From 184c804a7bcef546d5d111b9caecc5e1574bd145 Mon Sep 17 00:00:00 2001
From: mlarkin
Date: Tue, 18 Sep 2018 16:02:08 +0000
Subject: [PATCH] vmm(4): Reset host LDTR on exit for SVM
For SVM machines, the LDT content remains set to that of the guest VM on exit (as compared to Intel/VMX which resets the LDTR to 0). This fix ensures the LDT is reset to 0 on SVM exits. Leaving the LDT set to the guest's choice could allow a malicious process to escalate its privileges with the help of a malicious VM that they also are able to run on the machine. This was reported by Maxime Villard; thanks!
---
 sys/arch/amd64/amd64/vmm_support.S | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/arch/amd64/amd64/vmm_support.S b/sys/arch/amd64/amd64/vmm_support.S
index 872951bcc20..e7f02555f7e 100644
--- a/sys/arch/amd64/amd64/vmm_support.S
+++ b/sys/arch/amd64/amd64/vmm_support.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: vmm_support.S,v 1.13 2018/08/21 19:04:38 deraadt Exp $ */
+/* $OpenBSD: vmm_support.S,v 1.14 2018/09/18 16:02:08 mlarkin Exp $ */
 /*
  * Copyright (c) 2014 Mike Larkin
  *
@@ -680,6 +680,8 @@ restore_host_svm:
 movw %ax, %es
 xorq %rax, %rax
+ lldtw %ax /* Host LDT is always 0 */
+
 popw %ax /* ax = saved TR */
 popq %rdx
--
2.20.1
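Review bot: The added `lldtw %ax` depends on `%ax` still being zero from the `xorq %rax, %rax` just above it, and the comment does not say so; anyone who later slips a use of `%rax` between the two (the `popw %ax` for TR is only a couple of lines down) would silently load a stale selector into the host LDTR. I would make both the dependency and the security reason explicit: `lldtw %ax /* %ax == 0 from the xorq above: load the null selector so the guest-chosen LDT is not left active in the host */`. Since SVM hardware does not reset LDTR on #VMEXIT (unlike VMX, as the commit message notes), the same null load is needed on every path that restores host state; it is worth confirming that restore_host_svm is the only such path, as nothing in this hunk shows whether others exist. The enclosing restore_host_svm block begins before this hunk and continues past it.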