Index: /trunk/include/VBox/err.h =================================================================== --- /trunk/include/VBox/err.h (revision 58657) +++ /trunk/include/VBox/err.h (revision 58658) @@ -247,4 +247,6 @@ /** Reason for leaving RC: Inject a TRPM event. */ #define VINF_EM_RAW_INJECT_TRPM_EVENT 1157 +/** Guest tried to trigger a CPU hang. The guest is probably up to no good. */ +#define VERR_EM_GUEST_CPU_HANG (-1158) /** @} */ Index: /trunk/src/VBox/VMM/VMMR0/HMSVMR0.cpp =================================================================== --- /trunk/src/VBox/VMM/VMMR0/HMSVMR0.cpp (revision 58657) +++ /trunk/src/VBox/VMM/VMMR0/HMSVMR0.cpp (revision 58658) @@ -107,7 +107,8 @@ { \ int rc = hmR0SvmCheckExitDueToEventDelivery(pVCpu, pCtx, pSvmTransient); \ - if (RT_UNLIKELY(rc == VINF_HM_DOUBLE_FAULT)) \ + if (RT_LIKELY(rc == VINF_SUCCESS)) { /* likely */ } \ + else if (rc == VINF_HM_DOUBLE_FAULT) \ return VINF_SUCCESS; \ - else if (RT_UNLIKELY(rc == VINF_EM_RESET)) \ + else \ return rc; \ } while (0) @@ -304,4 +305,5 @@ static FNSVMEXITHANDLER hmR0SvmExitXcptMF; static FNSVMEXITHANDLER hmR0SvmExitXcptDB; +static FNSVMEXITHANDLER hmR0SvmExitXcptAC; /** @} */ @@ -692,4 +694,10 @@ HMCPU_EXIT_HISTORY_RESET(pVCpu); + /* Always trap #AC for reasons of security. */ + pVmcb->ctrl.u32InterceptException |= RT_BIT_32(X86_XCPT_AC); + + /* Always trap #DB for reasons of security. */ + pVmcb->ctrl.u32InterceptException |= RT_BIT_32(X86_XCPT_DB); + /* Trap exceptions unconditionally (debug purposes). */ #ifdef HMSVM_ALWAYS_TRAP_PF @@ -700,5 +708,4 @@ pVmcb->ctrl.u32InterceptException |= 0 | RT_BIT(X86_XCPT_BP) - | RT_BIT(X86_XCPT_DB) | RT_BIT(X86_XCPT_DE) | RT_BIT(X86_XCPT_NM) @@ -1112,4 +1119,6 @@ DECLINLINE(void) hmR0SvmRemoveXcptIntercept(PSVMVMCB pVmcb, uint32_t u32Xcpt) { + Assert(u32Xcpt != X86_XCPT_DB); + Assert(u32Xcpt != X86_XCPT_AC); #ifndef HMSVM_ALWAYS_TRAP_ALL_XCPTS if (pVmcb->ctrl.u32InterceptException & RT_BIT(u32Xcpt)) @@ -1437,5 +1446,4 @@ Assert((pCtx->dr[7] & X86_DR7_RA1_MASK) == X86_DR7_RA1_MASK); Assert((pCtx->dr[7] & X86_DR7_RAZ_MASK) == 0); - bool fInterceptDB = false; bool fInterceptMovDRx = false; @@ -1450,5 +1458,4 @@ pVCpu->hm.s.fClearTrapFlag = true; pVmcb->guest.u64RFlags |= X86_EFL_TF; - fInterceptDB = true; fInterceptMovDRx = true; /* Need clean DR6, no guest mess. */ } @@ -1495,5 +1502,4 @@ /** @todo If we cared, we could optimize to allow the guest to read registers * with the same values. */ - fInterceptDB = true; fInterceptMovDRx = true; Log5(("hmR0SvmLoadSharedDebugState: Loaded hyper DRx\n")); @@ -1542,4 +1548,8 @@ * If no debugging enabled, we'll lazy load DR0-3. We don't need to * intercept #DB as DR6 is updated in the VMCB. + * + * Note! If we cared and dared, we could skip intercepting \#DB here. + * However, \#DB shouldn't be performance critical, so we'll play safe + * and keep the code similar to the VT-x code and always intercept it. */ #if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS) @@ -1554,12 +1564,5 @@ } - /* - * Set up the intercepts. - */ - if (fInterceptDB) - hmR0SvmAddXcptIntercept(pVmcb, X86_XCPT_DB); - else - hmR0SvmRemoveXcptIntercept(pVmcb, X86_XCPT_DB); - + Assert(pVmcb->ctrl.u32InterceptException & RT_BIT_32(X86_XCPT_DB)); if (fInterceptMovDRx) { @@ -3545,4 +3548,7 @@ return hmR0SvmExitXcptDB(pVCpu, pCtx, pSvmTransient); + case SVM_EXIT_EXCEPTION_11: /* X86_XCPT_AC */ + return hmR0SvmExitXcptAC(pVCpu, pCtx, pSvmTransient); + case SVM_EXIT_MONITOR: return hmR0SvmExitMonitor(pVCpu, pCtx, pSvmTransient); @@ -3661,5 +3667,5 @@ /* SVM_EXIT_EXCEPTION_E: */ /* X86_XCPT_PF - Handled above. */ /* SVM_EXIT_EXCEPTION_10: */ /* X86_XCPT_MF - Handled above. */ - case SVM_EXIT_EXCEPTION_11: /* X86_XCPT_AC */ + /* SVM_EXIT_EXCEPTION_11: */ /* X86_XCPT_AC - Handled above. */ case SVM_EXIT_EXCEPTION_12: /* X86_XCPT_MC */ case SVM_EXIT_EXCEPTION_13: /* X86_XCPT_XF */ @@ -4069,4 +4075,5 @@ * continue execution of the guest which will delivery the \#DF. * @retval VINF_EM_RESET if we detected a triple-fault condition. + * @retval VERR_EM_GUEST_CPU_HANG if we detected a guest CPU hang. * * @param pVCpu The cross context virtual CPU structure. @@ -4092,4 +4099,5 @@ SVMREFLECTXCPT_DF, /* Reflect the exception as a double-fault to the guest. */ SVMREFLECTXCPT_TF, /* Indicate a triple faulted state to the VMM. */ + SVMREFLECTXCPT_HANG, /* Indicate bad VM trying to deadlock the CPU. */ SVMREFLECTXCPT_NONE /* Nothing to reflect. */ } SVMREFLECTXCPT; @@ -4115,4 +4123,10 @@ pSvmTransient->fVectoringDoublePF = true; Log4(("IDT: Vectoring double #PF uCR2=%#RX64\n", pCtx->cr2)); + } + else if ( uExitVector == X86_XCPT_AC + && uIdtVector == X86_XCPT_AC) + { + enmReflect = SVMREFLECTXCPT_HANG; + Log4(("IDT: Nested #AC - Bad guest\n")); } else if ( (pVmcb->ctrl.u32InterceptException & HMSVM_CONTRIBUTORY_XCPT_MASK) @@ -4191,4 +4205,10 @@ } + case SVMREFLECTXCPT_HANG: + { + rc = VERR_EM_GUEST_CPU_HANG; + break; + } + default: Assert(rc == VINF_SUCCESS); @@ -4196,5 +4216,5 @@ } } - Assert(rc == VINF_SUCCESS || rc == VINF_HM_DOUBLE_FAULT || rc == VINF_EM_RESET); + Assert(rc == VINF_SUCCESS || rc == VINF_HM_DOUBLE_FAULT || rc == VINF_EM_RESET || rc == VERR_EM_GUEST_CPU_HANG); NOREF(pCtx); return rc; @@ -5481,4 +5501,24 @@ } + +/** + * \#VMEXIT handler for alignment check exceptions (SVM_EXIT_EXCEPTION_11). + * Conditional \#VMEXIT. + */ +HMSVM_EXIT_DECL hmR0SvmExitXcptAC(PVMCPU pVCpu, PCPUMCTX pCtx, PSVMTRANSIENT pSvmTransient) +{ + HMSVM_VALIDATE_EXIT_HANDLER_PARAMS(); + + HMSVM_CHECK_EXIT_DUE_TO_EVENT_DELIVERY(); + + SVMEVENT Event; + Event.u = 0; + Event.n.u1Valid = 1; + Event.n.u3Type = SVM_EVENT_EXCEPTION; + Event.n.u8Vector = X86_XCPT_AC; + hmR0SvmSetPendingEvent(pVCpu, &Event, 0 /* GCPtrFaultAddress */); + return VINF_SUCCESS; +} + /** @} */ Index: /trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp =================================================================== --- /trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp (revision 58657) +++ /trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp (revision 58658) @@ -143,10 +143,10 @@ * support. */ -#define HMVMX_REAL_MODE_XCPT_MASK ( RT_BIT(X86_XCPT_DE) /* RT_BIT(X86_XCPT_DB) */ | RT_BIT(X86_XCPT_NMI) \ +#define HMVMX_REAL_MODE_XCPT_MASK ( RT_BIT(X86_XCPT_DE) /* always: | RT_BIT(X86_XCPT_DB) */ | RT_BIT(X86_XCPT_NMI) \ | RT_BIT(X86_XCPT_BP) | RT_BIT(X86_XCPT_OF) | RT_BIT(X86_XCPT_BR) \ | RT_BIT(X86_XCPT_UD) /* RT_BIT(X86_XCPT_NM) */ | RT_BIT(X86_XCPT_DF) \ | RT_BIT(X86_XCPT_CO_SEG_OVERRUN) | RT_BIT(X86_XCPT_TS) | RT_BIT(X86_XCPT_NP) \ | RT_BIT(X86_XCPT_SS) | RT_BIT(X86_XCPT_GP) /* RT_BIT(X86_XCPT_PF) */ \ - /* RT_BIT(X86_XCPT_MF) */ | RT_BIT(X86_XCPT_AC) | RT_BIT(X86_XCPT_MC) \ + /* RT_BIT(X86_XCPT_MF) always: | RT_BIT(X86_XCPT_AC) */ | RT_BIT(X86_XCPT_MC) \ | RT_BIT(X86_XCPT_XF)) @@ -409,4 +409,5 @@ static int hmR0VmxExitXcptBP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient); static int hmR0VmxExitXcptGP(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient); +static int hmR0VmxExitXcptAC(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient); #ifdef HMVMX_ALWAYS_TRAP_ALL_XCPTS static int hmR0VmxExitXcptGeneric(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient); @@ -2582,4 +2583,12 @@ uint32_t u32XcptBitmap = pVCpu->hm.s.fGIMTrapXcptUD ? RT_BIT(X86_XCPT_UD) : 0; + /* Must always intercept #AC to prevent the guest from hanging the CPU. */ + u32XcptBitmap |= RT_BIT_32(X86_XCPT_AC); + + /* Because we need to maintain the DR6 state even when intercepting DRx reads + and writes, and because recursive #DBs can cause the CPU hang, we must always + intercept #DB. */ + u32XcptBitmap |= RT_BIT_32(X86_XCPT_DB); + /* Without Nested Paging, #PF must cause a VM-exit so we can sync our shadow page tables. */ if (!pVM->hm.s.fNestedPaging) @@ -3436,4 +3445,7 @@ } + Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_AC)); + Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_DB)); + rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, pVCpu->hm.s.vmx.u32XcptBitmap); AssertRCReturn(rc, rc); @@ -3688,5 +3700,4 @@ pVCpu->hm.s.vmx.u32XcptBitmap |= 0 | RT_BIT(X86_XCPT_BP) - | RT_BIT(X86_XCPT_DB) | RT_BIT(X86_XCPT_DE) | RT_BIT(X86_XCPT_NM) @@ -4007,5 +4018,5 @@ int rc; PVM pVM = pVCpu->CTX_SUFF(pVM); - bool fInterceptDB = false; + bool fSteppingDB = false; bool fInterceptMovDRx = false; if (pVCpu->hm.s.fSingleInstruction) @@ -4017,5 +4028,5 @@ rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls); AssertRCReturn(rc, rc); - Assert(fInterceptDB == false); + Assert(fSteppingDB == false); } else @@ -4024,9 +4035,9 @@ pVCpu->hm.s.fClearTrapFlag = true; HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_RFLAGS); - fInterceptDB = true; - } - } - - if ( fInterceptDB + fSteppingDB = true; + } + } + + if ( fSteppingDB || (CPUMGetHyperDR7(pVCpu) & X86_DR7_ENABLED_MASK)) { @@ -4060,5 +4071,4 @@ pVCpu->hm.s.fUsingHyperDR7 = true; - fInterceptDB = true; fInterceptMovDRx = true; } @@ -4089,10 +4099,11 @@ STAM_COUNTER_INC(&pVCpu->hm.s.StatDRxArmed); } - Assert(!fInterceptDB); Assert(!fInterceptMovDRx); } /* * If no debugging enabled, we'll lazy load DR0-3. Unlike on AMD-V, we - * must intercept #DB in order to maintain a correct DR6 guest value. + * must intercept #DB in order to maintain a correct DR6 guest value, and + * because we need to intercept it to prevent nested #DBs from hanging the + * CPU, we end up always having to intercept it. See hmR0VmxInitXcptBitmap. */ #if HC_ARCH_BITS == 32 && defined(VBOX_WITH_64_BITS_GUESTS) @@ -4104,5 +4115,4 @@ { fInterceptMovDRx = true; - fInterceptDB = true; } @@ -4112,21 +4122,4 @@ pVCpu->hm.s.fUsingHyperDR7 = false; - } - - /* - * Update the exception bitmap regarding intercepting #DB generated by the guest. - */ - if ( fInterceptDB - || pVCpu->hm.s.vmx.RealMode.fRealOnV86Active) - { - pVCpu->hm.s.vmx.u32XcptBitmap |= RT_BIT(X86_XCPT_DB); - HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS); - } - else - { -#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS - pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_DB); - HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS); -#endif } @@ -5597,4 +5590,5 @@ * continue execution of the guest which will delivery the \#DF. * @retval VINF_EM_RESET if we detected a triple-fault condition. + * @retval VERR_EM_GUEST_CPU_HANG if we detected a guest CPU hang. * * @param pVCpu The cross context virtual CPU structure. @@ -5625,4 +5619,5 @@ VMXREFLECTXCPT_DF, /* Reflect the exception as a double-fault to the guest. */ VMXREFLECTXCPT_TF, /* Indicate a triple faulted state to the VMM. */ + VMXREFLECTXCPT_HANG, /* Indicate bad VM trying to deadlock the CPU. */ VMXREFLECTXCPT_NONE /* Nothing to reflect. */ } VMXREFLECTXCPT; @@ -5647,4 +5642,10 @@ pVmxTransient->fVectoringDoublePF = true; Log4(("IDT: vcpu[%RU32] Vectoring Double #PF uCR2=%#RX64\n", pVCpu->idCpu, pMixedCtx->cr2)); + } + else if ( uExitVector == X86_XCPT_AC + && uIdtVector == X86_XCPT_AC) + { + enmReflect = VMXREFLECTXCPT_HANG; + Log4(("IDT: Nested #AC - Bad guest\n")); } else if ( (pVCpu->hm.s.vmx.u32XcptBitmap & HMVMX_CONTRIBUTORY_XCPT_MASK) @@ -5745,4 +5746,10 @@ } + case VMXREFLECTXCPT_HANG: + { + rc = VERR_EM_GUEST_CPU_HANG; + break; + } + default: Assert(rc == VINF_SUCCESS); @@ -5768,5 +5775,5 @@ } - Assert(rc == VINF_SUCCESS || rc == VINF_HM_DOUBLE_FAULT || rc == VINF_EM_RESET); + Assert(rc == VINF_SUCCESS || rc == VINF_HM_DOUBLE_FAULT || rc == VINF_EM_RESET || rc == VERR_EM_GUEST_CPU_HANG); return rc; } @@ -8259,4 +8266,6 @@ if (HMCPU_CF_IS_PENDING(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS)) { + Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_AC)); + Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_DB)); int rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_EXCEPTION_BITMAP, pVCpu->hm.s.vmx.u32XcptBitmap); AssertRC(rc); @@ -9872,4 +9881,5 @@ case X86_XCPT_DB: rc = hmR0VmxExitXcptDB(pVCpu, pMixedCtx, pVmxTransient); break; case X86_XCPT_BP: rc = hmR0VmxExitXcptBP(pVCpu, pMixedCtx, pVmxTransient); break; + case X86_XCPT_AC: rc = hmR0VmxExitXcptAC(pVCpu, pMixedCtx, pVmxTransient); break; #ifdef HMVMX_ALWAYS_TRAP_ALL_XCPTS case X86_XCPT_XF: STAM_COUNTER_INC(&pVCpu->hm.s.StatExitGuestXF); @@ -11293,17 +11303,10 @@ { Assert(!DBGFIsStepping(pVCpu)); - - /* Don't intercept MOV DRx and #DB any more. */ + Assert(pVCpu->hm.s.vmx.u32XcptBitmap & RT_BIT_32(X86_XCPT_DB)); + + /* Don't intercept MOV DRx any more. */ pVCpu->hm.s.vmx.u32ProcCtls &= ~VMX_VMCS_CTRL_PROC_EXEC_MOV_DR_EXIT; rc = VMXWriteVmcs32(VMX_VMCS32_CTRL_PROC_EXEC, pVCpu->hm.s.vmx.u32ProcCtls); AssertRCReturn(rc, rc); - - if (!pVCpu->hm.s.vmx.RealMode.fRealOnV86Active) - { -#ifndef HMVMX_ALWAYS_TRAP_ALL_XCPTS - pVCpu->hm.s.vmx.u32XcptBitmap &= ~RT_BIT(X86_XCPT_DB); - HMCPU_CF_SET(pVCpu, HM_CHANGED_GUEST_XCPT_INTERCEPTS); -#endif - } /* We're playing with the host CPU state here, make sure we can't preempt or longjmp. */ @@ -11562,4 +11565,25 @@ Assert(rc == VINF_SUCCESS || rc == VINF_EM_RAW_GUEST_TRAP || rc == VINF_EM_DBG_BREAKPOINT); return rc; +} + + +/** + * VM-exit exception handler for \#AC (alignment check exception). + */ +static int hmR0VmxExitXcptAC(PVMCPU pVCpu, PCPUMCTX pMixedCtx, PVMXTRANSIENT pVmxTransient) +{ + HMVMX_VALIDATE_EXIT_XCPT_HANDLER_PARAMS(); + + /* + * Re-inject it. We'll detect any nesting before getting here. + */ + int rc = hmR0VmxReadExitIntErrorCodeVmcs(pVmxTransient); + rc |= hmR0VmxReadExitInstrLenVmcs(pVmxTransient); + AssertRCReturn(rc, rc); + Assert(pVmxTransient->fVmcsFieldsRead & HMVMX_UPDATED_TRANSIENT_EXIT_INTERRUPTION_INFO); + + hmR0VmxSetPendingEvent(pVCpu, VMX_VMCS_CTRL_ENTRY_IRQ_INFO_FROM_EXIT_INT_INFO(pVmxTransient->uExitIntInfo), + pVmxTransient->cbInstr, pVmxTransient->uExitIntErrorCode, 0 /* GCPtrFaultAddress */); + return VINF_SUCCESS; } Index: /trunk/src/VBox/VMM/VMMR3/VMMGuruMeditation.cpp =================================================================== --- /trunk/src/VBox/VMM/VMMR3/VMMGuruMeditation.cpp (revision 58657) +++ /trunk/src/VBox/VMM/VMMR3/VMMGuruMeditation.cpp (revision 58658) @@ -603,4 +603,5 @@ case VERR_IEM_ASPECT_NOT_IMPLEMENTED: case VERR_PATM_IPE_TRAP_IN_PATCH_CODE: + case VERR_EM_GUEST_CPU_HANG: { DBGFR3Info(pVM->pUVM, "cpumguest", NULL, pHlp); Index: /trunk/src/VBox/VMM/include/EMHandleRCTmpl.h =================================================================== --- /trunk/src/VBox/VMM/include/EMHandleRCTmpl.h (revision 58657) +++ /trunk/src/VBox/VMM/include/EMHandleRCTmpl.h (revision 58658) @@ -354,4 +354,5 @@ case VERR_IEM_INSTR_NOT_IMPLEMENTED: case VERR_IEM_ASPECT_NOT_IMPLEMENTED: + case VERR_EM_GUEST_CPU_HANG: break;