USBXHCI 引起的DRIVER_IRQL_NOT_LESS_OR_EQUAL蓝屏分析
2022-02-25
错误地址为 0000000000000024,落在空页(NULL page)内:这并不是对 NULL 本身的访问,而是典型的"NULL 结构体指针 + 0x24 偏移"的字段读取。结合下面的 Arg2=2(DISPATCH_LEVEL)和 Arg3=0(读操作),即在 DPC 级别读取了一个空指针的成员。
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000024, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80310ce8109, address which referenced memory
堆栈信息为:
0: kd> k
# Child-SP RetAddr Call Site
00 fffff803`0826d4d8 fffff803`059df1e9 nt!KeBugCheckEx
01 fffff803`0826d4e0 fffff803`059db5d4 nt!KiBugCheckDispatch+0x69
02 fffff803`0826d620 fffff803`10ce8109 nt!KiPageFault+0x454
03 fffff803`0826d7b0 fffff803`0a009af2 USBXHCI!Control_WdfEvtIoDefault+0xf9
04 (Inline Function) --------`-------- Wdf01000!FxIoQueueIoDefault::Invoke+0x34 [minkernel\wdf\framework\shared\inc\private\common\fxioqueuecallbacks.hpp @ 59]
05 fffff803`0826d870 fffff803`0a009357 Wdf01000!FxIoQueue::DispatchRequestToDriver+0x2c2 [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 3414]
06 fffff803`0826d910 fffff803`0a008a49 Wdf01000!FxIoQueue::DispatchEvents+0x617 [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 3125]
07 (Inline Function) --------`-------- Wdf01000!FxIoQueue::DispatchInternalEvents+0x21 [minkernel\wdf\framework\shared\inc\private\common\fxioqueue.hpp @ 1032]
08 (Inline Function) --------`-------- Wdf01000!FxIoQueue::RequestCompletedCallback+0x92 [minkernel\wdf\framework\shared\inc\private\common\fxioqueue.hpp @ 687]
09 (Inline Function) --------`-------- Wdf01000!FxRequest::PostProcessCompletion+0xa4 [minkernel\wdf\framework\shared\core\fxrequest.cpp @ 909]
0a fffff803`0826d9f0 fffff803`0a00845b Wdf01000!FxRequest::CompleteInternal+0x2e9 [minkernel\wdf\framework\shared\core\fxrequest.cpp @ 872]
0b (Inline Function) --------`-------- Wdf01000!FxRequest::Complete+0x31 [minkernel\wdf\framework\shared\inc\private\common\fxrequest.hpp @ 805]
0c fffff803`0826da80 fffff803`10ce6d36 Wdf01000!imp_WdfRequestComplete+0x8b [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 436]
0d fffff803`0826dae0 fffff803`10ce6ec9 USBXHCI!Control_Transfer_Complete+0x1c6
0e fffff803`0826db60 fffff803`10ce5eb6 USBXHCI!Control_Transfer_CompleteCancelable+0x135
0f fffff803`0826dbb0 fffff803`10ce7e5c USBXHCI!Control_ProcessTransferCompletion+0x6a
10 fffff803`0826dbe0 fffff803`0a014031 USBXHCI!Control_WdfEvtDpcForTransferCompletion+0x2c
11 (Inline Function) --------`-------- Wdf01000!FxDpc::DpcHandler+0x5f [minkernel\wdf\framework\kmdf\src\core\fxdpc.cpp @ 319]
12 fffff803`0826dc10 fffff803`0588946c Wdf01000!FxDpc::FxDpcThunk+0x71 [minkernel\wdf\framework\kmdf\src\core\fxdpc.cpp @ 361]
13 fffff803`0826dc60 fffff803`05888aae nt!KiExecuteAllDpcs+0x2ec
14 fffff803`0826dda0 fffff803`059d47e5 nt!KiRetireDpcList+0x1ae
15 fffff803`0826dfb0 fffff803`059d45d0 nt!KxRetireDpcList+0x5
16 fffff608`637a2e00 fffff803`059d3e95 nt!KiDispatchInterruptContinue
17 fffff608`637a2e30 fffff803`059cf431 nt!KiDpcInterruptBypass+0x25
18 fffff608`637a2e40 00007ffd`e6593679 nt!KiInterruptDispatch+0xb1
19 0000002a`050ff8a8 00000000`00000000 0x00007ffd`e6593679
查看trap信息
0: kd> .trap 0xfffff8030826d620
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff940a31db8270 rbx=0000000000000000 rcx=ffff940a31dc49e0
rdx=00006bf5ce247f28 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80310ce8109 rsp=fffff8030826d7b0 rbp=0000000000000000
r8=fffff80310d0f050 r9=ffff940a319bbd20 r10=000000000000002e
r11=fffff8030826d808 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
USBXHCI!Control_WdfEvtIoDefault+0xf9:
fffff803`10ce8109 448b4b24 mov r9d,dword ptr [rbx+24h] ds:00000000`00000024=????????
出错指令为 `mov r9d,dword ptr [rbx+24h]`,而 Arg1 = 0x24,由此可推出 rbx 在出错时确实为 0(NULL)。需要注意 .trap 已经提示 trap frame 不包含全部寄存器:上面 rbx/rbp/rsi/rdi/r12–r15 这些非易失(callee-saved)寄存器全部显示为 0,很可能只是没有被保存而不是真实值,所以 "rbx 为 NULL" 的结论应当由 Arg1 与指令操作数推出,而不是直接相信这里的寄存器视图。另外由堆栈可见此路径运行在 DPC 中(IRQL=2),因此任何对空页的访问都会直接触发 D1;至于这个空指针能否被恶意或异常的 USB 设备稳定触发(造成 DoS),仅凭此 dump 还无法断定。
反汇编 Control_WdfEvtIoDefault,向上追踪出错指令所用 rbx 的来源:
0: kd> uf USBXHCI!Control_WdfEvtIoDefault+0xf9
USBXHCI!Control_WdfEvtIoDefault:
fffff803`10ce8010 48895c2418 mov qword ptr [rsp+18h],rbx
fffff803`10ce8015 55 push rbp
fffff803`10ce8016 56 push rsi
fffff803`10ce8017 57 push rdi
fffff803`10ce8018 4154 push r12
fffff803`10ce801a 4155 push r13
fffff803`10ce801c 4156 push r14
fffff803`10ce801e 4157 push r15
fffff803`10ce8020 4881ec80000000 sub rsp,80h
fffff803`10ce8027 488b0502850200 mov rax,qword ptr [USBXHCI!_security_cookie (fffff803`10d10530)]
fffff803`10ce802e 4833c4 xor rax,rsp
fffff803`10ce8031 4889442478 mov qword ptr [rsp+78h],rax
fffff803`10ce8036 4c8be2 mov r12,rdx
fffff803`10ce8039 488bf9 mov rdi,rcx
fffff803`10ce803c 4032ed xor bpl,bpl
fffff803`10ce803f 440f20c6 mov rsi,cr8
fffff803`10ce8043 4084f6 test sil,sil
fffff803`10ce8046 7514 jne USBXHCI!Control_WdfEvtIoDefault+0x4c (fffff803`10ce805c) Branch
USBXHCI!Control_WdfEvtIoDefault+0x38:
fffff803`10ce8048 b102 mov cl,2
fffff803`10ce804a 4c8b1537c10200 mov r10,qword ptr [USBXHCI!_imp_KfRaiseIrql (fffff803`10d14188)]
fffff803`10ce8051 e8eabfbaf4 call nt!KzRaiseIrql (fffff803`05894040)
fffff803`10ce8056 408ae8 mov bpl,al
fffff803`10ce8059 4084f6 test sil,sil
USBXHCI!Control_WdfEvtIoDefault+0x4c:
fffff803`10ce805c 410f94c7 sete r15b
fffff803`10ce8060 488d4c2450 lea rcx,[rsp+50h]
fffff803`10ce8065 bb28000000 mov ebx,28h
fffff803`10ce806a 33d2 xor edx,edx
fffff803`10ce806c 448bc3 mov r8d,ebx
fffff803`10ce806f 4532f6 xor r14b,r14b
fffff803`10ce8072 e849effdff call USBXHCI!memset (fffff803`10cc6fc0)
fffff803`10ce8077 488b0d62890200 mov rcx,qword ptr [USBXHCI!WdfFunctions_01023 (fffff803`10d109e0)]
fffff803`10ce807e 4c8d442450 lea r8,[rsp+50h]
fffff803`10ce8083 66895c2450 mov word ptr [rsp+50h],bx
fffff803`10ce8088 498bd4 mov rdx,r12
fffff803`10ce808b 488b8150080000 mov rax,qword ptr [rcx+850h]
fffff803`10ce8092 488b0d1f870200 mov rcx,qword ptr [USBXHCI!WdfDriverGlobals (fffff803`10d107b8)]
