ShvOsCaptureContext suffers from stack corruptions on restore #48
Comments
|
hi man, do you fixed the ShvOsCaptureContext bosd on ntos? |
Not sure if the BSOD you get really results from the same issue I had, because I did't get one. However, if so, simply inlining ShvOsCaptureContext or directly replacing all calls with RtlCaptureContext should fix the issue |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
ShvOsCaptureContext (at least the nt implementation) can suffer from stack corruptions when restoring the context.
The reason is that it adds an extra stack frame when calling RtlCaptureContext. While capturing the registers, including the stack pointer, it does not capture the data on the stack.
That means the captured stack pointer points to data, that might and will be overwriten by future function calls after ShvOsCaptureContext has returned.
In consequence, control flow will not continue here after a launch: https://github.com/ionescu007/SimpleVisor/blob/master/shvvp.c#L143
But rather here instead: https://github.com/ionescu007/SimpleVisor/blob/master/shvvp.c#L149 right after the call to ShvVmxLaunchOnVp
The reason is that the return pointer on the stack, where rsp of the stored context points to, is overwritten by the call to ShvVmxLaunchOnVp.
Either ShvOsCaptureContext would need to be inlined or a fixup must be done to remove the extra frame from the captured context.
The text was updated successfully, but these errors were encountered: