Win8 Blue Screen DRIVER_OVERRAN_STACK_BUFFER

Hi,

The attached DMP file is of the DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) bug check.

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

0: kd> k
Child-SP          RetAddr           Call Site
fffff803`34b9b308 fffff803`35c5d769 nt!KeBugCheckEx
fffff803`34b9b310 fffff803`35c5bfe0 nt!KiBugCheckDispatch+0x69
fffff803`34b9b450 fffff880`024c719f nt!KiPageFault+0x260
fffff803`34b9b5e0 fffff880`0248253d tcpip!IppFragmentPackets+0x55f
fffff803`34b9b740 fffff880`0248395e tcpip!IppDispatchSendPacketHelper+0x9d
fffff803`34b9b860 fffff880`02490b4a tcpip!IppPacketizeDatagrams+0x2ce
fffff803`34b9b980 fffff880`024bbdca tcpip!IppSendDatagramsCommon+0x6ca
fffff803`34b9bb40 fffff880`0246db45 tcpip!TcpTcbHeaderSend+0x7b2
fffff803`34b9bdc0 fffff880`02498764 tcpip!TcpTcbCarefulDatagram+0xe05
fffff803`34b9bff0 fffff880`02497580 tcpip!TcpTcbReceive+0x474
fffff803`34b9c150 fffff880`02498c71 tcpip!TcpMatchReceive+0x1f0
fffff803`34b9c2c0 fffff880`02496b57 tcpip!TcpPreValidatedReceive+0x381
fffff803`34b9c3a0 fffff880`024b8dba tcpip!IpFlcReceivePreValidatedPackets+0x5e7
fffff803`34b9c540 fffff803`35cb3a06 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xda
fffff803`34b9c640 fffff803`35cb6465 nt!KeExpandKernelStackAndCalloutInternal+0xe6
fffff803`34b9c740 fffff880`024b8eee nt!KeExpandKernelStackAndCalloutEx+0x25
fffff803`34b9c780 fffff880`020bbb06 tcpip!FlReceiveNetBufferListChain+0xae
fffff803`34b9c800 fffff880`020bb560 ndis!ndisMIndicateNetBufferListsToOpen+0x126
fffff803`34b9c8b0 fffff880`020bb843 ndis!ndisInvokeNextReceiveHandler+0x650
fffff803`34b9c980 fffff880`056338d4 ndis!NdisMIndicateReceiveNetBufferLists+0xd3
fffff803`34b9ca30 fffffa80`05c26b00 e1c63x64+0x268d4
fffff803`34b9ca38 fffffa80`08ddf000 0xfffffa80`05c26b00
fffff803`34b9ca40 fffffa80`08d061a0 0xfffffa80`08ddf000
fffff803`34b9ca48 fffffa80`05c26c20 0xfffffa80`08d061a0
fffff803`34b9ca50 fffffa80`00000801 0xfffffa80`05c26c20
fffff803`34b9ca58 00000000`00000000 0xfffffa80`00000801

DRIVER_OVERRAN_STACK_BUFFER (F7)

This indicates that a driver has overrun a stack-based buffer.

A driver overran a stack-based buffer (or local variable) in a way that would have overwritten the function's return address and jumped back to an arbitrary address when the function returned.

1: kd> k
Child-SP          RetAddr           Call Site
fffff880`0ab8c328 fffff800`5ee36d66 nt!KeBugCheckEx
fffff880`0ab8c330 fffff800`5ee36deb hal!_report_gsfailure+0x26
fffff880`0ab8c370 fffff800`5ef3253d hal!_GSHandlerCheck+0x13
fffff880`0ab8c3a0 fffff800`5ef5a404 nt!RtlpExecuteHandlerForException+0xd
fffff880`0ab8c3d0 fffff800`5ef34296 nt!RtlDispatchException+0x458
fffff880`0ab8cae0 fffff800`5eec5842 nt!KiDispatchException+0x455
fffff880`0ab8d1a0 fffff800`5eec359f nt!KiExceptionDispatch+0xc2
fffff880`0ab8d380 fffff880`0259923f nt!KiInvalidOpcodeFault+0x11f
fffff880`0ab8d518 00000000`00000011 tcpip!IppFragmentPackets+0x5ff
fffff880`0ab8d678 fffff800`5ee262a1 0x11
fffff880`0ab8d680 00000000`00000000 hal!HalpApicRequestInterrupt+0x1e5

tcpip.sys is mentioned in the stack and calls into KiInvalidOpcodeFault.

ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (FC)

This indicates that an attempt was made to execute non-executable memory.

----------------------

Remove and replace Kaspersky with Windows 8's built-in Windows Defender for temporary troubleshooting purposes as it's causing NETBIOS conflicts:

Kaspersky removal - http://support.kaspersky.com/common/service.aspx?el=1464

Windows Defender (how to turn on after removal) - http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html

Regards,

Patrick