
Windows 1903 - Ryzen 3600 - Bugcheck issue #2

Closed
seeker25 opened this issue Aug 31, 2019 · 2 comments
seeker25 commented Aug 31, 2019

Hello Satoshi,

I've been trying to get SimpleSvmHook working on Windows 1903 with my Ryzen 3600. It seems that after the system virtualizes, it runs into an error:

For some reason it's not being set to:
NT_ASSERT(GuestContext->VpRegs->Rcx == IA32_MSR_EFER);

I think this is because an error is coming up. I ended up figuring out which value GuestContext->VpRegs->Rcx contained:

0xc0002001

If we look at the AMD Manual:
[image]
[image]

So I'm thinking this is a MCA_STATUS error of some sort?

Here's a copy paste of the dump analysis:

Use !analyze -v to get detailed debugging information.

BugCheck 139, {4, fffff8028227c4f0, fffff8028227c448, 0}

*** WARNING: Unable to verify timestamp for win32k.sys
*** ERROR: Module load completed but symbols could not be loaded for win32k.sys
Probably caused by : memory_corruption

Followup: memory_corruption
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000004, The thread's stack pointer was outside the legal stack
	extents for the thread.
Arg2: fffff8028227c4f0, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffff8028227c448, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


TRAP_FRAME:  fffff8028227c4f0 -- (.trap 0xfffff8028227c4f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff970419216000 rbx=0000000000000000 rcx=0000000000000004
rdx=ffff97041921c000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8027c64e2d3 rsp=fffff8028227c680 rbp=fffff8028227c6f0
 r8=ffff97041921c000  r9=fffff8028227c710 r10=ffff9889c9113080
r11=ffff9889d0efbe10 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!RtlpGetStackLimitsEx+0x12e557:
fffff802`7c64e2d3 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  fffff8028227c448 -- (.exr 0xfffff8028227c448)
ExceptionAddress: fffff8027c64e2d3 (nt!RtlpGetStackLimitsEx+0x000000000012e557)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000004

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  System

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000004

BUGCHECK_STR:  0x139

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

EXCEPTION_STR:  0x0

LAST_CONTROL_TRANSFER:  from fffff8027c5d1ae9 to fffff8027c5bfcc0

FAULTING_THREAD:  0000000000000000

STACK_TEXT:  
fffff802`8227c1c8 fffff802`7c5d1ae9 : 00000000`00000139 00000000`00000004 fffff802`8227c4f0 fffff802`8227c448 : nt!KeBugCheckEx
fffff802`8227c1d0 fffff802`7c5d1f10 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff802`8227c310 fffff802`7c5d02a5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
fffff802`8227c4f0 fffff802`7c64e2d3 : fffff802`8227c930 ffff9889`d0efbbd8 00000001`00000010 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0x325
fffff802`8227c680 fffff802`7c4c2a11 : fffff802`8227c930 ffff9889`d0efbbd8 000004e8`fffffb30 000004d0`00000003 : nt!RtlpGetStackLimitsEx+0x12e557
fffff802`8227c6b0 fffff802`7c4c738e : ffff9889`d0efbbd8 fffff802`8227ce30 ffff9889`d0efbbd8 00000000`00000000 : nt!RtlDispatchException+0xc1
fffff802`8227c900 fffff802`7c5c0b42 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x16e
fffff802`8227cfb0 fffff802`7c5c0b10 : fffff802`7c5d1c16 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxExceptionDispatchOnExceptionStack+0x12
ffff9889`d0efba98 fffff802`7c5d1c16 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatchOnExceptionStackContinue
ffff9889`d0efbaa0 fffff802`7c5d05de : 00000000`02d6d000 00000000`00000001 00000001`e2afd000 fffff802`7d5f1892 : nt!KiExceptionDispatch+0x116
ffff9889`d0efbc80 fffff802`7d5f6251 : 00000001`cdd72900 fffff802`7d5f309f fffff802`7c76d0a0 fffff802`7d5f663b : nt!KiRaiseAssertion+0x31e
ffff9889`d0efbe10 fffff802`7d5f6480 : ffff9889`d0ef6000 ffff9889`d0efbeb0 00000000`00000000 00000000`00000000 : SimpleSvmHook!HandleMsrAccess+0x21 [C:\Code\SimpleSvmHook\SimpleSvmHook\VmmMain.cpp @ 176]
ffff9889`d0efbe60 fffff802`7d5f105e : ffff9889`d0ef6000 ffff9889`d0efbf50 00000000`00000000 00000000`00000000 : SimpleSvmHook!HandleVmExit+0xd0 [C:\Code\SimpleSvmHook\SimpleSvmHook\VmmMain.cpp @ 308]
ffff9889`d0efbed0 ffff9889`d0ef6000 : ffff9889`d0efbf50 00000000`00000000 00000000`00000000 00000000`00000000 : SimpleSvmHook!SvLaunchVm+0x5e [C:\Code\SimpleSvmHook\SimpleSvmHook\x64.asm @ 175]
ffff9889`d0efbed8 ffff9889`d0efbf50 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffff9889`d0ef6000
ffff9889`d0efbee0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffff9889`d0efbf50


CHKIMG_EXTENSION: !chkimg -lo 50 -d !hal
    fffff8027c3602ca - hal!HalPerformEndOfInterrupt+1a
	[ 00:90 ]
    fffff8027c3603a7-fffff8027c3603a8  2 bytes - hal!HalPutScatterGatherList+67 (+0xdd)
	[ 48 ff:4c 8b ]
    fffff8027c3603ae-fffff8027c3603b1  4 bytes - hal!HalPutScatterGatherList+6e (+0x07)
	[ 0f 1f 44 00:e8 ed cc 40 ]
    fffff8027c3df8ec-fffff8027c3df8ed  2 bytes - hal!HalpCmcWorkerRoutine+3c
	[ 48 ff:4c 8b ]
    fffff8027c3df8f3-fffff8027c3df8f6  4 bytes - hal!HalpCmcWorkerRoutine+43 (+0x07)
	[ 0f 1f 44 00:e8 e8 85 0c ]
    fffff8027c3df90a-fffff8027c3df90b  2 bytes - hal!HalpCmcWorkerRoutine+5a (+0x17)
	[ 48 ff:4c 8b ]
    fffff8027c3df911-fffff8027c3df914  4 bytes - hal!HalpCmcWorkerRoutine+61 (+0x07)
	[ 0f 1f 44 00:e8 aa 17 15 ]
    fffff8027c3df928-fffff8027c3df929  2 bytes - hal!HalpCmcWorkerRoutine+78 (+0x17)
	[ 48 ff:4c 8b ]
    fffff8027c3df92f-fffff8027c3df932  4 bytes - hal!HalpCmcWorkerRoutine+7f (+0x07)
	[ 0f 1f 44 00:e8 7c df 07 ]
    fffff8027c3df977-fffff8027c3df978  2 bytes - hal!HalpCmcWorkerRoutine+c7 (+0x48)
	[ 48 ff:4c 8b ]
    fffff8027c3df97e-fffff8027c3df981  4 bytes - hal!HalpCmcWorkerRoutine+ce (+0x07)
	[ 0f 1f 44 00:e8 8d dc 07 ]
31 errors : !hal (fffff8027c3602ca-fffff8027c3df981)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  LARGE

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

BUCKET_ID:  MEMORY_CORRUPTION_LARGE

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:memory_corruption_large

FAILURE_ID_HASH:  {e29154ac-69a4-0eb8-172a-a860f73c0a3c}

Followup: memory_corruption
---------

Seems that Rcx is set to something other than IA32_MSR_EFER (as talked about above).

[image]

[image]

I wasn't sure if there were some new changes with the Ryzen 3000 series that need some tweaking, or whether Ryzen Master on my system is causing some issues, etc.

Any suggestions? I appreciate any advice you give me, thank you.

@seeker25 seeker25 changed the title Bluescreen when running for 1-2 minutes Bluescreen when running for 2 minutes Aug 31, 2019
@seeker25 seeker25 closed this as completed Sep 1, 2019
@seeker25 seeker25 changed the title Bluescreen when running for 2 minutes . Sep 1, 2019
@seeker25 seeker25 changed the title . Windows 1903 - Ryzen 3600 - Bugcheck issue Sep 2, 2019
@seeker25 seeker25 reopened this Sep 2, 2019
Owner

tandasat commented Sep 3, 2019

The assert was broken. It should be fixed with 7cef39f. Please try and let me know if the issue is not resolved.

@tandasat tandasat closed this as completed Sep 3, 2019
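An added illustration (not code from SimpleSvmHook or from the 7cef39f fix) of why an MSR #VMEXIT with RCX other than EFER is expected on SVM: the MSR permission map (MSRPM) covers only three MSR ranges, and an access to an MSR outside them, such as the 0xc0002001 seen above, always exits regardless of the map, so an MSR handler has to pass such accesses through rather than assert on RCX == EFER. The names `MsrpmLocate` and `MsrExitIsExpected` are hypothetical; the range layout follows the AMD APM vol. 2 description of the MSRPM.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IA32_MSR_EFER 0xC0000080u

/* Position of an MSR's two intercept bits (read, write) inside the
 * 8 KiB MSRPM; covered == false means the MSR is outside every mapped
 * range and an access to it unconditionally causes #VMEXIT. */
typedef struct {
    bool covered;
    uint32_t byte;      /* byte offset into the MSRPM */
    uint8_t read_bit;   /* bit index of the read-intercept bit */
    uint8_t write_bit;  /* read_bit + 1 */
} MsrpmPos;

static MsrpmPos MsrpmLocate(uint32_t msr) {
    /* Each range is 0x2000 MSRs, 2 bits per MSR, so a 2 KiB block. */
    static const struct { uint32_t base; uint32_t block; } ranges[] = {
        { 0x00000000u, 0x0000u },   /* MSRs 0000_0000h - 0000_1FFFh */
        { 0xC0000000u, 0x0800u },   /* MSRs C000_0000h - C000_1FFFh */
        { 0xC0010000u, 0x1000u },   /* MSRs C001_0000h - C001_1FFFh */
    };
    MsrpmPos p = { false, 0, 0, 0 };
    for (size_t i = 0; i < sizeof ranges / sizeof ranges[0]; i++) {
        uint32_t idx = msr - ranges[i].base;
        if (msr >= ranges[i].base && idx < 0x2000u) {
            uint32_t bit = idx * 2u;
            p.covered = true;
            p.byte = ranges[i].block + bit / 8u;
            p.read_bit = (uint8_t)(bit % 8u);
            p.write_bit = (uint8_t)(p.read_bit + 1u);
            return p;
        }
    }
    return p;
}

/* Hypothetical handler check: an EFER exit is the one the hypervisor
 * asked for; an exit for an uncovered MSR is hardware behaviour and must
 * be handled (passed through), not treated as a broken invariant. */
static bool MsrExitIsExpected(uint32_t rcx) {
    return rcx == IA32_MSR_EFER || !MsrpmLocate(rcx).covered;
}
```

With this model, 0xc0002001 falls outside all three ranges, so the exit reported in the dump is one the handler must expect.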
Author

seeker25 commented Sep 3, 2019

Awesome! It's running, no bugchecks so far. Thank you!
