vmm(4): Reset host LDTR on exit for SVM

For SVM machines, the LDT content remains set to that of the guest VM on
exit (as compared to Intel/VMX which resets the LDTR to 0). This fix
ensures the LDT is reset to 0 on SVM exits.

Leaving the LDT set to the guest's choice could allow a malicious process
to escalate its privileges with the help of a malicious VM that they
also are able to run on the machine.

This was reported by Maxime Villard; thanks!

diff --git a/sys/arch/amd64/amd64/vmm_support.S b/sys/arch/amd64/amd64/vmm_support.S
index 872951b..e7f0255 100644 (file)
--- a/sys/arch/amd64/amd64/vmm_support.S
+++ b/sys/arch/amd64/amd64/vmm_support.S
@@ -1,4 +1,4 @@
-/*     $OpenBSD: vmm_support.S,v 1.13 2018/08/21 19:04:38 deraadt Exp $        */
+/*     $OpenBSD: vmm_support.S,v 1.14 2018/09/18 16:02:08 mlarkin Exp $        */
 /*
  * Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -680,6 +680,8 @@ restore_host_svm:
        movw    %ax, %es
 
        xorq    %rax, %rax
+       lldtw   %ax             /* Host LDT is always 0 */
+
        popw    %ax             /* ax = saved TR */
 
        popq    %rdx