7 Replies Latest reply on Mar 8, 2016 10:06 AM by anandchoubey

    BSOD with McAfee Endpoint security

    anandchoubey

      Hi,


      We are facing a BSOD with McAfee if GTI is enabled in the McAfee Endpoint Security firewall. If GTI is disabled and any firewall rule is set, like block/allow ports, then the issue is not observed.

      As soon as Chrome is started, the crash occurs. I believe the issue is during UDP packet processing, as Chrome sends QUIC protocol UDP packets; otherwise things work fine.


      Product: McAfee Endpoint Security version 10.1.0, firewall component version 10.1.0.

      McAfee driver name is mfewfpk.sys

      Timestamp:        Wed Nov 18 21:55:32 2015 (564CA67C)

      Netskope driver name is: stadrv6x64.sys


      Crash stack is:

      # Child-SP          RetAddr           Call Site
      00 ffffd000`2bdcf0d8 fffff800`2b04ecf1 nt!KeBugCheckEx
      01 ffffd000`2bdcf0e0 fffff801`ece04a20 nt!ExFreePool+0x1d1
      02 ffffd000`2bdcf1c0 fffff801`ed0f1ed2 NETIO! ?? ::FNODOBFM::`string'+0x9bb0
      03 ffffd000`2bdcf210 fffff801`ed0e1c2e fwpkclnt!FwppFreeDeepCloneNetBufferList+0x22
      04 ffffd000`2bdcf240 fffff801`f20d2130 fwpkclnt!FwpsFreeCloneNetBufferList0+0x1ce
      05 ffffd000`2bdcf280 fffff801`f20cd031 stadrv6x64!FreePendedPacket+0x40
      06 ffffd000`2bdcf2b0 fffff801`f20cc567 stadrv6x64!ProcessOutboundPkt+0x2c9
      07 ffffd000`2bdcf350 fffff801`ecddf28d stadrv6x64!InspectTxTcpClassify+0x273
      08 ffffd000`2bdcf3b0 fffff801`ecdde060 NETIO!ProcessCallout+0x77d
      09 ffffd000`2bdcf520 fffff801`ecddcc0f NETIO!ArbitrateAndEnforce+0x4a0
      0a ffffd000`2bdcf710 fffff801`ecfb29a9 NETIO!KfdClassify+0x32f
      0b ffffd000`2bdcfb60 fffff801`ecf4858e tcpip!ProcessOutboundTransportLayerClassify+0x859
      0c ffffd000`2bdcfc90 fffff801`eceb9994 tcpip! ?? ::FNODOBFM::`string'+0x615e
      0d ffffd000`2bdcffb0 fffff801`eceb7e58 tcpip!IppInspectLocalDatagramsOut+0xf64
      0e ffffd000`2bdd02c0 fffff801`ecfd1eee tcpip!IppSendDatagramsCommon+0x408
      0f ffffd000`2bdd04c0 fffff801`ed0f4f30 tcpip!IppInspectInjectTlSend+0x16e
      10 ffffd000`2bdd05f0 fffff800`2ae2e6f5 fwpkclnt!FwppInjectionStackCallout+0xa0
      11 ffffd000`2bdd0680 fffff801`ed0f6886 nt!KeExpandKernelStackAndCalloutInternal+0x85
      12 ffffd000`2bdd06d0 fffff801`ed0f4e4e fwpkclnt!NetioExpandKernelStackAndCallout+0x52
      13 ffffd000`2bdd0710 fffff801`ed0f6553 fwpkclnt!FwppInjectTransportSendAsync+0x552
      14 ffffd000`2bdd0910 fffff801`ed190b12 fwpkclnt!FwpsInjectTransportSendAsync0+0x63
      15 ffffd000`2bdd0980 fffff800`2aea3870 mfewfpk+0x10b12
      16 ffffd000`2bdd0a10 fffff800`2ae6e6a9 nt!IopProcessWorkItem+0xf0
      17 ffffd000`2bdd0a80 fffff800`2af005a5 nt!ExpWorkerThread+0xe9
      18 ffffd000`2bdd0b10 fffff800`2af64626 nt!PspSystemThreadStartup+0x41
      19 ffffd000`2bdd0b60 00000000`00000000 nt!KiStartSystemThread+0x16

      Detailed analysis:

      My further analysis shows that the McAfee driver (mfewfpk) makes a clone of the UDP packet and, if GTI is enabled, later forwards this UDP packet in a different thread (i.e. out-of-band processing). The forwarded UDP packet does not have space left for IP header formation. The Netskope driver (stadrv6x64) makes a clone of the incoming net buffer; the Netskope driver assumes IP header space is already available, so it retreats the cloned net buffer for IP header formation. Since there is no space left for the IP header, the retreat process corrupts the cloned net buffer; therefore FwpsFreeCloneNetBufferList0 leads to a crash while releasing the cloned buffer. It looks like the same issue is not observed with TCP packets.

      This analysis shows the issue is in McAfee, as it does not form the UDP packet correctly.


      Please help me resolve this issue.


      Regards,

      Anand
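An added example, not part of the post and not code from McAfee or Netskope: a hypothetical user-mode C model of the "retreat for IP header" step the analysis above describes. It stands in for a NET_BUFFER with a backfill region and shows the check a filter needs before retreating, so a clone that arrives with no header space is rejected instead of having its data start moved outside the allocation. The struct, field names and payload bytes are constructed for the model, not the NDIS/WFP API.

```c
/* Hypothetical user-mode model of the "retreat for IP header" step the post
 * describes; constructed for illustration, not the NDIS/WFP API and not code
 * from mfewfpk.sys or stadrv6x64.sys. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IPV4_HEADER_LEN 20

/* Stand-in for a NET_BUFFER: the payload starts data_offset bytes into one
 * backing allocation; the bytes before it are the backfill a filter may claim
 * when it prepends a header. */
typedef struct {
    uint8_t *base;
    size_t capacity, data_offset, data_length;
} model_nb;

/* Checked retreat: move the data start back by hdr_len only if that much
 * backfill exists, then copy the header in. Returns false and leaves the
 * buffer untouched when the clone has no header space (the state the post
 * attributes to the out-of-band UDP clone); an unchecked retreat would put
 * the header before base, outside the allocation. */
static bool model_prepend_header(model_nb *nb, const uint8_t *hdr, size_t hdr_len) {
    if (nb->data_offset < hdr_len) return false;
    nb->data_offset -= hdr_len;
    nb->data_length += hdr_len;
    memcpy(nb->base + nb->data_offset, hdr, hdr_len);
    return true;
}

/* Build a clone with `backfill` bytes of header space, then try to prepend an
 * IPv4-sized header; returns whether the prepend was accepted and consistent. */
static bool model_try_prepend(size_t backfill) {
    static const uint8_t payload[] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
    static const uint8_t ipv4_hdr[IPV4_HEADER_LEN] = { 0x45 };   /* constructed */
    uint8_t storage[64] = { 0 };
    if (backfill + sizeof payload > sizeof storage) return false;
    model_nb nb = { storage, backfill + sizeof payload, backfill, sizeof payload };
    memcpy(storage + backfill, payload, sizeof payload);
    return model_prepend_header(&nb, ipv4_hdr, IPV4_HEADER_LEN)
        && nb.base[nb.data_offset] == 0x45
        && nb.data_offset + nb.data_length == nb.capacity;
}
```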