Tuesday, October 30, 2007

Intel Turbo Memory Drivers BUG!

A few weeks ago I bought two Intel Turbo Memory (ITM) modules for my laptop, an Asus G2S-A1, installed them without any problems, and then downloaded the latest version (1.1.0.1010) of the ITM drivers. I tried to install them, and for a few minutes everything looked OK: the driver was successfully installed for the first 1Gb ITM module, and then Windows tried to install drivers for the second ITM module (also 1Gb). I was very angry when I figured out that the drivers were NOT designed to work with two installed ITM modules simultaneously. So here is how I figured it out. I started the analysis from the crash dump (it can be found at c:\Windows\Minidump\Mini%DATE%-%CrashDumpNumber%.dmp; in my case it was Mini101807-01.dmp), so I opened my dump with WinDbg (it can be downloaded from the Microsoft web site, it’s free :)

And here is what I found there: the driver (Probably caused by : iaNvStor.sys ( iaNvStor+44e7 )) tried to access unavailable memory, and a memory access violation exception occurred at address iaNvStor+44e7: BugCheck 1000007E, {c0000005, a6b494e7, 830e3830, 830e352c}

Here is the detailed crash dump log:

FAULTING_MODULE: 81c00000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 46929a5f

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:

iaNvStor+44e7

a6b494e7 8b8664010000 mov eax,dword ptr [esi+164h]

EXCEPTION_RECORD: 830e3830 -- (.exr 0xffffffff830e3830)

ExceptionAddress: a6b494e7 (iaNvStor+0x000044e7)

ExceptionCode: c0000005 (Access violation)

ExceptionFlags: 00000000

NumberParameters: 2

Parameter[0]: 00000000

Parameter[1]: 00000164

Attempt to read from address 00000164

CONTEXT: 830e352c -- (.cxr 0xffffffff830e352c)

eax=c0000035 ebx=00000000 ecx=0000bb40 edx=85065d00 esi=00000000 edi=c0000035

eip=a6b494e7 esp=830e38f8 ebp=000026b8 iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286

iaNvStor+0x44e7:

a6b494e7 8b8664010000 mov eax,dword ptr [esi+164h] ds:0023:00000164=????????

Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from 81c849f3 to a6b494e7

STACK_TEXT:

WARNING: Stack unwind information not available. Following frames may be wrong.

830e38f4 81c849f3 af7ef008 854705a8 8579d001 iaNvStor+0x44e7

830e38f8 af7ef008 854705a8 8579d001 00000000 nt+0x849f3

830e38fc 854705a8 8579d001 00000000 00000f98 0xaf7ef008

830e3900 8579d001 00000000 00000f98 af7ef008 0x854705a8

830e3904 00000000 00000f98 af7ef008 830e39b8 0x8579d001

FOLLOWUP_IP:

iaNvStor+44e7

a6b494e7 8b8664010000 mov eax,dword ptr [esi+164h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: iaNvStor+44e7

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: iaNvStor

IMAGE_NAME: iaNvStor.sys

STACK_COMMAND: .cxr 0xffffffff830e352c ; kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner


So two registers (EAX and EDI) contain the kernel status code 0xC0000035. Such codes are returned by Native APIs, so I searched the WDK (Windows Driver Kit): this code means “STATUS_OBJECT_NAME_COLLISION”. Then I understood that the driver is trying to create or register a device with the same name, and it looks like the Intel developers didn’t handle this in the driver. But it was only my theory, so I disassembled the driver and checked my theory.

As we can see in the screenshot, the driver tries to register the device in the system and set some device state, and moves the result code to the EDI register; that explains why we got that error code in the EAX and EDI registers.



The weird thing is why the ESI register is zero when we got that error, since ESI was not used anywhere in the driver code, and there is a rule that the EBX, EDI, ESI and EBP registers shouldn’t be changed when we call an API.
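
The register reasoning above can be automated when triaging dumps like this one. The following is an added example, not the author's or Intel's code: it parses the CONTEXT registers and the faulting instruction, recomputes the effective address, and looks for the two NTSTATUS values named on this page. The function names, the status table and the 64 KB null-region threshold are assumptions of this example.

```python
import re

# Constructed sample: register lines and faulting instruction copied from
# the CONTEXT section of the crash dump log on this page.
DUMP = """\
eax=c0000035 ebx=00000000 ecx=0000bb40 edx=85065d00 esi=00000000 edi=c0000035
eip=a6b494e7 esp=830e38f8 ebp=000026b8 iopl=0 nv up ei ng nz na pe nc
a6b494e7 8b8664010000 mov eax,dword ptr [esi+164h] ds:0023:00000164=????????
"""

# Only the two status values named on this page (assumed table, extend as needed).
KNOWN_STATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000035: "STATUS_OBJECT_NAME_COLLISION",
}
GPRS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp")
NULL_REGION = 0x10000  # assumption: lowest 64 KB is never mapped on Windows

def parse_registers(text):
    """Return {name: value} for every 32-bit 'reg=hex' pair in the text."""
    pairs = re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)
    return {name: int(value, 16) for name, value in pairs}

def parse_memory_operand(text):
    """Return (base register, displacement) of the first [reg+NNh] operand."""
    m = re.search(r"\[(e[a-z]{2})\+([0-9a-f]+)h\]", text)
    return (m.group(1), int(m.group(2), 16)) if m else None

def triage(text):
    """Flag a NULL-based structure access and NTSTATUS errors left in registers."""
    regs, findings = parse_registers(text), []
    operand = parse_memory_operand(text)
    if operand and operand[0] in regs:
        base, disp = operand
        addr = (regs[base] + disp) & 0xFFFFFFFF
        if regs[base] == 0 and addr < NULL_REGION:
            findings.append(f"NULL base: {base}=0, access at 0x{addr:08x} is field offset 0x{disp:x}")
    for name in GPRS:
        value = regs.get(name, 0)
        # NTSTATUS bits 31-30 are the severity (0b11 = error). Kernel pointers
        # can have the same bits set, so only values in the table are reported.
        if value >> 30 == 0b11 and value in KNOWN_STATUS:
            findings.append(f"{name} holds {KNOWN_STATUS[value]} (0x{value:08x})")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(DUMP)))
```

On the dump from this page it reports the NULL-based read at offset 0x164 and the collision status sitting in EAX and EDI, which is the pattern of an error return followed by use of an object pointer that was never set.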



I have already reported this bug, so let’s hope Intel will fix this issue and release a driver update for it. Otherwise they should at least mention on their site that you can’t install more than one ITM module.

I hope you liked my post; sorry if something is unclear, English isn’t my native language :)

With best regards,

int0.