Some executables cause BSOD in WinPE #160

Open
lesderid opened this issue Jun 29, 2023 · 2 comments · May be fixed by #163

lesderid commented Jun 29, 2023

Running some MSYS2 executables (e.g. fish) under WinPE (Windows Server 2022, specifically 20348.1) causes a crash in ntfs.sys:

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff80625609454, Address of the instruction which caused the BugCheck
Arg3: ffffbb0539194290, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

[...]

PROCESS_NAME:  fish.exe

STACK_TEXT:  
ffffbb05`39194cb0 fffff806`2560573c     : ffffd485`cb2f0a68 ffffd485`cd83fb00 00000000`00ff00ff ffffbb05`39194f28 : Ntfs!NtfsFindStartingNode+0x5d4
ffffbb05`39194d80 fffff806`25602872     : ffffd485`cd83fb00 ffffbb05`39195130 ffffd485`cd83fb00 00000000`00000000 : Ntfs!NtfsCommonCreate+0x56c
ffffbb05`39195020 fffff806`21276425     : ffffd485`c956f030 ffffd485`cd83fb00 ffffbb05`39195300 ffffd485`cdd9b630 : Ntfs!NtfsFsdCreate+0x202
ffffbb05`391952a0 fffff806`20f4637a     : ffffd485`cd83fb00 ffffbb05`39195390 ffffbb05`39195399 fffff806`20f450b3 : nt!IofCallDriver+0x55
ffffbb05`391952e0 fffff806`20f7a264     : ffffbb05`39195390 ffffd485`cd83fc60 ffffd485`c9512cd0 fffff806`21688e9b : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x27a
ffffbb05`39195350 fffff806`21276425     : ffffd485`c9512c00 ffffd485`c95596b0 00000000`00000000 00000000`00000000 : FLTMGR!FltpCreate+0x314
ffffbb05`39195400 fffff806`21687331     : ffffd485`cbc14a20 ffffd485`c95596b0 ffffbb05`39195701 00000000`00000040 : nt!IofCallDriver+0x55
ffffbb05`39195440 fffff806`21745e27     : 00000038`00000068 ffffd485`cbc14a20 d485cdd9`b790ffff ffffd485`cdd9b7c0 : nt!IopParseDevice+0x891
ffffbb05`39195600 fffff806`2168b9f5     : fffff806`21745d60 ffffbb05`39195770 ffffd485`c8cfb6c0 ffffd485`cdd9b7c0 : nt!IopParseFile+0xc7
ffffbb05`39195670 fffff806`2168ae91     : 00000000`00000000 ffffbb05`391958a0 00000000`00000040 ffffd485`c8cfb6c0 : nt!ObpLookupObjectName+0x625
ffffbb05`39195810 fffff806`216b5d9f     : 00000000`00000000 00000000`00000001 ffffd485`cbc14a20 00000007`ffffb0d0 : nt!ObOpenObjectByNameEx+0x1f1
ffffbb05`39195940 fffff806`216b58e8     : 00000007`ffffb090 00000000`00000000 00000007`ffffb0d0 00000007`ffffb0c0 : nt!IopCreateFile+0x40f
ffffbb05`391959e0 fffff806`21437735     : 00000000`00000000 00000007`ffffb0c0 00000008`00025508 00000008`00000068 : nt!NtOpenFile+0x58
ffffbb05`39195a70 00007ffc`d416efa4     : 00000001`80113101 00000007`ffffb270 00000008`000253d0 00000008`000254c8 : nt!KiSystemServiceCopyEnd+0x25
00000007`ffffafb8 00000001`80113101     : 00000007`ffffb270 00000008`000253d0 00000008`000254c8 00000000`00000080 : ntdll!NtOpenFile+0x14
00000007`ffffafc0 00000007`ffffb270     : 00000008`000253d0 00000008`000254c8 00000000`00000080 00000007`00000007 : msys_2_0!cuserid+0x29bc1
00000007`ffffafc8 00000008`000253d0     : 00000008`000254c8 00000000`00000080 00000007`00000007 00000000`00004020 : 0x00000007`ffffb270
00000007`ffffafd0 00000008`000254c8     : 00000000`00000080 00000007`00000007 00000000`00004020 00000000`00000060 : 0x00000008`000253d0
00000007`ffffafd8 00000000`00000080     : 00000007`00000007 00000000`00004020 00000000`00000060 00000000`00000005 : 0x00000008`000254c8
00000007`ffffafe0 00000007`00000007     : 00000000`00004020 00000000`00000060 00000000`00000005 00000007`ffffb160 : 0x80
00000007`ffffafe8 00000000`00004020     : 00000000`00000060 00000000`00000005 00000007`ffffb160 00000001`801766ac : 0x00000007`00000007
00000007`ffffaff0 00000000`00000060     : 00000000`00000005 00000007`ffffb160 00000001`801766ac 00000007`ffffb310 : 0x4020
00000007`ffffaff8 00000000`00000005     : 00000007`ffffb160 00000001`801766ac 00000007`ffffb310 00000000`00001e01 : 0x60
00000007`ffffb000 00000007`ffffb160     : 00000001`801766ac 00000007`ffffb310 00000000`00001e01 00000000`00000180 : 0x5
00000007`ffffb008 00000001`801766ac     : 00000007`ffffb310 00000000`00001e01 00000000`00000180 00000007`ffffb050 : 0x00000007`ffffb160
00000007`ffffb010 00000007`ffffb310     : 00000000`00001e01 00000000`00000180 00000007`ffffb050 00000001`8026f480 : msys_2_0!truncl+0xac
00000007`ffffb018 00000000`00001e01     : 00000000`00000180 00000007`ffffb050 00000001`8026f480 00000007`00000080 : 0x00000007`ffffb310
00000007`ffffb020 00000000`00000180     : 00000007`ffffb050 00000001`8026f480 00000007`00000080 00000007`ffffb080 : 0x1e01
00000007`ffffb028 00000007`ffffb050     : 00000001`8026f480 00000007`00000080 00000007`ffffb080 00000000`00000644 : 0x180
00000007`ffffb030 00000001`8026f480     : 00000007`00000080 00000007`ffffb080 00000000`00000644 00000000`00000000 : 0x00000007`ffffb050
00000007`ffffb038 00000007`00000080     : 00000007`ffffb080 00000000`00000644 00000000`00000000 00000000`00000028 : msys_2_0!sys_nerr+0x24140
00000007`ffffb040 00000007`ffffb080     : 00000000`00000644 00000000`00000000 00000000`00000028 01d9ab0f`2761782a : 0x00000007`00000080
00000007`ffffb048 00000000`00000644     : 00000000`00000000 00000000`00000028 01d9ab0f`2761782a 00000000`0000000a : 0x00000007`ffffb080
00000007`ffffb050 00000000`00000000     : 00000000`00000028 01d9ab0f`2761782a 00000000`0000000a 00000000`00000200 : 0x644

[...]

NtOpenFile was called with ObjectAttributes.ObjectName containing \??\X:\msys\dev\.

(I realise this is probably not a supported configuration. It also arguably isn't an MSYS2 bug, as it's a user mode program that causes a kernel mode crash. I'm creating this issue mostly so there's a record of it.)

lesderid commented Jul 5, 2023

After further debugging, it seems that WinPE doesn't like mmap. The arguments (prot and flags), file size, and file path don't seem to matter.

lesderid commented Jul 9, 2023

I was able to fix it, but I'm not sure yet how to properly trigger the bug outside of MSYS. I might try to figure this out first before I submit the patch, to make sure I'm not missing anything.

lesderid added a commit to lesderid/msys2-runtime that referenced this issue Jul 13, 2023
Calling mmap on a file stored on a volume with buggy file re-opening
currently bugchecks. This commit solves this by using the
init_reopen_attr helper function.

Fixes msys2#160
lesderid linked a pull request Jul 13, 2023 that will close this issue