Nested-Virtualization - IA32_GS_BASE / IA32_KERNEL_GS_BASE remark


Background:
   Debugging with Nested-VMM hang issue when injecting nested #DB, and the infinite #PF occur, the system will be freeze.
 Phenomenon:

After Emulation of VMExit (L0 VMRESUME to L1), then causing VMExit Reason is 28 (CR access), and after that the Kernel GS Base is changed.
Try to intercept WRMSR and find the instruction which modify IA32_KERNEL_GS_BASE, therefore, as a follow screen capture: 0xFFFFF80002ADB369, which is in area of nt!SwapContext. Matched VMExit Reason
PS. Because I take this screen capture at different time, so that address is not the same… and above: 0xFFFFF80002ADB369, there is a 0Xfffff80002a9c369
Analyze:
-    Take a look at the red box in the following screen capture, the function will be directly execute WRMSR into a 0C0000102H (IA32_KERNEL_GS_BASE) MSR with actually qword ptr [r8+80h], r8 is an address of the current thread’s User Mode Scheduling Control Block (UMC_CONTROL_BLOCK), and the offset 80h which is corresponding current thread TEB (since RSI register is KTHREAD of current thread).

-      As a result, the 0C0000102H MSR register now stored TEB of current Thread or UMS TEB.


So, what is the problem?



Analyze:
-   User Mode INT 3 VMExit 
à  L0 Save Guest context (such as, GS base in 0C000101H MSR, usually are TEB) into VMCS12’s Guest GS Base for VMRESUME Emulation uses (Current GS Base MSR is TEB, so supposed Kernel GS Base is KPCR) 
à Emulated VMExit (L0 VMRESUME to L1's VMExit Handler, it is actually running in Guest Mode) 
à During L1's handling its VMExit, Context switch may occur, it WRMSR in IA32_KERNEL_GS_BASE with TEB 
à Finally, L1 executes VMRESUME and L0 start emulation, resume to L2 And fill the VMCS12’s Guest GS into current GS Base MSR, now Current GS Base is TEB, and Kernel GS Base is TEB  

Problem:
- If now Guest OS execute any function( such as , #DB event injection) which depend on SWAPGS , #DB (since user mode #DB need to SWAPGS, but ISR can’t correctly get KPCR) , #PF depend on SWAPGS too , infinite loop with #PF, System freeze.
The Whole process as following flow chart:

Root Cause:
     After Emulation of VMExit, IRQL is APC(until L1's VMM Exit Handler raise it up to DPC level), Thread switch is possible, others still could change the MSR register without exiting. Even it can exit, we still can’t stop it.
Solution:
      Therefore, we should ensure the kernel GS base MSR consistency after VMExit and before VMEntry.
source
       https://github.com/Kelvinhack/kHypervisor
Location: United States

Comments

Post a Comment

Popular posts from this blog

Android Kernel Development - Kernel compilation and Hello World

Image
Introduction Due to the lack of the material that clearly kick off the  android kernel development , hopefully it will gives the clearer  guide to develop your own android driver and debugging it. p.s. Due to the version differential, this article  is not ensure all of the Android Version , SDK version,  source  code , and   Emulator is compatible , however,  the door of   research is always opened,   just   feel   free   to contact me  and play together :P All the materials   are also  saved   in   the VM  ,   you can just directly leverage  the  existing VM Image for  development or  alternatively, as a research and studying, follow the following guide  to create your own workplace.  Android kernel didn't have dynamically insmod like the other linux, so this tutorial is trying to build a new Android Kernel and make test our kernel driver as well. Material Ubuntu 18.04.2 LTS  Android studio Android ndk-r10 Android SDK Goldfish v3.10 VMWare 15   
Read more

How does Nested-Virtualization works?

Image
What is Nested virtualization? ----------------------------------------------------------------------------------------------------- Nowadays, Software Security is becoming more important criteria in the industry, and in recent years, virtualization as a popular topic for protecting / attacking a software, however, most of the virtualization technology framework (bluepill-liked) is not provide an ability that let a guest virtualize one more layer, we called it "Nested Virtualization", level 2. Basic Virtual Machine Monitor Architecture ------------------------------------------------------------------------------------------------------ Figure[1] Host VMM trap any type of event which wants to monitor, such as, Interrupt, exception, privileged register access, one of this event is VMX instruction, after VMM loaded, VMM can always monitor a any one of the  VMX instructions, which provide a good chance for us. As following chart: Figure[2] VMM Life Cycle
Read more

Understanding ACPI and Device Tree

Image
This blog document and help to understand how ACPI works AML (ACPI Machine Language) AML is compiled binary that written in the ACPI Source Language (ASL) and it is interpreted binary that interpreted by AML interpreter during OS runtime. AML is provided by hardware manufacture and embedded in the firmware, it provides the entire device base hierarchy (all thing that equipped on your motherboard, and cannot be removed.) and function to OS that could interface the dedicated hardware, like PCI-ISA bridge or processor, controlling the power, turn on/off, etc. AML operated by different object type, and defined in definition block in firmware table (DSDT / SSDT) AML object type Scope String   Constant Package Control Method Device   ACPI Object  Naming Convention 1. All object names are 32 bits long. 2. The first byte of a name must be one of 'A' - 'Z', '_'. 3. Each of the remaining bytes of a name must be one of 'A' - 'Z', '0' - '
Read more