PAGE FAULT IN NONPAGED AREA in HTTP.sys (BSOD or crash due to HTTP.sys)

  • Thread starter Thread starter PiyushParsai
  • Start date Start date
P

PiyushParsai

Guest
We are facing BSOD in Microsoft Kernel Mode device driver – “HTTP.sys”.
This is used by Katana that is Open Web Interface for .NET (OWIN) implementation for Microsoft servers and frameworks.
Our service uses Owin.dll (Microsoft module) – and this is User mode process.

0: kd> !analyze -v

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffff80574552798, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80574610f29, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
SYMSRV: BYINDEX: 0x20
ntkrnlmp.exe
D59E6482a6e000
SYMSRV: RESULT: 0x00000000
SYMSRV: BYINDEX: 0x21
HTTP.sys
F649550613a000
SYMSRV: RESULT: 0x00000000
KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 04/05/2016
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 1
BUGCHECK_P1: fffff80574552798
BUGCHECK_P2: 0
BUGCHECK_P3: fffff80574610f29
BUGCHECK_P4: 0
READ_ADDRESS: fffff80574552798
FAULTING_IP:
HTTP!UlGenerateVariableHeaders+359
fffff805`74610f29 498b84d080270400 mov rax,qword ptr [r8+rdx*8+42780h]
MM_INTERNAL_CODE: 0
IMAGE_NAME: HTTP.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: HTTP
FAULTING_MODULE: fffff80574590000 HTTP
CPU_COUNT: 4
CPU_MHZ: ae9
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3e
CPU_STEPPING: 7
CPU_MICROCODE: 6,3e,7,0 (F,M,S,R) SIG: 714'00000000 (cache) 714'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXPNP: 1 (!blackboxpnp)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: HmNmxGatewayWinSvc.exe
CURRENT_IRQL: 2
ANALYSIS_SESSION_HOST: VMRND8DEV117
ANALYSIS_SESSION_TIME: 03-27-2020 01:23:21.0522
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
TRAP_FRAME: ffff8106612c9e90 -- (.trap 0xffff8106612c9e90)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff805745d572c rbx=0000000000000000 rcx=0000000000000019
rdx=ffffffffffff0003 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80574610f29 rsp=ffff8106612ca020 rbp=ffff9a8c65ec348b
r8=fffff80574590000 r9=ffff8106612ca0a8 r10=00000000000007e4
r11=0000000000000003 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
HTTP!UlGenerateVariableHeaders+0x359:
fffff805`74610f29 498b84d080270400 mov rax,qword ptr [r8+rdx*8+42780h] ds:fffff805`74552798=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff805714a051c to fffff8057145f9c0
STACK_TEXT:
ffff8106`612c9ba8 fffff805`714a051c : 00000000`00000050 fffff805`74552798 00000000`00000000 ffff8106`612c9e90 : nt!KeBugCheckEx
ffff8106`612c9bb0 fffff805`7133eb36 : ffff8106`612c9f08 ffff8000`00000000 ffff9a8c`65ec3491 fffff805`74552798 : nt!MiSystemFault+0x19376c
ffff8106`612c9cf0 fffff805`7146d4c9 : 00000000`00000000 ffff8106`612ca200 ffff9a8c`65ec3491 ffff0000`00020000 : nt!MmAccessFault+0x1a6
ffff8106`612c9e90 fffff805`74610f29 : 01d6027d`f8eb6672 ffff8106`00000000 00000000`00000000 ffff9a8c`65ec3491 : nt!KiPageFault+0x349
ffff8106`612ca020 fffff805`7460f32a : 00000000`00000000 ffff9a8c`64d1c010 0000017b`80ac3520 00000000`00000000 : HTTP!UlGenerateVariableHeaders+0x359
ffff8106`612ca110 fffff805`7461a2d3 : 00000000`00000000 00000000`00000000 ffff9a8c`662ab090 00000000`00000000 : HTTP!UlFastSendHttpResponse+0x74a
ffff8106`612ca3b0 fffff805`74618db3 : 00000001`2607c148 00000000`00000000 fffff805`745d1aa8 00000035`2607d920 : HTTP!UlpSendResponseOrEntityBodyFastIo+0x1513
ffff8106`612ca840 fffff805`74592fc8 : ffff9a8c`65d39080 ffff8106`00000000 ffff9a8c`60914980 00000000`11b17f01 : HTTP!UlSendHttpResponseFastIo+0x23
ffff8106`612ca890 fffff805`718fc1db : ffff9a8c`6615da50 ffff8106`612cab80 00000000`00000038 ffff9a8c`661f5080 : HTTP!UxFastIoDeviceControl+0x98
ffff8106`612ca8e0 fffff805`71890d56 : ffff9a8c`00000000 00000000`00000000 00000000`00000000 0000017b`802fef10 : nt!IopXxxControlFile+0x81b
ffff8106`612caa20 fffff805`71470c05 : 0000017b`80ae09e8 00000000`00000000 00000000`00000000 fffff805`7192ac1f : nt!NtDeviceIoControlFile+0x56
ffff8106`612caa90 00007ffd`63a7f844 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000035`2607d878 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffd`63a7f844

THREAD_SHA1_HASH_MOD_FUNC: 5e2fb550fdae3c63f85921213a32ada657c38121
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 10e0813773c2d5bd3c7b003f0bfa99546e79210c
THREAD_SHA1_HASH_MOD: 0dfbd82ebf6d0bee3aab4f993c9f4b791a2021a7
FOLLOWUP_IP:
HTTP!UlGenerateVariableHeaders+359
fffff805`74610f29 498b84d080270400 mov rax,qword ptr [r8+rdx*8+42780h]
FAULT_INSTR_CODE: d0848b49
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: HTTP!UlGenerateVariableHeaders+359
FOLLOWUP_NAME: MachineOwner
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 359
FAILURE_BUCKET_ID: AV_R_INVALID_HTTP!UlGenerateVariableHeaders
BUCKET_ID: AV_R_INVALID_HTTP!UlGenerateVariableHeaders
PRIMARY_PROBLEM_CLASS: AV_R_INVALID_HTTP!UlGenerateVariableHeaders
TARGET_TIME: 2020-03-25T08:19:32.000Z
OSBUILD: 17763
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 3
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 Server TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 180914-1434
BUILDLAB_STR: rs5_release
BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434
ANALYSIS_SESSION_ELAPSED_TIME: 1cd5
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_r_invalid_http!ulgeneratevariableheaders
FAILURE_ID_HASH: {8d7d4985-c9c4-e5f9-fa78-1894f861712c}
Followup: MachineOwner
The crash occurs immediately after our service has started. This can be seen from the Event viewer logs sequence also.
This crash occurred when the HTTP.sys is trying to read its registry configuration (the key – “UrlAclInfo”):
0: kd> !address fffff80574610f29
Usage: Module
Base Address: fffff805`74590000
End Address: fffff805`746ca000
Region Size: 00000000`0013a000
VA Type: BootLoaded
Module name: HTTP.sys
Module path: [\SystemRoot\system32\drivers\HTTP.sys]
0: kd> ub HTTP!UlGenerateVariableHeaders+0x359
HTTP!UlGenerateVariableHeaders+0x32a:
fffff805`74610efa 89442460 mov dword ptr [rsp+60h],eax
fffff805`74610efe 4489442458 mov dword ptr [rsp+58h],r8d
fffff805`74610f03 4c8d05f6f0f7ff lea r8,[HTTP!UlIsValidApiVersion <PERF> (HTTP+0x0) (fffff805`74590000)]
fffff805`74610f0a 4b8b84d818270400 mov rax,qword ptr [r8+r11*8+42718h]
fffff805`74610f12 44894c2450 mov dword ptr [rsp+50h],r9d
fffff805`74610f17 4c8d8c2488000000 lea r9,[rsp+88h]
fffff805`74610f1f 4489542448 mov dword ptr [rsp+48h],r10d
fffff805`74610f24 4889442440 mov qword ptr [rsp+40h],rax
0: kd> u fffff80574610f29
HTTP!UlGenerateVariableHeaders+0x359:
fffff805`74610f29 498b84d080270400 mov rax,qword ptr [r8+rdx*8+42780h]
fffff805`74610f31 4533c0 xor r8d,r8d
fffff805`74610f34 894c2438 mov dword ptr [rsp+38h],ecx
fffff805`74610f38 8d531e lea edx,[rbx+1Eh]
fffff805`74610f3b 4889442430 mov qword ptr [rsp+30h],rax
fffff805`74610f40 488d0df97cfdff lea rcx,[HTTP!g_UlDateString (fffff805`745e8c40)]
fffff805`74610f47 488d050232fcff lea rax,[HTTP!`string' (fffff805`745d4150)]
fffff805`74610f4e 4889442428 mov qword ptr [rsp+28h],rax