fffff803`10ce8099 ff1591c30200 call qword ptr [USBXHCI!_guard_dispatch_icall_fptr (fffff803`10d14430)]
fffff803`10ce809f 488b053a890200 mov rax,qword ptr [USBXHCI!WdfFunctions_01023 (fffff803`10d109e0)]
fffff803`10ce80a6 488bd7 mov rdx,rdi
fffff803`10ce80a9 4c8b05b0720200 mov r8,qword ptr [USBXHCI!WDF_TR_DATA_TYPE_INFO+0x18 (fffff803`10d0f360)]
fffff803`10ce80b0 488b0d01870200 mov rcx,qword ptr [USBXHCI!WdfDriverGlobals (fffff803`10d107b8)]
fffff803`10ce80b7 488b5c2458 mov rbx,qword ptr [rsp+58h] //rbx来源: 从栈上局部结构 [rsp+50h] 的 +8 处读出。该结构先被 memset 清零(并在 +0 写入 Size=28h),随后作为 r8 传给上面经 WdfFunctions_01023+850h 分发的框架调用供其填充;调用返回后 rax 立即被覆盖,返回值(若有)未被检查。因此 rbx==0 意味着该字段没有被填充,这就是后面空指针的来源
fffff803`10ce80bc 488b8050060000 mov rax,qword ptr [rax+650h]
fffff803`10ce80c3 ff1567c30200 call qword ptr [USBXHCI!_guard_dispatch_icall_fptr (fffff803`10d14430)]
fffff803`10ce80c9 488b0d10890200 mov rcx,qword ptr [USBXHCI!WdfFunctions_01023 (fffff803`10d109e0)]
fffff803`10ce80d0 498bd4 mov rdx,r12
fffff803`10ce80d3 4c8b058e6f0200 mov r8,qword ptr [USBXHCI!WDF_REQUEST_DATA_TYPE_INFO+0x18 (fffff803`10d0f068)]
fffff803`10ce80da 488bf8 mov rdi,rax
fffff803`10ce80dd 488b8150060000 mov rax,qword ptr [rcx+650h]
fffff803`10ce80e4 488b0dcd860200 mov rcx,qword ptr [USBXHCI!WdfDriverGlobals (fffff803`10d107b8)]
fffff803`10ce80eb ff153fc30200 call qword ptr [USBXHCI!_guard_dispatch_icall_fptr (fffff803`10d14430)]
fffff803`10ce80f1 4c8be8 mov r13,rax
fffff803`10ce80f4 4c8b4f30 mov r9,qword ptr [rdi+30h]
fffff803`10ce80f8 488b4f38 mov rcx,qword ptr [rdi+38h]
fffff803`10ce80fc 4889442448 mov qword ptr [rsp+48h],rax
fffff803`10ce8101 450fb69187000000 movzx r10d,byte ptr [r9+87h]
fffff803`10ce8109 448b4b24 mov r9d,dword ptr [rbx+24h] //错误来源: rbx==0,在 DISPATCH_LEVEL 读取 [0+24h] 触发 D1;从 10ce80b7 取出 rbx 到这里之间没有任何 NULL 检查
fffff803`10ce810d 44894c2440 mov dword ptr [rsp+40h],r9d
fffff803`10ce8112 448b8990000000 mov r9d,dword ptr [rcx+90h]
fffff803`10ce8119 488b4950 mov rcx,qword ptr [rcx+50h]
fffff803`10ce811d 4c89642438 mov qword ptr [rsp+38h],r12
fffff803`10ce8122 44894c2430 mov dword ptr [rsp+30h],r9d
fffff803`10ce8127 4489542428 mov dword ptr [rsp+28h],r10d
fffff803`10ce812c e8b3070000 call USBXHCI!WPP_RECORDER_SF_DDqDq (fffff803`10ce88e4)
fffff803`10ce8131 4d8bcd mov r9,r13
fffff803`10ce8134 4c8bc3 mov r8,rbx
fffff803`10ce8137 498bd4 mov rdx,r12
fffff803`10ce813a 488bcf mov rcx,rdi
