Author: tychon Date: Mon Jan 15 18:37:03 2018 New Revision: 328011 URL: https://svnweb.freebsd.org/changeset/base/328011
Log:
Provide some mitigation against CVE-2017-5715 by clearing registers upon returning from the guest which aren't immediately clobbered by the host. This eradicates any remaining guest contents limiting their usefulness in an exploit gadget.
This was inspired by this linux commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5b6c02f38315b720c593c6079364855d276886aa
Reviewed by: grehan, rgrimes
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D13573
Modified:
head/sys/amd64/vmm/amd/svm_support.S
head/sys/amd64/vmm/intel/vmx_support.S
Modified: head/sys/amd64/vmm/amd/svm_support.S
==============================================================================
--- head/sys/amd64/vmm/amd/svm_support.S Mon Jan 15 18:20:15 2018 (r328010)
+++ head/sys/amd64/vmm/amd/svm_support.S Mon Jan 15 18:37:03 2018 (r328011)
@@ -124,8 +124,20 @@ ENTRY(svm_launch)
 pop %rdx
 mov %edx, %eax
 shr $32, %rdx
- mov $MSR_GSBASE, %ecx
+ mov $MSR_GSBASE, %rcx
 wrmsr
+
+ /*
+ * Clobber the remaining registers with guest contents so they
+ * can't be misused.
+ */
+ xor %rbp, %rbp
+ xor %rdi, %rdi
+ xor %rsi, %rsi
+ xor %r8, %r8
+ xor %r9, %r9
+ xor %r10, %r10
+ xor %r11, %r11
 VLEAVE
 ret
Modified: head/sys/amd64/vmm/intel/vmx_support.S
==============================================================================
--- head/sys/amd64/vmm/intel/vmx_support.S Mon Jan 15 18:20:15 2018 (r328010)
+++ head/sys/amd64/vmm/intel/vmx_support.S Mon Jan 15 18:37:03 2018 (r328011)
@@ -72,6 +72,20 @@
 movq VMXCTX_GUEST_RDI(%rdi),%rdi; /* restore rdi the last */
 /*
+ * Clobber the remaining registers with guest contents so they can't
+ * be misused.
+ */
+#define VMX_GUEST_CLOBBER \
+ xor %rax, %rax; \
+ xor %rcx, %rcx; \
+ xor %rdx, %rdx; \
+ xor %rsi, %rsi; \
+ xor %r8, %r8; \
+ xor %r9, %r9; \
+ xor %r10, %r10; \
+ xor %r11, %r11;
+
+/*
 * Save and restore the host context.
 *
 * Assumes that %rdi holds a pointer to the 'vmxctx'.
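Review bot: The `mov $MSR_GSBASE, %ecx` → `mov $MSR_GSBASE, %rcx` change in this hunk has no functional effect and only costs encoding size: a 32-bit destination write already zero-extends into %rcx, so wrmsr reads the same %ecx either way, while the 64-bit form assembles to a 10-byte movabs because MSR_GSBASE does not fit a sign-extended imm32 (the constant's definition is outside the hunk). If the wider form is deliberate, say why in a comment; otherwise keep `%ecx`. The new block comment, here and in the vmx_support.S hunk that defines VMX_GUEST_CLOBBER, reads as though the registers are being clobbered with guest contents rather than being cleared of them; suggest `/* Zero the remaining registers that still hold guest contents so they can't be misused. */`. `xor %rbp, %rbp` runs immediately before VLEAVE, whose definition is outside the hunk: if VLEAVE is a plain `pop %rbp` the xor is redundant but harmless, whereas a `leave`-style epilogue would move the zeroed %rbp into %rsp, so a one-line comment stating which registers VLEAVE and the preceding host-context restore already cover would make the chosen list auditable. svm_launch begins outside the hunk.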
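Review bot: VMX_GUEST_CLOBBER states neither which registers it intentionally leaves untouched nor why, which is exactly what a reader auditing the mitigation needs to check; %rdi is presumably skipped because it holds the vmxctx pointer (the comment directly below says so for the host-context macros), and %rbx, %rbp and %r12–%r15 presumably come back from the host context in VMX_HOST_RESTORE, but both are inferred since that macro is outside the hunk. Suggest a line in the header comment such as ` * Excludes %rdi (vmxctx pointer) and the callee-saved registers that VMX_HOST_RESTORE reloads.` once confirmed. The macro also zeroes %rax, so a note that any return value must be set after its use would help whoever places the invocation. The register list is GPR-only; if vector/FPU state is handled elsewhere, a pointer to where would complete the picture.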
@@ -231,6 +245,8 @@ vmx_exit_guest:
 LK btrl %r10d, PM_ACTIVE(%r11)
 VMX_HOST_RESTORE
+
+ VMX_GUEST_CLOBBER
 /*
 * This will return to the caller of 'vmx_enter_guest()' with a return
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
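Review bot: The `VMX_GUEST_CLOBBER` use in this hunk has no comment at the call site, so the ordering it depends on is invisible: it must follow VMX_HOST_RESTORE (which presumably uses %rdi and scratch registers the macro zeroes) and, because the macro zeroes %rax, the VMX_GUEST_VMEXIT return value described in the following comment has to be loaded after it — that load is outside the hunk, so please confirm. A trailing comment such as `VMX_GUEST_CLOBBER /* clear scratch regs that still hold guest state; must stay after VMX_HOST_RESTORE */` would capture both constraints. vmx_exit_guest continues past the hunk.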