From owner-svn-src-all@freebsd.org Mon Jan 15 18:37:04 2018
Message-Id: <201801151837.w0FIb3R7098459@repo.freebsd.org>
From: Tycho Nightingale
Date: Mon, 15 Jan 2018 18:37:03 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r328011 - in head/sys/amd64/vmm: amd intel
X-SVN-Group: head
X-SVN-Commit-Author: tychon
X-SVN-Commit-Paths: in head/sys/amd64/vmm: amd intel
X-SVN-Commit-Revision: 328011
X-SVN-Commit-Repository: base

Author: tychon
Date: Mon Jan 15 18:37:03 2018
New Revision: 328011

URL: https://svnweb.freebsd.org/changeset/base/328011

Log:
  Provide some mitigation against CVE-2017-5715 by clearing registers
  upon returning from the guest which aren't immediately clobbered by
  the host. This eradicates any remaining guest contents limiting their
  usefulness in an exploit gadget.

  This was inspired by this linux commit:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5b6c02f38315b720c593c6079364855d276886aa

  Reviewed by: grehan, rgrimes
  Sponsored by: Dell EMC Isilon
  Differential Revision: https://reviews.freebsd.org/D13573

Modified:
  head/sys/amd64/vmm/amd/svm_support.S
  head/sys/amd64/vmm/intel/vmx_support.S

Modified: head/sys/amd64/vmm/amd/svm_support.S
==============================================================================
--- head/sys/amd64/vmm/amd/svm_support.S	Mon Jan 15 18:20:15 2018	(r328010)
+++ head/sys/amd64/vmm/amd/svm_support.S	Mon Jan 15 18:37:03 2018	(r328011)
@@ -124,8 +124,20 @@ ENTRY(svm_launch) pop %rdx mov %edx, %eax shr $32, %rdx - mov $MSR_GSBASE, %ecx + mov $MSR_GSBASE, %rcx wrmsr + + /* + * Clobber the remaining registers with guest contents so they + * can't be misused. + */ + xor %rbp, %rbp + xor %rdi, %rdi + xor %rsi, %rsi + xor %r8, %r8 + xor %r9, %r9 + xor %r10, %r10 + xor %r11, %r11 VLEAVE ret Modified: head/sys/amd64/vmm/intel/vmx_support.S ============================================================================== --- head/sys/amd64/vmm/intel/vmx_support.S Mon Jan 15 18:20:15 2018 (r328010) +++ head/sys/amd64/vmm/intel/vmx_support.S Mon Jan 15 18:37:03 2018 (r328011) @@ -72,6 +72,20 @@ movq VMXCTX_GUEST_RDI(%rdi),%rdi; /* restore rdi the last */ /* + * Clobber the remaining registers with guest contents so they can't + * be misused. + */ +#define VMX_GUEST_CLOBBER \ + xor %rax, %rax; \ + xor %rcx, %rcx; \ + xor %rdx, %rdx; \ + xor %rsi, %rsi; \ + xor %r8, %r8; \ + xor %r9, %r9; \ + xor %r10, %r10; \ + xor %r11, %r11; + +/* * Save and restore the host context. * * Assumes that %rdi holds a pointer to the 'vmxctx'. @@ -231,6 +245,8 @@ vmx_exit_guest: LK btrl %r10d, PM_ACTIVE(%r11) VMX_HOST_RESTORE + + VMX_GUEST_CLOBBER /* * This will return to the caller of 'vmx_enter_guest()' with a return
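Review bot: the change from `mov $MSR_GSBASE, %ecx` to `mov $MSR_GSBASE, %rcx` in the svm_support.S hunk is unrelated to the register clearing and is not mentioned in the log message; wrmsr takes the MSR index from %ecx and a 32-bit mov already zero-extends into %rcx, so it is behaviour-preserving, but it should either be dropped or called out in the log so the security change stays easy to audit. Also, `xor %rbp, %rbp` sits before VLEAVE; that is only safe if VLEAVE restores %rbp from the stack without using it as the frame pointer to locate the saved value, which is not visible in this hunk and deserves a one-line comment next to the xor.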
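Review bot: the comment on VMX_GUEST_CLOBBER, `Clobber the remaining registers with guest contents so they can't be misused`, reads as if the registers are being filled with guest contents; suggest `Clear the remaining registers that still hold guest contents so they can't be misused` (the same wording appears in the svm_support.S hunk). The register set also differs from the SVM side (here %rax, %rcx, %rdx, %rsi, %r8-%r11; there %rbp, %rdi, %rsi, %r8-%r11) without explanation; a comment stating why %rdi is excluded (per the comment below the macro it holds the `vmxctx` pointer) and why %rbp is left alone here would help the next reader, and defining the SVM sequence as a matching macro would keep the two sides symmetric.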
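Review bot: VMX_GUEST_CLOBBER zeroes %rax, and the comment immediately after the vmx_exit_guest hunk says this path returns to the caller of vmx_enter_guest() with a return value, so the return value must be loaded into %eax after the macro, not before; please confirm that ordering, as it is not visible in the hunk. The placement after VMX_HOST_RESTORE and after the `btrl %r10d, PM_ACTIVE(%r11)` use of %r10/%r11 is correct, since those scratch registers are consumed before they are cleared.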