Crash Dump Analysis Patterns (Part 6b)

NULL Data Pointer is a special case of the more general Invalid Pointer pattern, as is NULL Code Pointer. The effective address is below 0xFFFF and is usually formed from a register holding the value 0 plus a small offset, for example:

0: kd> r
Last set context:
eax=8923b008 ebx=00000000 ecx=00000000 edx=8923b008 esi=891312d0 edi=89f0b300
eip=8081c7c4 esp=f1b5d7a4 ebp=f1b5d7a4 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!IoIsOperationSynchronous+0xe:
8081c7c4 f6412c02  test    byte ptr [ecx+2Ch],2   ds:0023:0000002c=??

Here, after disassembling the function backwards, we see a succession of dereferences starting from [EBP+8], the first parameter. This means that a pointer to a structure (an IRP here) was passed to the function; that structure contained a data pointer (at offset 0x60) to another structure, and the latter contained a NULL pointer (at offset 0x18), which the faulting instruction then dereferenced at offset 0x2C:

0: kd> ub 8081c7c4
nt!IoIsOperationSynchronous:
8081c7b6 8bff            mov     edi,edi
8081c7b8 55              push    ebp
8081c7b9 8bec            mov     ebp,esp
8081c7bb 8b4508          mov     eax,dword ptr [ebp+8]
8081c7be 8b4860          mov     ecx,dword ptr [eax+60h]
8081c7c1 8b4918          mov     ecx,dword ptr [ecx+18h]
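The two checks done by hand above can be mechanized. The following Python script is an added example, not code from the post or from DumpAnalysis.org: it parses the quoted register dump and the faulting instruction, computes the effective address as base register plus displacement with wrap-around at the register width, flags it as a NULL data pointer when it lies at or below 0xFFFF, and walks the backward disassembly to reconstruct the dereference chain from [ebp+8]. The sample lines are the ones quoted in the post, embedded as constructed input; all function names, the register-width-from-name rule and the 0xFFFF threshold constant are this example's own assumptions. The wrap-around also covers the case where a sentinel value such as 0xFFFFFFFF plus a small offset yields a tiny effective address.

```python
import re

# Constructed sample input: the WinDbg output quoted in the post (x86 kernel dump).
REGISTER_DUMP = """\
eax=8923b008 ebx=00000000 ecx=00000000 edx=8923b008 esi=891312d0 edi=89f0b300
eip=8081c7c4 esp=f1b5d7a4 ebp=f1b5d7a4 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
"""
FAULTING_INSTRUCTION = "8081c7c4 f6412c02  test    byte ptr [ecx+2Ch],2   ds:0023:0000002c=??"
DISASSEMBLY_BACKWARDS = """\
8081c7b6 8bff            mov     edi,edi
8081c7b8 55              push    ebp
8081c7b9 8bec            mov     ebp,esp
8081c7bb 8b4508          mov     eax,dword ptr [ebp+8]
8081c7be 8b4860          mov     ecx,dword ptr [eax+60h]
8081c7c1 8b4918          mov     ecx,dword ptr [ecx+18h]
"""

# Assumption taken from the post: effective addresses at or below 0xFFFF are NULL data pointers.
NULL_POINTER_LIMIT = 0xFFFF

REG_RE = re.compile(r"\b([a-z][a-z0-9]{1,3})=([0-9a-f]{8,16})\b")   # name=8..16 hex digits
MEM_RE = re.compile(r"\[([a-z0-9]+)(?:([+-])([0-9a-fA-F]+)h?)?\]")   # [base], [base+disp], [base-disp]
MOV_RE = re.compile(r"\bmov\s+([a-z0-9]+),(.*)$")                    # mov dst,<source operand>


def parse_registers(dump: str) -> dict:
    """Map register name -> integer value from a WinDbg 'r' or '.cxr' register dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def parse_memory_operand(instruction: str):
    """Return (base_register, displacement) for the first [base+disp] operand, else None.
    MASM-style displacements are hexadecimal whether or not they carry the 'h' suffix."""
    m = MEM_RE.search(instruction)
    if not m:
        return None
    base, sign, disp = m.group(1), m.group(2), m.group(3)
    offset = int(disp, 16) if disp else 0
    return base, (-offset if sign == "-" else offset)


def effective_address(regs: dict, base: str, disp: int) -> int:
    """base + disp, wrapped at the register width so integer overflow behaves as in the CPU.
    Assumption: 'r'-prefixed names (rax, r8, rdi...) are 64-bit, everything else 32-bit."""
    width = 64 if base.startswith("r") else 32
    return (regs[base] + disp) & ((1 << width) - 1)


def is_null_data_pointer(address: int) -> bool:
    """The pattern's criterion: the effective address lies within the first 64 KB."""
    return address <= NULL_POINTER_LIMIT


def dereference_chain(disassembly: str, faulting_instruction: str) -> list:
    """Walk the disassembly backwards from the faulting [base+disp] operand, following each
    'mov reg,[base+disp]' that produced the base register (and plain register copies),
    and return the loads in source order, ending with the faulting access."""
    chain = [parse_memory_operand(faulting_instruction)]
    wanted = chain[0][0]
    for line in reversed(disassembly.strip().splitlines()):
        m = MOV_RE.search(line)
        if not m or m.group(1) != wanted:
            continue
        operand = parse_memory_operand(m.group(2))
        if operand is None:
            src = m.group(2).strip()
            if re.fullmatch(r"[a-z0-9]+", src):   # register-to-register move: keep following
                wanted = src
                continue
            break                                 # produced by something this walker does not model
        chain.append(operand)
        wanted = operand[0]
    chain.reverse()
    return chain


def _hex(disp: int) -> str:
    return f"-{-disp:X}h" if disp < 0 else f"+{disp:X}h"


def format_chain(chain: list) -> str:
    """Render the chain as an analyst reads it: the first load, then each further offset."""
    base, disp = chain[0]
    return " -> ".join([f"[{base}{_hex(disp)}]"] + [f"[{_hex(d)}]" for _, d in chain[1:]])


def analyze(register_dump: str, faulting_instruction: str, disassembly_backwards: str) -> dict:
    """Classify the faulting access and reconstruct how its base register was obtained."""
    regs = parse_registers(register_dump)
    base, disp = parse_memory_operand(faulting_instruction)
    ea = effective_address(regs, base, disp)
    return {
        "base_register": base,
        "base_value": regs[base],
        "effective_address": ea,
        "null_data_pointer": is_null_data_pointer(ea),
        "chain": format_chain(dereference_chain(disassembly_backwards, faulting_instruction)),
    }


if __name__ == "__main__":
    result = analyze(REGISTER_DUMP, FAULTING_INSTRUCTION, DISASSEMBLY_BACKWARDS)
    print(f"base register   : {result['base_register']} = {result['base_value']:#x}")
    print(f"effective address: {result['effective_address']:#x}")
    print(f"NULL data pointer: {result['null_data_pointer']}")
    print(f"dereference chain: {result['chain']}")
```

For the quoted dump the script reports an effective address of 0x2C from ecx=0 and the chain [ebp+8h] -> [+60h] -> [+18h] -> [+2Ch], which is the IRP, its embedded pointer at +0x60, the NULL at +0x18, and the faulting byte test at +0x2C. The walker follows only `mov` loads and register copies; an arithmetic or `lea` step between loads ends the chain, so treat its output as a starting point rather than a substitute for reading the disassembly.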

Next post will feature a full case study.

Note: pointers are discussed in great detail in my latest book: Windows Debugging: Practical Foundations

- Dmitry Vostokov @ DumpAnalysis.org -

9 Responses to “Crash Dump Analysis Patterns (Part 6b)”

  1. Crash Dump Analysis » Blog Archive » NULL Data Pointer Pattern: case study Says:

    […] (0x7DA) - The Year of Dump Analysis Here is the promised case study for the previous post about data NULL pointers. The complete dump has this […]

  2. Crash Dump Analysis » Blog Archive » Null data pointer, incorrect stack trace, changed environment, hooked functions and coincidental symbolic information: pattern cooperation Says:

    […] GUI-enhancing hooking and patching 3rd-party products. The dump was analyzed and it shows the data NULL pointer access […]

  3. Crash Dump Analysis » Blog Archive » Sentinel Pointers Says:

    […] can think that ESI was 0 but it was 0xFFFFFFFF. Adding 0xAC to it produced an effective NULL data pointer 0xAB through integer addition overflow if we consider addition as unsigned. It is easy to see the […]

  4. Crash Dump Analysis » Blog Archive » Null data pointer, pass through functions and platformorphic fault: pattern cooperation Says:

    […] We got a bugcheck when a accessing a NULL data pointer: […]

  5. Crash Dump Analysis » Blog Archive » WOW64 process, NULL data pointer, stack overflow, main thread, incorrect stack trace, nested exceptions, hidden exception, manual dump, multiple exceptions and virtualized system: pattern cooperation Says:

    […] 32-bit WOW64 process was crashing when accessing a direct NULL data pointer with the following stack […]

  6. Crash Dump Analysis » Blog Archive » NULL data pointer, stack trace, inline function optimization and platformorphic fault: pattern cooperation Says:

    […] clearly have an instance of a NULL pointer data access. If we try to match this stack trace to known faults in database we would probably […]

  7. Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 10) Says:

    […] we introduce an icon for NULL Pointer (data) […]

  8. Dmitry Vostokov Says:

    Another example that also shows .cxr command in x64 context:

    0:006> k
    # Child-SP RetAddr Call Site
    00 000000a9`be019378 00007ffe`1b11918f ntdll!NtWaitForMultipleObjects+0xa
    01 000000a9`be019380 00007ffe`1b11908e KERNELBASE!WaitForMultipleObjectsEx+0xef
    02 000000a9`be019680 00007ffe`1b92155c KERNELBASE!WaitForMultipleObjects+0xe
    03 000000a9`be0196c0 00007ffe`1b921088 kernel32!BasepReportFault+0x54c
    04 000000a9`be019c30 00007ffe`1b1403cd kernel32!BasepReportFault+0x78
    05 000000a9`be019c60 00007ffe`1dd8dbf6 KERNELBASE!UnhandledExceptionFilter+0x1fd
    06 000000a9`be019d60 00007ffe`1dd65680 ntdll!LdrpLogFatalUserCallbackException+0x56
    07 000000a9`be019e90 00007ffe`1dd6666d ntdll!KiUserCallbackDispatcherHandler+0x20
    08 000000a9`be019ed0 00007ffe`1dce3c00 ntdll!RtlpExecuteHandlerForException+0xd
    09 000000a9`be019f00 00007ffe`1dd6577a ntdll!RtlDispatchException+0x370
    0a 000000a9`be01a600 00007ffd`f98e8f69 ntdll!KiUserExceptionDispatch+0x3a
    0b 000000a9`be01ad00 00007ffd`f98e5c94 edgehtml!CWebPlatformTridentHost::LoadNewWindowContent+0x35
    0c 000000a9`be01ad90 00007ffe`1b84b0b3 edgehtml!CWebPlatform::LoadNewWindowContent+0x64
    0d 000000a9`be01ae10 00007ffe`1b80521e rpcrt4!Invoke+0x73
    0e 000000a9`be01aea0 00007ffe`1b83aaba rpcrt4!NdrStubCall2+0x34e
    0f 000000a9`be01b4f0 00007ffe`1d414b1b rpcrt4!NdrStubCall3+0xea
    10 000000a9`be01b560 00007ffe`1d4c25b2 combase!CStdStubBuffer_Invoke+0x6b
    11 000000a9`be01b5a0 00007ffe`1d490845 combase!CoGetContextToken+0x262
    12 000000a9`be01b610 00007ffe`1d47f95e combase!CoCreateFreeThreadedMarshaler+0x5735
    13 000000a9`be01b830 00007ffe`1d48219e combase!CoGetObjectContext+0x9bce
    14 000000a9`be01bb00 00007ffe`1d4842bf combase!CoGetObjectContext+0xc40e
    15 000000a9`be01bcb0 00007ffe`1d47da9c combase!CoGetObjectContext+0xe52f
    16 000000a9`be01bf40 00007ffe`1ba300dc combase!CoGetObjectContext+0x7d0c
    17 000000a9`be01c090 00007ffe`1ba2fc07 user32!UserCallWinProcCheckWow+0x1fc
    18 000000a9`be01c180 00007ffe`1d4865e9 user32!DispatchMessageWorker+0x1a7
    19 000000a9`be01c200 00007ffe`1d486b8f combase!CoGetObjectContext+0x10859
    1a 000000a9`be01c270 00007ffe`1d491c2d combase!CoGetObjectContext+0x10dff
    1b 000000a9`be01c2d0 00007ffe`1d48d7a9 combase!CoCreateFreeThreadedMarshaler+0x6b1d
    1c 000000a9`be01c420 00007ffe`1d48e215 combase!CoCreateFreeThreadedMarshaler+0x2699
    1d 000000a9`be01c600 00007ffe`1d41475b combase!CoCreateFreeThreadedMarshaler+0x3105
    1e 000000a9`be01c7c0 00007ffe`1b8aa340 combase!NdrOleDllGetClassObject+0xf2b
    1f 000000a9`be01c830 00007ffe`1d414544 rpcrt4!NdrpClientCall3+0x460
    20 000000a9`be01cc20 00007ffe`1d51f192 combase!NdrOleDllGetClassObject+0xd14
    21 000000a9`be01cfb0 00007ffe`1d4a8b8d combase!ObjectStublessClient32+0xfc32
    22 000000a9`be01d000 00007ffe`1d4a8a65 combase!CoWaitForMultipleHandles+0x3cd
    23 000000a9`be01d070 00007ffe`1d49849d combase!CoWaitForMultipleHandles+0x2a5
    24 000000a9`be01d110 00007ffe`1d49cc3a combase!CoCreateFreeThreadedMarshaler+0xd38d
    25 000000a9`be01d2e0 00007ffe`1d48b6d0 combase!CoCreateFreeThreadedMarshaler+0x11b2a
    26 000000a9`be01d3e0 00007ffe`1d4113f7 combase!CoCreateFreeThreadedMarshaler+0x5c0
    27 000000a9`be01d430 00007ffe`1d94bd66 combase!CStdStubBuffer2_QueryInterface+0x117
    28 000000a9`be01d460 00007ffd`f05ebef0 oleaut32!VariantClear+0x176
    29 000000a9`be01d490 00007ffd`f05ed839 eModel!CIEFrameAuto::SetOwner+0x2b0
    2a 000000a9`be01d4f0 00007ffd`f05f7892 eModel!CBrowserTabBase::v_OnDestroy+0x69
    2b 000000a9`be01d520 00007ffd`f05f5247 eModel!CBrowserTab::v_OnDestroy+0x12
    2c 000000a9`be01d550 00007ffd`f05f1b1b eModel!CBrowserTab::v_WndProc+0x447
    2d 000000a9`be01d710 00007ffe`1ba300dc eModel!CBrowserTab::s_WndProc+0x5b
    2e 000000a9`be01d760 00007ffe`1ba2fe52 user32!UserCallWinProcCheckWow+0x1fc
    2f 000000a9`be01d850 00007ffe`1ba3d3fe user32!DispatchClientMessage+0xa2
    30 000000a9`be01d8b0 00007ffe`1dd65714 user32!_fnDWORD+0x3e
    31 000000a9`be01d910 00007ffe`1ba5061a ntdll!KiUserCallbackDispatcherContinue
    32 000000a9`be01d998 00007ffd`f05f6c8c user32!NtUserDestroyWindow+0xa
    33 000000a9`be01d9a0 00007ffd`f05f6ebb eModel!CBrowserTab::_DoFinalCleanup+0x35c
    34 000000a9`be01da50 00007ffd`f05f6620 eModel!CBrowserTab::_OnConfirmedClose+0x2f
    35 000000a9`be01da80 00007ffd`f05cf026 eModel!CBrowserTab::OnClose+0x170
    36 000000a9`be01dae0 00007ffd`f063065b eModel!CTabWindow::_TabWindowThreadProc+0x7a6
    37 000000a9`be01fd40 00007ffe`1326856f eModel!LCIETab_ThreadProc+0x2bb
    38 000000a9`be01fe70 00007ffe`1b912d92 iertutil!IEGetTabWindowExports+0x2f
    39 000000a9`be01fea0 00007ffe`1dcd9f64 kernel32!BaseThreadInitThunk+0x22
    3a 000000a9`be01fed0 00000000`00000000 ntdll!RtlUserThreadStart+0x34

    0:006> .cxr 000000a9`be01a600
    rax=0000000001000002 rbx=0000000000000009 rcx=0000000000000000
    rdx=000000a9be2d1300 rsi=000000a9be01ade0 rdi=0000000000000000
    rip=00007ffdf98e8f69 rsp=000000a9be01ad00 rbp=000000a9be2d1190
    r8=000000a9be2d1190 r9=000000a9be01ade0 r10=00007ffdf98e5c30
    r11=0000000000001000 r12=00007ffdf1b47382 r13=000000a9c01fc358
    r14=000000a9be2d1300 r15=000000a9be01b5a0
    iopl=0 nv up ei pl zr na po nc
    cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
    edgehtml!CWebPlatformTridentHost::LoadNewWindowContent+0x35:
    00007ffd`f98e8f69 488b07 mov rax,qword ptr [rdi] ds:00000000`00000000=????????????????

    0:006> kc
    *** Stack trace for last set context - .thread/.cxr resets it
    # Call Site
    00 edgehtml!CWebPlatformTridentHost::LoadNewWindowContent
    01 edgehtml!CWebPlatform::LoadNewWindowContent
    02 rpcrt4!Invoke
    03 rpcrt4!NdrStubCall2
    04 rpcrt4!NdrStubCall3
    05 combase!CStdStubBuffer_Invoke
    06 combase!CoGetContextToken
    07 combase!CoCreateFreeThreadedMarshaler
    08 combase!CoGetObjectContext
    09 combase!CoGetObjectContext
    0a combase!CoGetObjectContext
    0b combase!CoGetObjectContext
    0c user32!UserCallWinProcCheckWow
    0d user32!DispatchMessageWorker
    0e combase!CoGetObjectContext
    0f combase!CoGetObjectContext
    10 combase!CoCreateFreeThreadedMarshaler
    11 combase!CoCreateFreeThreadedMarshaler
    12 combase!CoCreateFreeThreadedMarshaler
    13 combase!NdrOleDllGetClassObject
    14 rpcrt4!NdrpClientCall3
    15 combase!NdrOleDllGetClassObject
    16 combase!ObjectStublessClient32
    17 combase!CoWaitForMultipleHandles
    18 combase!CoWaitForMultipleHandles
    19 combase!CoCreateFreeThreadedMarshaler
    1a combase!CoCreateFreeThreadedMarshaler
    1b combase!CoCreateFreeThreadedMarshaler
    1c combase!CStdStubBuffer2_QueryInterface
    1d oleaut32!VariantClear
    1e eModel!CIEFrameAuto::SetOwner
    1f eModel!CBrowserTabBase::v_OnDestroy
    20 eModel!CBrowserTab::v_OnDestroy
    21 eModel!CBrowserTab::v_WndProc
    22 eModel!CBrowserTab::s_WndProc
    23 user32!UserCallWinProcCheckWow
    24 user32!DispatchClientMessage
    25 user32!_fnDWORD
    26 ntdll!KiUserCallbackDispatcherContinue
    27 user32!NtUserDestroyWindow
    28 eModel!CBrowserTab::_DoFinalCleanup
    29 eModel!CBrowserTab::_OnConfirmedClose
    2a eModel!CBrowserTab::OnClose
    2b eModel!CTabWindow::_TabWindowThreadProc
    2c eModel!LCIETab_ThreadProc
    2d iertutil!IEGetTabWindowExports
    2e kernel32!BaseThreadInitThunk
    2f ntdll!RtlUserThreadStart

  9. Dmitry Vostokov Says:

    0:004> r
    rax=0000000000000000 rbx=000000dd5253ce30 rcx=000000d515923a00
    rdx=0000000000000000 rsi=0000000000000002 rdi=000000dd5253c940
    rip=00007ffd1fbc98cc rsp=000000dd5253d060 rbp=000000dd5253d220
    r8=000000d515923a00 r9=00000000ffffffff r10=0000000000000000
    r11=000000dd5253d3c8 r12=00007ffd20002460 r13=000000dd636a3101
    r14=000000dd51738000 r15=0000000000000c00
    iopl=0 nv up ei pl nz na pe nc
    cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
    edgehtml!COmWindowProxy::PrivateAddRef+0x3c:
    00007ffd`1fbc98cc 488b7868 mov rdi,qword ptr [rax+68h] ds:00000000`00000068=????????????????

    0:004> k
    # Child-SP RetAddr Call Site
    00 000000dd`5253d060 00007ffd`1fbc9850 edgehtml!COmWindowProxy::PrivateAddRef+0x3c
    01 000000dd`5253d090 00007ffd`1fbc97eb edgehtml!CEventPathBuilder::SetProxy+0x20
    02 000000dd`5253d0c0 00007ffd`1fbcb79b edgehtml!CEventPathBuilder::AppendWindowTarget+0x47
    03 000000dd`5253d0f0 00007ffd`1fbc5189 edgehtml!CWindow::BuildEventPath+0x1b
    04 000000dd`5253d120 00007ffd`1faec7f1 edgehtml!CEventMgr::Dispatch+0x5c9
    05 000000dd`5253d3d0 00007ffd`1faeb7cc edgehtml!CMessagePort::HandlePostMessage+0x10d
    06 000000dd`5253d450 00007ffd`1fc4b667 edgehtml!CMessageDispatcher::ProcessNotification+0x5c
    07 000000dd`5253d480 00007ffd`1fd521d1 edgehtml!GlobalWndOnPaintPriorityMethodCall+0x457
    08 000000dd`5253d570 00007ffd`43a900dc edgehtml!GlobalWndProc+0x101
    09 000000dd`5253d5f0 00007ffd`43a8fe52 user32!UserCallWinProcCheckWow+0x1fc
    0a 000000dd`5253d6e0 00007ffd`43a9d3fe user32!DispatchClientMessage+0xa2
    0b 000000dd`5253d740 00007ffd`462f5714 user32!_fnDWORD+0x3e
    0c 000000dd`5253d7a0 00007ffd`43aaffba ntdll!KiUserCallbackDispatcherContinue
    0d 000000dd`5253d828 00007ffd`43a8fca7 user32!NtUserDispatchMessage+0xa
    0e 000000dd`5253d830 00007ffd`19c6eee8 user32!DispatchMessageWorker+0x247
    0f 000000dd`5253d8b0 00007ffd`19cd0bdb eModel!CTabWindow::_TabWindowThreadProc+0x5b8
    10 000000dd`5253fb10 00007ffd`3630864f eModel!LCIETab_ThreadProc+0x2bb
    11 000000dd`5253fc40 00007ffd`45f42d92 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
    12 000000dd`5253fc70 00007ffd`46269f64 kernel32!BaseThreadInitThunk+0x22
    13 000000dd`5253fca0 00000000`00000000 ntdll!RtlUserThreadStart+0x34
