search

asamy / ksm

A fast, hackable and simple x64 VT-x hypervisor for Windows and Linux. Builtin userspace sandbox and introspection engine.
https://asamy.github.io/ksm/
GNU General Public License v2.0
826 stars 181 forks source link

sandbox: BSOD (AV) on Windows 7 due to handle duplication #14

Closed asamy closed 7 years ago

asamy commented 7 years ago

The following occurs after a bit of sandboxing an app, I haven't looked much into it, but I suspect that some service (svchost.exe in this case) is trying to duplicate handle of the sandboxed app and it somehow just fails... Here's the stack dump:

fffff880`07d1f650 fffff800`02b6481b : 00000000`00000002 fffff880`07d1f758 fffffa80`03d85170 fffffa80`040c1b30 : nt!ObpIncrementHandleCountEx+0x411
fffff880`07d1f710 fffff800`02b64d48 : fffff8a0`01ca9400 fffff800`00000040 fffffa80`018d6a20 00000000`00000001 : nt!ObDuplicateObject+0x21b
fffff880`07d1f9f0 fffff800`0288a8d3 : fffffa80`03d97910 00000000`0077ee38 fffff880`07d1fa88 fffffa80`00000000 : nt!NtDuplicateObject+0x138
fffff880`07d1fa70 00000000`76f716da : 000007fe`fd0f3b45 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0077ee18 000007fe`fd0f3b45 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwDuplicateObject+0xa
00000000`0077ee20 00000000`76e15e6b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!DuplicateHandle+0x35
00000000`0077ee70 000007fe`f104a3af : 00000000`002a7458 000007fe`f0f96c98 00000000`002a7458 00000000`000000d0 : kernel32!DuplicateHandleImplementation+0x15b
00000000`0077ef90 000007fe`f1045445 : 00000000`00000648 00000000`00000001 00000000`00000648 000007fe`f1054070 : wersvc!ReportCrash+0x257
00000000`0077f020 000007fe`f1045230 : 00000000`0039dff8 00000000`00000000 00000000`00000000 00000000`002a7450 : wersvc!CWerService::DispatchPortRequestWorkItem+0x1cd
00000000`0077f690 00000000`76f32a21 : 00000000`003a5140 00000000`00000000 00000000`00000000 00000000`003a51f0 : wersvc!CWerService::StaticDispatchPortRequestWorkItem+0x18
00000000`0077f6c0 00000000`76f40c26 : 00000000`770245e8 00000000`003a3418 00000000`770245c0 00000000`77024610 : ntdll!TppSimplepExecuteCallback+0x91
00000000`0077f710 00000000`76e1652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x5ff
00000000`0077fa10 00000000`76f4c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0077fa40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

Log:

