svn commit: r329162 - in head/sys/amd64/vmm: amd intel

Shawn Webb shawn.webb at hardenedbsd.org
Mon Feb 12 15:37:12 UTC 2018 

On Mon, Feb 12, 2018 at 02:45:27PM +0000, Tycho Nightingale wrote:
> Author: tychon
> Date: Mon Feb 12 14:45:27 2018
> New Revision: 329162
> URL: https://svnweb.freebsd.org/changeset/base/329162
> 
> Log:
>   Provide further mitigation against CVE-2017-5715 by flushing the
>   return stack buffer (RSB) upon returning from the guest.
>   
>   This was inspired by this linux commit:
>   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kvm?id=117cc7a908c83697b0b737d15ae1eb5943afe35b
>   
>   Reviewed by:	grehan
>   Sponsored by:	Dell EMC Isilon
>   Differential Revision:	https://reviews.freebsd.org/D14272
> 
> Modified:
>   head/sys/amd64/vmm/amd/svm_support.S
>   head/sys/amd64/vmm/intel/vmcs.c
>   head/sys/amd64/vmm/intel/vmx.h
>   head/sys/amd64/vmm/intel/vmx_support.S
> 
> Modified: head/sys/amd64/vmm/amd/svm_support.S
> ==============================================================================
> --- head/sys/amd64/vmm/amd/svm_support.S	Mon Feb 12 14:44:21 2018	(r329161)
> +++ head/sys/amd64/vmm/amd/svm_support.S	Mon Feb 12 14:45:27 2018	(r329162)
> @@ -113,6 +113,23 @@ ENTRY(svm_launch)
>  	movq %rdi, SCTX_RDI(%rax)
>  	movq %rsi, SCTX_RSI(%rax)
>  
> +	/*
> +	 * To prevent malicious branch target predictions from
> +	 * affecting the host, overwrite all entries in the RSB upon
> +	 * exiting a guest.
> +	 */
> +	mov $16, %ecx	/* 16 iterations, two calls per loop */
> +	mov %rsp, %rax
> +0:	call 2f		/* create an RSB entry. */
> +1:	pause
> +	call 1b		/* capture rogue speculation. */
> +2:	call 2f		/* create an RSB entry. */
> +1:	pause
> +	call 1b		/* capture rogue speculation. */
> +2:	sub $1, %ecx
> +	jnz 0b
> +	mov %rax, %rsp
> +
>  	/* Restore host state */
>  	pop %r15
>  	pop %r14
> 

For amd systems, isn't use of lfence required for performance
reasons[1]? Or am I conflating two things?

1: https://reviews.llvm.org/D41723

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20180212/ca853c0a/attachment.sig>

More information about the svn-src-all mailing list