0: kd> db fffff805`745d4150-40
fffff805`745d4110 3c 00 6e 00 75 00 6c 00-6c 00 3e 00 00 00 00 00 <.n.u.l.l.>.....
fffff805`745d4120 68 00 74 00 74 00 70 00-3a 00 2f 00 2f 00 2b 00 h.t.t.p.:././.+.
fffff805`745d4130 3a 00 00 00 0a 0d 0a 00-45 74 61 67 3a 00 00 00 :.......Etag:...
fffff805`745d4140 25 63 25 30 32 64 25 30-32 64 00 00 00 00 00 00 %c%02d%02d......
fffff805`745d4150 25 73 2c 20 25 30 32 68-64 20 25 73 20 25 30 34 %s, %02hd %s %04
fffff805`745d4160 68 64 20 25 30 32 68 64-3a 25 30 32 68 64 3a 25 hd %02hd:%02hd:%
fffff805`745d4170 30 32 68 64 20 47 4d 54-00 00 00 00 00 00 00 00 02hd GMT........
fffff805`745d4180 01 00 00 00 04 00 04 00-02 00 00 00 08 00 08 00 ................

0: kd> db fffff805`745d4150-90
fffff805`745d40c0 65 00 72 00 73 00 5c 00-55 00 72 00 6c 00 41 00 e.r.s.\.U.r.l.A.
fffff805`745d40d0 63 00 6c 00 49 00 6e 00-66 00 6f 00 00 00 00 00 c.l.I.n.f.o.....
fffff805`745d40e0 5c 00 3f 00 3f 00 5c 00-00 00 00 00 00 00 00 00 \.?.?.\.........
fffff805`745d40f0 5c 00 64 00 6f 00 73 00-64 00 65 00 76 00 69 00 \.d.o.s.d.e.v.i.
fffff805`745d4100 63 00 65 00 73 00 5c 00-55 00 4e 00 43 00 00 00 c.e.s.\.U.N.C...
fffff805`745d4110 3c 00 6e 00 75 00 6c 00-6c 00 3e 00 00 00 00 00 <.n.u.l.l.>.....
fffff805`745d4120 68 00 74 00 74 00 70 00-3a 00 2f 00 2f 00 2b 00 h.t.t.p.:././.+.
fffff805`745d4130 3a 00 00 00 0a 0d 0a 00-45 74 61 67 3a 00 00 00 :.......Etag

Continue reading...
 
You must log in or register to reply here.

Similar threads

S
BSOD's with codes "IRQL_NOT_LESS_OR_EQUAL", "CRITICAL_PROCESS_DIED" and "PAGE_FAULT_IN_NONPAGED_AREA"
Replies
0
Views
17
smape
S
C
help with NTDLL and Hardware_Disk BSOD
Replies
0
Views
3
ChristopherScroggins1
C
T
BSOD - unexpected_store_exception after sleep wakeup or hybernate wakeup
Replies
0
Views
26
TomasTrojcak1
T
C
PC BSOD Everyday, KERNEL_SECURITY_CHECK_FAILURE
Replies
0
Views
48
CainFamily
C
A
Computer crashes after hibernating
Replies
0
Views
7
ab_530
A
Back
Top