diff options
| author | Mike Larkin <mlarkin@cvs.openbsd.org> | 2018-09-18 16:02:09 +0000 |
|---|---|---|
| committer | Mike Larkin <mlarkin@cvs.openbsd.org> | 2018-09-18 16:02:09 +0000 |
| commit | d17c874ff0198b315f7eba509eb863234b229e1f (patch) | |
| tree | 304ad342c97c43a9aeb936a959f84faabf3455ee /sys/arch/amd64 | |
| parent | 96d4454ede88ec8e725558c847dfa0e2bbe87a55 (diff) | |
vmm(4): Reset host LDTR on exit for SVM
For SVM machines, the LDT content remains set to that of the guest VM on
exit (as compared to Intel/VMX which resets the LDTR to 0). This fix
ensures the LDT is reset to 0 on SVM exits.
Leaving the LDT set to the guest's choice could allow a malicious process
to escalate its privileges with the help of a malicious VM that they
also are able to run on the machine.
This was reported by Maxime Villard; thanks!
Diffstat (limited to 'sys/arch/amd64')
| -rw-r--r-- | sys/arch/amd64/amd64/vmm_support.S | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/arch/amd64/amd64/vmm_support.S b/sys/arch/amd64/amd64/vmm_support.S index 872951bcc20..e7f02555f7e 100644 --- a/sys/arch/amd64/amd64/vmm_support.S +++ b/sys/arch/amd64/amd64/vmm_support.S @@ -1,4 +1,4 @@ -/* $OpenBSD: vmm_support.S,v 1.13 2018/08/21 19:04:38 deraadt Exp $ */ +/* $OpenBSD: vmm_support.S,v 1.14 2018/09/18 16:02:08 mlarkin Exp $ */ /* * Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org> * @@ -680,6 +680,8 @@ restore_host_svm: movw %ax, %es xorq %rax, %rax + lldtw %ax /* Host LDT is always 0 */ + popw %ax /* ax = saved TR */ popq %rdx |