Bugcheck 7e SysThreadExceptionNotHandled forNtfsPositionCachedLcnByLength+0x158. Attempted to dereference nullptr

T

TomTheFurry

Not sure if this is the correct place to post this, but got a random Bugcheck when doing not much at all. Also not sure where to upload the MEMORY.DMP. I believe this is a nullptr dereference in NTFS system. Posting this DUMP because not sure if this could potancially be exploited or not. The below so some of the WinDbg.exe result:


Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64

Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\tomle\Desktop\window BSOD\MEMORY.DMP]

Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************

Response Time (ms) Location

Deferred SRV*C:\Windows\symbol_cache*Symbol information

Symbol search path is: SRV*C:\Windows\symbol_cache*Symbol information

Executable search path is:

Windows 10 Kernel Version 19041 MP (8 procs) Free x64

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Built by: 19041.1.amd64fre.vb_release.191206-1406

Machine Name:

Kernel base = 0xfffff802`17a00000 PsLoadedModuleList = 0xfffff802`1862a390

Debug session time: Mon Feb 15 14:50:36.956 2021 (UTC + 8:00)

System Uptime: 3 days 21:14:33.959

Loading Kernel Symbols

...............................................................

....Page 66dfd2 not present in the dump file. Type ".hh dbgerr004" for details

.......Page 361621 not present in the dump file. Type ".hh dbgerr004" for details

.....................................................

............................................................

Loading User Symbols


Loading unloaded module list

...............................

For analysis of this file, run !analyze -v

3: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************


SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)

This is a very common bugcheck. Usually the exception address pinpoints

the driver/function that caused the problem. Always note this address

as well as the link date of the driver/image that contains this address.

Arguments:

Arg1: ffffffffc0000005, The exception code that was not handled

Arg2: fffff8021c73f350, The address that the exception occurred at

Arg3: fffff50e181669f8, Exception Record Address

Arg4: fffff50e18166230, Context Record Address


Debugging Details:

------------------


KEY_VALUES_STRING: 1


Key : AV.Dereference

Value: NullClassPtr


Key : AV.Fault

Value: Read


Key : Analysis.CPU.Sec

Value: 1


Key : Analysis.DebugAnalysisProvider.CPP

Value: Create: 8007007e on DESKTOP-JLN4ALO


Key : Analysis.DebugData

Value: CreateObject


Key : Analysis.DebugModel

Value: CreateObject


Key : Analysis.Elapsed.Sec

Value: 1


Key : Analysis.Memory.CommitPeak.Mb

Value: 72


Key : Analysis.System

Value: CreateObject


BUGCHECK_CODE: 7e


BUGCHECK_P1: ffffffffc0000005


BUGCHECK_P2: fffff8021c73f350


BUGCHECK_P3: fffff50e181669f8


BUGCHECK_P4: fffff50e18166230


EXCEPTION_RECORD: fffff50e181669f8 -- (.exr 0xfffff50e181669f8)

ExceptionAddress: fffff8021c73f350 (Ntfs!NtfsPositionCachedLcnByLength+0x0000000000000158)

ExceptionCode: c0000005 (Access violation)

ExceptionFlags: 00000000

NumberParameters: 2

Parameter[0]: 0000000000000000

Parameter[1]: 0000000000000002

Attempt to read from address 0000000000000002


CONTEXT: fffff50e18166230 -- (.cxr 0xfffff50e18166230)

rax=0000000000000000 rbx=000000000000ffff rcx=000000000000ffff

rdx=000000000002fffd rsi=0000000000000000 rdi=ffff8d8a48757000

rip=fffff8021c73f350 rsp=fffff50e18166c30 rbp=ffff8d8a6977bb28

r8=000000000000006f r9=0000000000000060 r10=0000000000000000

r11=000000000000007f r12=0000000000000000 r13=000000000000ffff

r14=0000000000000000 r15=ffff8d8a4afb2790

iopl=0 nv up ei pl zr na po nc

cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246

Ntfs!NtfsPositionCachedLcnByLength+0x158:

fffff802`1c73f350 450fb74202 movzx r8d,word ptr [r10+2] ds:002b:00000000`00000002=????

Resetting default scope


BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1


PROCESS_NAME: System


READ_ADDRESS: 0000000000000002


ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.


