Ticket Navigation

Ticket #4311 (closed defect: wontfix)

Opened 9 months ago

Last modified 9 months ago

VMM patches interfere with guest analysis of ring-0 code (e.g. Ksplice)

Reported by:	andersk	Assigned to:
Priority:	major	Component:	VMM
Version:	VirtualBox 2.2.4	Keywords:
Cc:		Guest type:	Linux
Host type:	Linux

Description

The attached Linux kernel module executes the instruction sequence:

PUSHF; CLI; NOP; NOP; NOP; NOP; POPF

and then reads the code it just executed and logs those 7 bytes.

Under VirtualBox 2.2.4 r47978 with VT-x/AMD-V disabled, when this module is compiled and loaded in an Ubuntu 9.04 i386 guest, it outputs:

Before: 9c fa 90 90 90 90 9d
After: 9c e9 69 db b1 ff 9d

That is, the CLI was overwritten by a CALL instruction. This demonstrates that the VMM-generated patches are visible to the guest.

This can interfere with guest analysis of ring-0 code. In particular, this problem was discovered while trying to apply Ksplice updates to a VirtualBox guest. Ksplice attempts to match the code in the running kernel with the expected original code before patching it to ensure safety (see http://www.ksplice.com/paper for details), but the VMM-generated patches cause this matching to fail and the update to be aborted.

Recent Linux kernel features such as ftrace and kprobes may be affected by this as well.

Attachments

test-cli.c (467 bytes) - added by andersk on 2009-06-29 01:17:51.: test kernel module

Change History

Download in other formats: