jonomango / hv

Lightweight Intel VT-x Hypervisor.
MIT License

BSOD win10 2004/10.0.19041.1 #27

Open VMHolePuncher opened 1 year ago

VMHolePuncher commented 1 year ago

I get this BSOD after about a minute of running the hv + um example.

fffff803`7cbf70d0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffffe0c`ca527550=000000000000000a
7: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000ccddcced, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8037ca8bdb6, address which referenced memory

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2311

    Key  : Analysis.Elapsed.mSec
    Value: 2358

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 374

    Key  : Analysis.Init.Elapsed.mSec
    Value: 4467

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 97

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0xa

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0xa

    Key  : Failure.Bucket
    Value: AV_nt!RtlRbRemoveNode

    Key  : Failure.Hash
    Value: {9b43c07a-2da2-b63c-46ab-1c788c8a28c1}

    Key  : Hypervisor.Enlightenments.Value
    Value: 0

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 0

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 0

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 0

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 0

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 16908288

    Key  : Hypervisor.Flags.ValueHex
    Value: 1020000

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 0

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

    Key  : SecureKernel.HalpHvciEnabled
    Value: 0

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1

BUGCHECK_CODE:  a

BUGCHECK_P1: ccddcced

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: fffff8037ca8bdb6

FILE_IN_CAB:  MEMORY.DMP

WRITE_ADDRESS:  00000000ccddcced 

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

TRAP_FRAME:  fffffe0cca527690 -- (.trap 0xfffffe0cca527690)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=ffffce09d6601980 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8037ca8bdb6 rsp=fffffe0cca527828 rbp=ffffce09d6600040
 r8=00000000ccddccdd  r9=00000000ccddccdd r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!RtlRbRemoveNode+0xa46:
fffff803`7ca8bdb6 4d897110        mov     qword ptr [r9+10h],r14 ds:00000000`ccddcced=????????????????
Resetting default scope

STACK_TEXT:  
fffffe0c`ca527548 fffff803`7cc09069     : 00000000`0000000a 00000000`ccddcced 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffffe0c`ca527550 fffff803`7cc05369     : 00000000`00000000 fffffe0c`ca527781 ffffffff`ffffffe5 00000000`00004000 : nt!KiBugCheckDispatch+0x69
fffffe0c`ca527690 fffff803`7ca8bdb6     : 00000000`0000004b ffffce09`d6601980 fffff803`7ca5a1b9 ffffce09`d6600040 : nt!KiPageFault+0x469
fffffe0c`ca527828 fffff803`7ca5a1b9     : ffffce09`d6600040 ffffce09`b9800100 ffffce09`b9800100 00000000`00000000 : nt!RtlRbRemoveNode+0xa46
fffffe0c`ca527840 fffff803`7ca59dff     : ffffce09`d6600ca0 ffffce09`d6600ca0 9401df92`00000000 00000000`0000001b : nt!RtlpHpSegFreeRangeRemove+0x19
fffffe0c`ca527870 fffff803`7ca5986b     : ffffffff`ffffffff 00000000`00000067 ffffffff`ffffffff ffffce09`d6600ca0 : nt!RtlpHpSegPageRangeCoalesce+0x1df
fffffe0c`ca5278f0 fffff803`7ca896e2     : ffffce09`b9800000 ffffce09`b9800100 ffffce09`d6600000 a2e64ead`a2e64ead : nt!RtlpHpSegPageRangeShrink+0xeb
fffffe0c`ca527960 fffff803`7d1b1149     : fffff803`00000000 00000000`00000000 00000000`00000000 01000000`00100000 : nt!ExFreeHeapPool+0x6b2
fffffe0c`ca527a40 fffff803`7cab85f5     : ffffce09`d0743080 fffff803`7cae5450 ffffce09`b9c9ac40 ffffce09`00000000 : nt!ExFreePool+0x9
fffffe0c`ca527a70 fffff803`7cb55935     : ffffce09`d0743080 00000000`00000080 ffffce09`b9ca00c0 000fa4ef`bd9bbfff : nt!ExpWorkerThread+0x105
fffffe0c`ca527b10 fffff803`7cbfe728     : ffff9401`df7a1180 ffffce09`d0743080 fffff803`7cb558e0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffffe0c`ca527b60 00000000`00000000     : fffffe0c`ca528000 fffffe0c`ca521000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28

SYMBOL_NAME:  nt!RtlRbRemoveNode+a46

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  a46

FAILURE_BUCKET_ID:  AV_nt!RtlRbRemoveNode

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {9b43c07a-2da2-b63c-46ab-1c788c8a28c1}

Followup:     MachineOwner
---------
jonomango commented 1 year ago

Hi, can you check to see if you get a BSOD with the latest commit? https://github.com/jonomango/hv/commit/86ca9f50238c65b75ef04fdec1f6c45d8e98fdbf

VMHolePuncher commented 1 year ago

I am getting this with the newest commit:

fffff803`4fdf70d0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffffc080`aec56480=0000000000000139
12: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000001d, An RTL_BALANCED_NODE RBTree entry has been corrupted.
Arg2: ffffc080aec567a0, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffffc080aec566f8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2218

