Crash Dump Analysis Patterns (Part 6b)
NULL Data Pointer is a special case of the more general Invalid Pointer pattern, just as NULL Code Pointer is; the difference is that here the bad address is the memory operand of an otherwise valid instruction rather than EIP/RIP itself. The effective address is below 0xFFFF, inside the lowest 64 KB that Windows leaves unmapped in every address space so that such accesses fault instead of silently reading whatever happens to be there. It is usually formed from a register holding 0 plus a small offset, and that offset is the field offset inside the structure the code believed the register pointed to, for example:
0: kd> r
Last set context:
eax=8923b008 ebx=00000000 ecx=00000000 edx=8923b008 esi=891312d0 edi=89f0b300
eip=8081c7c4 esp=f1b5d7a4 ebp=f1b5d7a4 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!IoIsOperationSynchronous+0xe:
8081c7c4 f6412c02 test byte ptr [ecx+2Ch],2 ds:0023:0000002c=??
Here, after disassembling backwards from the faulting instruction (ub), we see a succession of dereferences starting from [EBP+8], the first stack argument. This means that a pointer to a structure (an IRP here) was passed to the function; that structure held a data pointer (loaded from [EAX+60h]) to a second structure, and the second structure held a NULL pointer at offset 18h, which was then loaded into ECX. The faulting instruction tests a byte at offset 2Ch from that NULL, so the effective address 0x2C is a plain field offset, not a corrupted value. The offsets are consistent with the 32-bit layouts of _IRP (Tail.Overlay.CurrentStackLocation at 0x60), _IO_STACK_LOCATION (FileObject at 0x18) and _FILE_OBJECT (Flags at 0x2C, with 2 being FO_SYNCHRONOUS_IO), which is exactly what IoIsOperationSynchronous consults; confirm them against the target's own symbols with dt nt!_IRP, dt nt!_IO_STACK_LOCATION and dt nt!_FILE_OBJECT rather than taking the names on trust:
0: kd> ub 8081c7c4
nt!IoIsOperationSynchronous:
8081c7b6 8bff mov edi,edi
8081c7b8 55 push ebp
8081c7b9 8bec mov ebp,esp
8081c7bb 8b4508 mov eax,dword ptr [ebp+8]
8081c7be 8b4860 mov ecx,dword ptr [eax+60h]
8081c7c1 8b4918 mov ecx,dword ptr [ecx+18h]
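To make the recognition step mechanical, here is an added Python helper; it is not part of the original post and the names are mine. It takes a WinDbg register dump (r or .cxr output) followed by the faulting instruction line, recomputes the effective address from the base register and displacement, checks it against the address WinDbg printed, and then classifies the access: NULL code pointer (EIP/RIP itself in the null partition), NULL data pointer (register is 0, displacement is the field offset), the wrap-around variant (a register such as 0xFFFFFFFF plus a small offset wrapping into the null partition, which a later comment on this page raises), or a general invalid pointer. X86_FAULT and X64_FAULT are the dumps quoted on this page; X86_WRAP is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows leaves the lowest 64 KB of every address space unmapped, so any
# effective address in that range is some form of NULL-based access.
NULL_PARTITION_END = 0x10000

# register lines: "eax=8923b008 ebx=00000000 ..." or "rax=... r8=... r15=..."
REG_RE = re.compile(r'\b([a-z][a-z0-9]{1,2})=([0-9a-f]+)\b')
# base+displacement memory operand: [ecx+2Ch], [rax+68h], [rdi], [esi-4]
# (scaled-index forms such as [rax+rcx*8] are deliberately not handled)
MEM_RE = re.compile(r'\[([a-z][a-z0-9]{1,2})(?:([+-])([0-9a-fA-F]+)h?)?\]')
# the effective address WinDbg appends after the operand:
#   x86: ds:0023:0000002c=??     x64: ds:00000000`00000068=????????????????
EA_RE = re.compile(r'\b[a-z]s:(?:[0-9a-f]{4}:)?([0-9a-f`]+)=')


@dataclass
class Fault:
    kind: str                 # null_code | null_data | null_data_wraparound | invalid
    bits: int
    base_reg: Optional[str]
    base_value: Optional[int]
    displacement: int
    effective: int


def classify_fault(dump: str) -> Fault:
    """Classify the access shown by a WinDbg register dump ('r' or '.cxr' output)
    followed by the faulting instruction line."""
    regs = {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(dump)}
    pc_name = 'rip' if 'rip' in regs else 'eip'
    bits = 64 if pc_name == 'rip' else 32
    mask = (1 << bits) - 1
    pc = regs[pc_name]
    # NULL Code Pointer: the instruction pointer itself is in the null partition.
    if pc < NULL_PARTITION_END:
        return Fault('null_code', bits, None, None, 0, pc)
    ea_m, mem_m = EA_RE.search(dump), MEM_RE.search(dump)
    if not (ea_m and mem_m):
        raise ValueError('no base+displacement operand with an effective address')
    reported = int(ea_m.group(1).replace('`', ''), 16)
    base_reg, sign, disp = mem_m.groups()
    displacement = int(disp, 16) if disp else 0
    if sign == '-':
        displacement = -displacement
    base = regs[base_reg]
    # Recompute the address from the registers; a mismatch means the register
    # dump and the instruction line come from different contexts (missing .cxr).
    computed = (base + displacement) & mask
    if computed != reported:
        raise ValueError(f'{base_reg}={base:#x} {displacement:+#x} -> {computed:#x}, '
                         f'but WinDbg reported {reported:#x}')
    if reported >= NULL_PARTITION_END:
        kind = 'invalid'               # general Invalid Pointer, not the NULL variant
    elif base == 0:
        kind = 'null_data'             # register is 0: displacement is the field offset
    else:
        kind = 'null_data_wraparound'  # e.g. 0xFFFFFFFF + 0xAC wraps to 0xAB
    return Fault(kind, bits, base_reg, base, displacement, reported)


# Sample inputs: X86_FAULT and X64_FAULT are register dumps quoted on this page;
# X86_WRAP is constructed to model the unsigned wrap-around variant.
X86_FAULT = """\
eax=8923b008 ebx=00000000 ecx=00000000 edx=8923b008 esi=891312d0 edi=89f0b300
eip=8081c7c4 esp=f1b5d7a4 ebp=f1b5d7a4 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!IoIsOperationSynchronous+0xe:
8081c7c4 f6412c02 test byte ptr [ecx+2Ch],2 ds:0023:0000002c=??
"""
X64_FAULT = """\
rax=0000000000000000 rbx=000000dd5253ce30 rcx=000000d515923a00
rdx=0000000000000000 rsi=0000000000000002 rdi=000000dd5253c940
rip=00007ffd1fbc98cc rsp=000000dd5253d060 rbp=000000dd5253d220
r8=000000d515923a00 r9=00000000ffffffff r10=0000000000000000
r11=000000dd5253d3c8 r12=00007ffd20002460 r13=000000dd636a3101
r14=000000dd51738000 r15=0000000000000c00
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
edgehtml!COmWindowProxy::PrivateAddRef+0x3c:
00007ffd`1fbc98cc 488b7868 mov rdi,qword ptr [rax+68h] ds:00000000`00000068=????????????????
"""
X86_WRAP = """\
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=ffffffff edi=00000000
eip=01001000 esp=0012ff00 ebp=0012ff10 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
module!Function+0x10:
01001000 8b86ac000000 mov eax,dword ptr [esi+0ACh] ds:0023:000000ab=????????
"""

if __name__ == '__main__':
    for name, dump in (('x86', X86_FAULT), ('x64', X64_FAULT), ('wrap', X86_WRAP)):
        print(name, classify_fault(dump))
```

The recomputation step is the part worth keeping even if you never script this: if the register values and the printed effective address disagree, you are looking at a register dump from a different context than the faulting instruction, and the displacement you read off the operand is meaningless until the right context has been set.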
Next post will feature a full case study.
Note: pointers are discussed in great detail in my latest book: Windows Debugging: Practical Foundations
- Dmitry Vostokov @ DumpAnalysis.org -
April 15th, 2009 at 3:05 pm
[…] (0x7DA) - The Year of Dump Analysis Here is the promised case study for the previous post about data NULL pointers. The complete dump has this […]
April 28th, 2009 at 5:55 pm
[…] GUI-enhancing hooking and patching 3rd-party products. The dump was analyzed and it shows the data NULL pointer access […]
May 13th, 2009 at 4:20 pm
[…] can think that ESI was 0 but it was 0xFFFFFFFF. Adding 0xAC to it produced an effective NULL data pointer 0xAB through integer addition overflow if we consider addition as unsigned. It is easy to see the […]
June 20th, 2009 at 12:29 am
[…] We got a bugcheck when accessing a NULL data pointer: […]
July 12th, 2009 at 6:09 pm
[…] 32-bit WOW64 process was crashing when accessing a direct NULL data pointer with the following stack […]
July 27th, 2009 at 8:03 pm
[…] clearly have an instance of a NULL pointer data access. If we try to match this stack trace to known faults in database we would probably […]
March 24th, 2010 at 11:16 am
[…] we introduce an icon for NULL Pointer (data) […]
October 7th, 2016 at 6:44 am
Another example, one that also shows the .cxr command in an x64 context:
0:006> k
# Child-SP RetAddr Call Site
00 000000a9`be019378 00007ffe`1b11918f ntdll!NtWaitForMultipleObjects+0xa
01 000000a9`be019380 00007ffe`1b11908e KERNELBASE!WaitForMultipleObjectsEx+0xef
02 000000a9`be019680 00007ffe`1b92155c KERNELBASE!WaitForMultipleObjects+0xe
03 000000a9`be0196c0 00007ffe`1b921088 kernel32!BasepReportFault+0x54c
04 000000a9`be019c30 00007ffe`1b1403cd kernel32!BasepReportFault+0x78
05 000000a9`be019c60 00007ffe`1dd8dbf6 KERNELBASE!UnhandledExceptionFilter+0x1fd
06 000000a9`be019d60 00007ffe`1dd65680 ntdll!LdrpLogFatalUserCallbackException+0x56
07 000000a9`be019e90 00007ffe`1dd6666d ntdll!KiUserCallbackDispatcherHandler+0x20
08 000000a9`be019ed0 00007ffe`1dce3c00 ntdll!RtlpExecuteHandlerForException+0xd
09 000000a9`be019f00 00007ffe`1dd6577a ntdll!RtlDispatchException+0x370
0a 000000a9`be01a600 00007ffd`f98e8f69 ntdll!KiUserExceptionDispatch+0x3a
0b 000000a9`be01ad00 00007ffd`f98e5c94 edgehtml!CWebPlatformTridentHost::LoadNewWindowContent+0x35
0c 000000a9`be01ad90 00007ffe`1b84b0b3 edgehtml!CWebPlatform::LoadNewWindowContent+0x64
0d 000000a9`be01ae10 00007ffe`1b80521e rpcrt4!Invoke+0x73
0e 000000a9`be01aea0 00007ffe`1b83aaba rpcrt4!NdrStubCall2+0x34e
0f 000000a9`be01b4f0 00007ffe`1d414b1b rpcrt4!NdrStubCall3+0xea
10 000000a9`be01b560 00007ffe`1d4c25b2 combase!CStdStubBuffer_Invoke+0x6b
11 000000a9`be01b5a0 00007ffe`1d490845 combase!CoGetContextToken+0x262
12 000000a9`be01b610 00007ffe`1d47f95e combase!CoCreateFreeThreadedMarshaler+0x5735
13 000000a9`be01b830 00007ffe`1d48219e combase!CoGetObjectContext+0x9bce
14 000000a9`be01bb00 00007ffe`1d4842bf combase!CoGetObjectContext+0xc40e
15 000000a9`be01bcb0 00007ffe`1d47da9c combase!CoGetObjectContext+0xe52f
16 000000a9`be01bf40 00007ffe`1ba300dc combase!CoGetObjectContext+0x7d0c
17 000000a9`be01c090 00007ffe`1ba2fc07 user32!UserCallWinProcCheckWow+0x1fc
18 000000a9`be01c180 00007ffe`1d4865e9 user32!DispatchMessageWorker+0x1a7
19 000000a9`be01c200 00007ffe`1d486b8f combase!CoGetObjectContext+0x10859
1a 000000a9`be01c270 00007ffe`1d491c2d combase!CoGetObjectContext+0x10dff
1b 000000a9`be01c2d0 00007ffe`1d48d7a9 combase!CoCreateFreeThreadedMarshaler+0x6b1d
1c 000000a9`be01c420 00007ffe`1d48e215 combase!CoCreateFreeThreadedMarshaler+0x2699
1d 000000a9`be01c600 00007ffe`1d41475b combase!CoCreateFreeThreadedMarshaler+0x3105
1e 000000a9`be01c7c0 00007ffe`1b8aa340 combase!NdrOleDllGetClassObject+0xf2b
1f 000000a9`be01c830 00007ffe`1d414544 rpcrt4!NdrpClientCall3+0x460
20 000000a9`be01cc20 00007ffe`1d51f192 combase!NdrOleDllGetClassObject+0xd14
21 000000a9`be01cfb0 00007ffe`1d4a8b8d combase!ObjectStublessClient32+0xfc32
22 000000a9`be01d000 00007ffe`1d4a8a65 combase!CoWaitForMultipleHandles+0x3cd
23 000000a9`be01d070 00007ffe`1d49849d combase!CoWaitForMultipleHandles+0x2a5
24 000000a9`be01d110 00007ffe`1d49cc3a combase!CoCreateFreeThreadedMarshaler+0xd38d
25 000000a9`be01d2e0 00007ffe`1d48b6d0 combase!CoCreateFreeThreadedMarshaler+0x11b2a
26 000000a9`be01d3e0 00007ffe`1d4113f7 combase!CoCreateFreeThreadedMarshaler+0x5c0
27 000000a9`be01d430 00007ffe`1d94bd66 combase!CStdStubBuffer2_QueryInterface+0x117
28 000000a9`be01d460 00007ffd`f05ebef0 oleaut32!VariantClear+0x176
29 000000a9`be01d490 00007ffd`f05ed839 eModel!CIEFrameAuto::SetOwner+0x2b0
2a 000000a9`be01d4f0 00007ffd`f05f7892 eModel!CBrowserTabBase::v_OnDestroy+0x69
2b 000000a9`be01d520 00007ffd`f05f5247 eModel!CBrowserTab::v_OnDestroy+0x12
2c 000000a9`be01d550 00007ffd`f05f1b1b eModel!CBrowserTab::v_WndProc+0x447
2d 000000a9`be01d710 00007ffe`1ba300dc eModel!CBrowserTab::s_WndProc+0x5b
2e 000000a9`be01d760 00007ffe`1ba2fe52 user32!UserCallWinProcCheckWow+0x1fc
2f 000000a9`be01d850 00007ffe`1ba3d3fe user32!DispatchClientMessage+0xa2
30 000000a9`be01d8b0 00007ffe`1dd65714 user32!_fnDWORD+0x3e
31 000000a9`be01d910 00007ffe`1ba5061a ntdll!KiUserCallbackDispatcherContinue
32 000000a9`be01d998 00007ffd`f05f6c8c user32!NtUserDestroyWindow+0xa
33 000000a9`be01d9a0 00007ffd`f05f6ebb eModel!CBrowserTab::_DoFinalCleanup+0x35c
34 000000a9`be01da50 00007ffd`f05f6620 eModel!CBrowserTab::_OnConfirmedClose+0x2f
35 000000a9`be01da80 00007ffd`f05cf026 eModel!CBrowserTab::OnClose+0x170
36 000000a9`be01dae0 00007ffd`f063065b eModel!CTabWindow::_TabWindowThreadProc+0x7a6
37 000000a9`be01fd40 00007ffe`1326856f eModel!LCIETab_ThreadProc+0x2bb
38 000000a9`be01fe70 00007ffe`1b912d92 iertutil!IEGetTabWindowExports+0x2f
39 000000a9`be01fea0 00007ffe`1dcd9f64 kernel32!BaseThreadInitThunk+0x22
3a 000000a9`be01fed0 00000000`00000000 ntdll!RtlUserThreadStart+0x34
0:006> .cxr 000000a9`be01a600
rax=0000000001000002 rbx=0000000000000009 rcx=0000000000000000
rdx=000000a9be2d1300 rsi=000000a9be01ade0 rdi=0000000000000000
rip=00007ffdf98e8f69 rsp=000000a9be01ad00 rbp=000000a9be2d1190
r8=000000a9be2d1190 r9=000000a9be01ade0 r10=00007ffdf98e5c30
r11=0000000000001000 r12=00007ffdf1b47382 r13=000000a9c01fc358
r14=000000a9be2d1300 r15=000000a9be01b5a0
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
edgehtml!CWebPlatformTridentHost::LoadNewWindowContent+0x35:
00007ffd`f98e8f69 488b07 mov rax,qword ptr [rdi] ds:00000000`00000000=????????????????
0:006> kc
*** Stack trace for last set context - .thread/.cxr resets it
# Call Site
00 edgehtml!CWebPlatformTridentHost::LoadNewWindowContent
01 edgehtml!CWebPlatform::LoadNewWindowContent
02 rpcrt4!Invoke
03 rpcrt4!NdrStubCall2
04 rpcrt4!NdrStubCall3
05 combase!CStdStubBuffer_Invoke
06 combase!CoGetContextToken
07 combase!CoCreateFreeThreadedMarshaler
08 combase!CoGetObjectContext
09 combase!CoGetObjectContext
0a combase!CoGetObjectContext
0b combase!CoGetObjectContext
0c user32!UserCallWinProcCheckWow
0d user32!DispatchMessageWorker
0e combase!CoGetObjectContext
0f combase!CoGetObjectContext
10 combase!CoCreateFreeThreadedMarshaler
11 combase!CoCreateFreeThreadedMarshaler
12 combase!CoCreateFreeThreadedMarshaler
13 combase!NdrOleDllGetClassObject
14 rpcrt4!NdrpClientCall3
15 combase!NdrOleDllGetClassObject
16 combase!ObjectStublessClient32
17 combase!CoWaitForMultipleHandles
18 combase!CoWaitForMultipleHandles
19 combase!CoCreateFreeThreadedMarshaler
1a combase!CoCreateFreeThreadedMarshaler
1b combase!CoCreateFreeThreadedMarshaler
1c combase!CStdStubBuffer2_QueryInterface
1d oleaut32!VariantClear
1e eModel!CIEFrameAuto::SetOwner
1f eModel!CBrowserTabBase::v_OnDestroy
20 eModel!CBrowserTab::v_OnDestroy
21 eModel!CBrowserTab::v_WndProc
22 eModel!CBrowserTab::s_WndProc
23 user32!UserCallWinProcCheckWow
24 user32!DispatchClientMessage
25 user32!_fnDWORD
26 ntdll!KiUserCallbackDispatcherContinue
27 user32!NtUserDestroyWindow
28 eModel!CBrowserTab::_DoFinalCleanup
29 eModel!CBrowserTab::_OnConfirmedClose
2a eModel!CBrowserTab::OnClose
2b eModel!CTabWindow::_TabWindowThreadProc
2c eModel!LCIETab_ThreadProc
2d iertutil!IEGetTabWindowExports
2e kernel32!BaseThreadInitThunk
2f ntdll!RtlUserThreadStart
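As an added example (not part of this comment or the original post, and with function names of my own), the following Python turns x64 k output into the .cxr command used above. It relies on one fact about the x64 exception dispatch path: the kernel places the CONTEXT record at the user stack pointer on entry to ntdll!KiUserExceptionDispatch, with the EXCEPTION_RECORD immediately after it at CONTEXT + 0x4D0 (sizeof(CONTEXT) on x64). That frame's Child-SP is therefore the .cxr argument, which is why .cxr 000000a9`be01a600 matches the Child-SP of frame 0a above, and Child-SP + 0x4D0 is the .exr argument to verify the exception code. The sample stacks are excerpts of the two k listings on this page.

```python
import re
from typing import Optional, Tuple

# One frame of WinDbg x64 `k` output:
# "0a 000000a9`be01a600 00007ffd`f98e8f69 ntdll!KiUserExceptionDispatch+0x3a"
FRAME_RE = re.compile(
    r'^\s*([0-9a-f]{2})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+(\S+)')

# sizeof(CONTEXT) on x64; the EXCEPTION_RECORD follows the CONTEXT on the stack.
CONTEXT_SIZE_X64 = 0x4D0


def find_exception_context(k_output: str) -> Optional[Tuple[int, int]]:
    """Return (frame number, Child-SP) of the ntdll!KiUserExceptionDispatch frame,
    or None when the thread is stopped directly at its faulting instruction."""
    for line in k_output.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frame, child_sp, _ret_addr, call_site = m.groups()
        if call_site.startswith('ntdll!KiUserExceptionDispatch'):
            return int(frame, 16), int(child_sp.replace('`', ''), 16)
    return None


def _fmt(addr: int) -> str:
    """Format a 64-bit address the way WinDbg prints it (backtick in the middle)."""
    return '%08x`%08x' % (addr >> 32, addr & 0xffffffff)


def cxr_command(k_output: str) -> Optional[str]:
    hit = find_exception_context(k_output)
    return None if hit is None else '.cxr ' + _fmt(hit[1])


def exr_command(k_output: str) -> Optional[str]:
    hit = find_exception_context(k_output)
    return None if hit is None else '.exr ' + _fmt(hit[1] + CONTEXT_SIZE_X64)


# Constructed excerpts of the two `k` listings quoted on this page: one with the
# exception dispatch frames present, one stopped at the faulting instruction.
K_WITH_DISPATCH = """\
 # Child-SP          RetAddr           Call Site
08 000000a9`be019ed0 00007ffe`1dce3c00 ntdll!RtlpExecuteHandlerForException+0xd
09 000000a9`be019f00 00007ffe`1dd6577a ntdll!RtlDispatchException+0x370
0a 000000a9`be01a600 00007ffd`f98e8f69 ntdll!KiUserExceptionDispatch+0x3a
0b 000000a9`be01ad00 00007ffd`f98e5c94 edgehtml!CWebPlatformTridentHost::LoadNewWindowContent+0x35
0c 000000a9`be01ad90 00007ffe`1b84b0b3 edgehtml!CWebPlatform::LoadNewWindowContent+0x64
"""
K_AT_FAULT = """\
 # Child-SP          RetAddr           Call Site
00 000000dd`5253d060 00007ffd`1fbc9850 edgehtml!COmWindowProxy::PrivateAddRef+0x3c
01 000000dd`5253d090 00007ffd`1fbc97eb edgehtml!CEventPathBuilder::SetProxy+0x20
"""

if __name__ == '__main__':
    print(cxr_command(K_WITH_DISPATCH), exr_command(K_WITH_DISPATCH))
    print(cxr_command(K_AT_FAULT))
```

The None result for the second stack is the point of the check: when the faulting instruction is already frame 00 (as in the r output in the next comment), the current context is the one to read and .cxr would only lead you astray. The ntdll!KiUserCallbackDispatcher frames that also appear in these stacks are a different mechanism (kernel-to-user callbacks for window messages) and carry no CONTEXT to switch to.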
February 19th, 2017 at 10:21 am
0:004> r
rax=0000000000000000 rbx=000000dd5253ce30 rcx=000000d515923a00
rdx=0000000000000000 rsi=0000000000000002 rdi=000000dd5253c940
rip=00007ffd1fbc98cc rsp=000000dd5253d060 rbp=000000dd5253d220
r8=000000d515923a00 r9=00000000ffffffff r10=0000000000000000
r11=000000dd5253d3c8 r12=00007ffd20002460 r13=000000dd636a3101
r14=000000dd51738000 r15=0000000000000c00
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
edgehtml!COmWindowProxy::PrivateAddRef+0x3c:
00007ffd`1fbc98cc 488b7868 mov rdi,qword ptr [rax+68h] ds:00000000`00000068=????????????????
0:004> k
# Child-SP RetAddr Call Site
00 000000dd`5253d060 00007ffd`1fbc9850 edgehtml!COmWindowProxy::PrivateAddRef+0x3c
01 000000dd`5253d090 00007ffd`1fbc97eb edgehtml!CEventPathBuilder::SetProxy+0x20
02 000000dd`5253d0c0 00007ffd`1fbcb79b edgehtml!CEventPathBuilder::AppendWindowTarget+0x47
03 000000dd`5253d0f0 00007ffd`1fbc5189 edgehtml!CWindow::BuildEventPath+0x1b
04 000000dd`5253d120 00007ffd`1faec7f1 edgehtml!CEventMgr::Dispatch+0x5c9
05 000000dd`5253d3d0 00007ffd`1faeb7cc edgehtml!CMessagePort::HandlePostMessage+0x10d
06 000000dd`5253d450 00007ffd`1fc4b667 edgehtml!CMessageDispatcher::ProcessNotification+0x5c
07 000000dd`5253d480 00007ffd`1fd521d1 edgehtml!GlobalWndOnPaintPriorityMethodCall+0x457
08 000000dd`5253d570 00007ffd`43a900dc edgehtml!GlobalWndProc+0x101
09 000000dd`5253d5f0 00007ffd`43a8fe52 user32!UserCallWinProcCheckWow+0x1fc
0a 000000dd`5253d6e0 00007ffd`43a9d3fe user32!DispatchClientMessage+0xa2
0b 000000dd`5253d740 00007ffd`462f5714 user32!_fnDWORD+0x3e
0c 000000dd`5253d7a0 00007ffd`43aaffba ntdll!KiUserCallbackDispatcherContinue
0d 000000dd`5253d828 00007ffd`43a8fca7 user32!NtUserDispatchMessage+0xa
0e 000000dd`5253d830 00007ffd`19c6eee8 user32!DispatchMessageWorker+0x247
0f 000000dd`5253d8b0 00007ffd`19cd0bdb eModel!CTabWindow::_TabWindowThreadProc+0x5b8
10 000000dd`5253fb10 00007ffd`3630864f eModel!LCIETab_ThreadProc+0x2bb
11 000000dd`5253fc40 00007ffd`45f42d92 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
12 000000dd`5253fc70 00007ffd`46269f64 kernel32!BaseThreadInitThunk+0×22
13 000000dd`5253fca0 00000000`00000000 ntdll!RtlUserThreadStart+0×34