f9b000 fffff880`02f95000 fffff880`06c8f5a0 00000000`00000000 : nt!KiStartSystemThread+0x16
177.  
178.  
179. THREAD_SHA1_HASH_MOD_FUNC: 07d10f8729e4a10d7e1cd59b8b0a833eec9384bf
180.  
181. THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 6e5ccf8ad4b20d22b22b828d1e7886ce8a6f3c84
182.  
183. THREAD_SHA1_HASH_MOD: e512cdf6de5c59baf1f1c62cdee7073972af92c8
184.  
185. FOLLOWUP_IP:
186. eram!EramReadWrite+144 [c:\eram\eram.c @ 490]
187. fffff880`01877784 4889442460 mov qword ptr [rsp+60h],rax
188.  
189. FAULT_INSTR_CODE: 24448948
190.  
191. FAULTING_SOURCE_LINE: c:\eram\eram.c
192.  
193. FAULTING_SOURCE_FILE: c:\eram\eram.c
194.  
195. FAULTING_SOURCE_LINE_NUMBER: 490
196.  
197. FAULTING_SOURCE_CODE:
198. 486: pTransAddr = NULL;
199. 487: if (pIrp->MdlAddress != NULL) /* with address */
200. 488: {
201. 489: /* address translation */
202. > 490: pTransAddr = MmGetSystemAddressForMdl(pIrp->MdlAddress);
203. 491: }
204. 492: /* Set success */
205. 493: ntStat = STATUS_SUCCESS;
206. 494: /* Set the data length */
207. 495: pIrp->IoStatus.Information = 0;
208.  
209.  
210. SYMBOL_STACK_INDEX: 6
211.  
212. SYMBOL_NAME: eram!EramReadWrite+144
213.  
214. FOLLOWUP_NAME: MachineOwner
215.  
216. MODULE_NAME: eram
217.  
218. IMAGE_NAME: eram.sys
219.  
220. DEBUG_FLR_IMAGE_TIMESTAMP: 5bf574b7
221.  
222. STACK_COMMAND: .thread ; .cxr ; kb
223.  
224. FAILURE_BUCKET_ID: X64_0xc4_81_VRF_eram!EramReadWrite+144
225.  
226. BUCKET_ID: X64_0xc4_81_VRF_eram!EramReadWrite+144
227.  
228. PRIMARY_PROBLEM_CLASS: X64_0xc4_81_VRF_eram!EramReadWrite+144
229.  
230. TARGET_TIME: 2018-11-21T18:39:49.000Z
231.  
232. OSBUILD: 7601
233.  
234. OSSERVICEPACK: 1000
235.  
236. SERVICEPACK_NUMBER: 0
237.  
238. OS_REVISION: 0
239.  
240. SUITE_MASK: 784
241.  
242. PRODUCT_TYPE: 1
243.  
244. OSPLATFORM_TYPE: x64
245.  
246. OSNAME: Windows 7
247.  
248. OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS Personal
249.  
250. OS_LOCALE:
251.  
252. USER_LCID: 0
253.  
254. OSBUILD_TIMESTAMP: 2018-11-10 19:44:59
255.  
256. BUILDDATESTAMP_STR: 181110-1429
257.  
258. BUILDLAB_STR: win7sp1_ldr_escrow
259.  
260. BUILDOSVER_STR: 6.1.7601.24291.amd64fre.win7sp1_ldr_escrow.181110-1429
261.  
262. ANALYSIS_SESSION_ELAPSED_TIME: 61c
263.  
264. ANALYSIS_SOURCE: KM
265.  
266. FAILURE_ID_HASH_STRING: km:x64_0xc4_81_vrf_eram!eramreadwrite+144
267.  
268. FAILURE_ID_HASH: {33edf415-9b76-1d64-5320-59d2189dbf11}
269.  
270. Followup: MachineOwner
271. ---------