VMM patches interfere with guest analysis of ring-0 code (e.g. Ksplice)
Reported by: Anders Kaseorg
Owned by:
Guest type: Linux
Host type: Linux
The attached Linux kernel module executes the instruction sequence:
PUSHF; CLI; NOP; NOP; NOP; NOP; POPF
and then reads the code it just executed and logs those 7 bytes.
Before: 9c fa 90 90 90 90 9d
After:  9c e9 69 db b1 ff 9d
That is, the CLI was overwritten by a CALL instruction. This demonstrates that the VMM-generated patches are visible to the guest.
This can interfere with guest analysis of ring-0 code. In particular, this problem was discovered while trying to apply Ksplice updates to a VirtualBox guest. Ksplice attempts to match the code in the running kernel with the expected original code before patching it to ensure safety (see http://www.ksplice.com/paper for details), but the VMM-generated patches cause this matching to fail and the update to be aborted.
Recent Linux kernel features such as ftrace and kprobes may be affected by this as well.
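As an added illustration (not part of the ticket, of VirtualBox or of Ksplice's own code), the C program below assembles the reporter's 7-byte probe into its own .text, reads the bytes back the way the kernel module does, and applies a Ksplice-style compare-before-patch check that decodes a stitched-in rel32 CALL/JMP. It assumes GCC or Clang on x86 or x86-64 Linux; the "after" bytes are copied from the ticket, everything else is constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PROBE_LEN 7

/* The 7-byte probe from the report, placed in .text by top-level inline asm
   (GCC/Clang, x86 or x86-64, ELF). It is never executed: CLI is privileged
   and would fault in ring 3; the program only reads its bytes back. */
__asm__(".text\n.globl probe_seq\nprobe_seq:\n"
        "pushf\ncli\nnop\nnop\nnop\nnop\npopf\n.previous\n");
extern const unsigned char probe_seq[PROBE_LEN];

/* Expected original bytes, and the patched bytes quoted in the ticket. */
static const unsigned char expected_probe[PROBE_LEN] =
    { 0x9c, 0xfa, 0x90, 0x90, 0x90, 0x90, 0x9d };
static const unsigned char ticket_patched[PROBE_LEN] =
    { 0x9c, 0xe9, 0x69, 0xdb, 0xb1, 0xff, 0x9d };

/* Ksplice-style pre-patch check: count the bytes where the code actually in
   memory differs from the expected original. 0 means patching may proceed. */
int count_mismatches(const unsigned char *got, const unsigned char *want, size_t len)
{
    int bad = 0;
    for (size_t i = 0; i < len; i++) bad += got[i] != want[i];
    return bad;
}

/* Offset of the first differing byte, or -1 if the code is pristine. */
long first_mismatch(const unsigned char *got, const unsigned char *want, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (got[i] != want[i]) return (long)i;
    return -1;
}

/* 1 if a 5-byte rel32 CALL (E8) or JMP (E9) starts at `off` and fits in len. */
int is_rel32_branch(const unsigned char *code, size_t off, size_t len)
{
    return off + 5 <= len && (code[off] == 0xe8 || code[off] == 0xe9);
}

/* Signed displacement of that branch (caller has checked is_rel32_branch);
   adding it to the address of the following instruction gives the hook target. */
int32_t rel32_disp(const unsigned char *code, size_t off)
{
    int32_t d;
    memcpy(&d, code + off + 1, sizeof d);   /* little-endian imm32 */
    return d;
}
```

Run against `probe_seq` the check passes in ring 3, since the VMM only rewrites guest ring-0 code; run against the ticket's "after" bytes it reports five changed bytes starting at offset 1 and decodes the branch that replaced the CLI.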