libusbk
libusbk copied to clipboard
Published
20 hours ago •
mcuee
mcuee
BSOD when unplugging USB device during activity
While doing tests of removing USB device abruptly (i.e. physically upluggin it) during activity (basically reading on a data enpoint in a loop) I systematically got a BSOD.
My stack is an application using libusb-1.0, libubsK.dll and libuskK.sys (latest signed versions)
Analysis of the minidump using WinDbg gave the following output, in which libusbK.sys is clearly identified as doing something wrong.
It is a bit beyond my knowledge, could someone have a look at it? I guess it's easily reproducible.. Thanks
Here is WinDbg output:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffffe80dfc26870, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffffe80dfc267c8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 1781
Key : Analysis.Elapsed.mSec
Value: 11773
Key : Analysis.IO.Other.Mb
Value: 1
Key : Analysis.IO.Read.Mb
Value: 4
Key : Analysis.IO.Write.Mb
Value: 12
Key : Analysis.Init.CPU.mSec
Value: 109
Key : Analysis.Init.Elapsed.mSec
Value: 60213
Key : Analysis.Memory.CommitPeak.Mb
Value: 114
Key : Bugcheck.Code.LegacyAPI
Value: 0x139
Key : Dump.Attributes.AsUlong
Value: 1808
Key : Dump.Attributes.DiagDataWrittenToHeader
Value: 1
Key : Dump.Attributes.ErrorCode
Value: 0
Key : Dump.Attributes.KernelGeneratedTriageDump
Value: 1
Key : Dump.Attributes.LastLine
Value: Dump completed successfully.
Key : Dump.Attributes.ProgressPercentage
Value: 0
Key : FailFast.Name
Value: CORRUPT_LIST_ENTRY
Key : FailFast.Type
Value: 3
Key : Failure.Bucket
Value: 0x139_3_CORRUPT_LIST_ENTRY_libusbK!unknown_function
Key : Failure.Hash
Value: {3e2f28bf-7cbf-dc2c-f08f-3b94cf8f94c5}
Key : Hypervisor.Enlightenments.ValueHex
Value: 1417df84
Key : Hypervisor.Flags.AnyHypervisorPresent
Value: 1
Key : Hypervisor.Flags.ApicEnlightened
Value: 0
Key : Hypervisor.Flags.ApicVirtualizationAvailable
Value: 1
Key : Hypervisor.Flags.AsyncMemoryHint
Value: 0
Key : Hypervisor.Flags.CoreSchedulerRequested
Value: 0
Key : Hypervisor.Flags.CpuManager
Value: 1
Key : Hypervisor.Flags.DeprecateAutoEoi
Value: 1
Key : Hypervisor.Flags.DynamicCpuDisabled
Value: 1
Key : Hypervisor.Flags.Epf
Value: 0
Key : Hypervisor.Flags.ExtendedProcessorMasks
Value: 1
Key : Hypervisor.Flags.HardwareMbecAvailable
Value: 1
Key : Hypervisor.Flags.MaxBankNumber
Value: 0
Key : Hypervisor.Flags.MemoryZeroingControl
Value: 0
Key : Hypervisor.Flags.NoExtendedRangeFlush
Value: 0
Key : Hypervisor.Flags.NoNonArchCoreSharing
Value: 1
Key : Hypervisor.Flags.Phase0InitDone
Value: 1
Key : Hypervisor.Flags.PowerSchedulerQos
Value: 0
Key : Hypervisor.Flags.RootScheduler
Value: 0
Key : Hypervisor.Flags.SynicAvailable
Value: 1
Key : Hypervisor.Flags.UseQpcBias
Value: 0
Key : Hypervisor.Flags.Value
Value: 21631230
Key : Hypervisor.Flags.ValueHex
Value: 14a10fe
Key : Hypervisor.Flags.VpAssistPage
Value: 1
Key : Hypervisor.Flags.VsmAvailable
Value: 1
Key : Hypervisor.RootFlags.AccessStats
Value: 1
Key : Hypervisor.RootFlags.CrashdumpEnlightened
Value: 1
Key : Hypervisor.RootFlags.CreateVirtualProcessor
Value: 1
Key : Hypervisor.RootFlags.DisableHyperthreading
Value: 0
Key : Hypervisor.RootFlags.HostTimelineSync
Value: 1
Key : Hypervisor.RootFlags.HypervisorDebuggingEnabled
Value: 0
Key : Hypervisor.RootFlags.IsHyperV
Value: 1
Key : Hypervisor.RootFlags.LivedumpEnlightened
Value: 1
Key : Hypervisor.RootFlags.MapDeviceInterrupt
Value: 1
Key : Hypervisor.RootFlags.MceEnlightened
Value: 1
Key : Hypervisor.RootFlags.Nested
Value: 0
Key : Hypervisor.RootFlags.StartLogicalProcessor
Value: 1
Key : Hypervisor.RootFlags.Value
Value: 1015
Key : Hypervisor.RootFlags.ValueHex
Value: 3f7
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: fffffe80dfc26870
BUGCHECK_P3: fffffe80dfc267c8
BUGCHECK_P4: 0
FILE_IN_CAB: 092723-15156-01.dmp
DUMP_FILE_ATTRIBUTES: 0x1808
