svn commit: r328011 - in head/sys/amd64/vmm: amd intel

Tycho Nightingale tychon at FreeBSD.org
Mon Jan 15 18:37:04 UTC 2018


Author: tychon
Date: Mon Jan 15 18:37:03 2018
New Revision: 328011
URL: https://svnweb.freebsd.org/changeset/base/328011

Log:
  Provide some mitigation against CVE-2017-5715 by clearing registers
  upon returning from the guest which aren't immediately clobbered by
  the host.  This eradicates any remaining guest contents, limiting their
  usefulness in an exploit gadget.
  
  This was inspired by this linux commit:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5b6c02f38315b720c593c6079364855d276886aa
  
  Reviewed by:	grehan, rgrimes
  Sponsored by:	Dell EMC Isilon
  Differential Revision:	https://reviews.freebsd.org/D13573

Modified:
  head/sys/amd64/vmm/amd/svm_support.S
  head/sys/amd64/vmm/intel/vmx_support.S

Modified: head/sys/amd64/vmm/amd/svm_support.S
==============================================================================
--- head/sys/amd64/vmm/amd/svm_support.S	Mon Jan 15 18:20:15 2018	(r328010)
+++ head/sys/amd64/vmm/amd/svm_support.S	Mon Jan 15 18:37:03 2018	(r328011)
@@ -124,8 +124,20 @@ ENTRY(svm_launch)
 	pop %rdx
 	mov %edx, %eax
 	shr $32, %rdx
-	mov $MSR_GSBASE, %ecx
+	mov $MSR_GSBASE, %rcx
 	wrmsr
+
+	/*
+	 * Clobber the remaining registers with guest contents so they
+	 * can't be misused.
+	 */
+	xor %rbp, %rbp
+	xor %rdi, %rdi
+	xor %rsi, %rsi
+	xor %r8, %r8
+	xor %r9, %r9
+	xor %r10, %r10
+	xor %r11, %r11
 
 	VLEAVE
 	ret
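Review bot: The `%ecx` → `%rcx` change in `mov $MSR_GSBASE, %rcx` is unrelated to the register clearing and is not an improvement: a 32-bit destination already zero-extends into %rcx, and since MSR_GSBASE does not fit a sign-extended 32-bit immediate the 64-bit form most likely assembles to the longer movabs encoding, while wrmsr reads only %ecx either way, so `mov $MSR_GSBASE, %ecx` can stay. The `xor %rbp, %rbp` looks dead if VLEAVE pops %rbp from the frame pushed at entry, as its name suggests; if so, drop it or comment that it is intentional. The remaining clears can use the 32-bit forms (`xor %edi, %edi`, `xor %r8d, %r8d`, …), which zero the whole register with a shorter encoding; the same applies to VMX_GUEST_CLOBBER in vmx_support.S. The comment "Clobber the remaining registers with guest contents" reads as if guest data were being written into them; `Clear the remaining registers that still hold guest contents so they can't be misused.` says what the code does, in both files. svm_launch begins before this hunk.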

Modified: head/sys/amd64/vmm/intel/vmx_support.S
==============================================================================
--- head/sys/amd64/vmm/intel/vmx_support.S	Mon Jan 15 18:20:15 2018	(r328010)
+++ head/sys/amd64/vmm/intel/vmx_support.S	Mon Jan 15 18:37:03 2018	(r328011)
@@ -72,6 +72,20 @@
 	movq	VMXCTX_GUEST_RDI(%rdi),%rdi; /* restore rdi the last */
 
 /*
+ * Clobber the remaining registers with guest contents so they can't
+ * be misused.
+ */
+#define	VMX_GUEST_CLOBBER						\
+	xor	%rax, %rax;						\
+	xor	%rcx, %rcx;						\
+	xor	%rdx, %rdx;						\
+	xor	%rsi, %rsi;						\
+	xor	%r8, %r8;						\
+	xor	%r9, %r9;						\
+	xor	%r10, %r10;						\
+	xor	%r11, %r11;
+
+/*
  * Save and restore the host context.
  *
  * Assumes that %rdi holds a pointer to the 'vmxctx'.
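Review bot: VMX_GUEST_CLOBBER does not say which registers it deliberately leaves alone, so a later reader cannot tell an omission from an exclusion; %rdi in particular is cleared on the SVM side but not here. The header comment right below documents that the host-context macros assume %rdi holds the vmxctx pointer, which is presumably why it is excluded, and %rbx, %rbp, %r12-%r15 are presumably reloaded by VMX_HOST_RESTORE rather than left with guest contents. Extend the macro comment to record this, e.g. `* %rbx, %rbp and %r12-%r15 are reloaded by VMX_HOST_RESTORE and %rdi still holds the vmxctx pointer, so they are not cleared here.` The host-context comment block that the new macro is spliced into continues past the end of this hunk.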
@@ -231,6 +245,8 @@ vmx_exit_guest:
 	LK btrl	%r10d, PM_ACTIVE(%r11)
 
 	VMX_HOST_RESTORE
+
+	VMX_GUEST_CLOBBER
 
 	/*
 	 * This will return to the caller of 'vmx_enter_guest()' with a return
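Review bot: The new `VMX_GUEST_CLOBBER` is correctly placed after VMX_HOST_RESTORE, but nothing at the call site records that the order matters even though the macro header earlier in the file states that VMX_HOST_RESTORE expects %rdi to point at the vmxctx and may still need other scratch registers. Add a one-line note, `/* Must follow VMX_HOST_RESTORE, which still addresses the vmxctx. */`, so a later reordering does not silently break the restore. Zeroing %rax here is immediately superseded by the VMX_GUEST_VMEXIT return value described in the comment below, which is harmless but worth a word. vmx_exit_guest begins before this hunk and ends after it.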

