Description
Issue -
Npcap version 1.81 got installed on servers along with the SolarWinds agent, after which the servers are crashing one by one.
The issue is currently noticed on 2016 servers only.
As of now, uninstalled Npcap, but it got reinstalled after a reboot.
Memory.DMP -
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffff8882181330e8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff800f5577150, address which referenced memory
Debugging Details:
Unable to load image \SystemRoot\system32\DRIVERS\npcap.sys, Win32 error 0n2
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 6671
Key : Analysis.Elapsed.mSec
Value: 7855
Key : Analysis.IO.Other.Mb
Value: 0
Key : Analysis.IO.Read.Mb
Value: 1
Key : Analysis.IO.Write.Mb
Value: 0
Key : Analysis.Init.CPU.mSec
Value: 4655
Key : Analysis.Init.Elapsed.mSec
Value: 13858
Key : Analysis.Memory.CommitPeak.Mb
Value: 104
Key : Bugcheck.Code.KiBugCheckData
Value: 0xd1
Key : Bugcheck.Code.LegacyAPI
Value: 0xd1
Key : Failure.Bucket
Value: AV_npcap!unknown_function
Key : Failure.Hash
Value: {75627e3d-b2d1-3073-f887-d35f6796fe71}
Key : Hypervisor.Enlightenments.Value
Value: 8992
Key : Hypervisor.Enlightenments.ValueHex
Value: 2320
Key : Hypervisor.Flags.AnyHypervisorPresent
Value: 1
Key : Hypervisor.Flags.ApicEnlightened
Value: 0
Key : Hypervisor.Flags.CpuManager
Value: 0
Key : Hypervisor.Flags.DeprecateAutoEoi
Value: 0
Key : Hypervisor.Flags.DynamicCpuDisabled
Value: 0
Key : Hypervisor.Flags.ExtendedProcessorMasks
Value: 0
Key : Hypervisor.Flags.MaxBankNumber
Value: 0
Key : Hypervisor.Flags.NoExtendedRangeFlush
Value: 1
Key : Hypervisor.Flags.Phase0InitDone
Value: 1
Key : Hypervisor.Flags.SynicAvailable
Value: 0
Key : Hypervisor.Flags.Value
Value: 12296
Key : Hypervisor.Flags.ValueHex
Value: 3008
Key : Hypervisor.Flags.VsmAvailable
Value: 0
Key : Hypervisor.RootFlags.Value
Value: 0
Key : Hypervisor.RootFlags.ValueHex
Value: 0
Key : WER.OS.Branch
Value: rs1_release
Key : WER.OS.Version
Value: 10.0.14393.8519
BUGCHECK_CODE: d1
BUGCHECK_P1: ffff8882181330e8
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: fffff800f5577150
FILE_IN_CAB: MEMORY.DMP
VIRTUAL_MACHINE: VMware
WRITE_ADDRESS: unable to get nt!PspSessionIdBitmap
Unable to read MiSystemVaType memory at fffffff000000000
ffff8882181330e8
PROCESS_NAME: sqlservr.exe
TRAP_FRAME: ffff88804e795df0 -- (.trap 0xffff88804e795df0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000007266744e rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800f5577150 rsp=ffff88804e795f80 rbp=ffff88804e796000
r8=fffffffffffffff0 r9=ffff88804e795fe0 r10=ffffe78c033f9d80
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
npcap+0x7150:
fffff800f5577150 897c85b0 mov dword ptr [rbp+rax*4-50h],edi ss:0018:ffff8882181330e8=????????
Resetting default scope
STACK_TEXT:
ffff88804e795ca8 fffff8018db78569 : 000000000000000a ffff8882181330e8 0000000000000002 0000000000000001 : nt!KeBugCheckEx
ffff88804e795cb0 fffff8018db75077 : ffff88804e795cf0 0000000000000000 0000001000020000 0000000000000006 : nt!KiBugCheckDispatch+0x69
ffff88804e795df0 fffff800f5577150 : ffffe78c11d54000 ffff88804e795f9c 0002f8c01ed50000 0000000100000003 : nt!KiPageFault+0x437
ffff88804e795f80 fffff800f55766b0 : 00000035a3e0eae7 ffffe78c046d4830 ffffe78c101c5090 00000035a3e0eae7 : npcap+0x7150
ffff88804e796040 fffff800f5576a52 : ffffe78c046d4830 ffffe78c046d4830 0000000000000000 ffffe78c04684a01 : npcap+0x66b0
ffff88804e7960f0 fffff800f3bd48cf : fffff800f3bddae0 ffff88804e796220 ffffe78c04677c70 ffff88804e796718 : npcap+0x6a52
ffff88804e796120 fffff800f4612796 : ffffe78c046858b0 ffffe78c11c2caf0 ffff888000000000 0000000000000000 : NDIS!NdisSendNetBufferLists+0x23f
ffff88804e796250 fffff800f4611ff4 : 00000000000001db 06575e4cdf035e00 ffff88804e796351 ffffe78c11c2cc60 : tcpip!FlFastSendPackets+0x106
ffff88804e7962a0 fffff800f4647a2c : ffff88804e796800 ffffe78c00000014 ffffe78c04670470 ffff88804e7968f0 : tcpip!IpNlpFastContinueSendDatagram+0x5b4
ffff88804e7963a0 fffff800f461195d : ffff88804e7968f0 0000000000000007 fffff800f47bc000 ffffe78c0ec299c0 : tcpip!IppSendDatagramsCommon+0xdfc
ffff88804e796620 fffff800f464032b : 0000000000000000 0000000000000101 ffffe78c0ec20002 ffffe78c069bc140 : tcpip!IpNlpFastSendDatagram+0x38d
ffff88804e796700 fffff800f463d205 : ffffe78c1197d9f0 0000000000000000 ffffe78c1228b1f0 ffffe78c0ec299c0 : tcpip!TcpTcbSend+0x72b
ffff88804e796ac0 fffff800f463d116 : 0000000003ea4639 ffff88804e796df0 ffff88804e796b68 0000000000000000 : tcpip!TcpEnqueueTcbSendOlmNotifySendComplete+0xa5
ffff88804e796af0 fffff800f463c4ab : 0000000000000000 fffff80000000224 ffff88804e797501 fffff8018da492f1 : tcpip!TcpEnqueueTcbSend+0xab6
ffff88804e796c10 fffff8018da49275 : ffff88804e797501 ffff88804e796d10 ffff88804e797150 fffff800f463c480 : tcpip!TcpTlConnectionSendCalloutRoutine+0x2b
ffff88804e796c90 fffff800f46136f6 : ffffe78c0ec5f4f0 0000000000000000 0000000000000000 ffffe78c03b91bb0 : nt!KeExpandKernelStackAndCalloutInternal+0x85
ffff88804e796ce0 fffff800f551bb31 : ffffe78c0ec5f4f0 ffff88804e797540 000000000000019f 000000000000019f : tcpip!TcpTlConnectionSend+0x76
ffff88804e796d50 fffff800f550239d : ffffe78c0ec5f4f0 0000022800000000 ffffe78c1158c4f0 0000000000000000 : afd!AfdFastConnectionSend+0x3a1
ffff88804e796f10 fffff8018df1d7e1 : 0000000000000000 0000000000000004 ffffe78c0fec9080 ffff88804e797540 : afd!AfdFastIoDeviceControl+0x40d
ffff88804e797290 fffff8018df1cff6 : e78c02c55de04e8d 0000000000000000 0000000000000000 0000022c60555bd0 : nt!IopXxxControlFile+0x7e1
ffff88804e7973e0 fffff8018db77d93 : 0000000000000000 0000000000000001 0000000000000000 fffff80100000002 : nt!NtDeviceIoControlFile+0x56
ffff88804e797450 00007ffb21c864b4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
000000cca47fd1f8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffb`21c864b4
SYMBOL_NAME: npcap+7150
MODULE_NAME: npcap
IMAGE_NAME: npcap.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 7150
FAILURE_BUCKET_ID: AV_npcap!unknown_function
OS_VERSION: 10.0.14393.8519
BUILDLAB_STR: rs1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {75627e3d-b2d1-3073-f887-d35f6796fe71}
Followup: MachineOwner
Mini DMP -
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffff8882181330e8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff800f5577150, address which referenced memory
Debugging Details:
*** WARNING: Unable to verify timestamp for npcap.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 5530
Key : Analysis.Elapsed.mSec
Value: 6113
Key : Analysis.IO.Other.Mb
Value: 0
Key : Analysis.IO.Read.Mb
Value: 0
Key : Analysis.IO.Write.Mb
Value: 0
Key : Analysis.Init.CPU.mSec
Value: 4937
Key : Analysis.Init.Elapsed.mSec
Value: 11684
Key : Analysis.Memory.CommitPeak.Mb
Value: 80
Key : Bugcheck.Code.LegacyAPI
Value: 0xd1
Key : Failure.Bucket
Value: AV_npcap!unknown_function
Key : Failure.Hash
Value: {75627e3d-b2d1-3073-f887-d35f6796fe71}
Key : Hypervisor.Enlightenments.Value
Value: 8992
Key : Hypervisor.Enlightenments.ValueHex
Value: 2320
Key : Hypervisor.Flags.AnyHypervisorPresent
Value: 1
Key : Hypervisor.Flags.ApicEnlightened
Value: 0
Key : Hypervisor.Flags.CpuManager
Value: 0
Key : Hypervisor.Flags.DeprecateAutoEoi
Value: 0
Key : Hypervisor.Flags.DynamicCpuDisabled
Value: 0
Key : Hypervisor.Flags.ExtendedProcessorMasks
Value: 0
Key : Hypervisor.Flags.MaxBankNumber
Value: 0
Key : Hypervisor.Flags.NoExtendedRangeFlush
Value: 1
Key : Hypervisor.Flags.Phase0InitDone
Value: 1
Key : Hypervisor.Flags.SynicAvailable
Value: 0
Key : Hypervisor.Flags.Value
Value: 12296
Key : Hypervisor.Flags.ValueHex
Value: 3008
Key : Hypervisor.Flags.VsmAvailable
Value: 0
Key : Hypervisor.RootFlags.Value
Value: 0
Key : Hypervisor.RootFlags.ValueHex
Value: 0
Key : WER.OS.Branch
Value: rs1_release
Key : WER.OS.Version
Value: 10.0.14393.8519
BUGCHECK_CODE: d1
BUGCHECK_P1: ffff8882181330e8
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: fffff800f5577150
FILE_IN_CAB: 110925-49109-01.dmp
VIRTUAL_MACHINE: VMware
WRITE_ADDRESS: fffff8018ddb2338: Unable to get MiVisibleState
c0000005 Exception in ext.analyze debugger extension.
PC: 00007fff87e006f5 VA: 00007fff8806d000 R/W: 1 Parameter: 00000000`00000000