ksm: CPU 0: DriverEntry: We're mapped at FFFFF88004B63000 (size: 114688 bytes (112 KB), on 28 pages)
ksm: CPU 0: ksm_init: 3 physical memory ranges
ksm: CPU 0: DriverEntry: ready
ksm: CPU 0: DriverEntry: ret: 0x00000000
ksm: CPU 0: DriverDispatch: ksm_um.exe: IOCTL: 0x8008E008
ksm: CPU 0: __ksm_init_cpu: ksm_um.exe: Started: 1
ksm: CPU 1: __ksm_init_cpu: vmtoolsd.exe: Started: 1
ksm: CPU 0: ept_handle_violation: 0: PA 00000000FD5C00C0 VA FFFFF8800377B0C0 (0 AR --- - 1 AC r--)
ksm: CPU 1: ept_handle_violation: 0: PA 00000000FD5C4000 VA FFFFF8800377F000 (0 AR --- - 1 AC r--)
ksm: CPU 0: ept_handle_violation: 0: PA 00000000FDFEC024 VA FFFFF880037B2024 (0 AR --- - 1 AC r--)
ksm: CPU 0: ept_handle_violation: 0: PA 00000000FD5EA008 VA FFFFF880009B3008 (0 AR --- - 1 AC r--)
ksm: CPU 0: ept_handle_violation: 0: PA 00000000FD5C2818 VA FFFFF8800377D818 (0 AR --- - 2 AC -w-)
ksm: CPU 0: ept_handle_violation: 0: PA 00000000FD5C5820 VA FFFFF88003780820 (0 AR --- - 1 AC r--)
ksm: CPU 0: ept_handle_violation: 0: PA 00000000FD5C40D4 VA FFFFF8800377F0D4 (0 AR --- - 1 AC r--)
ksm: CPU 0: ept_handle_violation: 0: PA 00000000FD5EB010 VA FFFFF880037AB010 (0 AR --- - 1 AC r--)
ksm: CPU 1: ept_handle_violation: 0: PA 00000000FD5EA1B8 VA FFFFF880009B31B8 (0 AR --- - 1 AC r--)
ksm: CPU 0: ept_handle_violation: 0: PA 00000000FD4EC040 VA FFFFF880009AF040 (0 AR --- - 2 AC -w-)
ksm: CPU 1: ept_handle_violation: 0: PA 00000000FD4EC040 VA FFFFF880009AF040 (0 AR --- - 2 AC -w-)
ksm: CPU 0: DriverDispatch: ksm_um.exe: IOCTL: 0x8008E000
ksm: CPU 0: ept_handle_violation: 3: PA 00000000FD5EB010 VA FFFFF880037AB010 (0 AR --- - 1 AC r--)
ksm: CPU 1: ept_handle_violation: 3: PA 0000000063957C80 VA 00000000002EDC80 (5 AR r-x - 2 AC -w-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 0000000063957C80
ksm: CPU 1: ept_handle_violation: 3: PA 0000000064888254 VA 00000000002EF254 (5 AR r-x - 3 AC rw-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 0000000064888254
ksm: CPU 1: ept_handle_violation: 3: PA 00000000647C3F9C VA 0000000000B7F9C (5 AR r-x - 3 AC rw-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 00000000647C3F9C
ksm: CPU 0: ept_handle_violation: 3: PA 000000005F9F30AC VA 000000013F7310AC (5 AR r-x - 3 AC rw-)
ksm: CPU 0: ksm_sandbox_handle_ept: allocating cow page for 000000005F9F30AC
ksm: CPU 0: ept_handle_violation: 3: PA 0000000064888368 VA 00000000002EF368 (5 AR r-x - 2 AC -w-)
ksm: CPU 0: ksm_sandbox_handle_ept: allocating cow page for 0000000064888368
ksm: CPU 0: ept_handle_violation: 3: PA 00000000632341B0 VA 000000013F7321B0 (5 AR r-x - 3 AC rw-)
ksm: CPU 0: ksm_sandbox_handle_ept: allocating cow page for 00000000632341B0
ksm: CPU 0: ept_handle_violation: 3: PA 0000000051A80068 VA 000007FFFFFDE068 (5 AR r-x - 2 AC -w-)
ksm: CPU 0: ksm_sandbox_handle_ept: allocating cow page for 0000000051A80068
ksm: CPU 0: ept_handle_violation: 3: PA 000000005FB6CA90 VA 00000000000BCA90 (5 AR r-x - 2 AC -w-)
ksm: CPU 0: ksm_sandbox_handle_ept: allocating cow page for 000000005FB6CA90
ksm: CPU 0: ept_handle_violation: 3: PA 00000000647C3F98 VA 00000000000B7F98 (5 AR r-x - 3 AC rw-)
ksm: CPU 0: ksm_sandbox_handle_ept: allocating cow page for 00000000647C3F98
ksm: CPU 0: ept_handle_violation: 3: PA 0000000063957DF0 VA 00000000002EDDF0 (5 AR r-x - 2 AC -w-)
ksm: CPU 0: ksm_sandbox_handle_ept: allocating cow page for 0000000063957DF0
ksm: CPU 1: ept_handle_violation: 3: PA 00000000643CDB00 VA 00000000002EEB00 (5 AR r-x - 2 AC -w-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 00000000643CDB00
ksm: CPU 1: ept_handle_violation: 3: PA 0000000064A4A440 VA 0000000077052440 (5 AR r-x - 3 AC rw-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 0000000064A4A440
ksm: CPU 1: ept_handle_violation: 3: PA 000000005EC71000 VA FFFFF8800A8E4000 (5 AR r-x - 2 AC -w-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 000000005EC71000
ksm: CPU 1: ept_handle_violation: 3: PA 00000000FD4EC040 VA FFFFF880009AF040 (0 AR --- - 2 AC -w-)
ksm: CPU 1: ept_handle_violation: 3: PA 0000000051A80068 VA 000007FFFFFD
68 (5 AR r-x - 2 AC -w-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 0000000051A80068
ksm: CPU 1: ept_handle_violation: 3: PA 000000005F9A0328 VA 0000000076F0B328 (5 AR r-x - 3 AC rw-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 000000005F9A0328
ksm: CPU 1: ept_handle_violation: 3: PA 00000000658E4BF8 VA 00000000000BABF8 (5 AR r-x - 2 AC -w-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 00000000658E4BF8
ksm: CPU 1: ept_handle_violation: 3: PA 000000005EEF2000 VA FFFFF70001081000 (5 AR r-x - 2 AC -w-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 000000005EEF2000
ksm: CPU 1: ept_handle_violation: 3: PA 000000005EBF3000 VA 0000000000060000 (5 AR r-x - 2 AC -w-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 000000005EBF3000
ksm: CPU 1: ept_handle_violation: 3: PA 0000000065001250 VA 000007FFFFFDF250 (5 AR r-x - 2 AC -w-)
ksm: CPU 1: ksm_sandbox_handle_ept: allocating cow page for 0000000065001250
asamy commented 7 years ago

That was fixed.