EXCEPTION_CODE_STR: c0000005


EXCEPTION_PARAMETER1: 0000000000000000


EXCEPTION_PARAMETER2: 0000000000000002


EXCEPTION_STR: 0xc0000005


STACK_TEXT:

fffff50e`18166c30 fffff802`1c7d4619 : ffff8d8a`6977000c 00000000`00000002 00000000`00000000 00000000`00000000 : Ntfs!NtfsPositionCachedLcnByLength+0x158

fffff50e`18166c90 fffff802`1c73fb29 : ffff8d8a`6977bb28 00000000`00000001 00000000`187e3e95 fffff50e`18166dc0 : Ntfs!NtfsGetCachedLengthInsertionPoint+0x94dfd

fffff50e`18166ce0 fffff802`1c61ee1d : fffff50e`18166dc0 ffff8d8a`6977bb28 ffff8d8a`6977bb28 00000000`00000000 : Ntfs!NtfsInsertCachedLcnAtIndex+0x29

fffff50e`18166d50 fffff802`1c61ec31 : ffffda01`d0cd0998 ffff8d8a`642de050 ffffda01`d0cd0998 00000000`00000000 : Ntfs!NtfsInsertCachedLcn+0x1c9

fffff50e`18166e00 fffff802`1c7403b3 : ffffda01`d0cd0998 00000000`00000000 ffff8d8a`642de050 00000000`00000000 : Ntfs!NtfsInsertCachedRunInTier+0x55

fffff50e`18166ea0 fffff802`1c78d368 : 00000000`00000000 00000000`0000d000 00000000`187e3ea2 00000000`00000001 : Ntfs!NtfsAddCachedRun+0x12b

fffff50e`18166f20 fffff802`1c78c9fd : ffffda01`d67cf180 ffffda01`d67cf180 00000000`00000000 00000000`00000001 : Ntfs!NtfsScanEntireBitmap+0x2e4

fffff50e`18167360 fffff802`1c7953d4 : ffffda01`d0cd0998 ffffda01`d67cf180 ffffda01`d67cf250 00000000`00000000 : Ntfs!NtfsInitializeClusterAllocation+0x9d

fffff50e`181673e0 fffff802`1c751f23 : ffffda01`d0cd0998 00000000`0191bdda 00000000`1c625700 fffff802`1c632ee9 : Ntfs!NtfsMountVolume+0x1f44

fffff50e`18167850 fffff802`1c625da4 : ffffda01`d0cd0998 fffff802`1c625750 00000000`00000000 ffffda01`d0cd0998 : Ntfs!NtfsCommonFileSystemControl+0xcf

fffff50e`18167920 fffff802`17c25975 : ffffda01`d53ce040 ffffda01`d53ce040 ffffda01`bfa937f0 ffffda01`00000000 : Ntfs!NtfsFspDispatch+0x654

fffff50e`18167a70 fffff802`17d17e25 : ffffda01`d53ce040 00000000`00000080 ffffda01`bfaa8040 00000000`00000000 : nt!ExpWorkerThread+0x105

fffff50e`18167b10 fffff802`17dfd0d8 : ffffa181`047d7180 ffffda01`d53ce040 fffff802`17d17dd0 00000000`00000000 : nt!PspSystemThreadStartup+0x55

fffff50e`18167b60 00000000`00000000 : fffff50e`18168000 fffff50e`18161000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


