svn commit: r328011 - in head/sys/amd64/vmm: amd intel
Tycho Nightingale
tychon at FreeBSD.org
Mon Jan 15 18:37:04 UTC 2018
Author: tychon
Date: Mon Jan 15 18:37:03 2018
New Revision: 328011
URL: https://svnweb.freebsd.org/changeset/base/328011
Log:
Provide some mitigation against CVE-2017-5715 by clearing registers
upon returning from the guest which aren't immediately clobbered by
the host. This eradicates any remaining guest contents, limiting their
usefulness in an exploit gadget.
This was inspired by this linux commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5b6c02f38315b720c593c6079364855d276886aa
Reviewed by: grehan, rgrimes
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D13573
Modified:
head/sys/amd64/vmm/amd/svm_support.S
head/sys/amd64/vmm/intel/vmx_support.S
Modified: head/sys/amd64/vmm/amd/svm_support.S
==============================================================================
--- head/sys/amd64/vmm/amd/svm_support.S Mon Jan 15 18:20:15 2018 (r328010)
+++ head/sys/amd64/vmm/amd/svm_support.S Mon Jan 15 18:37:03 2018 (r328011)
@@ -124,8 +124,20 @@ ENTRY(svm_launch)
pop %rdx
mov %edx, %eax
shr $32, %rdx
- mov $MSR_GSBASE, %ecx
+ mov $MSR_GSBASE, %rcx
wrmsr
+
+ /*
+ * Clobber the remaining registers with guest contents so they
+ * can't be misused.
+ */
+ xor %rbp, %rbp
+ xor %rdi, %rdi
+ xor %rsi, %rsi
+ xor %r8, %r8
+ xor %r9, %r9
+ xor %r10, %r10
+ xor %r11, %r11
VLEAVE
ret
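Review bot: `xor %rbp, %rbp` on the new side runs before VLEAVE, so it is only safe if VLEAVE restores %rbp without first using it as the frame base (a plain `pop %rbp` rather than `leave`); VLEAVE and the rest of svm_launch are defined outside the hunk, so a comment such as `/* %rbp is reloaded by VLEAVE below */` on that line would make the dependency visible. The new block comment reads as if guest contents are being written into the registers, whereas the xors erase whatever the guest left there; `/* Clear the remaining registers that still hold guest contents so they can't be misused. */` states the intent correctly, and the same wording is used on VMX_GUEST_CLOBBER in vmx_support.S. The widening of `mov $MSR_GSBASE, %rcx` is not needed for correctness: the previous 32-bit form already zero-extends into %rcx and wrmsr reads only %ecx, and if MSR_GSBASE does not fit a sign-extended 32-bit immediate the assembler has to use the longer movabs encoding for the 64-bit destination.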
Modified: head/sys/amd64/vmm/intel/vmx_support.S
==============================================================================
--- head/sys/amd64/vmm/intel/vmx_support.S Mon Jan 15 18:20:15 2018 (r328010)
+++ head/sys/amd64/vmm/intel/vmx_support.S Mon Jan 15 18:37:03 2018 (r328011)
@@ -72,6 +72,20 @@
movq VMXCTX_GUEST_RDI(%rdi),%rdi; /* restore rdi the last */
/*
+ * Clobber the remaining registers with guest contents so they can't
+ * be misused.
+ */
+#define VMX_GUEST_CLOBBER \
+ xor %rax, %rax; \
+ xor %rcx, %rcx; \
+ xor %rdx, %rdx; \
+ xor %rsi, %rsi; \
+ xor %r8, %r8; \
+ xor %r9, %r9; \
+ xor %r10, %r10; \
+ xor %r11, %r11;
+
+/*
* Save and restore the host context.
*
* Assumes that %rdi holds a pointer to the 'vmxctx'.
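Review bot: VMX_GUEST_CLOBBER leaves %rdi, %rbp, %rbx and %r12–%r15 untouched without saying why, so a reader has to infer from code outside the hunk that those registers hold host state at the point the macro is used. Presumably %rdi is the vmxctx pointer and the callee-saved registers are reloaded by VMX_HOST_RESTORE, which the second hunk of this file invokes immediately before the macro; if so, a comment on the macro such as `/* Not cleared: %rdi (vmxctx pointer) and the callee-saved registers, which VMX_HOST_RESTORE reloads with host values. */` would make the intended coverage checkable — please confirm against VMX_HOST_RESTORE, which is not in the hunk. As a style point, the 32-bit forms (`xor %eax, %eax`, `xor %r8d, %r8d`) zero-extend to the full 64-bit register and are the conventional zeroing idiom, with a shorter encoding for the legacy registers; the `;`-separated layout matches the file's other macros.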
@@ -231,6 +245,8 @@ vmx_exit_guest:
LK btrl %r10d, PM_ACTIVE(%r11)
VMX_HOST_RESTORE
+
+ VMX_GUEST_CLOBBER
/*
* This will return to the caller of 'vmx_enter_guest()' with a return