******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* KERNEL_SECURITY_CHECK_FAILURE (139) A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine. Arguments: Arg1: 0000000000000002, Stack cookie instrumentation code detected a stack-based buffer overrun. Arg2: fffff8016c46a790, Address of the trap frame for the exception that caused the BugCheck Arg3: fffff8016c46a6e8, Address of the exception record for the exception that caused the BugCheck Arg4: 0000000000000000, Reserved Debugging Details: ------------------ KEY_VALUES_STRING: 1 Key : Analysis.CPU.mSec Value: 1312 Key : Analysis.DebugAnalysisManager Value: Create Key : Analysis.Elapsed.mSec Value: 1990 Key : Analysis.Init.CPU.mSec Value: 218 Key : Analysis.Init.Elapsed.mSec Value: 2841 Key : Analysis.Memory.CommitPeak.Mb Value: 112 Key : FailFast.Name Value: STACK_COOKIE_CHECK_FAILURE Key : FailFast.Type Value: 2 Key : WER.OS.Branch Value: co_release Key : WER.OS.Timestamp Value: 2021-06-04T16:28:00Z Key : WER.OS.Version Value: 10.0.22000.1 FILE_IN_CAB: 042322-12906-01.dmp TAG_NOT_DEFINED_202b: *** Unknown TAG in analysis list 202b BUGCHECK_CODE: 139 BUGCHECK_P1: 2 BUGCHECK_P2: fffff8016c46a790 BUGCHECK_P3: fffff8016c46a6e8 BUGCHECK_P4: 0 TRAP_FRAME: fffff8016c46a790 -- (.trap 0xfffff8016c46a790) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000002 rdx=0000000000000c80 rsi=0000000000000000 rdi=0000000000000000 rip=fffff801eb43aee5 rsp=fffff8016c46a928 rbp=ffffa40b25a28098 r8=ffffa40b281d2050 r9=0000000000000000 r10=ffffa40b12010300 r11=fffff8016c46a890 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz ac pe cy NetAdapterCx!RtlFailFast+0x5 [inlined in NetAdapterCx!__report_gsfailure+0x5]: fffff801`eb43aee5 cd29 int 29h Resetting default scope EXCEPTION_RECORD: fffff8016c46a6e8 -- (.exr 0xfffff8016c46a6e8) ExceptionAddress: fffff801eb43aee5 (NetAdapterCx!RtlFailFast+0x0000000000000005) ExceptionCode: c0000409 (Security check failure or stack buffer overrun) ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 0000000000000002 Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE BLACKBOXBSD: 1 (!blackboxbsd) BLACKBOXNTFS: 1 (!blackboxntfs) BLACKBOXPNP: 1 (!blackboxpnp) BLACKBOXWINLOGON: 1 CUSTOMER_CRASH_COUNT: 1 PROCESS_NAME: System FAULTING_LOCAL_VARIABLE_NAME: translatedEntries GSFAILURE_FUNCTION: NetAdapterCx!RxScaling::SetIndirectionEntries GSFAILURE_MODULE_COOKIE: NetAdapterCx!__security_cookie [ fffff801eb444cc0 ] GSFAILURE_FRAME_COOKIE: 000052da6c46a930 GSFAILURE_FRAME_COOKIE_COMPLEMENT: ffffffffffffffff GSFAILURE_CORRUPTED_COOKIE: 000052da6c46a930 [ fffff8016c46b380 ] SECURITY_COOKIE: Expected 0000000000000000 found 000052da6c46a930 GSFAILURE_OVERRUN_LOCAL: translatedEntries (fffff8016c46a980 to fffff8016c46b37f) GSFAILURE_ANALYSIS_TEXT: !gs output: Corruption occurred in NetAdapterCx!RxScaling::SetIndirectionEntries or one of its callees Analyzing __report_gsfailure frame (5)... LEA usage: Function @0xFFFFF801`EB42826C - 0xFFFFF801`EB42852F is NOT using LEA Error reading module canary at 0xFFFFF801`EB444CC0. Fatal error - aborting analysis! Mem->Reg @ 0xFFFFF801`EB428285: mov rax,qword ptr [FFFFF801EB444CC0h] (NetAdapterCx!__security_cookie) Canary addr at gsfailure frame: 0xFFFFF801`6C46B380 Canary at gsfailure frame: 0xFFFFAADB`00000000 Canary Complement addr at gsfailure frame not found. (Non-fatal) Canary complement at gsfailure frame: 0xFFFFFFFF`FFFFFFFF Analyzing faulting frame(5)... Mem->Reg @ 0xFFFFF801`EB428285: mov rax,qword ptr [FFFFF801EB444CC0h] (NetAdapterCx!__security_cookie) Stack canary at 0xFFFFF801`6C46B380: 0xFFFFAADB`00000000 (Type: 3 = XOR with SP) Canary value in Rcx: 0x00000000`00000000 Stack Canary Address:0xFFFFF801`6C46B380 Expected Canary: 0xFFFFF801`6C46A930 Canary on Stack: 0xFFFFAADB`00000000 Canary in register matches module canary Stack Canary does NOT match module canary Rcx Value (0x00000000`00000000) disagrees with Stack Canary (0x000052DA`6C46A930) , but CX is NULL; skipcheck for CX Not sure why the real canary differs from the canary at gsfailure frame Function prolog (64-bit) is *not* using frame pointer Function NetAdapterCx!RxScaling::SetIndirectionEntries: 