How to get return value of system call in kvm


Junwei Li

Sep 28, 2012, 2:58:37 PM9/28/12
to ether...@googlegroups.com
Hi,

I am trying to do system call interception inside KVM according to the Ether paper. I used the same method that the Ether paper mentioned to intercept syscall, namely causing a page fault at a chosen address during system call invocation. But there are some issues when I try to get the return value of sysret. My host and guest VM are both 64-bit, so the guest VM uses the syscall/sysret mechanism. My method is to assign a non-canonical address (0x1122334455667788) to register RCX after I intercept syscall. Then sysret will cause a general protection fault. In the handler of the general protection fault, I should be able to get the return value of the system call from register RAX.

But when the guest VM boots, sometimes an interrupt happens, the non-canonical address 0x1122334455667788 is pushed onto the stack, and the iretq instruction causes another general protection fault when it tries to return to 0x1122334455667788. So the guest VM fails to boot. How can I avoid this? Is there something wrong with how I get the return value of sysret? Thanks!

Artem Dinaburg

Oct 1, 2012, 8:46:57 PM10/1/12
to ether...@googlegroups.com
Hi,

From my understanding it is not a requirement to return from SYSCALL with SYSRET; any instruction combination that restores the previous machine state will do; hence the OS may be using IRET instead. 

It seems that everything is working correctly for you -- you are getting a fault when you try to return to 0x1122334455667788, whether it is with SYSRET or IRET. Is there something I am missing?

Artem
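Added illustration (not code from the thread, from Ether or from KVM): the classification a #GP exit handler would apply so that the provoked return is recognised whichever instruction the guest kernel uses, SYSRET (marker in RCX) or IRET (marker in the return frame on the guest stack), as Artem's reply describes. The `gp_ctx` struct, the field names and the register values in the test are constructed assumptions standing in for the guest state the VMM reads at the exit.

```c
/* Added example: recognise the syscall return we provoked by loading a
 * non-canonical marker into RCX, and harvest RAX as the return value.
 * gp_ctx is a constructed stand-in for the guest state read at a #GP exit. */
#include <stdint.h>
#include <stdbool.h>

#define MARKER_RIP 0x1122334455667788ULL   /* marker address used in the thread */

/* 48-bit virtual addressing: canonical iff bits 63..47 are all equal */
static bool is_canonical(uint64_t va) {
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1ffff;
}

enum ret_kind { RET_NONE, RET_SYSRET, RET_IRET };

struct gp_ctx {
    uint64_t rax, rcx;      /* general registers at the exit */
    uint8_t  insn[3];       /* instruction bytes at guest RIP */
    uint64_t frame_rip;     /* return RIP in the IRET frame on the guest stack */
};

/* 0F 07 = SYSRET, 48 0F 07 = SYSRETQ; CF = IRET, 48 CF = IRETQ
 * (the REX.W prefix 48 only widens the operand size) */
static enum ret_kind classify(const uint8_t *b) {
    const uint8_t *p = (b[0] == 0x48) ? b + 1 : b;
    if (p[0] == 0x0f && p[1] == 0x07) return RET_SYSRET;
    if (p[0] == 0xcf) return RET_IRET;
    return RET_NONE;
}

/* Returns true and stores the system call's return value when this #GP is
 * the return to our marker; the target comes from RCX for SYSRET and from
 * the stacked frame for IRET, so either kernel return path is handled. */
bool harvest_syscall_return(const struct gp_ctx *c, uint64_t *retval) {
    uint64_t target;
    switch (classify(c->insn)) {
    case RET_SYSRET: target = c->rcx;       break;
    case RET_IRET:   target = c->frame_rip; break;
    default:         return false;          /* some other #GP, leave it alone */
    }
    /* an unrelated fault with a canonical target is not ours */
    if (is_canonical(target) || target != MARKER_RIP) return false;
    *retval = c->rax;
    return true;
}
```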