// Deal with EPT violation VM-exit.
_Use_decl_annotations_ void EptHandleEptViolation(EptData *ept_data) {
const EptViolationQualification exit_qualification = {
UtilVmRead(VmcsField::kExitQualification)};
const auto fault_pa = UtilVmRead64(VmcsField::kGuestPhysicalAddress);
const auto fault_va = exit_qualification.fields.valid_guest_linear_address
? UtilVmRead(VmcsField::kGuestLinearAddress)
: 0;
if (!exit_qualification.fields.ept_readable &&
!exit_qualification.fields.ept_writeable &&
!exit_qualification.fields.ept_executable) {
const auto ept_entry = EptGetEptPtEntry(ept_data, fault_pa);
if (!ept_entry || !ept_entry->all) {
// EPT entry miss. It should be device memory.
HYPERPLATFORM_PERFORMANCE_MEASURE_THIS_SCOPE();
if (!IsReleaseBuild()) {
NT_VERIFY(EptpIsDeviceMemory(fault_pa));
}
EptpConstructTables(ept_data->ept_pml4, 4, fault_pa, ept_data);
UtilInveptAll();
return;
}
}
HYPERPLATFORM_LOG_DEBUG_SAFE("[IGNR] OTH VA = %p, PA = %016llx", fault_va,
fault_pa);
}
// Deal with L2 EPT violation VM-exit.
_Use_decl_annotations_ void EptHandleEptViolationEx(EptData *ept_data, EptData *ept_data02, ULONG_PTR guest_pa, bool is_range_of_ept12) {
const EptViolationQualification exit_qualification = {
UtilVmRead(VmcsField::kExitQualification) };
ULONG_PTR fault_pa = 0;
if (!guest_pa)
{
fault_pa = UtilVmRead64(VmcsField::kGuestPhysicalAddress);
}
else
{
fault_pa = guest_pa;
}
const auto fault_va = reinterpret_cast<void *>(
exit_qualification.fields.valid_guest_linear_address
? UtilVmRead(VmcsField::kGuestLinearAddress)
: 0);
//GuestPhysicalAddress will be the guest physical adderss of EPT1-2 Entry , we disable it write in L2 first initial
if (!exit_qualification.fields.ept_readable &&
!exit_qualification.fields.ept_writeable &&
!exit_qualification.fields.ept_executable) {
const auto ept_entry = EptGetEptPtEntry(ept_data, fault_pa);
if (!ept_entry || !ept_entry->all) {
// EPT entry miss. It should be device memory.
HYPERPLATFORM_PERFORMANCE_MEASURE_THIS_SCOPE();
if (!IsReleaseBuild()) {
NT_VERIFY(EptpIsDeviceMemory(fault_pa));
}
EptpConstructTables(ept_data->ept_pml4, 4, fault_pa, ept_data);
UtilInveptGlobal();
return;
}
}
if (!exit_qualification.fields.ept_writeable && is_range_of_ept12)
{
EptCommonEntry* Ept01Pte = EptGetEptPtEntry(ept_data, UtilVmRead64(VmcsField::kGuestPhysicalAddress));
if (Ept01Pte)
{
EptCommonEntry* entry = (EptCommonEntry*)UtilVaFromPa(UtilVmRead64(VmcsField::kGuestPhysicalAddress));
Ept01Pte->fields.write_access = true;
HYPERPLATFORM_LOG_DEBUG_SAFE("Faced non-writable address but it is readble. :%p %p", UtilVmRead64(VmcsField::kGuestPhysicalAddress), entry->fields.physial_address);
UtilInveptGlobal();
}
}
}
// Deal with EPT violation VM-exit.
_Use_decl_annotations_ void EptHandleEptViolation(EptData *ept_data) {
const EptViolationQualification exit_qualification = {
UtilVmRead(VmcsField::kExitQualification)};
const auto fault_pa = UtilVmRead64(VmcsField::kGuestPhysicalAddress);
const auto fault_va =
exit_qualification.fields.valid_guest_linear_address
? reinterpret_cast<void *>(UtilVmRead(VmcsField::kGuestLinearAddress))
: nullptr;
if (!exit_qualification.fields.ept_readable &&
!exit_qualification.fields.ept_writeable &&
!exit_qualification.fields.ept_executable) {
// EPT entry miss. It should be device memory.
HYPERPLATFORM_PERFORMANCE_MEASURE_THIS_SCOPE();
// HYPERPLATFORM_LOG_DEBUG_SAFE(
// "[INIT] Dev VA = %p, PA = %016llx, Used = %d",
// 0, fault_pa, ept_data->preallocated_entries_count);
if (!IsReleaseBuild()) {
const auto is_device_memory = EptpIsDeviceMemory(fault_pa);
NT_ASSERT(is_device_memory);
UNREFERENCED_PARAMETER(is_device_memory);
}
// There is a race condition here. If multiple processors reach this code
// with the same fault_pa, this function may create multiple EPT entries for
// one physical address and leads memory leak. This call should probably be
// guarded by a spin-lock but is not yet just because impact is so small.
EptpConstructTables(ept_data->ept_pml4, 4, fault_pa, ept_data);
UtilInveptAll();
} else if (exit_qualification.fields.caused_by_translation &&
exit_qualification.fields.execute_access &&
!exit_qualification.fields.ept_executable) {
const auto ept_pt_entry = EptGetEptPtEntry(ept_data->ept_pml4, 4, fault_pa);
MmoneptHandleDodgyRegionExecution(ept_data->hs_ept_data, ept_pt_entry,
fault_pa, fault_va);
} else {
HYPERPLATFORM_LOG_DEBUG_SAFE("[IGNR] OTH VA = %p, PA = %016llx", fault_va,
fault_pa);
}
}
