0 Replies Latest reply on Aug 7, 2017 2:53 PM by olegas22

    Heap corruption impacting fcag.exe

    olegas22

      Hello,

       

      While debugging an unrelated problem, I've encountered a heap corruption impacting McAfee DLP (fcag.exe). See the exception information below.  Has anyone else experienced it?

       

      *******************************************************************************
      *                                                                             *
      *                        Exception Analysis                                   *
      *                                                                             *
      *******************************************************************************

       

       

      *** ERROR: Module load completed but symbols could not be loaded for fcag.exe

       

       

      FAULTING_IP:

      ntdll!RtlReportCriticalFailure+2f

      0033:00000000`77d1f3af cc              int     3

       

       

      EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)

      .exr 0xffffffffffffffff

      ExceptionAddress: 0000000077d1f3af (ntdll!RtlReportCriticalFailure+0x000000000000002f)

         ExceptionCode: 80000003 (Break instruction exception)

        ExceptionFlags: 00000000

      NumberParameters: 1

         Parameter[0]: 0000000000000000

       

       

      CONTEXT:  0000000000000000 -- (.cxr 0x0;r)

      .cxr 0x0;r

      rax=0000000000000000 rbx=00000000c0000374 rcx=000077dd42bd0000

      rdx=000000000000fffd rsi=0000000000000000 rdi=0000000077d98430

      rip=0000000077d1f3af rsp=0000000003a4d5d0 rbp=000000000a2d7460

      r8=0000000000000065  r9=0000000000000000 r10=0000000000000000

      r11=0000000003a4d160 r12=0000000000000008 r13=0000000000000000

      r14=0000000000000000 r15=0000000000000000

      iopl=0         nv up ei pl nz na pe nc

      cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202

      ntdll!RtlReportCriticalFailure+0x2f:

      0033:00000000`77d1f3af cc              int     3

      .cxr

       

       

      ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

       

       

      EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

       

       

      EXCEPTION_PARAMETER1:  0000000000000000

       

       

      NTGLOBALFLAG:  82400

       

       

      APP:  fcag.exe

       

       

      ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

       

       

      LAST_CONTROL_TRANSFER:  from 0000000077d1f9c6 to 0000000077d1f3af

       

       

      FAULTING_THREAD:  ffffffffffffffff

       

       

      BUGCHECK_STR:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

       

       

      PRIMARY_PROBLEM_CLASS:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

       

       

      DEFAULT_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

       

       

      STACK_TEXT: 

      00000000`77d98498 00000000`77cbd21c ntdll!RtlFreeHeap+0x72

      00000000`77d984a0 00000000`77a61a0a kernel32!HeapFree+0xa

      00000000`77d984a8 00000001`40071600 fcag+0x7c1600

      00000000`77d984b0 00000001`3fa2277c fcag+0x17277c

      00000000`77d984b8 00000001`40035898 fcag+0x785898

      00000000`77d984c0 00000001`40036403 fcag+0x786403

      00000000`77d984c8 00000001`400351d3 fcag+0x7851d3

      00000000`77d984d0 00000001`400356b3 fcag+0x7856b3

      00000000`77d984d8 00000001`400394d1 fcag+0x7894d1

      00000000`77d984e0 00000001`400584a7 fcag+0x7a84a7

      00000000`77d984e8 00000001`40058591 fcag+0x7a8591

      00000000`77d984f0 00000001`4004d346 fcag+0x79d346

      00000000`77d984f8 00000001`4007a68f fcag+0x7ca68f

      00000000`77d98500 00000001`4007a723 fcag+0x7ca723

      00000000`77d98508 00000000`77a559cd kernel32!BaseThreadInitThunk+0xd

      00000000`77d98510 00000000`77c8a561 ntdll!RtlUserThreadStart+0x1d

       

       

       

       

      FOLLOWUP_IP:

      fcag+7c1600

      0033:00000001`40071600 85c0            test    eax,eax

       

       

      SYMBOL_STACK_INDEX:  2

       

       

      SYMBOL_NAME:  fcag+7c1600

       

       

      FOLLOWUP_NAME:  MachineOwner

       

       

      MODULE_NAME: fcag

       

       

      IMAGE_NAME:  fcag.exe

       

       

      DEBUG_FLR_IMAGE_TIMESTAMP:  5922acc9

       

       

      STACK_COMMAND:  dps 77d98498 ; kb

       

       

      FAILURE_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_80000003_fcag.exe!Unknown

       

       

      BUCKET_ID:  X64_APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_fcag+7c1600

       

       

      ANALYSIS_SOURCE:  KM

       

       

      FAILURE_ID_HASH_STRING:  km:actionable_heap_corruption_heap_failure_block_not_busy_80000003_fcag.exe!unknown

       

       

      FAILURE_ID_HASH:  {2bd8a4a5-436c-3343-0703-f3f2def14598}

       

       

      Followup: MachineOwner

      ---------

       

      Module information is below:

      2: kd> lmvm fcag

      start             end                 module name

      00000001`3f8b0000 00000001`408dd000   fcag       (no symbols)          

          Loaded symbol image file: fcag.exe

          Image path: C:\Program Files\McAfee\DLP\Agent\fcag.exe

          Image name: fcag.exe

          Timestamp:        Mon May 22 04:18:01 2017 (5922ACC9)

          CheckSum:         00FE9ED3

          ImageSize:        0102D000

          File version:     10.0.250.9

          Product version:  10.0.250.0

          File flags:       0 (Mask 17)

          File OS:          4 Unknown Win32

          File type:        7.0 Static library

          File date:        00000000.00000000

          Translations:     0409.04b0

          CompanyName:      McAfee, Inc.

          ProductName:      McAfee DLP Endpoint

          InternalName:     fcag.exe

          OriginalFilename: fcag.exe

          ProductVersion:   10.0.250

          FileVersion:      10.0.250.9

          FileDescription:  McAfee DLP Endpoint Agent

          LegalCopyright:   © 2016 McAfee, Inc. All rights reserved.

       

      I'm assuming McAfee will investigate it further.

       

      Thank you,

      Olegas