[BUG]: Unable to stop or unload in Windows 1903

Question

[BUG]: Unable to stop or unload in Windows 1903

rianquinn opened this issue 5 years ago · 1 comments

If you run make "stop" or make "unload" bfm locks up on WdfRequestComplete(). make "driver_unload" works fine.

Answer 1 · 2019-09-28T15:45:47.000Z

If the SMAP bit is set in the CR4 register, explicit supervisor-mode data accesses to user-mode pages are allowed if and only if this bit is 1. See Section 4.6, “Access Rights.”

In the promote logic, we were never resetting RFLAGS. The VMM's RFLAGS do not match that of the guest. This has not been a problem until now. It appears that Windows 1903 is using SMAP which is why the IOCTL was failing. The kernel was attempting to write into user-space memory and was being denied because SMAP was generating a fault.