Wireshark-dev: Re: [Wireshark-dev] Npcap 0.03 call for test

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Mon, 10 Aug 2015 18:40:41 +0800
Hi Jim, Pascal,

This IRQL_NOT_LESS_OR_EQUAL (a) BSoD seems to be caused by NdisAcquireSpinLock call in function NPF_StartUsingOpenInstance has referred to freed Open struct memory, I have tried to fix it in latest installer, you may try it at:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.03-r6.exe

Cheers,
Yang


On Fri, Aug 7, 2015 at 9:51 AM, Jim Young <jyoung@xxxxxxx> wrote:

Hello Yang,


After installing 0.03-r5 on my Windows 8.1 system I too am see a BSOD when starting Wireshark, tshark or dumpcap.


Like Pascal's Bugcheck Analysis my crashes are also reporting bug check string: IRQL_NOT_LESS_OR_EQUAL (a)

2: kd> .symfix C:\Symbols

2: kd> .reload

Loading Kernel Symbols

...............................................................

................................................................

.......................................

Loading User Symbols

.....................................

Loading unloaded module list

........

2: kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************


IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high.  This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: 000000000000a620, memory referenced

Arg2: 0000000000000002, IRQL

Arg3: 0000000000000001, bitfield :

bit 0 : value 0 = read operation, 1 = write operation

bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: fffff802a914e0cc, address which referenced memory


Debugging Details:

------------------


*** ERROR: Module load completed but symbols could not be loaded for npf.sys

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for packet.dll - 


WRITE_ADDRESS: unable to get nt!MmNonPagedPoolStart

unable to get nt!MmSizeOfNonPagedPoolInBytes

 000000000000a620 


CURRENT_IRQL:  2


FAULTING_IP: 

nt!KeAcquireSpinLockRaiseToDpc+1c

fffff802`a914e0cc f0480fba2900    lock bts qword ptr [rcx],0


DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT


BUGCHECK_STR:  AV


PROCESS_NAME:  dumpcap.exe


ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre


TRAP_FRAME:  ffffd0009e22a600 -- (.trap 0xffffd0009e22a600)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=0000000000000002 rbx=0000000000000000 rcx=000000000000a620

rdx=ffffe00024ae9a70 rsi=0000000000000000 rdi=0000000000000000

rip=fffff802a914e0cc rsp=ffffd0009e22a790 rbp=ffffd0009e22ab80

 r8=ffffe00022bf3610  r9=000000000000000e r10=0000000000000801

r11=ffffe00025387040 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0         nv up ei pl zr na po nc

nt!KeAcquireSpinLockRaiseToDpc+0x1c:

fffff802`a914e0cc f0480fba2900    lock bts qword ptr [rcx],0 ds:00000000`0000a620=????????????????

Resetting default scope


LAST_CONTROL_TRANSFER:  from fffff802a91d27e9 to fffff802a91c6ca0


STACK_TEXT:  

ffffd000`9e22a4b8 fffff802`a91d27e9 : 00000000`0000000a 00000000`0000a620 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx

ffffd000`9e22a4c0 fffff802`a91d103a : 00000000`00000001 00000000`00000000 00000000`00000000 ffffd000`9e22a730 : nt!KiBugCheckDispatch+0x69

ffffd000`9e22a600 fffff802`a914e0cc : 00000000`00000001 ffffc001`00000000 ffffc001`6f840a01 00000000`00000000 : nt!KiPageFault+0x23a

ffffd000`9e22a790 fffff801`c221b19a : 00000000`00000000 ffffe000`2529b080 00000000`00000001 ffffd000`9e22ab80 : nt!KeAcquireSpinLockRaiseToDpc+0x1c

ffffd000`9e22a7c0 fffff801`c221ba38 : 00000000`00001ef0 ffffe000`24ae9a00 00000000`00000000 ffffd000`00000000 : npf+0x319a

ffffd000`9e22a7f0 fffff802`a949b77f : 00000000`00000001 ffffe000`24ae9a70 ffffe000`24ae9a70 00000000`00000001 : npf+0x3a38

ffffd000`9e22a880 fffff802`a949ad22 : ffffd000`9e22aa38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f

ffffd000`9e22aa20 fffff802`a91d24b3 : ffffe000`25299080 ffffd000`001f0003 00000004`a71ecc08 00000004`00000000 : nt!NtDeviceIoControlFile+0x56

ffffd000`9e22aa90 00007fff`16ff123a : 00007fff`14375fe3 00007f71`9a924c5b 00000000`00000003 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13

00000004`a71ecbb8 00007fff`14375fe3 : 00007f71`9a924c5b 00000000`00000003 00000000`00000000 00000000`00000013 : ntdll!NtDeviceIoControlFile+0xa

00000004`a71ecbc0 00007fff`16b01bb0 : 00000000`00001ef0 00007fff`16f9713a 00000000`00000020 00000000`00000000 : KERNELBASE!DeviceIoControl+0x121

00000004`a71ecc30 00007fff`0f4c3d65 : 00000004`a73a4960 00000004`a71ecf20 ffffffff`ffffffff 00000004`a71ecf20 : KERNEL32!DeviceIoControlImplementation+0x80

00000004`a71ecc80 00000004`a73a4960 : 00000004`a71ecf20 ffffffff`ffffffff 00000004`a71ecf20 00000000`00000000 : packet+0x3d65

00000004`a71ecc88 00000004`a71ecf20 : ffffffff`ffffffff 00000004`a71ecf20 00000000`00000000 00000000`00000000 : 0x00000004`a73a4960

00000004`a71ecc90 ffffffff`ffffffff : 00000004`a71ecf20 00000000`00000000 00000000`00000000 00000004`a71eccd0 : 0x00000004`a71ecf20

00000004`a71ecc98 00000004`a71ecf20 : 00000000`00000000 00000000`00000000 00000004`a71eccd0 00000000`00000000 : 0xffffffff`ffffffff

00000004`a71ecca0 00000000`00000000 : 00000000`00000000 00000004`a71eccd0 00000000`00000000 00000004`a73a4960 : 0x00000004`a71ecf20



STACK_COMMAND:  kb


FOLLOWUP_IP: 

npf+319a

fffff801`c221b19a 4032ff          xor     dil,dil


SYMBOL_STACK_INDEX:  4


SYMBOL_NAME:  npf+319a


FOLLOWUP_NAME:  MachineOwner


MODULE_NAME: npf


IMAGE_NAME:  npf.sys


DEBUG_FLR_IMAGE_TIMESTAMP:  55c32fb5


FAILURE_BUCKET_ID:  AV_npf+319a


BUCKET_ID:  AV_npf+319a


ANALYSIS_SOURCE:  KM


FAILURE_ID_HASH_STRING:  km:av_npf+319a


FAILURE_ID_HASH:  {bf4ae29b-3505-fe6e-b8b7-41bfb9d08cf8}


Followup: MachineOwner

---------


Best regards,

Jim Y.


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe