Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

- #52

Closed
koemeet opened this issue Mar 28, 2018 · 9 comments
Closed

- #52

koemeet opened this issue Mar 28, 2018 · 9 comments

Comments

@koemeet
Copy link

koemeet commented Mar 28, 2018
edited
Loading

@koemeet koemeet changed the title Unexpected KMODE trap (only on Win 10 CU) when writing guest CR3 in vmexit Unexpected KMODE trap (only on Win 10 CU) when switching to guest CR3 in vmexit Mar 28, 2018
@tandasat
Copy link
Owner

Does this reproduce where ever the code snippet is added to VM-exit handling code? VmmpHandleGdtrOrIdtrAccess already has the same code already and I believed it worked on Win10 CU.

@koemeet
Copy link
Author

koemeet commented Mar 29, 2018
edited
Loading

1 similar comment
@koemeet
Copy link
Author

koemeet commented Mar 29, 2018
edited
Loading

@tandasat
Copy link
Owner

I quickly looked into why it bug checked. I believe the code is hitting the rule #GP .. If an attempt is made to write a 1 to any reserved bit in CR3. described under MOV—Move to/from Control Registers. Changing lower 12bits of CR3 when the PCID Enable bit of CR4 is clear would meet that condition as PCID is disabled and those lower bits would be treated as reserved (or must be zero bits).

Try temporarily enable the PCID bit while changing CR3.

@koemeet
Copy link
Author

koemeet commented Mar 29, 2018
edited
Loading

1 similar comment
@koemeet
Copy link
Author

koemeet commented Mar 29, 2018
edited
Loading

tandasat added a commit that referenced this issue Apr 1, 2018
@tandasat
Fix #52; use kernel-mode CR3
97d6ccc
@tandasat
Copy link
Owner

tandasat commented Apr 1, 2018

The issue was that VmcsField::kGuestCr3 could store an user-mode CR3 (_KPROCESS::UserDirectoryTableBase) which could not be used in the kernel-mode when VM-exit occurred in the user-mode.

For example, if a process whose kernel address space is shadowed due to the Meltdown patch, its CR3 value does not map full kernel address space when it is running in the user-mode. When such a process triggers VM-exit from the user-mode (eg, via CPUID or SIDT), a processor stores the user-mode CR3 into kGuestCr3, instead of a kernel-mode CR3. If a VMM tries to load such value, it would be missing some critical kernel virtual address space and trigger exceptions causing the bug check.

To address this issue, you have to get the kernel CR3 in VM-exit handling code. I added VmmpGetKernelCr3 you can use for that work.

@koemeet
Copy link
Author

koemeet commented Apr 1, 2018
edited
Loading

@tandasat
Copy link
Owner

tandasat commented Apr 1, 2018

You are welcome 👍

@hzqst hzqst mentioned this issue Jun 11, 2018
Closed
@koemeet koemeet changed the title Unexpected KMODE trap (only on Win 10 CU) when switching to guest CR3 in vmexit - Mar 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@koemeet @tandasat