authormlarkin <mlarkin@openbsd.org>2018-09-18 16:02:08 +0000
committermlarkin <mlarkin@openbsd.org>2018-09-18 16:02:08 +0000
commit184c804a7bcef546d5d111b9caecc5e1574bd145 (patch)
tree889306f7ee18a1b3f378ed212e6588a730598b93
parentStart testing the roa backend (test 5) and cleanup tool in general. (diff)
vmm(4): Reset host LDTR on exit for SVM
For SVM machines, the LDT content remains set to that of the guest VM on exit (as compared to Intel/VMX which resets the LDTR to 0). This fix ensures the LDT is reset to 0 on SVM exits. Leaving the LDT set to the guest's choice could allow a malicious process to escalate its privileges with the help of a malicious VM that they also are able to run on the machine. This was reported by Maxime Villard; thanks!
-rw-r--r--sys/arch/amd64/amd64/vmm_support.S4
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/arch/amd64/amd64/vmm_support.S b/sys/arch/amd64/amd64/vmm_support.S
index 872951bcc20..e7f02555f7e 100644
--- a/sys/arch/amd64/amd64/vmm_support.S
+++ b/sys/arch/amd64/amd64/vmm_support.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: vmm_support.S,v 1.13 2018/08/21 19:04:38 deraadt Exp $ */
+/* $OpenBSD: vmm_support.S,v 1.14 2018/09/18 16:02:08 mlarkin Exp $ */
/*
* Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
*
@@ -680,6 +680,8 @@ restore_host_svm:
movw %ax, %es
xorq %rax, %rax
+ lldtw %ax /* Host LDT is always 0 */
+
popw %ax /* ax = saved TR */
popq %rdx
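Review bot: The added `lldtw %ax` depends silently on the `xorq %rax, %rax` on the line before it, which is pre-existing context and appears to be there to clear %rax ahead of the `popw %ax` for the saved TR; if that xor is ever moved or dropped, a non-null selector would be loaded into LDTR. The comment should record both the dependency and the reason, for example `/* SVM exit leaves guest LDTR loaded; host LDT is always 0 (%ax zeroed above) */`, so the instruction is not later removed as redundant. Separately, the segment reloads above it (the `movw %ax, %es` visible here) run while the guest's LDTR is still in effect; that is harmless only if every host selector refers to the GDT, which is presumably the case but worth confirming, or the reset could be moved ahead of the segment restores. restore_host_svm starts and ends outside this hunk, so the earlier restores and the interrupt state at this point cannot be checked from here.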