ionescu007 / SimpleVisor

SimpleVisor is a simple, portable, Intel VT-x hypervisor with two specific goals: using the least amount of assembly code (10 lines), and having the smallest amount of VMX-related code to support dynamic hyperjacking and unhyperjacking (that is, virtualizing the host state from within the host). It works on Windows and UEFI.
http://ionescu007.github.io/SimpleVisor/

Fix bugcheck on Windows 10 RS4 #24

Closed. tandasat closed this 6 years ago.

tandasat commented 6 years ago

Windows 10 RS4 uses the invpcid instruction. This instruction is disabled by the hypervisor, and execution of it causes #UD, which triggers a bugcheck.

This change is to allow the kernel to execute the instruction.

tandasat commented 6 years ago

Logs of the described bugcheck are here:


Microsoft (R) Windows Debugger Version 10.0.17030.1002 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows 10 17046 x64 target at (Sat Nov 25 18:51:14.318 2017 (UTC - 8:00)), ptr64 TRUE
Kernel Debugger connection established.  (Initial Breakpoint requested)

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 10 Kernel Version 17046 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17046.1000.amd64fre.rs_prerelease.171118-1403
Machine Name:
Kernel base = 0xfffff801`81c9c000 PsLoadedModuleList = 0xfffff801`82009d90
Debug session time: Sat Nov 25 18:51:11.864 2017 (UTC - 8:00)
System Uptime: 0 days 0:01:34.599

// ......

The SHV has been installed.
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x0000003b
                       (0x00000000C000001D,0xFFFFF80181D07B81,0xFFFFF005EEE5E110,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 10 17046 x64 target at (Sat Nov 25 18:51:45.134 2017 (UTC - 8:00)), ptr64 TRUE
Loading Kernel Symbols
..................................

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.............................
................................................................
............................................
Loading User Symbols
.....
Loading unloaded module list
............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c000001d, fffff80181d07b81, fffff005eee5e110, 0}

Probably caused by : ntkrnlmp.exe ( nt!KiFlushRangeWorker+71 )

Followup:     MachineOwner
---------

nt!DbgBreakPointWithStatus:
fffff801`81e45080 int     3
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c000001d, Exception code that caused the bugcheck
Arg2: fffff80181d07b81, Address of the instruction which caused the bugcheck
Arg3: fffff005eee5e110, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING:  17046.1000.amd64fre.rs_prerelease.171118-1403

DUMP_TYPE:  0

BUGCHECK_P1: c000001d

BUGCHECK_P2: fffff80181d07b81

BUGCHECK_P3: fffff005eee5e110

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION}  Illegal Instruction  An attempt was made to execute an illegal instruction.

FAULTING_IP: 
nt!KiFlushRangeWorker+71
fffff801`81d07b81 invpcid esi,oword ptr [rsp]

CONTEXT:  fffff005eee5e110 -- (.cxr 0xfffff005eee5e110)
rax=00000000024d0002 rbx=fffff005eee5eb88 rcx=ffffb2877c586580
rdx=ffffb2877be512c0 rsi=0000000000000000 rdi=fffff005eee5ef30
rip=fffff80181d07b81 rsp=fffff005eee5eb10 rbp=0000000000000000
 r8=0000000000000014  r9=0000000000000002 r10=fffff005eee5ef28
r11=0000000000000000 r12=0000000000000001 r13=fffff005eee5ef28
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!KiFlushRangeWorker+0x71:
fffff801`81d07b81 invpcid esi,oword ptr [rsp] ss:0018:fffff005`eee5eb10=00000000024d00020000000000000001
Resetting default scope

CPU_COUNT: 2

CPU_MHZ: b58

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 8e

CPU_STEPPING: 9

CPU_MICROCODE: 6,8e,9,0 (F,M,S,R)  SIG: 62'00000000 (cache) 62'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  OneDrive.exe

CURRENT_IRQL:  c

ANALYSIS_SESSION_HOST:  WL-76N6RC2

ANALYSIS_SESSION_TIME:  11-25-2017 18:52:22.0669

ANALYSIS_VERSION: 10.0.17030.1002 amd64fre

LAST_CONTROL_TRANSFER:  from fffff80181d0791a to fffff80181d07b81

STACK_TEXT:  
fffff005`eee5eb10 fffff801`81d0791a : 55555555`55555555 fffff005`eee5ef10 00000000`00000000 00000000`00000000 : nt!KiFlushRangeWorker+0x71
fffff005`eee5eb50 fffff801`81d26487 : fffff005`eee5f310 fffff005`eee5ef10 fffff005`eee5ee60 00000000`00000001 : nt!MiFlushTbList+0x2aa
fffff005`eee5eca0 fffff801`81d0a331 : ffffb287`00000000 ffffb287`7be512c0 0a000000`14b7c867 fffff005`eee5f7f0 : nt!MiDeletePteList+0x47
fffff005`eee5ed60 fffff801`8216221b : ffffb287`7c586580 ffffb287`7be51630 00000000`04501903 ffffb287`69f75370 : nt!MiDecommitPages+0x12c1
fffff005`eee5f7b0 fffff801`821ed949 : 00000000`00000000 ffffb287`7c3aa6b0 ffffb287`7c484cb0 ffffb287`7c586580 : nt!MiDecommitRegion+0x6b
fffff005`eee5f820 fffff801`821ed78d : 00000000`00003000 00000000`00000001 00000000`00000000 00000000`024d0000 : nt!MiFreeToSubAllocatedRegion+0x15d
fffff005`eee5f880 fffff801`821064ac : ffffb287`7c586580 00000000`00000001 00000000`024d0000 ffffb287`7c586580 : nt!MmDeleteTeb+0x61
fffff005`eee5f8f0 fffff801`82142686 : fffff005`00000000 00000000`0482e600 00000000`024d0000 fffff801`81e4abd3 : nt!PspExitThread+0x42c
fffff005`eee5f9f0 fffff801`8213fe6a : 00000000`00000000 00000000`00000000 ffffb287`7c586580 00000000`0482ef40 : nt!PspTerminateThreadByPointer+0x96
fffff005`eee5fa30 fffff801`81e4abd3 : 00000000`00000000 ffffb287`7c586580 fffff005`eee5fb00 ffffb287`7c3ce700 : nt!NtTerminateThread+0x4a
fffff005`eee5fa80 00000000`65f71e5c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0482ef38 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wow64cpu!CpupSyscallStub+0xc

THREAD_SHA1_HASH_MOD_FUNC:  314421c59b3d053d5e28ce9e05d77dd439853aac

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  e2a09be2008fbed5c1c23dd82167ea879661a71b

THREAD_SHA1_HASH_MOD:  1c11ccead189a0df87a3b1fdb174e50a7cf21b26

FOLLOWUP_IP: 
nt!KiFlushRangeWorker+71
fffff801`81d07b81 invpcid esi,oword ptr [rsp]

FAULT_INSTR_CODE:  82380f66

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!KiFlushRangeWorker+71

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5a10d416

STACK_COMMAND:  .cxr 0xfffff005eee5e110 ; kb

BUCKET_ID_FUNC_OFFSET:  71

FAILURE_BUCKET_ID:  0x3B_nt!KiFlushRangeWorker

BUCKET_ID:  0x3B_nt!KiFlushRangeWorker

PRIMARY_PROBLEM_CLASS:  0x3B_nt!KiFlushRangeWorker

TARGET_TIME:  2017-11-26T02:51:44.000Z

OSBUILD:  17046

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2017-11-18 16:45:10

BUILDDATESTAMP_STR:  171118-1403

BUILDLAB_STR:  rs_prerelease

BUILDOSVER_STR:  10.0.17046.1000.amd64fre.rs_prerelease.171118-1403

ANALYSIS_SESSION_ELAPSED_TIME:  100d

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x3b_nt!kiflushrangeworker

FAILURE_ID_HASH:  {3b5ccff4-377a-f01b-b3d0-fbcb3674f985}

Followup:     MachineOwner
---------
rianquinn commented 6 years ago

I am surprised this did not come up earlier as we had a similar issue about a year ago. This is what we use for our control setup:

https://github.com/Bareflank/hypervisor/blob/dev/bfvmm/src/vmcs/arch/intel_x64/vmcs_intel_x64.cpp#L678
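The mechanism behind this PR (a guest INVPCID raises #UD whenever the "enable INVPCID" secondary VM-execution control is 0) and the control-setup pattern rianquinn points at are illustrated below. This is an added example, not code from SimpleVisor, Bareflank, or either commenter: the bit positions follow the Intel SDM (primary controls bit 31 "activate secondary controls", secondary controls bit 12 "enable INVPCID", CPUID.(EAX=7,ECX=0):EBX bit 10 for INVPCID support), the function and macro names are my own, and the IA32_VMX_PROCBASED_CTLS/CTLS2 and CPUID values are constructed so the program runs in user mode, since reading the real MSRs needs ring 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions from the Intel SDM (names are this example's own, not SimpleVisor's). */
#define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS  (1u << 31)  /* primary proc-based ctl */
#define SECONDARY_EXEC_ENABLE_INVPCID          (1u << 12)  /* secondary proc-based ctl */
#define CPUID_7_0_EBX_INVPCID                  (1u << 10)  /* CPUID.(7,0):EBX */

/*
 * VMX capability MSR layout: bits 31:0 are the "allowed 0-settings" (a 1 there
 * means the control MUST be 1), bits 63:32 are the "allowed 1-settings" (a 0
 * there means the control MUST be 0). The value written to the VMCS is
 * therefore (desired | low) & high.
 */
static uint32_t vmx_adjust_controls(uint64_t capability_msr, uint32_t desired)
{
    uint32_t must_be_one = (uint32_t)(capability_msr & 0xFFFFFFFFu);
    uint32_t may_be_one  = (uint32_t)(capability_msr >> 32);
    return (desired | must_be_one) & may_be_one;
}

/* True when every bit in `wanted` survives adjustment, i.e. hardware allows it. */
static bool vmx_controls_supported(uint64_t capability_msr, uint32_t wanted)
{
    return (vmx_adjust_controls(capability_msr, wanted) & wanted) == wanted;
}

/*
 * Build the secondary controls for a VP. INVPCID is requested only when the
 * CPU advertises it; the adjust step then drops it if the capability MSR
 * disagrees. Leaving bit 12 clear on a CPU whose CPUID (passed through to the
 * guest) reports INVPCID makes every guest INVPCID raise #UD, which is the
 * nt!KiFlushRangeWorker crash in this PR.
 */
static uint32_t build_secondary_controls(uint32_t base_controls,
                                         uint32_t cpuid7_ebx,
                                         uint64_t procbased_ctls2_msr)
{
    uint32_t wanted = base_controls;
    if (cpuid7_ebx & CPUID_7_0_EBX_INVPCID)
        wanted |= SECONDARY_EXEC_ENABLE_INVPCID;
    return vmx_adjust_controls(procbased_ctls2_msr, wanted);
}

/* Would a guest INVPCID fault (#UD) under these VMCS controls? */
static bool guest_invpcid_would_ud(uint32_t primary_controls,
                                   uint32_t secondary_controls)
{
    /* With bit 31 clear the secondary controls are treated as all zero. */
    if (!(primary_controls & CPU_BASED_ACTIVATE_SECONDARY_CONTROLS))
        return true;
    return !(secondary_controls & SECONDARY_EXEC_ENABLE_INVPCID);
}

/* CONSTRUCTED capability values for a hypothetical CPU (not read from hardware).
 * Primary: low = classic default1 bits (1,4-6,8,13-16,26); high = those plus
 * bit 7 (HLT exiting) and bit 31. Secondary: nothing forced; bits 1,2,3,12,20
 * (EPT, descriptor-table exiting, RDTSCP, INVPCID, XSAVES) allowed. */
#define SAMPLE_PROCBASED_CTLS   (((uint64_t)0x8401E1F2u << 32) | 0x0401E172ull)
#define SAMPLE_PROCBASED_CTLS2  (((uint64_t)0x0010100Eu << 32) | 0x00000000ull)
#define SAMPLE_CPUID7_EBX       (CPUID_7_0_EBX_INVPCID | (1u << 9))
#define SECONDARY_EXEC_ENABLE_RDTSCP (1u << 3)

int main(void)
{
    uint32_t primary = vmx_adjust_controls(SAMPLE_PROCBASED_CTLS,
                                           CPU_BASED_ACTIVATE_SECONDARY_CONTROLS);
    /* "Before": only RDTSCP requested, as a hypervisor written pre-INVPCID might. */
    uint32_t before = vmx_adjust_controls(SAMPLE_PROCBASED_CTLS2,
                                          SECONDARY_EXEC_ENABLE_RDTSCP);
    /* "After": INVPCID added because CPUID says the guest will see and use it. */
    uint32_t after = build_secondary_controls(SECONDARY_EXEC_ENABLE_RDTSCP,
                                              SAMPLE_CPUID7_EBX,
                                              SAMPLE_PROCBASED_CTLS2);

    printf("primary=%08x secondary=%08x guest INVPCID #UD: %s\n",
           primary, before, guest_invpcid_would_ud(primary, before) ? "yes" : "no");
    printf("primary=%08x secondary=%08x guest INVPCID #UD: %s\n",
           primary, after, guest_invpcid_would_ud(primary, after) ? "yes" : "no");
    return 0;
}
```

Two things worth checking when porting this pattern into a real VMCS setup: the adjust step is the authority, so if the capability MSR refuses bit 12 the hypervisor must either hide INVPCID from the guest's CPUID or emulate the #UD path, since advertising the instruction while the control is off is exactly the inconsistency that produced this crash; and the dump's FAULT_INSTR_CODE 82380f66 is the little-endian rendering of the bytes 66 0F 38 82, the INVPCID opcode, which is a quick way to confirm that an Illegal Instruction bugcheck under a hypervisor is this control and not something else.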