fffff803`10ce813d e88ae8ffff call USBXHCI!Control_TransferData_Initialize (fffff803`10ce69cc)
fffff803`10ce8142 488d5f60 lea rbx,[rdi+60h]
fffff803`10ce8146 488bcb mov rcx,rbx
fffff803`10ce8149 4c8b1578c10200 mov r10,qword ptr [USBXHCI!_imp_KeAcquireSpinLockRaiseToDpc (fffff803`10d142c8)]
fffff803`10ce8150 e8eb9ab3f4 call nt!KeAcquireSpinLockRaiseToDpc (fffff803`05821c40)
fffff803`10ce8155 4c89af58010000 mov qword ptr [rdi+158h],r13
fffff803`10ce815c 4c8d051d010000 lea r8,[USBXHCI!Control_WdfEvtRequestCancel (fffff803`10ce8280)]
fffff803`10ce8163 884768 mov byte ptr [rdi+68h],al
fffff803`10ce8166 4183a58000000000 and dword ptr [r13+80h],0
fffff803`10ce816e 4183a58400000000 and dword ptr [r13+84h],0
fffff803`10ce8176 498b5518 mov rdx,qword ptr [r13+18h]
fffff803`10ce817a 41c7457001000000 mov dword ptr [r13+70h],1
fffff803`10ce8182 488b0557880200 mov rax,qword ptr [USBXHCI!WdfFunctions_01023 (fffff803`10d109e0)]
fffff803`10ce8189 488b0d28860200 mov rcx,qword ptr [USBXHCI!WdfDriverGlobals (fffff803`10d107b8)]
fffff803`10ce8190 488b80480c0000 mov rax,qword ptr [rax+0C48h]
fffff803`10ce8197 ff1593c20200 call qword ptr [USBXHCI!_guard_dispatch_icall_fptr (fffff803`10d14430)]
fffff803`10ce819d 85c0 test eax,eax
fffff803`10ce819f 796b jns USBXHCI!Control_WdfEvtIoDefault+0x1fc (fffff803`10ce820c) Branch
USBXHCI!Control_WdfEvtIoDefault+0x191:
fffff803`10ce81a1 488b4f38 mov rcx,qword ptr [rdi+38h]
fffff803`10ce81a5 41b926000000 mov r9d,26h
fffff803`10ce81ab 4c8b4730 mov r8,qword ptr [rdi+30h]
fffff803`10ce81af b203 mov dl,3
fffff803`10ce81b1 89442438 mov dword ptr [rsp+38h],eax
fffff803`10ce81b5 8b8190000000 mov eax,dword ptr [rcx+90h]
fffff803`10ce81bb 450fb69087000000 movzx r10d,byte ptr [r8+87h]
fffff803`10ce81c3 458d41e8 lea r8d,[r9-18h]
fffff803`10ce81c7 488b4950 mov rcx,qword ptr [rcx+50h]
fffff803`10ce81cb 89442430 mov dword ptr [rsp+30h],eax
fffff803`10ce81cf 488d0552df0100 lea rax,[USBXHCI!WPP_f8d05c40f4743b0f34f8f34095e537bc_Traceguids (fffff803`10d06128)]
fffff803`10ce81d6 4489542428 mov dword ptr [rsp+28h],r10d
fffff803`10ce81db 4889442420 mov qword ptr [rsp+20h],rax
fffff803`10ce81e0 e80b12feff call USBXHCI!WPP_RECORDER_SF_DDD (fffff803`10cc93f0)
fffff803`10ce81e5 418ad7 mov dl,r15b
fffff803`10ce81e8 41c7457003000000 mov dword ptr [r13+70h],3
fffff803`10ce81f0 488bcf mov rcx,rdi
