VMWare Player 16.0.0 build-16894299 crashing in vmhgfs.sys, buffer overflow


Guest OS: Windows 10 Home version 2004, build 19041.572, 64-bit

VM processor core: i9-9900K

8GB RAM

The VM has crashed 3 times in the last 3 days.

Is this a known defect? Will this be fixed?

This is the output from analyzing the latest memory.dmp file using “windbg !analyze -v”

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffc6086eb1de70, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffc6086eb1ddc8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 2

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-4O0Q2SP

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 17

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 76

    Key  : Analysis.System
    Value: CreateObject

VIRTUAL_MACHINE:  VMware

BUGCHECK_CODE:  139
BUGCHECK_P1: 3
BUGCHECK_P2: ffffc6086eb1de70
BUGCHECK_P3: ffffc6086eb1ddc8
BUGCHECK_P4: 0

TRAP_FRAME:  ffffc6086eb1de70 -- (.trap 0xffffc6086eb1de70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9506c32c2518 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff9506c32c2470 rsi=0000000000000000 rdi=0000000000000000
rip=fffff803312f7159 rsp=ffffc6086eb1e008 rbp=0000000000000000
 r8=ffff9506c32c2518  r9=0000000000000000 r10=fffff803312f7140
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz ac po cy
vmhgfs+0x7159:
fffff803`312f7159 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffc6086eb1ddc8 -- (.exr 0xffffc6086eb1ddc8)
ExceptionAddress: fffff803312f7159 (vmhgfs+0x0000000000007159)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1

PROCESS_NAME:  SABnzbd.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409
EXCEPTION_PARAMETER1:  0000000000000003
EXCEPTION_STR:  0xc0000409

STACK_TEXT:
ffffc608`6eb1db48 fffff803`2a406569 : 00000000`00000139 00000000`00000003 ffffc608`6eb1de70 ffffc608`6eb1ddc8 : nt!KeBugCheckEx
ffffc608`6eb1db50 fffff803`2a406990 : ffffffff`ffffffff ffffc608`00000006 ffffc608`6eb1dd90 00000000`000001b0 : nt!KiBugCheckDispatch+0x69
ffffc608`6eb1dc90 fffff803`2a404d23 : ffff9506`bce04fc0 ffff9506`00000130 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
ffffc608`6eb1de70 fffff803`312f7159 : fffff803`2a2831df 00000000`00000002 fffff803`2a2dc59c ffff9506`c3cacb20 : nt!KiRaiseSecurityCheckFailure+0x323
ffffc608`6eb1e008 fffff803`2a2831df : 00000000`00000002 fffff803`2a2dc59c ffff9506`c3cacb20 00000000`00000000 : vmhgfs+0x7159
ffffc608`6eb1e010 fffff803`2a28311c : 00000000`00000000 ffff9506`c3e34000 ffff9506`c26e25e0 00000000`00000000 : nt!IoCsqInsertIrpEx+0xaf
ffffc608`6eb1e050 fffff803`312f7649 : ffff9506`c390c060 ffff9506`c3e34000 00000000`00000000 00000000`00000000 : nt!IoCsqInsertIrp+0xc
ffffc608`6eb1e080 fffff803`313114f5 : 00000000`00000000 ffffc608`6eb1e110 ffff9506`c3e34080 00000000`00000000 : vmhgfs+0x7649
ffffc608`6eb1e0b0 fffff803`312f1c60 : ffff9506`c32c2470 ffff9506`c32c2470 ffff9506`c32c2470 ffff9506`c32c2588 : vmhgfs+0x214f5
ffffc608`6eb1e150 fffff803`2a2cd805 : 00000000`00000200 00000000`00000000 ffff9506`bd4abc30 ffffc907`e3445140 : vmhgfs+0x1c60
ffffc608`6eb1e1b0 fffff803`2e29f188 : ffff9506`c32c25d0 ffff9506`c4346280 ffff9506`c32c2470 00000000`00000008 : nt!IofCallDriver+0x55
ffffc608`6eb1e1f0 fffff803`2e29ecd9 : ffffc907`e3445140 00000000`00000000 fffff803`2e298000 ffff9506`c046cda0 : mup!MupiCallUncProvider+0xb8
ffffc608`6eb1e260 fffff803`2e29e9af : 00000000`00000000 00000000`00000008 ffff9506`c4346280 ffff9506`c046cda0 : mup!MupStateMachine+0x59
ffffc608`6eb1e290 fffff803`2a2cd805 : ffff9506`c3091760 ffff9506`c046cda0 00000000`00000000 ffff9506`bd4abc30 : mup!MupCreate+0x1cf
ffffc608`6eb1e300 fffff803`27566ccf : ffff9506`c4346300 ffffc608`6eb1e3f0 ffffc608`6eb1e3f9 fffff803`27565b37 : nt!IofCallDriver+0x55
ffffc608`6eb1e340 fffff803`2759bbd4 : ffffc608`6eb1e3f0 ffff9506`c43462d8 ffff9506`c02daa50 00000000`00000000 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x28f
ffffc608`6eb1e3b0 fffff803`2a2cd805 : 00000000`00000000 ffff9506`bdf65cb0 00000000`00000000 00000000`00000000 : FLTMGR!FltpCreate+0x324
ffffc608`6eb1e460 fffff803`2a2cedf4 : 00000000`00000003 ffff9506`c32c2470 00000000`6d4e6f49 fffff803`2a2cea23 : nt!IofCallDriver+0x55
ffffc608`6eb1e4a0 fffff803`2a6c3c3d : ffffc608`6eb1e760 ffff9506`bdf65cb0 ffff9506`c4346318 00000000`00000000 : nt!IoCallDriverWithTracing+0x34
ffffc608`6eb1e4f0 fffff803`2a6ec3ae : ffff9506`bdf65cb0 00000000`0000005c ffff9506`c02f3ab0 ffff9506`c02f3a01 : nt!IopParseDevice+0x117d
ffffc608`6eb1e660 fffff803`2a6f566a : ffff9506`c02f3a00 ffffc608`6eb1e8c8 0000019b`00000040 ffff9506`bd58b220 : nt!ObpLookupObjectName+0x3fe
ffffc608`6eb1e830 fffff803`2a5ff52f : ffff9506`00000000 00000046`a17fd758 00000000`00000000 00000000`00000001 : nt!ObOpenObjectByNameEx+0x1fa
ffffc608`6eb1e960 fffff803`2a5ff109 : 00000046`a17fd718 ffff9506`c02e7d70 00000046`a17fd758 00000046`a17fd720 : nt!IopCreateFile+0x40f
ffffc608`6eb1ea00 fffff803`2a405fb5 : 00000000`00000364 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x79
ffffc608`6eb1ea90 00007ffc`bba2c834 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000046`a17fd698 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`bba2c834

SYMBOL_NAME:  vmhgfs+7159
MODULE_NAME: vmhgfs
IMAGE_NAME:  vmhgfs.sys
STACK_COMMAND:  .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET:  7159
FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_vmhgfs!unknown_function
OS_VERSION:  10.0.19041.1
BUILDLAB_STR:  vb_release
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
FAILURE_ID_HASH:  {41c84fcb-beb7-4dce-be02-2ac90e4af17e}
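What the bugcheck above is telling the reader: Arg1 = 3 (FAST_FAIL_CORRUPT_LIST_ENTRY) is raised when a LIST_ENTRY unlink finds that the entry's neighbours no longer point back at it, which is exactly what a second RemoveEntryList on the same entry looks like. The following user-mode C program is an added illustration of that check, not code from the original post and not vmhgfs code; it says nothing about the driver's actual root cause and only simulates the kernel's fail-fast (int 29h) by recording the subcode instead of terminating.

```c
/* Added example: simulate the doubly-linked LIST_ENTRY integrity check that
 * the Windows kernel performs in RemoveEntryList. A mismatch raises
 * fail-fast subcode 3, which surfaces as bugcheck 0x139 with Arg1 = 3.
 * This is a stand-alone simulation, not the kernel's or vmhgfs's code. */
#include <stddef.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define FAST_FAIL_CORRUPT_LIST_ENTRY 3   /* same value as Arg1 / Parameter[0] in the dump */

/* In the kernel this path ends in int 29h -> KiRaiseSecurityCheckFailure -> 0x139.
 * Here we only record the subcode so the result can be inspected. */
static int g_fail_fast_code = -1;
static void fail_fast(int code) { g_fail_fast_code = code; }

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    LIST_ENTRY *blink = head->Blink;
    entry->Flink = head;  entry->Blink = blink;
    blink->Flink = entry; head->Blink = entry;
}

/* Checked unlink: both neighbours must still reference the entry being removed. */
static int RemoveEntryListChecked(LIST_ENTRY *entry) {
    LIST_ENTRY *flink = entry->Flink, *blink = entry->Blink;
    if (flink->Blink != entry || blink->Flink != entry) {
        fail_fast(FAST_FAIL_CORRUPT_LIST_ENTRY);   /* stale or corrupted links */
        return 0;
    }
    blink->Flink = flink; flink->Blink = blink;    /* entry's own links are left stale */
    return 1;
}

/* Remove one entry once (valid) or twice (double remove); returns the subcode raised, -1 if none. */
int remove_subcode(int times) {
    LIST_ENTRY head, a, b;
    g_fail_fast_code = -1;
    InitializeListHead(&head);
    InsertTailList(&head, &a);
    InsertTailList(&head, &b);
    for (int i = 0; i < times; i++)
        RemoveEntryListChecked(&a);  /* 2nd call: b->Blink is now &head, not &a */
    return g_fail_fast_code;
}

int main(void) { printf("double remove raised subcode %d\n", remove_subcode(2)); return 0; }
```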
