ShvOsCaptureContext suffers from stack corruptions on restore

Question

ShvOsCaptureContext suffers from stack corruptions on restore

momo5502 opened this issue 2 years ago · 2 comments

ShvOsCaptureContext (at least the nt implementation) can suffer from stack corruptions when restoring the context.

The reason is that it adds an extra stack frame when calling RtlCaptureContext. While capturing the registers, including the stack pointer, it does not capture the data on the stack.

That means the captured stack pointer points to data, that might and will be overwriten by future function calls after ShvOsCaptureContext has returned.

In consequence, control flow will not continue here after a launch: https://github.com/ionescu007/SimpleVisor/blob/master/shvvp.c#L143
But rather here instead: https://github.com/ionescu007/SimpleVisor/blob/master/shvvp.c#L149 right after the call to ShvVmxLaunchOnVp

The reason is that the return pointer on the stack, where rsp of the stored context points to, is overwritten by the call to ShvVmxLaunchOnVp.

Either ShvOsCaptureContext would need to be inlined or a fixup must be done to remove the extra frame from the captured context.

Answer 1 · 2023-02-26T05:41:20.000Z

hi man, do you fixed the ShvOsCaptureContext bosd on ntos?
I have the same problem as you

Answer 2 · 2023-02-26T06:00:11.000Z

hi man, do you fixed the ShvOsCaptureContext bosd on ntos?
I have the same problem as you

Not sure if the BSOD you get really results from the same issue I had, because I did't get one. However, if so, simply inlining ShvOsCaptureContext or directly replacing all calls with RtlCaptureContext should fix the issue