SimpleVisor state after vmlaunch question

Hello!

Here, https://github.com/ionescu007/SimpleVisor/blob/master/shvvmxhv.c has this
comment at line 70:

// If we got here, either VMCS setup failed in some way, or the launch
// did not proceed as planned.

So if the CPU successfully switched to non-root mode, vmlaunch never returns in
root mode.
I don’t really understand why. After launching a normal VM, vmlaunch should
return in root mode.

Why doesn’t such a return happen in the case of hyperjacking?

On Tue, Jan 31, 2017 at 12:24:25PM +0300, Sergey Pisarev wrote:

Hi Sergey,

If I understand your question correctly, vmlaunch (or for that matter,
vmresume as well) can fail if you have invalid VMCS state in some way
(impossible settings/controls, or bad host state values). In this case,
the VMCS will not be launched, either OF or CF will be set in RFLAGS to
convey the reason for failure to launch, and control will fall through
to the instruction following the vmlaunch/vmresume function.

The Intel SDM describes reasons why launch/resume can fail (there are a bunch
of things checked - search the SDM for VMfailValid and VMfailInvalid, it’s
explained in vol3, ch30).

Remember that the “return” from vmlaunch isn’t the next instruction, that
only happens if something went wrong. The “return” is actually to the location
specified by the VMCS field for host %rip, which in most hypervisors is set
to the exit handler code (or something that ends up calling the exit handler
code at some point later).

Hope this helps.

-ml


NTDEV is sponsored by OSR

Visit the list online at: http://www.osronline.com/showlists.cfm?list=ntdev

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hi Mike,

Thank you for the very elaborate answer. So do I understand correctly that a
successful vmlaunch never returns, even in the case of a “normal” VM?


On Tue, Jan 31, 2017 at 01:05:21PM +0300, Sergey Pisarev wrote:

Hi Mike,

Thank you for the very elaborate answer. So do I understand correctly that a
successful vmlaunch never returns, even in the case of a “normal” VM?

Execution will not continue to the next instruction unless an error occurred.

Technically, one could set the host %rip setting to also be the next
instruction after vmlaunch, but then you’d need to take care to also ensure
that the host %rflags setting has CF and OF cleared, to be able to tell
if you continued to the next instruction because of failure, or because you
exited there. Generally you set host %rip to point to some other function; then
you can be sure that if you ended up in that function, you certainly at least
passed the host state area and VMCS controls check part of the vmlaunch.

The SDM explains this in far more detail, along with all the checks that are
performed.

It may be worth noting that AMD SVM behaves slightly differently here -
the equivalent instruction (vmrun) always returns to the subsequent instruction
and you don’t put a “host %rip” value into the VMCB. You just check for an
error condition after each vmrun to determine if you entered the VM or failed
for some reason.

-ml

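The two replies above describe the fall-through path after vmlaunch/vmresume and why the "return" from a successful launch is host RIP (the exit handler), not the next instruction. The C below is an added example written for this page; it is not SimpleVisor code and was not posted by either participant. It decodes the RFLAGS convention the Intel SDM (Vol. 3, the "Conventions" section for VMX instructions) specifies: CF set means VMfailInvalid (no current VMCS), ZF set means VMfailValid (the error number is then in the VM-instruction error field, encoding 0x4400), all flags clear means VMsucceed. The inline-asm helpers that execute VMLAUNCH and VMREAD are shown under an x86-64 guard but require ring 0 in VMX-root operation and are never called here; the flag values and error numbers fed to the decoder in main are constructed samples. The enum and string names are this example's own.

```c
/* vmx_fallthrough.c: added example for this thread, not SimpleVisor code.
 *
 * A successful VMLAUNCH/VMRESUME never falls through: the CPU enters non-root
 * mode and the next root-mode instruction to run is host RIP, on every VM exit.
 * The instruction after VMLAUNCH runs only on a VMX instruction failure, which
 * the Intel SDM (Vol. 3) reports in RFLAGS:
 *   VMsucceed     CF=0 ZF=0 (PF, AF, SF, OF also clear)
 *   VMfailInvalid CF=1      no current VMCS
 *   VMfailValid   ZF=1      error number in VM-instruction error field (0x4400)
 * Guest-state check failures are NOT reported this way: they produce a VM exit
 * (exit reason with bit 31 set) that lands at host RIP. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RFLAGS_CF (1ULL << 0)
#define RFLAGS_ZF (1ULL << 6)

/* VM-instruction error numbers relevant to launch/resume (SDM Vol. 3). */
enum vmx_insn_error {
    VMX_ERR_VMLAUNCH_NONCLEAR_VMCS   = 4,
    VMX_ERR_VMRESUME_NONLAUNCHED     = 5,
    VMX_ERR_ENTRY_INVALID_CONTROLS   = 7,
    VMX_ERR_ENTRY_INVALID_HOST_STATE = 8,
};

enum vmx_result { VMX_SUCCEED = 0, VMX_FAIL_INVALID = 1, VMX_FAIL_VALID = 2 };

/* Classify RFLAGS captured immediately after vmlaunch/vmresume. */
enum vmx_result vmx_classify(uint64_t rflags)
{
    if (rflags & RFLAGS_CF) return VMX_FAIL_INVALID;
    if (rflags & RFLAGS_ZF) return VMX_FAIL_VALID;
    return VMX_SUCCEED;
}

const char *vmx_error_name(uint32_t err)
{
    switch (err) {
    case VMX_ERR_VMLAUNCH_NONCLEAR_VMCS:
        return "VMfailValid(4): VMLAUNCH with non-clear VMCS (use VMRESUME)";
    case VMX_ERR_VMRESUME_NONLAUNCHED:
        return "VMfailValid(5): VMRESUME with non-launched VMCS (use VMLAUNCH)";
    case VMX_ERR_ENTRY_INVALID_CONTROLS:
        return "VMfailValid(7): VM entry with invalid control field(s)";
    case VMX_ERR_ENTRY_INVALID_HOST_STATE:
        return "VMfailValid(8): VM entry with invalid host-state field(s)";
    default:
        return "VMfailValid: other VM-instruction error (see the SDM table)";
    }
}

/* Diagnose a fall-through. insn_error is meaningful only for VMfailValid and
 * must be read (VMREAD 0x4400) while the failing VMCS is still current. */
const char *vmx_diagnose(uint64_t rflags, uint32_t insn_error)
{
    switch (vmx_classify(rflags)) {
    case VMX_FAIL_INVALID:
        return "VMfailInvalid: no current VMCS (VMPTRLD missing or failed)";
    case VMX_FAIL_VALID:
        return vmx_error_name(insn_error);
    default:
        /* Flags clear here means no failure: host RIP was set to this address
         * and a VM exit delivered us. A VM exit loads RFLAGS with only bit 1
         * set, so CF and ZF are clear and the two cases stay distinguishable. */
        return "VMsucceed: reached via VM exit to host RIP, not a launch failure";
    }
}

#if defined(__x86_64__) && defined(__GNUC__)
/* Ring-0, VMX-root only (never called from main): run VMLAUNCH and capture
 * CF/ZF on fall-through without touching the stack. */
static inline uint64_t vmx_vmlaunch_capture(void)
{
    uint8_t cf, zf;
    __asm__ __volatile__("vmlaunch\n\tsetc %0\n\tsetz %1"
                         : "=q"(cf), "=q"(zf) : : "cc", "memory");
    return (cf ? RFLAGS_CF : 0) | (zf ? RFLAGS_ZF : 0);
}

static inline uint32_t vmx_read_insn_error(void)
{
    uint64_t v, field = 0x4400; /* VM-instruction error field encoding */
    __asm__ __volatile__("vmread %1, %0" : "=r"(v) : "r"(field) : "cc");
    return (uint32_t)v;
}
#endif

int main(void)
{
    /* Constructed sample outcomes; real ones come from the helpers above. */
    struct { uint64_t rflags; uint32_t err; } samples[] = {
        { RFLAGS_CF, 0 }, /* no current VMCS */
        { RFLAGS_ZF, 8 }, /* bad host-state area */
        { RFLAGS_ZF, 4 }, /* VMLAUNCH on an already-launched VMCS */
        { 0x2, 0 },       /* VM exit delivered to host RIP == next insn */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("rflags=%#llx -> %s\n", (unsigned long long)samples[i].rflags,
               vmx_diagnose(samples[i].rflags, samples[i].err));
    return 0;
}
```

In a real hypervisor the fall-through after `vmlaunch` calls `vmx_vmlaunch_capture`'s pattern, then `vmx_read_insn_error` only when ZF was set; SimpleVisor's "If we got here" comment marks exactly that path. AMD SVM does not need any of this, as the thread notes: `vmrun` always returns to the next instruction and the VMCB carries no host RIP.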

Thank you very much, Mike!

Great, elaborate explanation. I think now I understand how things work.

Some things, at least :)
