Zero-Tang / NoirVisor

The Grimoire Hypervisor solution for x86 Processors with experimental nested virtualization support. Remastering with Rust in progress.
MIT License

Windows 10 1809 - DRIVER_IRQL_NOT_LESS_OR_EQUAL after call NoirBuildHypervisor() #2

Closed YangKi1902 closed 5 years ago

YangKi1902 commented 5 years ago

Hello, I got a BSOD with code DRIVER_IRQL_NOT_LESS_OR_EQUAL after calling NoirBuildHypervisor(), caused by this block of code:

```c
void inline noir_cpuid(u32 ia,u32 ic,u32* a,u32* b,u32* c,u32* d)
{
	u32 info[4];
#if defined(_msvc)
	__cpuidex(info,ia,ic);
#endif
	if(a)*a=info[0];	// BSOD
	if(b)*b=info[1];
	if(c)*c=info[2];
	if(d)*d=info[3];
}
```

Here is my crash dump log:


DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffd38e8d360ee0, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff80749142e58, address which referenced memory

Debugging Details:

KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434

SYSTEM_MANUFACTURER: Micro-Star International Co., Ltd.

SYSTEM_PRODUCT_NAME: GT72 2QD

SYSTEM_SKU: To be filled by O.E.M.

SYSTEM_VERSION: REV:0.C

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: E1781IMS.316

BIOS_DATE: 09/23/2015

BASEBOARD_MANUFACTURER: Micro-Star International Co., Ltd.

BASEBOARD_PRODUCT: MS-1781

BASEBOARD_VERSION: REV:0.C

DUMP_TYPE: 1

BUGCHECK_P1: ffffd38e8d360ee0

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: fffff80749142e58

WRITE_ADDRESS: ffffd38e8d360ee0 Nonpaged pool

CURRENT_IRQL: 2

FAULTING_IP: NoirVisor!noir_cpuid+48 [e:\source\noirvisor\src\include\intrin.h @ 119] fffff807`49142e58 8901 mov dword ptr [rcx],eax

CPU_COUNT: 8

CPU_MHZ: a86

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 47

CPU_STEPPING: 1

CPU_MICROCODE: 6,47,1,0 (F,M,S,R) SIG: 1D'00000000 (cache) 1D'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: System

ANALYSIS_SESSION_HOST: DESKTOP-6P18NJQ

ANALYSIS_SESSION_TIME: 05-05-2019 22:32:52.0722

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

DPC_STACK_BASE: FFFFF8074BFDDFB0

TRAP_FRAME: fffff8074bfdd730 -- (.trap 0xfffff8074bfdd730)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd38e8d360ee0
rdx=0000000000000121 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80749142e58 rsp=fffff8074bfdd8c0 rbp=fffff8074bfddd60
 r8=000000002c100800  r9=ffffd38e8d360ee4 r10=ffffd38e8d360eec
r11=0000000080000021 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
NoirVisor!noir_cpuid+0x48:
fffff80749142e58 8901            mov     dword ptr [rcx],eax ds:ffffd38e8d360ee0=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff807497c5d69 to fffff807497b45e0

STACK_TEXT:
fffff8074bfdd5e8 fffff807497c5d69 : 000000000000000a ffffd38e8d360ee0 0000000000000002 0000000000000001 : nt!KeBugCheckEx
fffff8074bfdd5f0 fffff807497c218e : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
fffff8074bfdd730 fffff80749142e58 : 0000000000000000 2c10080000000121 fffff8074829af80 fffff8074914241d : nt!KiPageFault+0x44e
fffff8074bfdd8c0 fffff8074914241d : 0000ffff80000001 007fffff00000000 ffffd38e8d360ee0 ffffd38e8d360ee4 : NoirVisor!noir_cpuid+0x48 [e:\source\noirvisor\src\include\intrin.h @ 119]
fffff8074bfdd8e0 fffff80749141774 : ffffd3868d362090 fffff8074bfdd960 fffff8074918de02 0000000000000000 : NoirVisor!nvc_vt_setup_cpuid_cache+0x13d [e:\source\noirvisor\src\vt_core\vt_main.c @ 406]
fffff8074bfdd930 fffff8074918ddfa : ffffd3868d362090 0000000000000036 fffff8074bfddb00 fffff8074918de02 : NoirVisor!nvc_vt_subvert_processor_i+0xa4 [e:\source\noirvisor\src\vt_core\vt_main.c @ 423]
fffff8074bfddae0 ffffd3868d362090 : 0000000000000036 fffff8074bfddb00 fffff8074918de02 0000000000000001 : NoirVisor!nvc_vt_subvert_processor_a+0x32 [E:\Source\NoirVisor\src\xpf_core\windows\vt_hv64.asm @ 130]
fffff8074bfddae8 0000000000000036 : fffff8074bfddb00 fffff8074918de02 0000000000000001 ffffd3868d362090 : 0xffffd3868d362090
fffff8074bfddaf0 fffff8074bfddb00 : fffff8074918de02 0000000000000001 ffffd3868d362090 0000000000000036 : 0x36
fffff8074bfddaf8 fffff8074918de02 : 0000000000000001 ffffd3868d362090 0000000000000036 fffff8074829af80 : 0xfffff8074bfddb00
fffff8074bfddb00 0000000000000001 : ffffd3868d362090 0000000000000036 fffff8074829af80 fffff8074bfddb98 : NoirVisor!nvc_vt_subvert_processor_a+0x3a [E:\Source\NoirVisor\src\xpf_core\windows\vt_hv64.asm @ 138]
fffff8074bfddb08 ffffd3868d362090 : 0000000000000036 fffff8074829af80 fffff8074bfddb98 fffff8074bfddd60 : 0x1
fffff8074bfddb10 0000000000000036 : fffff8074829af80 fffff8074bfddb98 fffff8074bfddd60 ffffd3868d302280 : 0xffffd3868d362090
fffff8074bfddb18 fffff8074829af80 : fffff8074bfddb98 fffff8074bfddd60 ffffd3868d302280 fffff80748298180 : 0x36
fffff8074bfddb20 fffff8074bfddb98 : fffff8074bfddd60 ffffd3868d302280 fffff80748298180 000000000000004d : 0xfffff8074829af80
fffff8074bfddb28 fffff8074bfddd60 : ffffd3868d302280 fffff80748298180 000000000000004d 0000000000000003 : 0xfffff8074bfddb98
fffff8074bfddb30 ffffd3868d302280 : fffff80748298180 000000000000004d 0000000000000003 206f742064656461 : 0xfffff8074bfddd60
fffff8074bfddb38 fffff80748298180 : 000000000000004d 0000000000000003 206f742064656461 ffffd3868d36a0bc : 0xffffd3868d302280
fffff8074bfddb40 000000000000004d : 0000000000000003 206f742064656461 ffffd3868d36a0bc 0000000000000000 : 0xfffff80748298180
fffff8074bfddb48 0000000000000003 : 206f742064656461 ffffd3868d36a0bc 0000000000000000 0000000000000000 : 0x4d
fffff8074bfddb50 206f742064656461 : ffffd3868d36a0bc 0000000000000000 0000000000000000 fffff8074bfdde70 : 0x3
fffff8074bfddb58 ffffd3868d36a0bc : 0000000000000000 0000000000000000 fffff8074bfdde70 0000000000000001 : 0x206f742064656461
fffff8074bfddb60 0000000000000000 : 0000000000000000 fffff8074bfdde70 0000000000000001 0000000000000286 : 0xffffd3868d36a0bc

THREAD_SHA1_HASH_MOD_FUNC: 039ca5da31788169faa44ab725c95ded1c1d2e73

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 7b9d839b2926641b9096942e6d1e56703dcbfcab

THREAD_SHA1_HASH_MOD: 3f7d06bd15643dd3e18ca1ae0c3560f55b1b63f3

FOLLOWUP_IP: NoirVisor!noir_cpuid+48 [e:\source\noirvisor\src\include\intrin.h @ 119] fffff807`49142e58 8901 mov dword ptr [rcx],eax

FAULT_INSTR_CODE: 83480189

FAULTING_SOURCE_LINE: e:\source\noirvisor\src\include\intrin.h

FAULTING_SOURCE_FILE: e:\source\noirvisor\src\include\intrin.h

FAULTING_SOURCE_LINE_NUMBER: 119

FAULTING_SOURCE_CODE:
   115: 	u32 info[4];
   116: #if defined(_msvc)
   117: 	__cpuidex(info,ia,ic);
   118: #endif
   119: 	if(a)*a=info[0];
   120: 	if(b)*b=info[1];
   121: 	if(c)*c=info[2];
   122: 	if(d)*d=info[3];
   123: }
   124: 

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: NoirVisor!noir_cpuid+48

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NoirVisor

IMAGE_NAME: NoirVisor.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5ccf0170

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 48

FAILURE_BUCKET_ID: AV_NoirVisor!noir_cpuid

BUCKET_ID: AV_NoirVisor!noir_cpuid

PRIMARY_PROBLEM_CLASS: AV_NoirVisor!noir_cpuid

TARGET_TIME: 2019-05-05T15:30:42.000Z

OSBUILD: 17763

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 180914-1434

BUILDLAB_STR: rs5_release

BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME: 1b33

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_noirvisor!noir_cpuid

FAILURE_ID_HASH: {449b3ed9-2691-d0c3-01e9-01134c18e54c}

Followup: MachineOwner

I tried to fix something but it's not working, please help me check it. If you need my binary and PDB, here they are: NoirVisor.zip. Thank you for the good project.

Zero-Tang commented 5 years ago

Thanks for bringing this bug to my attention. To fix it, I think the code on line 406 of vt_main.c should be changed in the following manner, from

```c
noir_cpuid(i,0,&cache->ext_leaf[i].eax,&cache->ext_leaf[i].ebx,&cache->ext_leaf[i].ecx,&cache->ext_leaf[i].edx);
```

to

```c
noir_cpuid(i,0,&cache->ext_leaf[i-0x80000000].eax,&cache->ext_leaf[i-0x80000000].ebx,&cache->ext_leaf[i-0x80000000].ecx,&cache->ext_leaf[i-0x80000000].edx);
```
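The indexing mistake behind this bug check, as an added example that is not NoirVisor's code. Extended CPUID leaves are numbered from 0x80000000, so `ext_leaf[i]` with the raw leaf number addresses memory 0x80000000 * 16 bytes past the array, and the `mov dword ptr [rcx],eax` inside the wrapper then writes to whatever that resolves to at DISPATCH_LEVEL (IRQL 2 in the dump above), which is exactly a D1 bug check. The code below keeps the pointer-taking wrapper shape from the issue, applies the `i-0x80000000` translation from the proposed fix, and adds the bounds check against the counts reported by leaf 0 and leaf 0x80000000 so an unexpectedly large max leaf cannot overrun the cache either. The cache layout, the array sizes and every name here (`cpuid_cache`, `cpuid_query`, `leaf_to_index`, `cpuid_cache_build`, `cpuid_cache_lookup`, `unchecked_byte_offset`) are constructed for this example and are not NoirVisor identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(_MSC_VER)
#include <intrin.h>
#elif defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

typedef uint32_t u32;

/* Constructed cache layout (hypothetical, not NoirVisor's): one slot per leaf,
   standard leaves counted from 0, extended leaves counted from 0x80000000. */
#define EXT_LEAF_BASE  0x80000000u
#define MAX_STD_LEAVES 32u
#define MAX_EXT_LEAVES 32u

typedef struct { u32 eax, ebx, ecx, edx; } cpuid_leaf;

typedef struct {
    u32 std_count;                       /* leaves actually cached in std_leaf */
    u32 ext_count;                       /* leaves actually cached in ext_leaf */
    cpuid_leaf std_leaf[MAX_STD_LEAVES];
    cpuid_leaf ext_leaf[MAX_EXT_LEAVES];
} cpuid_cache;

/* CPUID wrapper with optional output pointers, the same shape as the one in the
   issue. It is only as safe as the pointers its caller hands it. */
static inline void cpuid_query(u32 ia, u32 ic, u32 *a, u32 *b, u32 *c, u32 *d)
{
    u32 info[4] = {0, 0, 0, 0};
#if defined(_MSC_VER)
    __cpuidex((int *)info, (int)ia, (int)ic);
#elif defined(__x86_64__) || defined(__i386__)
    __cpuid_count(ia, ic, info[0], info[1], info[2], info[3]);
#else
    (void)ia; (void)ic;                  /* non-x86 host: no CPUID, leave zeros */
#endif
    if (a) *a = info[0];
    if (b) *b = info[1];
    if (c) *c = info[2];
    if (d) *d = info[3];
}

/* What the unfixed caller computed: the byte offset of &ext_leaf[leaf] from the
   array base when leaf is the raw leaf number. Returned as a number so it can be
   compared against the size of the whole cache without touching memory. */
static uint64_t unchecked_byte_offset(u32 leaf)
{
    return (uint64_t)leaf * sizeof(cpuid_leaf);
}

/* Map a leaf number to (array, index) and reject anything the cache does not
   hold. The EXT_LEAF_BASE subtraction is the fix proposed in the thread; the
   bounds check keeps a larger-than-expected max leaf from overrunning the array. */
static bool leaf_to_index(u32 leaf, u32 std_count, u32 ext_count,
                          bool *is_ext, u32 *index)
{
    if (leaf >= EXT_LEAF_BASE) {
        *is_ext = true;
        *index = leaf - EXT_LEAF_BASE;
        return *index < ext_count;
    }
    *is_ext = false;
    *index = leaf;
    return *index < std_count;
}

/* Fill the cache from the processor, clamping the max leaf reported in eax of
   leaf 0 and leaf 0x80000000 to the array sizes. Returns the number cached. */
static u32 cpuid_cache_build(cpuid_cache *cache)
{
    u32 max_std = 0, max_ext = 0, i;
    memset(cache, 0, sizeof(*cache));

    cpuid_query(0, 0, &max_std, NULL, NULL, NULL);
    cache->std_count = (max_std >= MAX_STD_LEAVES) ? MAX_STD_LEAVES : max_std + 1;
    for (i = 0; i < cache->std_count; i++)
        cpuid_query(i, 0, &cache->std_leaf[i].eax, &cache->std_leaf[i].ebx,
                    &cache->std_leaf[i].ecx, &cache->std_leaf[i].edx);

    cpuid_query(EXT_LEAF_BASE, 0, &max_ext, NULL, NULL, NULL);
    if (max_ext >= EXT_LEAF_BASE) {      /* eax below the base: no extended leaves */
        u32 n = max_ext - EXT_LEAF_BASE;
        cache->ext_count = (n >= MAX_EXT_LEAVES) ? MAX_EXT_LEAVES : n + 1;
    }
    for (i = EXT_LEAF_BASE; i < EXT_LEAF_BASE + cache->ext_count; i++) {
        cpuid_leaf *slot = &cache->ext_leaf[i - EXT_LEAF_BASE];   /* not ext_leaf[i] */
        cpuid_query(i, 0, &slot->eax, &slot->ebx, &slot->ecx, &slot->edx);
    }
    return cache->std_count + cache->ext_count;
}

/* Bounds-checked read; NULL for a leaf the cache does not hold. */
static const cpuid_leaf *cpuid_cache_lookup(const cpuid_cache *cache, u32 leaf)
{
    bool is_ext; u32 index;
    if (!leaf_to_index(leaf, cache->std_count, cache->ext_count, &is_ext, &index))
        return NULL;
    return is_ext ? &cache->ext_leaf[index] : &cache->std_leaf[index];
}

int main(void)
{
    cpuid_cache cache;
    u32 n = cpuid_cache_build(&cache);
    printf("cached %u leaves (%u standard, %u extended)\n",
           n, cache.std_count, cache.ext_count);
    printf("raw-leaf index 0x80000000 lands %llu bytes past the array base; "
           "the whole cache is %llu bytes\n",
           (unsigned long long)unchecked_byte_offset(EXT_LEAF_BASE),
           (unsigned long long)sizeof(cache));
    return 0;
}
```

On a non-x86 build host the wrapper returns zeros, so the cache holds a single standard leaf and no extended leaves; the index translation and bounds checks behave the same either way, which is the property worth testing independently of the processor the code happens to run on.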

YangKi1902 commented 5 years ago

Hello, I have applied your last commit but my computer hangs after that. Because it's an infinite hang I have no idea how to trace it; I tried to disable the hook but that did not work either.

Zero-Tang commented 5 years ago

I will work on this issue one week later.

Zero-Tang commented 5 years ago

Hi, I realized that this issue is about the Hypervisor Platform in Windows 10. The infinite hang is induced by an unknown write-msr (index=0x40000xxx) and not advancing the instruction pointer. Fixing this issue would be significantly challenging. I will add this to the future project plan.

YangKi1902 commented 5 years ago

Hello, thanks for the response, I will try to learn more to help if I can.

Zero-Tang commented 5 years ago

This issue will be closed. The relevant issue is opened in #3 with a relevant title.