    Key  : Analysis.Elapsed.mSec
    Value: 2258

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 358

    Key  : Analysis.Init.Elapsed.mSec
    Value: 1925

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 97

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0x139

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x139

    Key  : FailFast.Name
    Value: INVALID_BALANCED_TREE

    Key  : FailFast.Type
    Value: 29

    Key  : Failure.Bucket
    Value: 0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch

    Key  : Failure.Hash
    Value: {67ec97ad-ad0b-071e-ab87-6dc661e22d1b}

    Key  : Hypervisor.Enlightenments.Value
    Value: 0

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 0

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 0

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 0

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 0

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 16908288

    Key  : Hypervisor.Flags.ValueHex
    Value: 1020000

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 0

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

    Key  : SecureKernel.HalpHvciEnabled
    Value: 0

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1

BUGCHECK_CODE:  139

BUGCHECK_P1: 1d

BUGCHECK_P2: ffffc080aec567a0

BUGCHECK_P3: ffffc080aec566f8

BUGCHECK_P4: 0

FILE_IN_CAB:  MEMORY.DMP

TRAP_FRAME:  ffffc080aec567a0 -- (.trap 0xffffc080aec567a0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000001d
rdx=ffff9e82d8701b80 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8034fe3d7df rsp=ffffc080aec56938 rbp=ffff9e82d8700040
 r8=0000000000000000  r9=ffff9e82d8701b88 r10=0000000000000000
r11=ffff9e82d8700040 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
nt!RtlRbRemoveNode+0x1b246f:
fffff803`4fe3d7df cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffffc080aec566f8 -- (.exr 0xffffc080aec566f8)
ExceptionAddress: fffff8034fe3d7df (nt!RtlRbRemoveNode+0x00000000001b246f)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 000000000000001d
Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE 

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  000000000000001d

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffffc080`aec56478 fffff803`4fe09069     : 00000000`00000139 00000000`0000001d ffffc080`aec567a0 ffffc080`aec566f8 : nt!KeBugCheckEx
ffffc080`aec56480 fffff803`4fe09490     : ffffc080`aec56490 fffff803`55225692 00000000`00000000 00000000`00001000 : nt!KiBugCheckDispatch+0x69
ffffc080`aec565c0 fffff803`4fe07823     : ffff9e82`e1bf7bd0 ffff9e82`e30ec0a0 ffff9e82`ed764ab0 ffff8387`00000005 : nt!KiFastFailDispatch+0xd0
ffffc080`aec567a0 fffff803`4fe3d7df     : ffff9e82`d8800100 ffffffff`ffffffff fffff803`4fc57007 00000000`00000001 : nt!KiRaiseSecurityCheckFailure+0x323
ffffc080`aec56938 fffff803`4fc57007     : 00000000`00000001 00000000`67000000 ffff9e82`f5a00040 00000000`00000067 : nt!RtlRbRemoveNode+0x1b246f
ffffc080`aec56950 fffff803`4fc56dba     : 00000000`00000000 00000000`00000000 00000000`00000000 ffff9e82`00000000 : nt!RtlpHpSegPageRangeAllocate+0x107
ffffc080`aec569f0 fffff803`4fc8d0a6     : 00000000`00067000 00000000`00067000 00000000`00000000 ffff9e82`e30ec0a0 : nt!RtlpHpSegAlloc+0x5a
ffffc080`aec56a50 fffff803`503b11c4     : 00000000`00000d07 70100080`04002001 ffff9e82`6a536c46 ffffc080`aec56c00 : nt!ExAllocateHeapPool+0x8f6
ffffc080`aec56b90 ffff9e82`f5b824d1     : 00000000`00000000 ffffc080`aec56ce0 00000000`00000001 ffff9e82`00000000 : nt!ExAllocatePoolWithTag+0x64
ffffc080`aec56be0 00000000`00000000     : ffffc080`aec56ce0 00000000`00000001 ffff9e82`00000000 00000000`00000000 : 0xffff9e82`f5b824d1

SYMBOL_NAME:  nt!KiFastFailDispatch+d0

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  d0

FAILURE_BUCKET_ID:  0x139_1d_INVALID_BALANCED_TREE_nt!KiFastFailDispatch

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {67ec97ad-ad0b-071e-ab87-6dc661e22d1b}

Followup:     MachineOwner
---------
jonomango commented 1 year ago

I am honestly not sure what the cause of this issue could be. Try replacing um/main.cpp with only the following:

```cpp
#include <cstdio>   // printf
#include "hv.h"     // hv usermode API header (file name assumed); declares hv::is_hv_running()

int main() {
  // Bail out before any hypercall is attempted if the hypervisor is not loaded.
  if (!hv::is_hv_running()) {
    printf("HV not running.\n");
    return 0;
  }
  return 0;
}
```
VMHolePuncher commented 1 year ago

I'm not getting the BSOD with just that code.