From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: Emulating in response of an int3 vm_event
Date: Tue, 1 Dec 2015 10:40:35 +0000
Message-ID: <565D7923.5080806@citrix.com>
References: <CABfawhncf2sk43q6DBQBdYEvcfm6VdVPa1MHd7nRFpLPw7Cr=A@mail.gmail.com>
	<565CE349.4070207@bitdefender.com>
	<CABfawhkiBYY8vxtGkRDVV_jS6HF794+scRH+bQ1TRVLJ50MtVQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7981056615440405763=="
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=770f1729a=Andrew.Cooper3@citrix.com>)
	id 1a3iMV-0005L6-U1
	for xen-devel@lists.xenproject.org; Tue, 01 Dec 2015 10:40:44 +0000
In-Reply-To: <CABfawhkiBYY8vxtGkRDVV_jS6HF794+scRH+bQ1TRVLJ50MtVQ@mail.gmail.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Tamas K Lengyel <tamas@tklengyel.com>, Razvan Cojocaru <rcojocaru@bitdefender.com>
Cc: Xen-devel <xen-devel@lists.xenproject.org>
List-Id: xen-devel@lists.xenproject.org

--===============7981056615440405763==
Content-Type: multipart/alternative;
	boundary="------------050007010705020308030203"

--------------050007010705020308030203
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit

On 01/12/15 01:21, Tamas K Lengyel wrote:
>
>
> On Mon, Nov 30, 2015 at 7:01 PM, Razvan Cojocaru
> <rcojocaru@bitdefender.com <mailto:rcojocaru@bitdefender.com>> wrote:
>
>     On 12/01/2015 01:32 AM, Tamas K Lengyel wrote:
>     > Hi all,
>     > I'm trying to extend the current vm_event system to be able to
>     emulate
>     > over an in-guest breakpoint using the
>     VM_EVENT_FLAG_SET_EMUL_READ_DATA
>     > feature. The idea is to have the vm_event listener send back the
>     > contents of the memory that was overwritten by the breakpoint
>     > instruction, have Xen emulate one instruction, and resume execution
>     > normally afterwards. This would eliminate the need of removing the
>     > breakpoint, singlestepping, and placing the breakpoint back again.
>     >
>     > Unfortunately I encounter this crash when I call
>     > hvm_mem_access_emulate_one in the event response handler:
>     >
>     > (XEN) vm_event.c:72:d0v0 Checking flags on int3 response 37
>     > (XEN) Xen BUG at /share/src/xen/xen/include/asm/hvm/vmx/vmx.h:372
>

This BUG() is the cause of the crash.

It is a bad parameter to VMREAD, by the looks of it.

~Andrew

--------------050007010705020308030203
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 01/12/15 01:21, Tamas K Lengyel
      wrote:<br>
    </div>
    <blockquote
cite="mid:CABfawhkiBYY8vxtGkRDVV_jS6HF794+scRH+bQ1TRVLJ50MtVQ@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Mon, Nov 30, 2015 at 7:01 PM,
            Razvan Cojocaru <span dir="ltr">&lt;<a
                moz-do-not-send="true"
                href="mailto:rcojocaru@bitdefender.com" target="_blank">rcojocaru@bitdefender.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div class="">
                <div class="h5">On 12/01/2015 01:32 AM, Tamas K Lengyel
                  wrote:<br>
                  &gt; Hi all,<br>
                  &gt; I'm trying to extend the current vm_event system
                  to be able to emulate<br>
                  &gt; over an in-guest breakpoint using the
                  VM_EVENT_FLAG_SET_EMUL_READ_DATA<br>
                  &gt; feature. The idea is to have the vm_event
                  listener send back the<br>
                  &gt; contents of the memory that was overwritten by
                  the breakpoint<br>
                  &gt; instruction, have Xen emulate one instruction,
                  and resume execution<br>
                  &gt; normally afterwards. This would eliminate the
                  need of removing the<br>
                  &gt; breakpoint, singlestepping, and placing the
                  breakpoint back again.<br>
                  &gt;<br>
                  &gt; Unfortunately I encounter this crash when I call<br>
                  &gt; hvm_mem_access_emulate_one in the event response
                  handler:<br>
                  &gt;<br>
                  &gt; (XEN) vm_event.c:72:d0v0 Checking flags on int3
                  response 37<br>
                  &gt; (XEN) Xen BUG at
                  /share/src/xen/xen/include/asm/hvm/vmx/vmx.h:372<br>
                </div>
              </div>
            </blockquote>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    This BUG() is the cause of the crash.<br>
    <br>
    It is a bad parameter to VMREAD, by the looks of it.<br>
    <br>
    ~Andrew<br>
  </body>
</html>

--------------050007010705020308030203--


--===============7981056615440405763==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

--===============7981056615440405763==--