Re: [Xen-devel] [BUG] Invalid guest state in Xen master, dom0 linux-5.3.6, domU windows 10

Andrew Cooper Mon, 04 Nov 2019 11:23:29 -0800

On 04/11/2019 15:40, Andrew Cooper wrote:
> On 04/11/2019 15:33, Håkon Alstadheim wrote:
>> Den 04.11.2019 14:31, skrev Andrew Cooper:
>>> On 03/11/2019 10:23, Håkon Alstadheim wrote:
>>>
>>>> (XEN) [2019-11-02 14:09:46] d2v0 vmentry failure (reason 0x80000021):
>>>> Invalid guest state (0)
>>>> (XEN) [2019-11-02 14:09:46] ************* VMCS Area **************
>>>> (XEN) [2019-11-02 14:09:46] *** Guest State ***
>>>> (XEN) [2019-11-02 14:09:46] CR0: actual=0x0000000080050031,
>>>> shadow=0x0000000080050031, gh_mask=ffffffffffffffff
>>>> (XEN) [2019-11-02 14:09:46] CR4: actual=0x0000000000172678,
>>>> shadow=0x0000000000170678, gh_mask=ffffffffffe8f860
>>>> (XEN) [2019-11-02 14:09:46] CR3 = 0x00000000001aa002
>>>> (XEN) [2019-11-02 14:09:46] RSP = 0xffff8c0f4dd71e98
>>>> (0xffff8c0f4dd71e98)  RIP = 0xffffd18a040bb75e (0xffffd18a040bb75e)
>>>> (XEN) [2019-11-02 14:09:46] RFLAGS=0x00000187 (0x00000187)  DR7 =
>>>> 0x0000000000000400
>>>> (XEN) [2019-11-02 14:09:46] Sysenter RSP=0000000000000000
>>>> CS:RIP=0000:0000000000000000
>>>> (XEN) [2019-11-02 14:09:46]        sel  attr  limit   base
>>>> (XEN) [2019-11-02 14:09:46]   CS: 0010 0209b 00000000 0000000000000000
>>>> (XEN) [2019-11-02 14:09:46]   DS: 002b 0c0f3 ffffffff 0000000000000000
>>>> (XEN) [2019-11-02 14:09:46]   SS: 0018 04093 00000000 0000000000000000
>>>> (XEN) [2019-11-02 14:09:46]   ES: 002b 0c0f3 ffffffff 0000000000000000
>>>> (XEN) [2019-11-02 14:09:46]   FS: 0053 040f3 00003c00 0000000000000000
>>>> (XEN) [2019-11-02 14:09:46]   GS: 002b 0c0f3 ffffffff fffff8044ff80000
>>>> (XEN) [2019-11-02 14:09:46] GDTR:            00000057 fffff80459c61fb0
>>>> (XEN) [2019-11-02 14:09:46] LDTR: 0000 1c000 ffffffff 0000000000000000
>>>> (XEN) [2019-11-02 14:09:46] IDTR:            0000012f ffffd18a014a0980
>>>> (XEN) [2019-11-02 14:09:46]   TR: 0040 0008b 00000067 fffff80459c60000
>>>> (XEN) [2019-11-02 14:09:46] EFER(VMCS) = 0x0000000000000d01  PAT =
>>>> 0x0007010600070106
>>>> (XEN) [2019-11-02 14:09:46] PreemptionTimer = 0x00000000  SM Base =
>>>> 0x00000000
>>>> (XEN) [2019-11-02 14:09:46] DebugCtl = 0x0000000000000000
>>>> DebugExceptions = 0x0000000000000000
>>>> (XEN) [2019-11-02 14:09:46] Interruptibility = 00000002  ActivityState
>>>> = 00000000
>>>> (XEN) [2019-11-02 14:09:46] InterruptStatus = 0000
>>>> (XEN) [2019-11-02 14:09:46] *** Host State ***
>>>> (XEN) [2019-11-02 14:09:46] RIP = 0xffff82d080341950
>>>> (vmx_asm_vmexit_handler)  RSP = 0xffff83083ff0ff70
>>>> (XEN) [2019-11-02 14:09:46] CS=e008 SS=0000 DS=0000 ES=0000 FS=0000
>>>> GS=0000 TR=e040
>>>> (XEN) [2019-11-02 14:09:46] FSBase=0000000000000000
>>>> GSBase=0000000000000000 TRBase=ffff83083ff14000
>>>> (XEN) [2019-11-02 14:09:46] GDTBase=ffff83083ff03000
>>>> IDTBase=ffff83083ff07000
>>>> (XEN) [2019-11-02 14:09:46] CR0=0000000080050033 CR3=000000054dbea000
>>>> CR4=00000000001526e0
>>>> (XEN) [2019-11-02 14:09:46] Sysenter RSP=ffff83083ff0ffa0
>>>> CS:RIP=e008:ffff82d080395440
>>>> (XEN) [2019-11-02 14:09:46] EFER = 0x0000000000000d01  PAT =
>>>> 0x0000050100070406
>>>> (XEN) [2019-11-02 14:09:46] *** Control State ***
>>>> (XEN) [2019-11-02 14:09:46] PinBased=000000bf CPUBased=b62065fa
>>>> SecondaryExec=000017eb
>>>> (XEN) [2019-11-02 14:09:46] EntryControls=0000d3ff
>>>> ExitControls=002fefff
>>>> (XEN) [2019-11-02 14:09:46] ExceptionBitmap=00060002 PFECmask=00000000
>>>> PFECmatch=00000000
>>>> (XEN) [2019-11-02 14:09:46] VMEntry: intr_info=80000501
>>>> errcode=00000000 ilen=00000001
>>>> (XEN) [2019-11-02 14:09:46] VMExit: intr_info=80000501
>>>> errcode=00000000 ilen=00000001
>>>> (XEN) [2019-11-02 14:09:46]         reason=80000021
>>>> qualification=0000000000000000
>>>> (XEN) [2019-11-02 14:09:46] IDTVectoring: info=00000000
>>>> errcode=00000000
>>>> (XEN) [2019-11-02 14:09:46] TSC Offset = 0xfffff45ded46dd57  TSC
>>>> Multiplier = 0x0000000000000000
>>>> (XEN) [2019-11-02 14:09:46] TPR Threshold = 0x00  PostedIntrVec = 0xf5
>>>> (XEN) [2019-11-02 14:09:46] EPT pointer = 0x000000054e3a701e  EPTP
>>>> index = 0x0000
>>>> (XEN) [2019-11-02 14:09:46] PLE Gap=00000080 Window=00001000
>>>> (XEN) [2019-11-02 14:09:46] Virtual processor ID = 0x5a02 VMfunc
>>>> controls = 0000000000000000
>>>> (XEN) [2019-11-02 14:09:46] **************************************
>>>> (XEN) [2019-11-02 14:09:46] domain_crash called from vmx.c:3335
>>>> (XEN) [2019-11-02 14:09:46] Domain 2 (vcpu#0) crashed on cpu#2:
>>> Interruptibility = 00000002 (Blocked by Mov SS) and VMEntry:
>>> intr_info=80000501 (ICEBP)
>>>
>>> Dare I ask what you're running in your windows guest?  Unless it is a
>>> vulnerability test suite, I'm rather concerned.
>> Because I have pulled out all stops ? Well no particular reason. I've
>> asked my kids nicely not to poke any /more/ holes in the security on
>> the system. Probably should tighten up the ship. I have some conflict
>> going on between the hardware pci USB cards in the machine, so I
>> thought I'd see what would happen if I gave ASUS and whatever no-name
>> Taiwanese I have in there free rein. Nothing gained as far as I can
>> see, so I'll see about closing some of the more gaping holes. At least
>> as far as getting rid of deprecation warnings go :-) .
>>
>> I hope "they" never get serious about requiring a license to own a
>> computer with Internet access. :-)
> Something in the VM is attempting to exploit XSA-260 / CVE-2018-8897
> against the guest kernel, using a variation of the attack.
>
> Xen should cope with the entry conditions correctly, and I think I've
> figured out a fairly non-invasive way of fixing this particular case
> without the full-blown #DB rework.


