From: Andrew Cooper
Subject: Re: Emulating in response of an int3 vm_event
Date: Tue, 1 Dec 2015 10:51:17 +0000
Message-ID: <565D7BA5.90205@citrix.com>
References: <565CE349.4070207@bitdefender.com> <565D7923.5080806@citrix.com>
In-Reply-To: <565D7923.5080806@citrix.com>
To: Tamas K Lengyel, Razvan Cojocaru
Cc: Xen-devel, Jan Beulich
List-Id: xen-devel@lists.xenproject.org

On 01/12/15 10:40, Andrew Cooper wrote:
> On 01/12/15 01:21, Tamas K Lengyel wrote:
>>
>>
>> On Mon, Nov 30, 2015 at 7:01 PM, Razvan Cojocaru <rcojocaru@bitdefender.com> wrote:
>>
>>     On 12/01/2015 01:32 AM, Tamas K Lengyel wrote:
>>     > Hi all,
>>     > I'm trying to extend the current vm_event system to be able to emulate
>>     > over an in-guest breakpoint using the VM_EVENT_FLAG_SET_EMUL_READ_DATA
>>     > feature. The idea is to have the vm_event listener send back the
>>     > contents of the memory that was overwritten by the breakpoint
>>     > instruction, have Xen emulate one instruction, and resume execution
>>     > normally afterwards. This would eliminate the need of removing the
>>     > breakpoint, singlestepping, and placing the breakpoint back again.
>>     >
>>     > Unfortunately I encounter this crash when I call
>>     > hvm_mem_access_emulate_one in the event response handler:
>>     >
>>     > (XEN) vm_event.c:72:d0v0 Checking flags on int3 response 37
>>     > (XEN) Xen BUG at /share/src/xen/xen/include/asm/hvm/vmx/vmx.h:372
>>
> This BUG() is the cause of the crash.
>
> It is a bad parameter to VMREAD, by the looks of it.

Jan: This is a good example of why unlikely regions should have symbols.  The stack trace from this bug is actively misleading because the symbol information for %eip is wrong.

~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel