Strange VM exits: PF with kernel mode error code and user mode CPL

Recently I have been getting very strange VM exits while debugging shadow paging. They appear somewhere around the time when the guest OS (32-bit Windows Server 2003, single CPU and PAE in boot settings) boots and the logon dialog appears. These are page faults with a kernel mode error code and CR2, but a user mode CPL and RIP.

Example of such VM exit:

[0]#VMEXIT 0x0, cs:rip=0x1b:0x7C81A77C, rflags=0x10283
[0]REGISTERS: RAX=0x7FFD5000 RBX=0x1 RCX=0x11B4D8 RDX=0x20 RSI=0x11B4D0 RDI=0x0 RBP=0x141FCB8 RSP=0x89B72FF0
[0]#PF(0x3, 0xB9A2BDDC)

The walk on the guest page table for the virtual address stored in CR2 and the error code (with bit U/S = 0) is correct.

Example of guest page table walk for CR2:
PDPTE: 0x77802801
PDE: 0xa287863
PTE: 0x8000000077565963

The walk on the shadow page table is also correct. So I retry the faulting instruction. At the next VM exit I get the page fault with the same error code and CR2, pointing to the next instruction. Guest general purpose registers are correctly updated.

Example of such trace:

[0]#VMEXIT 0x0, cs:rip=0x1b:0x7C81A78E, rflags=0x10246
[0]REGISTERS: RAX=0x7C81A7A4 RBX=0x1 RCX=0x118FF8 RDX=0x20 RSI=0x118FF0 RDI=0x0 RBP=0x141FCB8 RSP=0x89B72FF0
[0]#PF(0x3, 0xB9A2BDDC)

[0]#VMEXIT 0x0, cs:rip=0x1b:0x7C81A790, rflags=0x10246
[0]REGISTERS: RAX=0x11B4D8 RBX=0x1 RCX=0x118FF8 RDX=0x20 RSI=0x118FF0 RDI=0x0 RBP=0x141FCB8 RSP=0x89B72FF0
[0]#PF(0x3, 0xB9A2BDDC)

[0]#VMEXIT 0x0, cs:rip=0x1b:0x7C81A793, rflags=0x10246
[0]REGISTERS: RAX=0x11B4D8 RBX=0x1 RCX=0x118FF8 RDX=0x20 RSI=0x118FF0 RDI=0x0 RBP=0x141FCB8 RSP=0x89B72FF0
[0]#PF(0x3, 0xB9A2BDDC)

The lowest 12 bits of CR2 are always the same: 0xDDC.

I really do not have any suggestions on the nature of these page faults. I will be grateful for any help.

My processor is Intel Core 2 Duo E6700.

Sample dumps of VMCS, guest stack and code are provided in the attached files. Let me know if any additional information is required.

Attachments: vmcsdump1.txt (2.91 KB), vmcsdump2.txt (2.88 KB)

Found the reason: IDT-vectoring information was improperly handled by the VMM. Sorry for the inconvenience.
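An added example, not code from this thread or its VMM, showing the check the resolution implies: decode the #PF error code and CS selector from the trace (error code 0x3, cs=0x1b) together with the VMCS IDT-vectoring information field, and derive the VM-entry interruption field needed to re-inject the interrupted event after the shadow #PF is resolved. The field layouts follow the Intel SDM; the IDT-vectoring value used in `main` is constructed, since the thread does not show it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* #PF error code bits (Intel SDM Vol. 3, "Page-Fault Exceptions"). */
#define PF_P   (1u << 0)   /* 1: protection violation, 0: page not present */
#define PF_WR  (1u << 1)   /* 1: the access was a write */
#define PF_US  (1u << 2)   /* 1: the access was made at CPL 3 */

/* VMCS IDT-vectoring information layout (SDM Vol. 3, VM-exit information fields).
   The VM-entry interruption-information field uses the same encoding. */
#define IDTV_VECTOR_MASK   0xFFu
#define IDTV_TYPE_SHIFT    8
#define IDTV_TYPE_MASK     0x7u        /* 0 ext int, 2 NMI, 3 HW exception, 4/5/6 SW */
#define IDTV_ERRCODE_VALID (1u << 11)  /* error code must be copied on re-injection */
#define IDTV_VALID         (1u << 31)

typedef struct {
    bool during_event_delivery; /* exit happened while the CPU was delivering an event */
    bool user_access;           /* U/S bit of the error code */
    bool cpl3;                  /* RPL of the guest CS selector */
    uint32_t vector, type;      /* of the interrupted event, if any */
} exit_summary;

/* A supervisor-mode error code with a CPL-3 CS is consistent with the CPU
   touching kernel memory (IDT, TSS, kernel stack) while delivering an
   interrupt or exception from user mode; IDT-vectoring info confirms it. */
exit_summary classify_pf_exit(uint32_t err, uint16_t cs_sel, uint32_t idt_vectoring)
{
    exit_summary s = {0};
    s.user_access = (err & PF_US) != 0;
    s.cpl3 = (cs_sel & 3) == 3;
    s.during_event_delivery = (idt_vectoring & IDTV_VALID) != 0;
    if (s.during_event_delivery) {
        s.vector = idt_vectoring & IDTV_VECTOR_MASK;
        s.type = (idt_vectoring >> IDTV_TYPE_SHIFT) & IDTV_TYPE_MASK;
    }
    return s;
}

/* VM-entry interruption information to re-inject the interrupted event; 0 if
   nothing was pending. The VMM must also copy the IDT-vectoring error code and,
   for software-type events (types 4-6), the VM-exit instruction length. */
uint32_t reinject_field(uint32_t idt_vectoring)
{
    if (!(idt_vectoring & IDTV_VALID))
        return 0;
    return idt_vectoring & (IDTV_VECTOR_MASK | (IDTV_TYPE_MASK << IDTV_TYPE_SHIFT)
                            | IDTV_ERRCODE_VALID | IDTV_VALID);
}
```

Dropping the re-injection is exactly the failure mode in this thread: the guest RIP advances on retry while the pending event and its kernel-mode stack write are replayed on every entry.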
