Bad Drivers

One of the things that Microsoft did in engineering the Windows 8 kernel was to eliminate and mitigate entire categories of kernel-mode memory exploits, by hardening the implementation with various new checks and removing code that would swallow multiple exceptions. The upside of this is that the kernel is more tamper-resistant. The downside (or upside, depending on how you look at it) is that buggy drivers now cause immediate kernel panics as soon as an offending operation is performed.

In other words, leaky, exploitable in-kernel drivers from days of old now cause the system to blue screen immediately when they do something wrong. This is actually the correct behavior and should help new driver devs catch problems early, but it also means my mid-2009 13″ MacBook Pro (model 5,5) has been blue screening like crazy ever since I installed Boot Camp 4.

It also means that, when these bugchecks are happening on Windows 8, they aren’t necessarily happening on Windows 7, or Vista, or XP. These could be points for investigation, by people wanting to develop exploits on those systems, because they would know exactly where the driver is doing something wrong in kernel memory.

Anyway, I got down and dirty and took a look at the minidumps being generated by the Boot Camp Services. There’s no official support for Windows 8 from Apple yet, but having drivers that are buggy on Windows 7 but that don’t immediately error out is probably also not a great thing.

Apple, take note, your Hardware Abstraction Layer driver is buggy:

Loading Dump File [C:WindowsMinidump21013-6162-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:symbols*
Executable search path is:
Windows 8 Kernel Version 9200 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9200.16461.amd64fre.win8_gdr.121119-1606
Machine Name:
Kernel base = 0xfffff803dfc78000 PsLoadedModuleList = 0xfffff803dff42a80
Debug session time: Sun Feb 10 12:36:21.739 2013 (UTC - 6:00)
System Uptime: 0 days 0:00:30.493
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, fffffa800942bb50, fffffa800942bc10, c0c0001}

*** WARNING: Unable to verify timestamp for MacHALDriver.sys
*** ERROR: Module load completed but symbols could not be loaded for MacHALDriver.sys
Probably caused by : MacHALDriver.sys ( MacHALDriver+1714 )

Followup: MachineOwner

0: kd> !analyze -v
* *
* Bugcheck Analysis *
* *

The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: fffffa800942bb50, The pool entry we were looking for within the page.
Arg3: fffffa800942bc10, The next pool entry.
Arg4: 000000000c0c0001, (reserved)

Debugging Details:


POOL_ADDRESS: GetPointerFromAddress: unable to read from fffff803dffce168
GetUlongFromAddress: unable to read from fffff803dffce1f8
fffffa800942bb50 Nonpaged pool

PROCESS_NAME: Bootcamp.exe
IRP_ADDRESS: ffffffffffffff89
LAST_CONTROL_TRANSFER: from fffff803dfee8b95 to fffff803dfcf3340

fffff8800a1db8f8 fffff803dfee8b95 : 0000000000000019 0000000000000020 fffffa800942bb50 fffffa800942bc10 : nt!KeBugCheckEx
fffff8800a1db900 fffff803dfd2c229 : fffffa800942bb60 fffffa80095f9640 0000000000000001 0000000020206f49 : nt!ExFreePool+0xad3
fffff8800a1db9e0 fffff803dfd2a8ea : 0000000000000001 fffff8800a1dbaf0 0035003700000000 fffff8a002e9a2e0 : nt!IopCompleteRequest+0x79
fffff8800a1dbab0 fffff88008d39714 : 0000000000000000 00000000c0000000 fffffa800942bb80 000000009c402484 : nt!IopfCompleteRequest+0xa5a
fffff8800a1dbb90 0000000000000000 : 00000000c0000000 fffffa800942bb80 000000009c402484 0000000000000000 : MacHALDriver+0x1714


fffff880`08d39714 ?? ???

SYMBOL_NAME: MacHALDriver+1714
IMAGE_NAME: MacHALDriver.sys
FAILURE_BUCKET_ID: 0x19_20_MacHALDriver+1714
BUCKET_ID: 0x19_20_MacHALDriver+1714

Followup: MachineOwner

Update: The only way to fix these crashes was to uninstall the Boot Camp Services package from Windows. Unfortunately, that leaves the keyboard-backlighting inoperable, and probably some other stuff I can’t see, like processor throttling/idling (the Mac feels warmer during normal use now). Also, the weird thing about the crashes when they were happening was that they were inconsistent/nondeterministic, sometimes I’d get a blue screen right after logging in, and sometimes the system would run solid for hours until I had the misfortune of surreptitiously POKEing the wrong memory-mapped hardware address by trying to change the backlight levels or whatever.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.