top | item 41021626


blirio | 1 year ago

So is unmapped address another way of saying null pointer?


leeter | 1 year ago

No, this is kernelspace, and so while all addresses are 'virtual', an unmapped address is an address that hasn't been mapped in the page tables. Normally critical kernel drivers and data are marked as non-pageable (note: the Linux kernel doesn't page, the NT kernel does, a legacy of when it was first written and the memory constraints of the time). So if a driver needs to access pageable data it must not be part of the storage flow (and Crowdstrike is almost certainly part of it), and at the correct IRQL (the interrupt priority level; anything above dispatch, AKA the scheduler, has severe restraints on what can happen there).

So no, an unmapped address is a completely different BSOD, usually PAGE_FAULT_IN_UNPAGED_AREA, which is a very bad sign.

jkrejcha | 1 year ago

PAGE_FAULT_IN_NONPAGED_AREA[1]... was the BSOD that occurred in this case. That's basically the first sign that it was a bad pointer dereference in the first place.

(DRIVER_)IRQL_NOT_LESS_OR_EQUAL[2][3] is not this case, but it's probably one of the most common reasons drivers crash the system generally. Like you said it's basically attempting to access pageable memory at a time that paging isn't allowed (i.e. when at DISPATCH_LEVEL or higher).

[1]: https://learn.microsoft.com/en-us/windows-hardware/drivers/d...

[2]: https://learn.microsoft.com/en-us/windows-hardware/drivers/d...

[3]: https://learn.microsoft.com/en-us/windows-hardware/drivers/d...
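A toy model of the distinction the two comments above draw between the two bug checks, added here as an illustration and not code from either commenter: the page-table contents, the addresses and the IRQL numbering are constructed, and the real fault path is far more involved than this.

```python
"""Constructed model: how a bad kernel memory access is classified.

Page 0 is deliberately absent from the page table, so a NULL dereference is
just one instance of an unmapped address; any other junk pointer that misses
the page table is reported the same way."""
from dataclasses import dataclass
from typing import Dict

PAGE_SHIFT = 12
PASSIVE_LEVEL, APC_LEVEL, DISPATCH_LEVEL = 0, 1, 2   # simplified IRQL ladder


@dataclass
class Pte:
    pfn: int          # physical frame number
    present: bool     # currently resident in RAM
    pageable: bool    # allocated from paged pool (may be evicted)


# Constructed page table: virtual page number -> PTE (addresses are made up).
PAGE_TABLE: Dict[int, Pte] = {
    0xFFFFF80000001: Pte(pfn=0x1A0, present=True,  pageable=False),  # nonpaged driver code
    0xFFFFF80000002: Pte(pfn=0x1A1, present=False, pageable=True),   # paged pool, swapped out
    0xFFFFF80000003: Pte(pfn=0x1A2, present=True,  pageable=True),   # paged pool, resident
}


def classify_access(vaddr: int, irql: int) -> str:
    """Return 'OK' or the name of the bug check this access would trigger."""
    pte = PAGE_TABLE.get(vaddr >> PAGE_SHIFT)
    if pte is not None and pte.present:
        return "OK"                      # no fault is taken at any IRQL
    # A page fault is taken. At DISPATCH_LEVEL or above the fault handler
    # may not run the pager, so it bug checks whatever the cause of the fault.
    if irql >= DISPATCH_LEVEL:
        return "IRQL_NOT_LESS_OR_EQUAL"
    if pte is None:
        # Nothing to page in: the pointer never pointed at anything valid.
        return "PAGE_FAULT_IN_NONPAGED_AREA"
    return "OK"                          # pageable data faulted back in


if __name__ == "__main__":
    for vaddr, irql in [(0x0, PASSIVE_LEVEL), (0x9C, PASSIVE_LEVEL),
                        (0xFFFFF80000002040, PASSIVE_LEVEL),
                        (0xFFFFF80000002040, DISPATCH_LEVEL)]:
        print(hex(vaddr), irql, classify_access(vaddr, irql))
```

Note that the model deliberately reports the 0x9C access (a field read through a NULL struct pointer) identically to address 0: the kernel sees an unmapped page either way, which is why the crash dump alone cannot say the pointer was "null" rather than merely invalid.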

loeg | 1 year ago

No; lots of virtual addresses are not mapped. Null is a subset of all unmapped addresses.

two_handfuls | 1 year ago

It’s an invalid pointer yes, but it doesn’t say whether it’s null specifically.

blirio | 1 year ago

Oh wait, I just remembered null is normally 0 in C and C++. So probably not that if it is not 0.