mysterious SrvOpen/VNetRoot corruption

1. 4: kd> !analyze -v
2. *******************************************************************************
3. * *
4. * Bugcheck Analysis *
5. * *
6. *******************************************************************************
7.  
8. ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
9. An attempt was made to write to readonly memory. The guilty driver is on the
10. stack trace (and is typically the current instruction pointer).
11. When possible, the guilty driver's name (Unicode string) is printed on
12. the bugcheck screen and saved in KiBugCheckDriver.
13. Arguments:
14. Arg1: fffff804272ee429, Virtual address for the attempted write.
15. Arg2: 01000001de5ec121, PTE contents.
16. Arg3: ffffa20c46501ff0, (reserved)
17. Arg4: 000000000000000a, (reserved)
18.  
19.  
20. 4: kd> .cxr; k
21. Resetting default scope
22. Child-SP RetAddr Call Site
23. ffffa20c`46501df8 fffff804`21d50e57 nt!KeBugCheckEx
24. ffffa20c`46501e00 fffff804`21c1f786 nt!MiRaisedIrqlFault+0x363
25. ffffa20c`46501e50 fffff804`21e3c356 nt!MmAccessFault+0x3e6
26. ffffa20c`46501ff0 fffff804`22d621e9 nt!KiPageFault+0x356
27. ffffa20c`46502180 fffff804`22d6241c rdpdr!SmartPtr<DrDevice>::operator=+0x25
28. ffffa20c`465021b0 fffff804`22d78a74 rdpdr!GetDeviceFromRxContext+0x4c
29. ffffa20c`465021e0 fffff804`2a4bc419 rdpdr!DrIoControl+0x54
30. ffffa20c`46502270 fffff804`2a4cdb52 rdbss!RxLowIoSubmit+0x1a9
31. ffffa20c`465022e0 fffff804`2a473e86 rdbss!RxCommonDeviceControl+0x1c2
32. ffffa20c`46502350 fffff804`2a4ae9e6 rdbss!RxFsdCommonDispatch+0x616
33. ffffa20c`465024c0 fffff804`22d701f9 rdbss!RxFsdDispatch+0x86
34. ffffa20c`46502510 fffff804`21c37595 rdpdr!DrPeekDispatch+0x1e9
35. ffffa20c`46502570 fffff804`27a2e918 nt!IofCallDriver+0x55
36. ffffa20c`465025b0 fffff804`27a2e476 mup!MupiCallUncProvider+0xb8
37. ffffa20c`46502620 fffff804`27a2e3ad mup!MupStateMachine+0x56
38. ffffa20c`46502650 fffff804`21c37595 mup!MupFsdIrpPassThrough+0x16d
39. ffffa20c`465026c0 fffff804`26328282 nt!IofCallDriver+0x55
40. ffffa20c`46502700 fffff804`26325353 FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x652
41. ffffa20c`46502780 fffff804`21c37595 FLTMGR!FltpDispatch+0xa3
42. ffffa20c`465027e0 fffff804`220606be nt!IofCallDriver+0x55
43. ffffa20c`46502820 fffff804`220b4d2d nt!IopSynchronousServiceTail+0x33e
44. ffffa20c`465028c0 fffff804`220b4de6 nt!IopXxxControlFile+0xc7d
45. ffffa20c`46502a00 fffff804`21e404e5 nt!NtDeviceIoControlFile+0x56
46. ffffa20c`46502a70 00007ffd`7acffa74 nt!KiSystemServiceCopyEnd+0x25
47. 0000002c`12d7f788 00000000`00000000 0x00007ffd`7acffa74
48.  
49.  
50. 4: kd> .frame /c /r 4
51. 04 ffffa20c`46502180 fffff804`22d6241c rdpdr!SmartPtr<DrDevice>::operator=+0x25
52. rax=0000000000000000 rbx=fffff804272ee419 rcx=0000000000000000
53. rdx=fffff804272ee419 rsi=ffffc78283ff7810 rdi=ffffa20c46502278
54. rip=fffff80422d621e9 rsp=ffffa20c46502180 rbp=ffffa20c46502278
55. r8=0000000000000000 r9=ffffc7828229d410 r10=fffff80421c33940
56. r11=ffffa20c46502320 r12=ffffc7828229d400 r13=ffffc7827abb2060
57. r14=fffff80422d6b950 r15=fffff80422d6b000
58. iopl=0 nv up ei pl nz na pe nc
59. cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
60. rdpdr!SmartPtr<DrDevice>::operator=+0x25:
61. fffff804`22d621e9 f0ff4310 lock inc dword ptr [rbx+10h] ds:002b:fffff804`272ee429=00a024b4
62.  
63.  
64.  
65.  
66.  
67.  
68.  
69.  
70.  
71. NTSTATUS rdbss!RxLowIoSubmit(PRX_CONTEXT RxContext, PIRP Irp, PFCB Fcb, PLOWIO_COMPLETION_ROUTINE CompletionRoutine)
72. {
73. ...
74. routine = get_routine();
75. routine(RxContext); // rdpdr!DrIoControl; RxContext == ffffc782`7abb2060
76. ...
77. }
78.  
79.  
80. NTSTATUS rdpdr!DrIoControl(PRX_CONTEXT RxContext)
81. {
82. // RxContext == ffffc782`7abb2060
83.  
84. SmartPtr<DrDevice> Device{};
85. GetDeviceFromRxContext(RxContext, Device);
86. ...
87. }
88.  
89.  
90. BOOL rdpdr!GetDeviceFromRxContext(PRX_CONTEXT RxContext, SmartPtr<DrDevice>& Device)
91. {
92. // RxContext == ffffc782`7abb2060
93. // &Device == ffffa20c`46502230+48 == ffffa20c`46502278, on stack; *Device == 0
94.  
95. PMRX_SRV_OPEN SrvOpen = RxContext->pRelevantSrvOpen; // [ffffc782`7abb2060+48] == xxx1 (?) rax
96. PMRX_V_NET_ROOT VNetRoot = SrvOpen->pVNetRoot; // [xxx1+28] == ffffc782`83ff7810 rsi
97. ...
98. VirtualChannel* Channel = [VNetRoot+0x28]; // fffff804`272ee419 Ntfs!NtfsCommonFlushBuffers+0x335 !!! INVALID DATA !!!
99. Device = Channel; // SmartPtr<DrDevice>::operator=(VirtualChannel*)
100. }
101.  
102.  
103. DrDevice& SmartPtr<DrDevice>::operator=(DrDevice* this, VirtualChannel* Channel)
104. {
105. // &Device == ffffa20c`46502230+48 == ffffa20c`46502278, on stack; *Device == 0
106. // Channel == fffff804`272ee419 Ntfs!NtfsCommonFlushBuffers+0x335 !!! INVALID !!!
107.  
108. auto* prevObject = [this+0x00]; // 0/nullptr (empty smartptr)
109. if (prevObject)
110. prevObject->Release(); // skipped here
111. [this+0x00] = Channel;
112. Channel->AddRef(); // lock inc [channel+0x10] << can't write to fffff804`272ee419+0x10 == fffff804`272ee429, BSOD
113. return *this;
114. }
115.  
116.  
117.  
118.  
119.  
120.  
121. Potential further investigation:
122.  
123. ::RxContext
124. dps ffffc782`7abb2060+48-20 L8
125. !pool ffffc782`7abb2060+48 2
126.  
127. ::SrvOpen
128. dps poi(ffffc782`7abb2060+48)-20 L8
129. !pool poi(ffffc782`7abb2060+48) 2
130.  
131. ::VNetRoot
132. dps ffffc782`83ff7810-20 L8
133. !pool ffffc782`83ff7810 2
134.  
135.  
136. But that'll hardly give actionable data.
137. So far we only know that either SrvOpen (== RxContext->pRelevantSrvOpen), or VNetRoot (== SrvOpen->pVNetRoot) was overwritten with bogus data. I'd say chance of bitflip is medium or below medium. NGL, situation looks suspicious.
138.  
139. What I would do:
140. 1. Badmem theory: test host with memcheck for at least some hours (if downtime is acceptable).
141. 2. Attacker theory: use gflags.exe to enable *Kernel Flags*: Heap tail checking, Heap free checking, Page Heap (if ammount of memory allows that). That'll force bsod the very moment something overflows the pool, so it'll be much easier to find the culprit.
142.