Author: tychon
Date: Mon Jan 15 18:37:03 2018
New Revision: 328011
URL: https://svnweb.freebsd.org/changeset/base/328011

Log:
  Provide some mitigation against CVE-2017-5715 by clearing registers
  upon returning from the guest which aren't immediately clobbered by
  the host.  This eradicates any remaining guest contents, limiting their
  usefulness in an exploit gadget.
  
  This was inspired by this linux commit:
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5b6c02f38315b720c593c6079364855d276886aa
  
  Reviewed by:  grehan, rgrimes
  Sponsored by: Dell EMC Isilon
  Differential Revision:        https://reviews.freebsd.org/D13573

Modified:
  head/sys/amd64/vmm/amd/svm_support.S
  head/sys/amd64/vmm/intel/vmx_support.S

Modified: head/sys/amd64/vmm/amd/svm_support.S
==============================================================================
--- head/sys/amd64/vmm/amd/svm_support.S        Mon Jan 15 18:20:15 2018        
(r328010)
+++ head/sys/amd64/vmm/amd/svm_support.S        Mon Jan 15 18:37:03 2018        
(r328011)
@@ -124,8 +124,20 @@ ENTRY(svm_launch)
        pop %rdx
        mov %edx, %eax
        shr $32, %rdx
-       mov $MSR_GSBASE, %ecx
+       mov $MSR_GSBASE, %rcx
        wrmsr
+
+       /*
+        * Clobber the remaining registers with guest contents so they
+        * can't be misused.
+        */
+       xor %rbp, %rbp
+       xor %rdi, %rdi
+       xor %rsi, %rsi
+       xor %r8, %r8
+       xor %r9, %r9
+       xor %r10, %r10
+       xor %r11, %r11
 
        VLEAVE
        ret
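Review bot: The new comment says the registers are clobbered "with guest contents", which is the opposite of what the `xor` sequence does, and the same wording is repeated in the VMX_GUEST_CLOBBER macro comment in vmx_support.S. Suggested text for both: `/* Clear the remaining registers that still hold guest contents so they can't be misused. */`. The register choice looks consistent with what is visible — %rax/%rcx/%rdx were just overwritten by the wrmsr sequence and VLEAVE presumably reloads %rbp — but a one-line comment stating why %rbx and %r12-%r15 are not in the list (restored from the host save area earlier in svm_launch, if that is the case) would stop a later reader from treating the list as incomplete. Stylistically, `xorl %ebp, %ebp` and friends zero the full 64-bit register with a shorter encoding, though that is purely cosmetic. svm_launch starts before this hunk.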

Modified: head/sys/amd64/vmm/intel/vmx_support.S
==============================================================================
--- head/sys/amd64/vmm/intel/vmx_support.S      Mon Jan 15 18:20:15 2018        
(r328010)
+++ head/sys/amd64/vmm/intel/vmx_support.S      Mon Jan 15 18:37:03 2018        
(r328011)
@@ -72,6 +72,20 @@
        movq    VMXCTX_GUEST_RDI(%rdi),%rdi; /* restore rdi the last */
 
 /*
+ * Clobber the remaining registers with guest contents so they can't
+ * be misused.
+ */
+#define        VMX_GUEST_CLOBBER                                               
\
+       xor     %rax, %rax;                                             \
+       xor     %rcx, %rcx;                                             \
+       xor     %rdx, %rdx;                                             \
+       xor     %rsi, %rsi;                                             \
+       xor     %r8, %r8;                                               \
+       xor     %r9, %r9;                                               \
+       xor     %r10, %r10;                                             \
+       xor     %r11, %r11;
+
+/*
  * Save and restore the host context.
  *
  * Assumes that %rdi holds a pointer to the 'vmxctx'.
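Review bot: VMX_GUEST_CLOBBER deliberately leaves %rdi, %rbp, %rbx and %r12-%r15 untouched, but the macro comment does not say why, so a later reader may "complete" the list and break the exit path (clearing %rdi in particular, which the neighbouring macros use as the vmxctx pointer per `movq VMXCTX_GUEST_RDI(%rdi),%rdi` above). Suggest extending the comment with `* %rdi is the vmxctx pointer and the callee-saved registers are reloaded by VMX_HOST_RESTORE, so they are intentionally omitted.` — confirm that VMX_HOST_RESTORE, whose body is outside this hunk, does reload that callee-saved set. The macro definition itself is complete within the hunk.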
@@ -231,6 +245,8 @@ vmx_exit_guest:
        LK btrl %r10d, PM_ACTIVE(%r11)
 
        VMX_HOST_RESTORE
+
+       VMX_GUEST_CLOBBER
 
        /*
         * This will return to the caller of 'vmx_enter_guest()' with a return
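Review bot: Ordering is load-bearing here: VMX_GUEST_CLOBBER zeroes %rax, so it must stay ahead of the return-value load that the comment below refers to, and a short note such as `/* Must precede the return value load into %eax. */` next to the macro invocation would pin that. It is also worth checking, outside this hunk, whether the vmlaunch/vmresume failure path that likewise runs VMX_HOST_RESTORE should get the same clobber, since VMX_GUEST_RESTORE has already loaded the guest register image into the GPRs by the time that path is taken; if it is intentionally excluded, say so beside the macro definition. vmx_exit_guest begins before this hunk.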