BsoD Kernel security

Sloowdown

Feb 11, 2016
Hi!

I've been having a lot of issues with BSoDs lately.
I can't figure out why this keeps happening.
It's always the same, Kernel_security_check_failure.
Here is the latest dump:

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd0013a290200, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd0013a290158, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


TRAP_FRAME: ffffd0013a290200 -- (.trap 0xffffd0013a290200)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff901447d3068 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff901427f9f20 rsi=0000000000000000 rdi=0000000000000000
rip=fffff960001d77d8 rsp=ffffd0013a290390 rbp=fffff901427f9f20
r8=fffff960004b3764 r9=0000000034616c47 r10=0000000000000080
r11=ffffd0013a290370 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
win32k!PushThreadGuardedObject+0x54:
fffff960`001d77d8 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffd0013a290158 -- (.exr 0xffffd0013a290158)
ExceptionAddress: fffff960001d77d8 (win32k!PushThreadGuardedObject+0x0000000000000054)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003

DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT

BUGCHECK_STR: 0x139

PROCESS_NAME: windbg.exe

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1: 0000000000000003

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER: from fffff80253362ee9 to fffff802533573a0

STACK_TEXT:
ffffd001`3a28fed8 fffff802`53362ee9 : 00000000`00000139 00000000`00000003 ffffd001`3a290200 ffffd001`3a290158 : nt!KeBugCheckEx
ffffd001`3a28fee0 fffff802`53363210 : 00000000`40000340 00000017`00000400 0000002e`00000432 fffff901`400cb618 : nt!KiBugCheckDispatch+0x69
ffffd001`3a290020 fffff802`53362434 : 00000000`00000000 00000000`00000000 00000000`000000f0 00000000`00000080 : nt!KiFastFailDispatch+0xd0
ffffd001`3a290200 fffff960`001d77d8 : 00000000`00000004 00000000`00000400 fffff901`444e6848 fffff901`444e67c0 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd001`3a290390 fffff960`001d78cd : ffffd001`3a290490 ffffd001`3a290440 00000000`00000001 00000000`00000000 : win32k!PushThreadGuardedObject+0x54
ffffd001`3a2903c0 fffff960`0033b04b : 00000000`00000000 fffff960`001f25bd 00000000`00002912 fffff960`001fd2c1 : win32k!RGNMEMOBJTMP::RGNMEMOBJTMP+0xb9
ffffd001`3a2903f0 fffff960`002b6146 : fffff901`444e67c0 00000000`00000001 fffff901`444e05e0 fffff901`444e05e0 : win32k!vSpUpdateDirtyRgn+0x14b
ffffd001`3a290500 fffff960`002b696e : 00000000`000011b4 00000000`00000001 fffff901`4478f010 ffffd001`3a2907f0 : win32k!GreUpdateSprite+0x516
ffffd001`3a2906f0 fffff960`001d686e : 00000321`00000008 00000000`00000001 00000000`00000000 fffff901`40000cf0 : win32k!GreUpdateSpriteDevLockEnd+0x34e
ffffd001`3a290a00 fffff960`001d70da : ffffd001`3a290bf0 00000000`00000000 fffff901`40000660 fffff901`4074c2f0 : win32k!DEVLOCKOBJ::vFlushSpriteUpdates+0x14a
ffffd001`3a290a50 fffff960`001d71b7 : fffff901`400c8010 fffff960`001cdb1e 00000000`00000001 fffff901`4073bd60 : win32k!DEVLOCKOBJ::bUnMapTrgSurfaceView+0x3e
ffffd001`3a290a80 fffff960`0033be44 : fffff901`40000cf0 fffff901`400c72b0 fffff901`00000000 fffff901`4074c2f0 : win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0xc7
ffffd001`3a290ac0 fffff960`0030c182 : 00000000`00000000 ffffd001`3a290d10 00000000`00000018 00000000`00000060 : win32k!GreDrawStream+0x714
ffffd001`3a290ce0 fffff802`53362bb3 : ffffe001`223c7080 ff606060`ff606060 ff606060`ff606060 00000000`00000060 : win32k!NtGdiDrawStream+0x92
ffffd001`3a290e40 00007ffa`a0a8411a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000ba`f5f5be68 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`a0a8411a


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!PushThreadGuardedObject+54
fffff960`001d77d8 cd29 int 29h

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: win32k!PushThreadGuardedObject+54

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 568eaf97

IMAGE_VERSION: 6.3.9600.18190

BUCKET_ID_FUNC_OFFSET: 54

FAILURE_BUCKET_ID: 0x139_3_win32k!PushThreadGuardedObject

BUCKET_ID: 0x139_3_win32k!PushThreadGuardedObject

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x139_3_win32k!pushthreadguardedobject

FAILURE_ID_HASH: {3988df90-06e2-3155-a3b6-02654de2a73e}

Followup: MachineOwner
---------

1: kd> .trap 0xffffd0013a290200
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff901447d3068 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff901427f9f20 rsi=0000000000000000 rdi=0000000000000000
rip=fffff960001d77d8 rsp=ffffd0013a290390 rbp=fffff901427f9f20
r8=fffff960004b3764 r9=0000000034616c47 r10=0000000000000080
r11=ffffd0013a290370 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
win32k!PushThreadGuardedObject+0x54:
fffff960`001d77d8 cd29 int 29h


If anyone has any information to share on this I would be so happy!
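Arg1 = 3 in the dump above means a doubly linked list failed its integrity check, and the `int 29h` at the faulting address is the fast-fail that check raises. The following is an added example, not part of the original post and not Windows source: a user-space model of that check, showing why a double remove or a stray write to a link is caught. The names `list_entry`, `list_remove` and `LIST_CORRUPT` are made up here, and the model returns an error code where the kernel would bugcheck.

```c
#include <stdio.h>

/* User-space model, constructed for illustration; not Windows source. */
typedef struct list_entry {
    struct list_entry *flink;  /* forward link (next entry) */
    struct list_entry *blink;  /* backward link (previous entry) */
} list_entry;

enum { LIST_OK = 0, LIST_CORRUPT = 3 };  /* 3 mirrors Arg1 in the dump */

void list_init(list_entry *head) { head->flink = head->blink = head; }

/* Link e before head; refuse if the current tail does not point at head. */
int list_insert_tail(list_entry *head, list_entry *e) {
    list_entry *prev = head->blink;
    if (prev->flink != head) return LIST_CORRUPT;
    e->flink = head; e->blink = prev;
    prev->flink = e; head->blink = e;
    return LIST_OK;
}

/* Unlink e only if both neighbours still point back at it. */
int list_remove(list_entry *e) {
    list_entry *next = e->flink, *prev = e->blink;
    if (next->blink != e || prev->flink != e) return LIST_CORRUPT;
    prev->flink = next; next->blink = prev;
    return LIST_OK;
}

/* Build head <-> a <-> b, then run one of two failure scenarios. */
static int scenario(int overwrite) {
    list_entry head, a, b;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    if (overwrite) {
        a.flink = &head;             /* simulated stray write: a skips b */
        return list_remove(&b);      /* a no longer points at b */
    }
    if (list_remove(&a) != LIST_OK) return -1;
    return list_remove(&a);          /* a's stale links no longer match */
}

int demo_double_remove(void)    { return scenario(0); }
int demo_overwritten_link(void) { return scenario(1); }

int main(void) {
    printf("double remove    -> %d\n", demo_double_remove());
    printf("overwritten link -> %d\n", demo_overwritten_link());
    return 0;
}
```

Because the check only fires when the damaged entry is next touched, the function named in the bucket ID is where the corruption was detected, not necessarily the code that caused it.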

 
