Direct From The Source

Understanding Kernel Stack Overflows

Omer Amin, Escalation Engineer

Microsoft Global Escalation Services Team

Kernel stack overflows are a common error in many cases reported to us by customers. These are caused by drivers taking up too much space on the kernel stack. This results in a kernel stack overflow, which will then crash the system with one of the following bugchecks:

■ STOP 0x7F: UNEXPECTED_KERNEL_MODE_TRAP with parameter 1 set to EXCEPTION_DOUBLE_FAULT, which is caused by running off the end of a kernel stack.

■ STOP 0x1E: KMODE_EXCEPTION_NOT_HANDLED, 0x7E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED, or 0x8E: KERNEL_MODE_EXCEPTION_NOT_HANDLED, with an exception code of STATUS_ACCESS_VIOLATION, which indicates a memory access violation.

■ STOP 0x2B: PANIC_STACK_SWITCH, which usually occurs when a kernel-mode driver uses too much stack space.

Each thread in the system is allocated with a kernel mode stack. Code running on any kernel-mode thread (whether it is a system thread or a thread created by a driver) uses that thread's kernel-mode stack unless the code is a deferred procedure call (DPC), in which case it uses the processor's DPC stack on certain platforms.

The stack grows negatively. This means that the beginning (bottom) of the stack has a higher address than the end (top) of the stack. For example, let's say the beginning of your stack is 0x80f1000, and this is where your stack pointer (ESP) is pointing. If you push a DWORD value onto the stack, its address would be 0x80f0ffc. The next DWORD value would be stored at 0x80f0ff8 and so on up to the limit (top) of the allocated stack. The top of the stack is bordered by a guard page to detect overruns.

The size of the kernel-mode stack varies among different hardware platforms. For example, on 32-bit platforms, the kernel-mode stack is 12 KB, and on 64-bit platforms, the kernel-mode stack is 24 KB. The stack sizes are hard limits that are imposed by the system, and all drivers need to use space conservatively so that they can coexist. When we reach the top of the stack, one more push instruction is going to cause an exception, which in turn can lead to a Stop error. This could be either a simple push instruction or something along the lines of a call instruction that also pushes the return address onto the stack.
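As an added illustration (not part of the article, and user-mode code rather than a driver), the following C program checks the downward growth direction described above and measures how much stack a chain of nested calls actually consumes, return addresses and frame overhead included, then relates that to the 12 KB x86 kernel stack size; the 1 KB per-frame local buffer is an assumed value standing in for a driver's local arrays.

```c
#include <stddef.h>
#include <stdint.h>

#define KSTACK_X86 (12 * 1024)   /* kernel stack sizes stated in the article */
#define KSTACK_X64 (24 * 1024)
#define FRAME_BUFFER 1024        /* locals per simulated driver frame (assumed value) */

/* True when a callee's local lies below the caller's: the stack grows "negatively". */
static __attribute__((noinline)) int callee_is_lower(const volatile char *caller_local)
{
    volatile char mine = 0;
    return (uintptr_t)&mine < (uintptr_t)caller_local;
}

int stack_grows_down(void)
{
    volatile char outer = 0;
    return callee_is_lower(&outer);
}

/* Nests `depth` calls, each keeping FRAME_BUFFER bytes of locals, and returns the
 * distance from `marker` (a local above the chain) to the deepest frame's buffer. */
static __attribute__((noinline)) size_t chain(unsigned depth, uintptr_t marker)
{
    volatile char buf[FRAME_BUFFER];
    buf[0] = (char)depth;                /* touch it so the compiler keeps the buffer */
    size_t used = (size_t)(marker - (uintptr_t)&buf[0]);
    if (depth > 1) {
        size_t deeper = chain(depth - 1, marker);
        return deeper > used ? deeper : used;
    }
    return used;
}

size_t measure_chain_usage(unsigned depth)
{
    volatile char marker = 0;            /* sits above every frame of the chain */
    return chain(depth, (uintptr_t)&marker);
}

/* A chain needing `bytes` on a `limit`-byte stack has pushed into the guard page. */
int would_overflow(size_t bytes, size_t limit) { return bytes >= limit; }

/* Frames of this shape that fit in `limit` bytes, from the measured cost of one frame. */
unsigned max_safe_depth(size_t limit)
{
    size_t per_frame = measure_chain_usage(2) - measure_chain_usage(1);
    return per_frame ? (unsigned)(limit / per_frame) : 0;
}
```

The measured per-frame cost is larger than the 1 KB buffer alone because each call also pushes its return address and saved registers, which is why a driver's deepest call path, not just its largest local, decides whether it fits in the 12 KB or 24 KB budget.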
