Hi,
It looks like gmail silently failed to attach the file and didn't even
notify me about this. I reattached my program in this message. It was
compiled with MASM using attached script and tested under Windows XP SP3
host and guest.
Here's the bat file I used for compilation (I cannot attach such files):
@REM Make sure this path is correct before attempting to build
@set MASM_PATH=C:\masm32
@set PATH=%PATH%;%MASM_PATH%\bin
ml -c -coff -I%MASM_PATH%\include 10947_test.asm
link /ENTRY:start /SUBSYSTEM:CONSOLE /LIBPATH:%MASM_PATH%\lib 10947_test.obj
Regards,
Konrad
2013/11/12 Ramshankar <[email protected]>
> Hi,
>
> You said in the attachment, you have included a testcase, I can't find any
> attachment in your original email. Could you please re-attach it?
>
> Regards,
> Ram.
>
>
> On 11/09/2013 05:01 AM, Ramshankar wrote:
>
>> Hi,
>>
>> Thank you for the patch. I'll take a look at it next week.
>>
>> Regards,
>> Ram.
>>
>> On 08/11/13 22:13, Konrad Kuźmiński wrote:
>>
>>> Hi,
>>>
>>> I've made a fix for this bug https://www.virtualbox.org/ticket/10947.
>>> Mentioned ticket isn't very descriptive so I will try to explain this
>>> issue a little bit more in detail. First of all this problem occurs only
>>> when VT-x is enabled. Basically some instructions don't generate
>>> expected single step exception after they are executed with the trap
>>> flag being set. The behaviour is observed that such instructions are
>>> executed under the control of the guest system but single step exception
>>> is generated after the next instruction. This is a well known bug
>>> amongst malware researchers and malware authors who can easily take
>>> advantage of this fact in order to detect virtualized environment.
>>>
>>> It turns out that the problem lies in the way VirtualBox handles some VM
>>> exits initiated by the execution of certain instructions. Several
>>> instructions can never be executed in VMX non-root operation and those
>>> need to be emulated and skipped within VM exit handlers by adjusting
>>> RIP. Unfortunately the code lacks necessary check for the trap flag
>>> being set, so it doesn't inject expected exception into the guest.
>>>
>>> Here's the fix:
>>> *** src\VBox\VMM\VMMR0\HMVMXR0_original.cpp 2013-11-01
>>> 18:58:26.000000000 +0100
>>> --- src\VBox\VMM\VMMR0\HMVMXR0_fixed.cpp 2013-11-08
>>> 20:24:30.578125000 +0100
>>> ***************
>>> *** 8166,8181 ****
>>> --- 8166,8190 ----
>>> DECLINLINE(int) hmR0VmxAdvanceGuestRip(PVMCPU pVCpu, PCPUMCTX
>>> pMixedCtx, PVMXTRANSIENT pVmxTransient)
>>> {
>>> int rc = hmR0VmxReadExitInstrLenVmcs(pVCpu, pVmxTransient);
>>> rc |= hmR0VmxSaveGuestRip(pVCpu, pMixedCtx);
>>> AssertRCReturn(rc, rc);
>>>
>>> pMixedCtx->rip += pVmxTransient->cbInstr;
>>> VMCPU_HMCF_SET(pVCpu, HM_CHANGED_GUEST_RIP);
>>> +
>>> + X86EFLAGS Eflags;
>>> + rc = VMXReadVmcs32(VMX_VMCS_GUEST_RFLAGS, &Eflags.u32);
>>> + AssertRCReturn(rc, rc);
>>> + if (Eflags.Bits.u1TF)
>>> + {
>>> + hmR0VmxSetPendingXcptDB(pVCpu, pMixedCtx);
>>> + }
>>> +
>>> return rc;
>>> }
>>>
>>> This fix ensures correct handling of mentioned condition in all 13
>>> affected VM exit handlers: VMX_EXIT_CPUID, VMX_EXIT_RDTSC,
>>> VMX_EXIT_RDTSCP, VMX_EXIT_RDPMC, VMX_EXIT_MOV_CRX, VMX_EXIT_MOV_DRX,
>>> VMX_EXIT_MWAIT, VMX_EXIT_MONITOR, VMX_EXIT_RDMSR, VMX_EXIT_WRMSR,
>>> VMX_EXIT_INVD, VMX_EXIT_INVLPG, VMX_EXIT_WBINVD.