Ok - something more complicated is going on here.  I can't reproduce the
corner case in the obvious way.

Can you apply this debugging patch and try to reproduce the issue?  I
want to confirm which instructions the guest is executing.

~Andrew

diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
index ed27e8def7..3ca3671a9e 100644
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -2025,6 +2025,30 @@ void vmcs_dump_vcpu(struct vcpu *v)
         printk("Virtual processor ID = 0x%04x VMfunc controls = %016lx\n",
                vmr16(VIRTUAL_PROCESSOR_ID), vmr(VM_FUNCTION_CONTROL));
 
+    {
+        struct hvm_emulate_ctxt ctxt;
+        const struct segment_register *cs;
+
+        hvm_emulate_init_once(&ctxt, NULL, regs);
+
+        cs = &ctxt.seg_reg[x86_seg_cs];
+
+        {
+            uint32_t walk = ((ctxt.seg_reg[x86_seg_ss].dpl == 3)
+                             ? PFEC_user_mode : 0) | PFEC_insn_fetch;
+            unsigned long addr;
+            char bytes[32];
+
+            if ( hvm_virtual_to_linear_addr(x86_seg_cs, cs, regs->rip - 16,
+                                            sizeof(bytes), hvm_access_insn_fetch,
+                                            cs, &addr) &&
+                 (hvm_copy_from_guest_linear(bytes, addr, sizeof(bytes),
+                                             walk, NULL) == HVMTRANS_okay) )
+                printk("*** Insn bytes from %lx: %16ph <%02x> %15ph\n",
+                       addr, bytes, (unsigned int)bytes[16], &bytes[17]);
+        }
+    }
+
     vmx_vmcs_exit(v);
 }

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [BUG] Invalid guest state in Xen master, dom0 linux-5.3.6, domU windows 10

Reply via email to