PC just freezes after starting ksm_um.exe

[no-realm]

Type of this issue (please specify)

• This is a bug in the upstream tree as-is unmodified. (only added debug print messages)

System information

1. CPU: Intel i7 3770K (Codename: Ivy Bridge)
2. Kernel: NT Kernel (ntkrnlmp.exe)
3. Kernel version: 10.0.14393 Build number: ?
4. OS: Windows 10 x64

Build Configuration

• ENABLE_DBGPRINT
• ENABLE_FILEPRINT
• EPAGE_HOOK
• INTROSPECT_ENGINE
• PMEM_SANDBOX
• ENABLE_RESUBV

I have to mention that this also happens when I just enable _EPAGEHOOK

Issue description

My issues is, that after I start the user mode application (ksm_um.exe), my PC just freezes. I have waited up to about 10 minutes without anything happening. No crash, nothing. The last log entry in the log file is right before the DPC call. After that, nothing gets through. When I tested other hypervisors, I always got some kind of feedback (good or bad) like a BSOD which would help to track down the issue.

[asamy]

No, it wasn't.

I can't reproduce, if you can find which part is broken, I will look into it. You can do that by disabling features until you find what could be wrong. See comments in this issue for what and where.

[593749519]

Tried several combinations ,finally found:

1. comment SECONDARY_EXEC_ENABLE_VMFUNC | SECONDARY_EXEC_ENABLE_VE in vcpu.c
2. change err |= vmcs_write(GUEST_IDTR_BASE, idtr->base); in vcpu.c

then run ksm_um.exe, no frozen or crash. but after a while, system hang too.

[asamy]

What did you change the GUEST_IDTR_BASE to?

Also, if you're gonna change the IDTR, then comment out SECONDARY_EXEC_DESC_TABLE_EXITING. See if that solves the hanging problem.

[593749519]

change from vcpu->idt.base to idtr->base.
Tried you proposal, seems it doesn't hang now.

but if I disable SECONDARY_EXEC_ENABLE_VMFUNC, it seems I can't use the ept related tricks(ept hook, introspect...)

[asamy]

Yep, that's because they require vmfunc. You can use VMFUNC without #VE.

However, if you want to fix that freeze/crash, can you try backporting #VE handling and IDT shadowing to how v1.4 does them? v1.4 is commit 0cb7dd565450c8539b30998e8f3de3716f0835ce.

[593749519]

I revert to ksm-1.4, comment #VE and SECONDARY_EXEC_DESC_TABLE_EXITING, change GUESTR_IDTR_BASE to idtr->base, the epage_hook works fine.

Hope the current version has this bug fixed.

[asamy]

I don't understand what you changed from the current modifications you already made anyways.

There is a reason why I told you to only backport these specific parts, v1.4 is v1.4.

If you don't want to work on fixing it or help to fix it, then it won't be fixed any time soon.

[hzqst]

@asamy I am able to repro this issue and fixed by commenting out the ShadowIDT feature. That's because the shadowed idtr.base you allocated by yourself is not mapped by EPROCESS:::UserDirectoryBase that means the guest OS is no way to access idtr.base in this situation, whch lead to infinite PageFault (also the PageFault entry is not available). This occurs only when KPTI/KvaShadow is enabled for OS.

[asamy]

@hzqst That's a different issue, pretty sure this was posted before KPTI was even discovered and reported. What you reported, can be related, however. So can you open an issue with that? I can look into this later.

[DebugBuggin]

I'm getting SYSTEM_THREAD_EXCEPTION_NOT_HANDLED bluescreen both when I try the epage hook example in the driver or if I try your test binary. I'm win10 1709 and latest gen i5. This happens both in vmware 14 and on normal windows. Also I have cpu overclocking disabled. Here's a memory dump of the epage hook test

111818-10812-01.zip

[lakeyo-dopra]

I have found this problem is caused by : mov cr8, rax， in nt!KiGenericCallDpcWorker+0x111: win10 1903 ， but i do not know why