So here is what happened
It was a NULL pointer from the memory unsafe C++ language. Let's decode this stack trace dump, though I am not an expert C++ language programmer.
Let's start with the basic memory in your computer is laid out as one giant array of numbers. We represent these numbers here as hexadecimal, which is base 16 (hexadecimal) because it's easier to work with.
The problem here is that the computer tried to read memory address 0x9c (aka 156), which is an invalid region of memory for any program. So any program that tries to read from this region WILL IMMEDIATELY GET KILLED BY WINDOWS. That is what you see here with this stack dump. You might as what is stack dump ? Well stack dump (or thread dump) is a process in which it reveals information about an application's thread activity that can help you diagnose problems and better optimize application and JVM performance. DevOps usually use these techniques for RCA ( Root Cause Analysis) and can help fine tune the performance ( V12 Technologies can help you with Managed DevOps services)
So far this looks like a programmer error as there is no reason to read the memory address 0x9c. Crowdstrike is using C++ and use address 0x0 as a special value to mean "there's nothing here", don't try to access it or you'll die and programmers in C++ are supposed to check for this when they pass objects around by "checking full null". Usually you'll see something like this:
string* p = get_name(); if (p == NULL) { print("Could not get name"); }
The string* part means we have a "pointer" to the start of the string value. If it's null, then there's nothing there, don't try to access it.
So let's take a generic object with stuff in it:
struct Obj { int a; int b; };
if we create a pointer to it:
Obj* obj = new Obj();
We can get it's start address, let's say its something random like
0x9030=36912 (using small numbers)
Then the address of:
obj is 0x9030 obj->a is 0x9030 + 0x4 obj->b is 0x9030 + 0x8
Each member is an offset from the start address.
Now let's assume the following:
Obj* obj = NULL;
Then the address of:
obj is 0 obj->a is 0 + 4 obj->b is 0 + 8
So if I do this on a
NULL pointer: print(obj->a);
The program stack dump like what you'll see above. It will cannot read value 0x000000004
In this stack dump you see that it's trying to read memory value 0x9c. In human numbers, this is the value 156. So what happened is that the programmer forgot to check that the object it's working with isn't valid, it tried to access one of the objects member variables
NULL + 0x9C = 0x9C = 156.
That's an invalid region of memory. And what's bad about this is that this is a special program called a system driver, which has PRIVLIDGED access to the computer. So the operating system is forced to, out of an abundance of caution, crash immediately
This is what is causing the blue screen of death. A computer can recover from a crash in non-privileged code by simply terminating the program, but not a system driver. When your computer crashes, 95% of the time it's because it's a crash in the system drivers.
I am sure there are lots of question behind it , who is the famous programmer ? had the programmer done a check for NULL, or if they used modern tooling that checks these sorts of things, didn't they have automated testing ? etc... ?
Well, The damage has been done and there were a lot industries and people being affected, it's a learning but I would be very concerned if this happened again but keep an eye on the forced update by Crowdstrike. I would also like to point that updates are critical and should be dealt with extreme caution (for those who take it lightly).
---
If you are looking for Managed DevOps services, Managed Cloud services, Disaster Recovery Services and Cloud Migration Services, Please visit us at https://www.v12technologies.com for more details or email to vs@v12technologies.com
Credit: Thanks to Zach Vorhies for the analysis.
Source: https://lnkd.in/g5BZKx6G
Comments