
BSOD & bootloop after KB5032190 #1

@trungnt2910

Description

```
TRAP_FRAME:  ffffdf0924206fb0 -- (.trap 0xffffdf0924206fb0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8077df51fa0 rbx=0000000000000000 rcx=0000000000000003
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8077851ac23 rsp=ffffdf0924207140 rbp=ffffdf0924207300
 r8=0000000000000000  r9=7ffffffffffffffc r10=fffff80778437630
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe cy
nt!PsStartSiloMonitor+0xe35f3:
fffff807`7851ac23 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffdf0924206f08 -- (.exr 0xffffdf0924206f08)
ExceptionAddress: fffff8077851ac23 (nt!PsStartSiloMonitor+0x00000000000e35f3)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY 

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000003

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffffdf09`24206478 fffff807`78166882     : ffffdf09`242065e0 fffff807`77f1afa0 fffff807`757ad180 00000000`00000001 : nt!DbgBreakPointWithStatus
ffffdf09`24206480 fffff807`78165f43     : fffff807`00000003 ffffdf09`242065e0 fffff807`7802fc70 00000000`00000139 : nt!KiBugCheckDebugBreak+0x12
ffffdf09`242064e0 fffff807`78016a87     : ffffcf05`2dc61db8 fffff807`77e96773 ffffcf05`2e1f6a00 00000000`00000000 : nt!KeBugCheck2+0xba3
ffffdf09`24206c50 fffff807`7802bfa9     : 00000000`00000139 00000000`00000003 ffffdf09`24206fb0 ffffdf09`24206f08 : nt!KeBugCheckEx+0x107
ffffdf09`24206c90 fffff807`7802c532     : 00000800`00000000 ffff94ca`7e01dff8 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffdf09`24206dd0 fffff807`7802a306     : fffff807`00000000 00000000`00001001 00000000`00000000 ffff848c`5c136a40 : nt!KiFastFailDispatch+0xb2
ffffdf09`24206fb0 fffff807`7851ac23     : ffffffff`ffffffff 00000000`00000000 ffffcf05`2e1f6a00 ffffcf05`2e1f6a00 : nt!KiRaiseSecurityCheckFailure+0x346
ffffdf09`24207140 fffff807`7fe9e1f4     : ffff848c`5c134cf0 ffff848c`5c134cf0 ffffdf09`242073a0 ffff848c`5afb026d : nt!PsStartSiloMonitor+0xe35f3
ffffdf09`242071c0 fffff807`7fe9e030     : ffff848c`5a6b3000 ffff848c`5a6b3000 ffff848c`5af31580 fffff807`77f143f5 : Msfs!DriverEntry+0x174
ffffdf09`24207220 fffff807`783e2ac0     : ffff848c`5a6b3000 00000000`00000000 ffff848c`5c134cf0 fffff807`77f141a8 : Msfs!GsDriverEntry+0x20
ffffdf09`24207250 fffff807`7829ad1b     : ffff848c`5a6b3000 00000000`00000000 00000000`00000000 ffffcf05`2e287550 : nt!PnpCallDriverEntry+0x54
ffffdf09`242072a0 fffff807`7876e85b     : ffff848c`5af4c5d8 ffff848c`5af4c5d8 ffffdf09`242074d0 00000000`00000050 : nt!IopLoadDriver+0x523
ffffdf09`24207460 fffff807`78747336     : fffff807`00000000 ffffcf05`2e02abc0 00000000`00000000 fffff807`7543dde0 : nt!IopInitializeSystemDrivers+0x157
ffffdf09`24207500 fffff807`78406f8b     : fffff807`78406f50 fffff807`7885db10 fffff807`78406f50 fffff807`7543dde0 : nt!IoInitSystem+0x52
ffffdf09`24207530 fffff807`77f07287     : ffff848c`59ea0080 fffff807`78406f50 fffff807`7543dde0 00000000`00000000 : nt!Phase1Initialization+0x3b
ffffdf09`24207570 fffff807`7801b8e4     : fffff807`757ad180 ffff848c`59ea0080 fffff807`77f07230 00000000`00000000 : nt!PspSystemThreadStartup+0x57
ffffdf09`242075c0 00000000`00000000     : ffffdf09`24208000 ffffdf09`24201000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x34


SYMBOL_NAME:  Msfs!DriverEntry+174

MODULE_NAME: Msfs

IMAGE_NAME:  Msfs.SYS

IMAGE_VERSION:  10.0.22621.2506

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  174

FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_Msfs!DriverEntry

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {ff3062aa-c31f-4aa1-f93a-d31e5d0d16e0}

Followup:     MachineOwner
---------
```

Regardless of PatchGuard status and load order, drivers loading after lxmonika would cause a BSOD with KERNEL_SECURITY_CHECK_FAILURE after calling PsStartSiloMonitor.

The relevant disassembly is:

```asm
mov     rax, cs:qword_140C37D18
lea     rcx, PspSiloMonitorList
cmp     [rax], rcx
jnz     loc_14091AC1E
loc_14091AC1E:
mov     ecx, 3
; This is nt!PsStartSiloMonitor+0xe35f3 in the stack trace.
int     29h             ; Win8: RtlFailFast(ecx)
```

Seems like a heuristic has gone wrong.
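The sequence in the disassembly (load a qword stored beside PspSiloMonitorList, compare what it points to against &PspSiloMonitorList, then `mov ecx, 3` / `int 29h`) has the shape of the LIST_ENTRY integrity check that the WDK's InsertTailList has performed since Windows 8: ListHead->Blink->Flink must still equal ListHead, otherwise the kernel fast-fails with FAST_FAIL_CORRUPT_LIST_ENTRY (3, the subcode in the dump). The following user-mode C model of that check is an added example, not code from this issue or from lxmonika; reading qword_140C37D18 as the list head's Blink is an inference from the pattern, and the stale-entry scenario is constructed.

```c
#include <stdio.h>

/* Added example modelling the Windows LIST_ENTRY fast-fail check; not
 * lxmonika code. FAST_FAIL_CORRUPT_LIST_ENTRY is 3 in winnt.h, and
 * __fastfail(3) compiles to mov ecx,3 / int 29h as seen in the dump. */
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

static void InitializeListHead(PLIST_ENTRY Head) { Head->Flink = Head->Blink = Head; }

/* Same steps as the checked InsertTailList in the WDK headers (Windows 8+),
 * but returning the fast-fail code instead of raising int 29h. */
static int CheckedInsertTailList(PLIST_ENTRY Head, PLIST_ENTRY Entry)
{
    PLIST_ENTRY Prev = Head->Blink;          /* mov rax, [Head.Blink]  */
    if (Prev->Flink != Head)                 /* cmp [rax], rcx / jnz   */
        return FAST_FAIL_CORRUPT_LIST_ENTRY; /* mov ecx, 3 / int 29h   */
    Entry->Flink = Head;
    Entry->Blink = Prev;
    Prev->Flink = Entry;
    Head->Blink = Entry;
    return 0;
}

/* Constructed scenario: two entries register cleanly; the tail entry is then
 * overwritten without being unlinked (stale entry). The next registration
 * follows Head->Blink to the stale entry and the check fires, as in the dump. */
int SimulateStaleTailEntry(void)
{
    LIST_ENTRY head, a, b, c, elsewhere;
    InitializeListHead(&head);
    if (CheckedInsertTailList(&head, &a) != 0) return -1;
    if (CheckedInsertTailList(&head, &b) != 0) return -1;
    b.Flink = &elsewhere;                    /* simulated corruption   */
    return CheckedInsertTailList(&head, &c); /* 3: list check failed   */
}

int main(void)
{
    int rc = SimulateStaleTailEntry();
    printf("CheckedInsertTailList -> %d%s\n", rc,
           rc == FAST_FAIL_CORRUPT_LIST_ENTRY ? " (FAST_FAIL_CORRUPT_LIST_ENTRY)" : "");
    return rc == FAST_FAIL_CORRUPT_LIST_ENTRY ? 0 : 1;
}
```

In the kernel the failing compare happens inside PsStartSiloMonitor rather than in the caller, so a third-party driver that left a stale entry on PspSiloMonitorList makes the next well-behaved driver (here Msfs.SYS) appear as the culprit in the bucket ID.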