0xFFFFF801`6C46A970 - 0xFFFFF801`6C46A974 processorNumber _PROCESSOR_NUMBER 0xFFFFF801`6C46A974 - 0xFFFFF801`6C46A980 ----- NA ---- - Not Allocated - 0xFFFFF801`6C46A980 - 0xFFFFF801`6C46B380 translatedEntries RxScaling::TranslatedIndirectionEntries 0xFFFFF801`6C46B380 - 0xFFFFF801`6C46B388 --- Canary -- Canary (0xFFFFAADB`00000000 ) 0xFFFFF801`6C46B388 - 0xFFFFF801`6C46B3B0 ----- NA ---- - Not Allocated - 0xFFFFF801`6C46B3B0 - 0xFFFFF801`6C46B3B8 ----- BP ---- Saved BP (0xFFFFF402`EA31C010 ) 0xFFFFF801`6C46B3B8 - 0xFFFFF801`6C46B3C0 -- RetAddr -- RA (0xFFFFF801`EB4239FA - OK) ------------------------------------------------------ Candidate buffer : translatedEntries 0xFFFFF801`6C46A980 to 0xFFFFF801`6C46B37F 0xFFFFF8016C46A980 48 25 03 de f4 5b 00 00-00 00 00 00 00 00 00 00 H%...[.......... 0xFFFFF8016C46A990 48 25 03 de f4 5b 00 00-00 00 00 00 00 00 00 00 H%...[.......... ... 0xFFFFF8016C46B364 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0xFFFFF8016C46B374 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ Stack buffer overrun analysis completed successfully. GS_FALSE_POSITIVE: TRUE ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE_STR: c0000409 EXCEPTION_PARAMETER1: 0000000000000002 STACK_TEXT: fffff801`6c46a468 fffff801`70e295a9 : 00000000`00000139 00000000`00000002 fffff801`6c46a790 fffff801`6c46a6e8 : nt!KeBugCheckEx fffff801`6c46a470 fffff801`70e299f2 : 00000000`00000103 00000000`00000000 ffffa40b`2701c150 ffffa40b`2375ed20 : nt!KiBugCheckDispatch+0x69 fffff801`6c46a5b0 fffff801`70e27cd2 : ffffa40b`22f8f050 fffff801`eb4332f4 ffffa40b`1aeffec0 ffffa40b`26bc0302 : nt!KiFastFailDispatch+0xb2 fffff801`6c46a790 fffff801`eb43aee5 : fffff801`eb42852f ffffa40b`25a28084 ffffa40b`25a28098 ffffa40b`25a28cbc : nt!KiRaiseSecurityCheckFailure+0x312 fffff801`6c46a928 fffff801`eb42852f : ffffa40b`25a28084 ffffa40b`25a28098 ffffa40b`25a28cbc ffffa40b`26bc0370 : NetAdapterCx!__report_gsfailure+0x5 [minkernel\tools\gs_support\kmodefastfail\gs_report.c @ 37] fffff801`6c46a930 fffff801`eb4239fa : 00000001`ffffffff 000000ca`00000002 00000000`00000000 ffffa40b`235f9c70 : NetAdapterCx!RxScaling::SetIndirectionEntries+0x2c3 [minio\netcx\translator\rxscaling.cpp @ 760] fffff801`6c46b3c0 fffff801`eb40a504 : 00000000`00000000 fffff801`734db050 fffff402`ea31c010 ffffa40b`25f9d920 : NetAdapterCx!NetClientAdapterNdisOidRequestHandler+0xba [minio\netcx\translator\nxtranslationapp.cpp @ 305] fffff801`6c46b4e0 fffff801`734a0cf4 : ffffa40b`00000000 ffffa40b`234d5030 ffffa40b`25752ab0 fffff801`733f620c : NetAdapterCx!EvtNdisSynchronousOidRequestHandler+0x54 [minio\netcx\adapter\nxadapter.cpp @ 2569] fffff801`6c46b510 fffff801`734a0f95 : ffffa40b`234d5030 fffff801`6c46b639 00000000`00000000 fffff402`ea31c010 : ndis!ndisMInvokeSynchronousOidRequest+0x7c fffff801`6c46b560 fffff801`73470bbd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisSynchronousOidRequestInternal+0x221 fffff801`6c46b6a0 fffff801`70c447e1 : fffff801`6c46ba40 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisEmulateRSSv1Dpc+0x1d fffff801`6c46b6d0 fffff801`70c437e2 : 00000000`00000000 fffff801`6c46b9d0 fffff801`6c16a180 00000000`000204f3 : nt!KiExecuteAllDpcs+0x491 fffff801`6c46b8d0 fffff801`70e1a8ee : 00000000`00000000 fffff801`6c16a180 fffff801`71735bc0 ffffa40b`1c6be580 : nt!KiRetireDpcList+0x2a2 fffff801`6c46bb80 00000000`00000000 : fffff801`6c46c000 fffff801`6c465000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x9e FAULTING_SOURCE_LINE: minio\netcx\translator\rxscaling.cpp FAULTING_SOURCE_FILE: minio\netcx\translator\rxscaling.cpp FAULTING_SOURCE_LINE_NUMBER: 760 FAULTING_SOURCE_CODE: No source found for 'minio\netcx\translator\rxscaling.cpp' SYMBOL_NAME: NetAdapterCx!RxScaling::SetIndirectionEntries+2c3 MODULE_NAME: NetAdapterCx IMAGE_NAME: NetAdapterCx.sys IMAGE_VERSION: 10.0.22000.613 STACK_COMMAND: .cxr; .ecxr ; kb BUCKET_ID_FUNC_OFFSET: 2c3 FAILURE_BUCKET_ID: 0x139_MATCHED_FRAME_COOKIE_NetAdapterCx!RxScaling::SetIndirectionEntries OS_VERSION: 10.0.22000.1 BUILDLAB_STR: co_release OSPLATFORM_TYPE: x64 OSNAME: Windows 10 FAILURE_ID_HASH: {fe27b144-0a3b-2d81-6be9-99398f653b8a} Followup: MachineOwner ---------