No this is kernelspace, an so while all addresses are 'virtual' an unmapped address is an address that hasn't been mapped in the page tables. Normally critical kernel drivers and data are marked as non-pagable (note: The Linux Kernel doesn't page, NTKernel does a legacy of when it was first written and memory constraints of the time). So if a driver needs to access pagable data it must not be part of the storage flow (and Crowdstrike is almost certainly part of it), and at the correct IRQL (the Interrupt priority level, anything above dispatch, AKA the scheduler, has severe restraints on what can happen there).
So no an unmapped address is a completely different BSOD, usually PAGE_FAULT_IN_UNPAGED_AREA which is a very bad sign
PAGE_FAULT_IN_NONPAGED_AREA[1]... was the BSOD that occurred in this case. That's basically the first sign that it was a bad pointer dereference in the first place.
(DRIVER_)IRQL_NOT_LESS_OR_EQUAL[2][3] is not this case, but it's probably one of the most common reasons drivers crash the system generally. Like you said it's basically attempting to access pageable memory at a time that paging isn't allowed (i.e. when at DISPATCH_LEVEL or higher).
R8 is 0x9c in that example, which is somewhat typical for null+offset, but in the twitter thread it's 0xffff9c8e0000008a.
So the actual bug is further back. It's not a null pointer dereference, but it somehow results in the mov r8, [rax+r11*8] instruction reading random data (could be anything) into r8, which then gets used as a pointer.
As an example to illustrate the sibling comments’ explanations:
int *array = NULL
int position = 0x9C
int a = *(array[pos]) //equivalent to *(array + 0x9C) - dereferencing NULL+0x9C, which is just 0x9C
This will segfault (or equivalent) due to reading invalid memory at address 0x9C. Most people would call array[pos] a null pointer dereference casually, even though it’s actually a 0x9C pointer dereference, because there’s very little effective difference between them.
Now, whether this case was actually something like this (dereferencing some element of a null array pointer) or something like type confusion (value 0x9C was supposed to be loaded into an int, or char, or some other non-pointer type) isn’t clear to me. But I haven’t dug into it really, someone smarter than me could probably figure out which it is.
What we are witnessing quite starkly in this thread is that the majority of HN commenters are the kinds of people exposed to anti-woke/DEI culture warriors on Twitter.
0x9c (156 dec) is still a very small number, all things considered. To me that sounds like attempting to access an offset from null - for instance, using a null pointer to a struct type, and trying to access one of its member fields.
It is pretty common for null pointers to structures to have members dereferenced at small offsets, and people usually consider those null dereferences despite not literally being 0. (However, the assembly generated in this case does not match that access pattern, and in fact there was an explicit null check before the dereference.)
Such an invalid access of a very small address probably does result from a nullptr error:
struct BigObject {
char stuff[0x9c]; // random fields
int field;
}
BigObject* object = nullptr;
printf("%d", object->field);
That will result in "Attempt to read from address 0x9c". Just because it's not trying to read from literal address 0x0 doesn't mean it's not nullptr error.
In every real world implementation anyone cares about, it's zero. Also I believe it is defined to compare equal to zero in the standard, but don't quote me on that.
> Also I believe it is defined to compare equal to zero in the standard, but don't quote me on that.
That's true for the literal constant 0. For 0 in a variable it is not necessarily true. Basically when a literal 0 is assigned to a pointer or compared to a pointer the compiler takes that 0 to mean whatever bit pattern represents the null pointer on the target system.
What? If you have a null pointer to a class, and try to reference the member that starts 156 bytes from the start of the class, you’ll deference 0x9c (0 + 156)