fffff803`10ce81f3 e89cebffff call USBXHCI!Control_Transfer_CompleteCancelable (fffff803`10ce6d94)
fffff803`10ce81f8 8a5768 mov dl,byte ptr [rdi+68h]
fffff803`10ce81fb 488bcb mov rcx,rbx
fffff803`10ce81fe 4c8b15bbc00200 mov r10,qword ptr [USBXHCI!_imp_KeReleaseSpinLock (fffff803`10d142c0)]
fffff803`10ce8205 e856d6c1f4 call nt!KeReleaseSpinLock (fffff803`05905860)
fffff803`10ce820a eb32 jmp USBXHCI!Control_WdfEvtIoDefault+0x22e (fffff803`10ce823e) Branch
USBXHCI!Control_WdfEvtIoDefault+0x1fc:
fffff803`10ce820c 837f6c02 cmp dword ptr [rdi+6Ch],2
fffff803`10ce8210 750a jne USBXHCI!Control_WdfEvtIoDefault+0x20c (fffff803`10ce821c) Branch
USBXHCI!Control_WdfEvtIoDefault+0x202:
fffff803`10ce8212 c7476c03000000 mov dword ptr [rdi+6Ch],3
fffff803`10ce8219 41b601 mov r14b,1
USBXHCI!Control_WdfEvtIoDefault+0x20c:
fffff803`10ce821c 8a5768 mov dl,byte ptr [rdi+68h]
fffff803`10ce821f 488bcb mov rcx,rbx
fffff803`10ce8222 4c8b1597c00200 mov r10,qword ptr [USBXHCI!_imp_KeReleaseSpinLock (fffff803`10d142c0)]
fffff803`10ce8229 e832d6c1f4 call nt!KeReleaseSpinLock (fffff803`05905860)
fffff803`10ce822e 4584f6 test r14b,r14b
fffff803`10ce8231 740b je USBXHCI!Control_WdfEvtIoDefault+0x22e (fffff803`10ce823e) Branch
USBXHCI!Control_WdfEvtIoDefault+0x223:
fffff803`10ce8233 418ad7 mov dl,r15b
fffff803`10ce8236 488bcf mov rcx,rdi
fffff803`10ce8239 e8badaffff call USBXHCI!Control_MapTransfer (fffff803`10ce5cf8)
USBXHCI!Control_WdfEvtIoDefault+0x22e:
fffff803`10ce823e 4084f6 test sil,sil
fffff803`10ce8241 750f jne USBXHCI!Control_WdfEvtIoDefault+0x242 (fffff803`10ce8252) Branch
USBXHCI!Control_WdfEvtIoDefault+0x233:
fffff803`10ce8243 408acd mov cl,bpl
fffff803`10ce8246 4c8b1543bf0200 mov r10,qword ptr [USBXHCI!_imp_KeLowerIrql (fffff803`10d14190)]
fffff803`10ce824d e80ebcbaf4 call nt!KzLowerIrql (fffff803`05893e60)
USBXHCI!Control_WdfEvtIoDefault+0x242:
fffff803`10ce8252 488b4c2478 mov rcx,qword ptr [rsp+78h]
fffff803`10ce8257 4833cc xor rcx,rsp
fffff803`10ce825a e8d19dfdff call USBXHCI!_security_check_cookie (fffff803`10cc2030)
fffff803`10ce825f 488b9c24d0000000 mov rbx,qword ptr [rsp+0D0h]
fffff803`10ce8267 4881c480000000 add rsp,80h
fffff803`10ce826e 415f pop r15
fffff803`10ce8270 415e pop r14
fffff803`10ce8272 415d pop r13
fffff803`10ce8274 415c pop r12
fffff803`10ce8276 5f pop rdi
fffff803`10ce8277 5e pop rsi
fffff803`10ce8278 5d pop rbp
fffff803`10ce8279 c3 ret