gva_to_gpa function internals

gva_to_gpa function internals

[Yacine HEBBAL]

Hi all,
I'm trying to build some tools on top of kvm in order to debug, monitor and
reverse engineer the guest OS (ubuntu 12.04, 32 bits)
One of my tools walks through (and prints) the guest paging data structures
as following: cr3 -> pdpte -> pde -> pte -> page (PAE paging, 32 bits)

According to my logs some accessed kernel PTEs are not present (pte =
9090909090909090) in all processes address spaces (even from init process
cr3), however when I use the function kvm_read_guest_virt_helper on their
corresponding virtual addresses (GVAs), I get a correct content (content
correctness checked using system.map file).
Just after calling kvm_read_guest_virt_helper, I check again the PTE
corresponding to the read gva, I see that they are unmapped (invalid, always
9090909090909090)

I investigated a little the code of kvm_read_guest_virt_helper, this
function calls vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, ...) which in turn
calls other functions until FNAME(walk_addr_generic) which seems to do the
translation.
walk_addr_generic seems to do the translation starting from cr3 of the
current process (in line: mmu->get_cr3(vcpu);) and works fine regardless of
the identity of the current process (i.e. current cr3).

So how the function gva_to_gpa is able to the read correctly any GVA that my
tool sees invalid (unmapped) in the paging structures, knowing that my tool
is able to read and display correctly a content of (thousands) many other GVAs ?
I would be very thankful for any feedback :)

Re: gva_to_gpa function internals

[Paolo Bonzini]

On 01/12/2015 19:30, Yacine HEBBAL wrote:
> Hi all,
> I'm trying to build some tools on top of kvm in order to debug, monitor and
> reverse engineer the guest OS (ubuntu 12.04, 32 bits)
> One of my tools walks through (and prints) the guest paging data structures
> as following: cr3 -> pdpte -> pde -> pte -> page (PAE paging, 32 bits)
> 
> According to my logs some accessed kernel PTEs are not present (pte =
> 9090909090909090) in all processes address spaces (even from init process
> cr3), however when I use the function kvm_read_guest_virt_helper on their
> corresponding virtual addresses (GVAs), I get a correct content (content
> correctness checked using system.map file).
> Just after calling kvm_read_guest_virt_helper, I check again the PTE
> corresponding to the read gva, I see that they are unmapped (invalid, always
> 9090909090909090)
> 
> I investigated a little the code of kvm_read_guest_virt_helper, this
> function calls vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, ...) which in turn
> calls other functions until FNAME(walk_addr_generic) which seems to do the
> translation.
> walk_addr_generic seems to do the translation starting from cr3 of the
> current process (in line: mmu->get_cr3(vcpu);) and works fine regardless of
> the identity of the current process (i.e. current cr3).
> 
> So how the function gva_to_gpa is able to the read correctly any GVA that my
> tool sees invalid (unmapped) in the paging structures, knowing that my tool
> is able to read and display correctly a content of (thousands) many other GVAs ?
> I would be very thankful for any feedback :)

Unfortunately that's impossible to know without knowing your tool.  How
does it read guest memory?

Paolo

Re: gva_to_gpa function internals

[Yacine HEBBAL]

In fact, my tool walks through paging data structures (entry by entry) 
using the function "kvm_read_guest" (sorry i don't have my machine with 
me right now to poste my code :-( ).
for example to read PDPTEs, I do something like this:

for(i = 0; i < 32; i= i + 8)
{
       kvm_read_guest(kvm, cr3 + i, &pdepte, 8);
}

I use the same logique for PDEs and PTEs (of couse by masking the flags 
bits to walk from one level to another)

I hope this explains a little more.
I'll poste more code tomorrow to give more details.

Le 01/12/2015 22:31, Paolo Bonzini a écrit :
>
> On 01/12/2015 19:30, Yacine HEBBAL wrote:
>> Hi all,
>> I'm trying to build some tools on top of kvm in order to debug, monitor and
>> reverse engineer the guest OS (ubuntu 12.04, 32 bits)
>> One of my tools walks through (and prints) the guest paging data structures
>> as following: cr3 -> pdpte -> pde -> pte -> page (PAE paging, 32 bits)
>>
>> According to my logs some accessed kernel PTEs are not present (pte =
>> 9090909090909090) in all processes address spaces (even from init process
>> cr3), however when I use the function kvm_read_guest_virt_helper on their
>> corresponding virtual addresses (GVAs), I get a correct content (content
>> correctness checked using system.map file).
>> Just after calling kvm_read_guest_virt_helper, I check again the PTE
>> corresponding to the read gva, I see that they are unmapped (invalid, always
>> 9090909090909090)
>>
>> I investigated a little the code of kvm_read_guest_virt_helper, this
>> function calls vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, ...) which in turn
>> calls other functions until FNAME(walk_addr_generic) which seems to do the
>> translation.
>> walk_addr_generic seems to do the translation starting from cr3 of the
>> current process (in line: mmu->get_cr3(vcpu);) and works fine regardless of
>> the identity of the current process (i.e. current cr3).
>>
>> So how the function gva_to_gpa is able to the read correctly any GVA that my
>> tool sees invalid (unmapped) in the paging structures, knowing that my tool
>> is able to read and display correctly a content of (thousands) many other GVAs ?
>> I would be very thankful for any feedback :)
> Unfortunately that's impossible to know without knowing your tool.  How
> does it read guest memory?
>
> Paolo

-- 
Hebbal Yacine
PhD student
Tel +33 6 45 42 10 96