Understanding Bit Flips

I will not take all the credit for writing this tutorial about how to debug and understand potential flipped bits in CPU registers. I would to say thanks to Vir Gnarus for helping to understand this very important method.

Okay, let’s see with the tutorial, it took me a while to find the thread I used again, so be grateful 😉

CONTEXT: fffff880095630f0 — (.cxr 0xfffff880095630f0)
rax=fffffa800f5177c8 rbx=fffffa800f5177c0
rcx=f7fffa800f5177c8
rdx=fffffa800d01ebf0 rsi=00000000014a2e00 rdi=fffffa800f616640
rip=fffff800030c7ccb rsp=fffff88009563ad0 rbp=00000000014a2e70
r8=0000000000000000 r9=0000000000000000 r10=fffffa800cb045d0
r11=00000000001f0003 r12=fffff88002fd5180 r13=fffffa800f5177c8
r14=fffffa800f4e09d8 r15=fffffa800f5177c8
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!KiInsertQueue+0xab:
fffff800`030c7ccb 48894108 mov qword ptr [rcx+8],rax ds:002b:f7fffa80`0f5177d0=????????????????

As we can see from the above Context Switch, the register which the CPU was reading from has a 7 in the middle of it’s memory address. This is the flipped bit.

3: kd> .formats f7fffa800f5177c8
Evaluate expression:
Hex: f7fffa80`0f5177c8
Decimal: -576466799360378936
Octal: 1737777650001724273710
Binary: 11110111 11111111 11111010 10000000 00001111 01010001 01110111 11001000
Chars: …..Qw.
Time: ***** Invalid FILETIME
Float: low 1.03276e-029 high -1.03837e+034
Double: -1.05588e+270
   

3: kd> .formats fffffa800f5177c8
Evaluate expression:
Hex: fffffa80`0f5177c8
Decimal: -6047056955448
Octal: 1777777650001724273710
Binary: 11111111 11111111 11111010 10000000 00001111 01010001 01110111 11001000
Chars: …..Qw.
Time: ***** Invalid FILETIME
Float: low 1.03276e-029 high -1.#QNAN
Double: -1.#QNAN

Using the .formats command, we can gain the binary representation of the memory address contained within the CPU registers, and then compare these two binary instructions to give us a confirmation of a flipped bit. As you can see, the address with the random 7, has a 0 instead of a 1 in the beginning of it’s address, this indicates a flipped bit.

The crash resulted, because the corrupted memory addresses within the CPU registers were being accessed.  The usual causes for these bit flips can be a result of the CPU, PSU and motherboard. A large number of bits being changed, can be due to a the hard-drive or the RAM being at fault.

Advertisements

About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in Debugging. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s