Catastrophic System Failure on Multiple VMEXITs due to GS Base Access Issues #2
Description
The SecureHack POC experiences system crashes (black screen) after multiple VMEXIT operations, specifically when __readgsqword(0) is involved. No host IDT handlers (#PF, #GP) are being called before failure.
Detailed Behavior
- Initial VMEXITs work correctly
- System fails after sustained VMEXIT operations, especially when occurring at different intervals
- Failure pattern: instant black screen without invoking host IDT handlers
- Test case: Even a minimal debug command that only sets RAX register crashes after ~5 seconds (with 10k VMEXITs every 0.5 seconds)
Debug Findings
-
__readgsqword(0)appears to be the root cause:- Works for initial VMEXITs
- Fails during heavy VMEXIT loads
- Suspected issue with PGS base structure return values
-
Validation test:
- Letting requests pass through to original handler works consistently
- Debug code executes successfully in this case
- Suggests issue is specific to GS base structure handling
Questions
- Are there known issues with GS base structure handling during frequent VMEXITs?
- What's the recommended approach for handling GS base access in this context?
- Could there be timing-related issues affecting the GS base structure's stability?
Debug environment
Real Hardware + Hyper-V (since Hyper-V acts more like real hardware, also Hyper-V allows us to debug the hypervisor even when the OS is booted)
Zen 4 AMD Ryzen Processor
Steps to Reproduce
- Run SecureHack POC
- Trigger multiple VMEXITs (10k/0.5s)
- Observe system crash after approximately 5 seconds
Additional Notes
- Debug command execution succeeds when using original handler
- Problem appears related to high-frequency VMEXIT scenarios