Nested-Virtualization - IA32_GS_BASE / IA32_KERNEL_GS_BASE remark


Background:
   Debugging with Nested-VMM hang issue when injecting nested #DB, and the infinite #PF occur, the system will be freeze.
 Phenomenon:

After Emulation of VMExit (L0 VMRESUME to L1), then causing VMExit Reason is 28 (CR access), and after that the Kernel GS Base is changed.
Try to intercept WRMSR and find the instruction which modify IA32_KERNEL_GS_BASE, therefore, as a follow screen capture: 0xFFFFF80002ADB369, which is in area of nt!SwapContext. Matched VMExit Reason
PS. Because I take this screen capture at different time, so that address is not the same… and above: 0xFFFFF80002ADB369, there is a 0Xfffff80002a9c369
Analyze:
-    Take a look at the red box in the following screen capture, the function will be directly execute WRMSR into a 0C0000102H (IA32_KERNEL_GS_BASE) MSR with actually qword ptr [r8+80h], r8 is an address of the current thread’s User Mode Scheduling Control Block (UMC_CONTROL_BLOCK), and the offset 80h which is corresponding current thread TEB (since RSI register is KTHREAD of current thread).

-      As a result, the 0C0000102H MSR register now stored TEB of current Thread or UMS TEB.


So, what is the problem?



Analyze:
-   User Mode INT 3 VMExit 
à  L0 Save Guest context (such as, GS base in 0C000101H MSR, usually are TEB) into VMCS12’s Guest GS Base for VMRESUME Emulation uses (Current GS Base MSR is TEB, so supposed Kernel GS Base is KPCR) 
à Emulated VMExit (L0 VMRESUME to L1's VMExit Handler, it is actually running in Guest Mode) 
à During L1's handling its VMExit, Context switch may occur, it WRMSR in IA32_KERNEL_GS_BASE with TEB 
à Finally, L1 executes VMRESUME and L0 start emulation, resume to L2 And fill the VMCS12’s Guest GS into current GS Base MSR, now Current GS Base is TEB, and Kernel GS Base is TEB  

Problem:
- If now Guest OS execute any function( such as , #DB event injection) which depend on SWAPGS , #DB (since user mode #DB need to SWAPGS, but ISR can’t correctly get KPCR) , #PF depend on SWAPGS too , infinite loop with #PF, System freeze.
The Whole process as following flow chart:

Root Cause:
     After Emulation of VMExit, IRQL is APC(until L1's VMM Exit Handler raise it up to DPC level), Thread switch is possible, others still could change the MSR register without exiting. Even it can exit, we still can’t stop it.
Solution:
      Therefore, we should ensure the kernel GS base MSR consistency after VMExit and before VMEntry.
source
       https://github.com/Kelvinhack/kHypervisor
Location: United States

Comments

Post a Comment

Popular posts from this blog

How does Nested-Virtualization works?

Image
What is Nested virtualization? ----------------------------------------------------------------------------------------------------- Nowadays, Software Security is becoming more important criteria in the industry, and in recent years, virtualization as a popular topic for protecting / attacking a software, however, most of the virtualization technology framework (bluepill-liked) is not provide an ability that let a guest virtualize one more layer, we called it "Nested Virtualization", level 2. Basic Virtual Machine Monitor Architecture ------------------------------------------------------------------------------------------------------ Figure[1] Host VMM trap any type of event which wants to monitor, such as, Interrupt, exception, privileged register access, one of this event is VMX instruction, after VMM loaded, VMM can always monitor a any one of the  VMX instructions, which provide a good chance for us. As following chart: Figure[2] VMM Life Cycle ...
Read more

Understanding ACPI and Device Tree

Image
This blog document and help to understand how ACPI works AML (ACPI Machine Language) AML is compiled binary that written in the ACPI Source Language (ASL) and it is interpreted binary that interpreted by AML interpreter during OS runtime. AML is provided by hardware manufacture and embedded in the firmware, it provides the entire device base hierarchy (all thing that equipped on your motherboard, and cannot be removed.) and function to OS that could interface the dedicated hardware, like PCI-ISA bridge or processor, controlling the power, turn on/off, etc. AML operated by different object type, and defined in definition block in firmware table (DSDT / SSDT) AML object type Scope String   Constant Package Control Method Device   ACPI Object  Naming Convention 1. All object names are 32 bits long. 2. The first byte of a name must be one of 'A' - 'Z', '_'. 3. Each of the remaining bytes of a name must be one of 'A' - 'Z', '0' - ...
Read more

Windows Mini Class and Class Driver internal research notes

Image
Background ------------------------------------- This is a first windows driver research notes in my blogger. And I will try to keep it simple and clear in this article, for who wants to understand the internal behavior of Class And Mini-Class Driver. ------------------------------------- Audience ------------------------------------- For who wants to understand Mini-Class and Class Driver internal. And understanding more about Hid Device stack. ------------------------------------- Introduction ------------------------------------- First, We are going to take a example of HidUsb and HidClass, the former is a Mini-Class Driver of a HidClass. We can simply think the relationships between them, is a child and parent relationship, Hidusb is one of the child of HidClass. HidClass can be thought as a helper module( like Dll do) in kernel mode, for helping all Driver who wants to join a hid family. ------------------------------------- Research ----...
Read more