Kernel Generated Triage Dump
TRAP_FRAME: fffffe80dfc26870 -- (.trap 0xfffffe80dfc26870)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffe80dfc26cb8 rbx=0000000000000000 rcx=0000000000000003
rdx=fffffe80dc7f6838 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8000a91511d rsp=fffffe80dfc26a00 rbp=ffff9304dea3abb0
r8=00000000000005c0 r9=fffff8000a990c08 r10=0000000000000000
r11=fffffe80dfc269e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
Wdf01000!RtlFailFast+0x5:
fffff800`0a91511d cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: fffffe80dfc267c8 -- (.exr 0xfffffe80dfc267c8)
ExceptionAddress: fffff8000a91511d (Wdf01000!RtlFailFast+0x0000000000000005)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
fffffe80`dfc26548 fffff800`094477a9 : 00000000`00000139 00000000`00000003 fffffe80`dfc26870 fffffe80`dfc267c8 : nt!KeBugCheckEx
fffffe80`dfc26550 fffff800`09447d32 : ffff9304`e15f6dc0 fffff800`0a906e46 00006cfb`35d39300 ffff9304`aa010000 : nt!KiBugCheckDispatch+0x69
fffffe80`dfc26690 fffff800`09445b06 : 00000000`00000009 fffff800`0927d847 ffff9304`d9de8aa0 00000000`00000000 : nt!KiFastFailDispatch+0xb2
fffffe80`dfc26870 fffff800`0a91511d : fffffe80`dfc26c40 ffff9304`dea3abb0 00000000`00000001 fffffe80`dfc26bd0 : nt!KiRaiseSecurityCheckFailure+0x346
fffffe80`dfc26a00 fffff800`0a9069c6 : fffff800`0aa80500 fffff800`0a929a00 fffffe80`dfc26bd0 00000000`00000004 : Wdf01000!FxIoTarget::SubmitLocked+0xeaad [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 1536]
fffffe80`dfc26aa0 fffff800`0a953dce : fffffe80`dfc26bd0 fffffe80`dfc26b60 fffffe80`dfc26c40 fffffe80`dfc26cf0 : Wdf01000!FxIoTarget::Submit+0x3e [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 1649]
fffffe80`dfc26ae0 fffff800`0a954083 : ffff9304`db01aa00 fffff800`00000000 00000000`00000000 fffffe80`dfc26cf0 : Wdf01000!FxIoTarget::SubmitSync+0x126 [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 1740]
fffffe80`dfc26ba0 fffff800`0a95701c : 00000000`00000000 fffffe80`dfc26c00 00000000`00000000 00000000`00000000 : Wdf01000!FxIoTarget::SubmitSyncRequestIgnoreTargetState+0x93 [minkernel\wdf\framework\shared\targets\general\fxiotarget.cpp @ 2697]
fffffe80`dfc26bf0 fffff800`675033c1 : ffff9304`e5492b70 ffff9304`e15f6dc0 ffff9304`dea3abb0 00000000`00004000 : Wdf01000!imp_WdfUsbTargetPipeResetSynchronously+0x15c [minkernel\wdf\framework\shared\targets\usb\fxusbpipeapi.cpp @ 603]
fffffe80`dfc26e80 ffff9304`e5492b70 : ffff9304`e15f6dc0 ffff9304`dea3abb0 00000000`00004000 ffff9304`e5492fa8 : libusbK+0x33c1
fffffe80`dfc26e88 ffff9304`e15f6dc0 : ffff9304`dea3abb0 00000000`00004000 ffff9304`e5492fa8 ffff9304`d23f1020 : 0xffff9304`e5492b70
fffffe80`dfc26e90 ffff9304`dea3abb0 : 00000000`00004000 ffff9304`e5492fa8 ffff9304`d23f1020 00000000`00000010 : 0xffff9304`e15f6dc0
fffffe80`dfc26e98 00000000`00004000 : ffff9304`e5492fa8 ffff9304`d23f1020 00000000`00000010 00000000`00000000 : 0xffff9304`dea3abb0
fffffe80`dfc26ea0 ffff9304`e5492fa8 : ffff9304`d23f1020 00000000`00000010 00000000`00000000 00006cfb`239a7238 : 0x4000
fffffe80`dfc26ea8 ffff9304`d23f1020 : 00000000`00000010 00000000`00000000 00006cfb`239a7238 00006cfb`1ab6d488 : 0xffff9304`e5492fa8
fffffe80`dfc26eb0 00000000`00000010 : 00000000`00000000 00006cfb`239a7238 00006cfb`1ab6d488 00000000`00004000 : 0xffff9304`d23f1020
fffffe80`dfc26eb8 00000000`00000000 : 00006cfb`239a7238 00006cfb`1ab6d488 00000000`00004000 00000000`00004000 : 0x10
SYMBOL_NAME: libusbK+33c1
MODULE_NAME: libusbK
IMAGE_NAME: libusbK.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 33c1
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_libusbK!unknown_function
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3e2f28bf-7cbf-dc2c-f08f-3b94cf8f94c5}
Followup: MachineOwner
Hmm, this is beyond my capability as well. I have not seen such issue before.
@TravisRo Needs your help here.