>>>
>>> In the attachment I provided a simple program which can be used to test
>>> this condition on 2 representative instructions: CPUID and RDTSC. I
>>> picked those because they don't require CPL = 0.
>>>
>>> I release this patch and test program under MIT license.
>>>
>>> Best regards,
>>> Konrad
>>>
>>>
>>> _______________________________________________
>>> vbox-dev mailing list
>>> [email protected]
>>> https://www.virtualbox.org/mailman/listinfo/vbox-dev
>>>
>>>
>> _______________________________________________
>> vbox-dev mailing list
>> [email protected]
>> https://www.virtualbox.org/mailman/listinfo/vbox-dev
>>
>
>
; Copyright (c) 2013 Konrad Kuźmiński
;
; Permission is hereby granted, free of charge, to any person obtaining a copy
; of this software and associated documentation files (the "Software"), to deal
; in the Software without restriction, including without limitation the rights
; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
; copies of the Software, and to permit persons to whom the Software is
; furnished to do so, subject to the following conditions:
;
; The above copyright notice and this permission notice shall be included in
; all copies or substantial portions of the Software.
;
; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
; THE SOFTWARE.
.686
.model flat, stdcall
option casemap:none
public start
include windows.inc
include kernel32.inc
includelib kernel32.lib
.data
cpuid_ok db 'CPUID has been executed correctly.', 0AH, 0
cpuid_bugged db 'Bugged CPUID has been detected!', 0AH, 0
rdtsc_ok db 'RDTSC has been executed correctly.', 0AH, 0
rdtsc_bugged db 'Bugged RDTSC has been detected!', 0AH, 0
.code
;this is a simple test case for vbox bug #10947
start:
assume fs : nothing
;installing exception handler
push edi
push offset handler
push fs:[0]
mov fs:[0], esp
xor edi, edi
xor eax, eax
pushf
pop ecx
or ch, 1 ;set the trap flag
push ecx
popf
cpuid ;exception should be generated after this instruction,
BEFORE the next one executes
inc edi ;#DB expected here
inc edi ;but under VT-x enabled VM it's being delivered here,
so EDI=1
mov edi, 8000H
pushf
pop ecx
or ch, 1
push ecx
popf
rdtsc
inc edi
inc edi
;cleanup
mov eax, [esp]
mov fs:[0], eax
add esp, 8
pop edi
ret
;exception handler itself, uses lower part of edi to check when exception was
delivered and notifies the user
handler:
mov eax, [esp+0CH]
mov eax, [eax+9CH] ;extract EDI value from the CONTEXT structure
test eax, 8000H
jnz check_rdtsc
mov ecx, offset cpuid_ok
test eax, eax
jz do_print
mov ecx, offset cpuid_bugged
jmp do_print
check_rdtsc:
mov ecx, offset rdtsc_ok
test al, al
jz do_print
mov ecx, offset rdtsc_bugged
do_print:
push ecx
call console_print
add esp, 4
xor eax, eax
ret
;helper function for printing to console, nothing special here
console_print:
sub esp, 4
push 0
lea eax, [esp+4]
push eax
mov edx, [esp+10H]
xor ecx, ecx
@@:
cmp byte ptr[edx+ecx], 0
jz @F
inc ecx
jmp @B
@@:
push ecx
push edx
push -11
call GetStdHandle
push eax
call WriteConsole
add esp, 4
ret
END_______________________________________________
vbox-dev mailing list
[email protected]
https://www.virtualbox.org/mailman/listinfo/vbox-dev