SYMBOL_NAME: Ntfs!NtfsPositionCachedLcnByLength+158


MODULE_NAME: Ntfs


IMAGE_NAME: Ntfs.sys


IMAGE_VERSION: 10.0.19041.804


STACK_COMMAND: .cxr 0xfffff50e18166230 ; kb


BUCKET_ID_FUNC_OFFSET: 158


FAILURE_BUCKET_ID: AV_Ntfs!NtfsPositionCachedLcnByLength


OS_VERSION: 10.0.19041.1


BUILDLAB_STR: vb_release


OSPLATFORM_TYPE: x64


OSNAME: Windows 10


FAILURE_ID_HASH: {52a2066e-ad61-9d2e-3f73-2941a33fb6fc}


Followup: MachineOwner

---------


3: kd> !blackboxbsd

Version: 176

Product type: 1


Auto advanced boot: FALSE

Advanced boot menu timeout: 30

Last boot succeeded: TRUE

Last boot shutdown: FALSE

Sleep in progrees: FALSE


Power button timestamp: 0

System running: TRUE

Connected standby in progress: FALSE

User shutdown in progress: FALSE

System shutdown in progress: FALSE

Sleep in progress: 0

Connected standby scenario instance id: 0

Connected standby entry reason: 0

Connected standby exit reason: 0

System sleep transitions to on: 7

Last reference time: 0x1d70340b2773287

Last reference time checksum: 0x5f2c04f6

Last update boot id: 47


Boot attempt count: 1

Last boot checkpoint: TRUE

Checksum: 0xa9

Last boot id: 47

Last successful shutdown boot id: 46

Last reported abnormal shutdown boot id: 46


Error info boot id: 0

Error info repeat count: 0

Error info other error count: 0

Error info code: 0

Error info other error count: 0


Power button last press time: 0

Power button cumulative press count: 0

Power button last press boot id: 0

Power button last power watchdog stage: 0

Power button watchdog armed: FALSE

Power button shutdown in progress: FALSE

Power button last release time: 0

Power button cumulative release count: 0

Power button last release boot id: 0

Power button error count: 0

Power button current connected standby phase: 0

Power button transition latest checkpoint id: 0

Power button transition latest checkpoint type: 0

Power button transition latest checkpoint sequence number: 0

3: kd> !blackboxntfs


NTFS Blackbox Data


0 Slow I/O Timeout Records Found

0 Oplock Break Timeout Records Found

3: kd> !blackboxpnp

PnpActivityId : {00000000-0000-0000-0000-000000000000}

PnpActivityTime : 132577628684205557

PnpEventInformation: 3

PnpEventInProgress : 0

PnpProblemCode : 24

PnpVetoType : 0

DeviceId : SWD\DAFUPnPProvider\uuid:19a577e7-175b-455f-9759-b6757a43b521

VetoString :


3: kd> lmvm Ntfs

Browse full module list

start end module name

fffff802`1c600000 fffff802`1c8d9000 Ntfs (pdb symbols) c:\windows\symbol_cache\ntfs.pdb\30F114E4EFF4527B4FB599B6B8E107811\ntfs.pdb

Loaded symbol image file: Ntfs.sys

Image path: \SystemRoot\System32\Drivers\Ntfs.sys

Image name: Ntfs.sys

Browse all global symbols functions data

Image was built with /Brepro flag.

Timestamp: B1068108 (This is a reproducible build file hash, not a timestamp)

CheckSum: 002C225D

ImageSize: 002D9000

File version: 10.0.19041.804

Product version: 10.0.19041.804

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 3.7 Driver

File date: 00000000.00000000

Translations: 0409.04b0

Information from resource tables:

CompanyName: Microsoft Corporation

ProductName: Microsoft® Windows® Operating System

InternalName: ntfs.sys

OriginalFilename: ntfs.sys

ProductVersion: 10.0.19041.804

FileVersion: 10.0.19041.804 (WinBuild.160101.0800)

FileDescription: NT File System Driver

LegalCopyright: © Microsoft Corporation. All rights reserved.



Side note:


1 - I have windows file history/backup enabled, saving into the Backup Drive, and after restarting the computer, Windows prompted me about drive errrors on my Backup Drive. ChkDsk reports that it discovered free space marked as allocated in the volume bitmap, and fixed it afterwards. The Backup Drive(B:) is a HDD. Main Drive(C:) is a m.2 SSD. Have another 2 drives (D: E:). E drive stores old system data, and the drive is reported multiple times to be failing, though sometimes the error count resetted itself. It stills work fine in normal use however.


2 - I have a Bugcheck a week before about PageHashError - CRC error (Hash Mismatch), with one bit fliped. Doing a memory check (from Windows) reports problems with memory. However, using the trusty MemCheck86 reports no errors after 4 passes. So I believed that was just a cosmic bit flip, as I don't have ECC memory.

Continue reading...
 

Similar threads

C
Replies
0
Views
358
CleanPinch123
C
C
Replies
0
Views
433
CleanPinch123
C
B
Replies
0
Views
547
Bhim Charan Murmu
B
Back
Top Bottom