svn commit: r329162 - in head/sys/amd64/vmm: amd intel
Shawn Webb
shawn.webb at hardenedbsd.org
Mon Feb 12 15:37:12 UTC 2018
On Mon, Feb 12, 2018 at 02:45:27PM +0000, Tycho Nightingale wrote:
> Author: tychon
> Date: Mon Feb 12 14:45:27 2018
> New Revision: 329162
> URL: https://svnweb.freebsd.org/changeset/base/329162
>
> Log:
> Provide further mitigation against CVE-2017-5715 by flushing the
> return stack buffer (RSB) upon returning from the guest.
>
> This was inspired by this linux commit:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kvm?id=117cc7a908c83697b0b737d15ae1eb5943afe35b
>
> Reviewed by: grehan
> Sponsored by: Dell EMC Isilon
> Differential Revision: https://reviews.freebsd.org/D14272
>
> Modified:
> head/sys/amd64/vmm/amd/svm_support.S
> head/sys/amd64/vmm/intel/vmcs.c
> head/sys/amd64/vmm/intel/vmx.h
> head/sys/amd64/vmm/intel/vmx_support.S
>
> Modified: head/sys/amd64/vmm/amd/svm_support.S
> ==============================================================================
> --- head/sys/amd64/vmm/amd/svm_support.S Mon Feb 12 14:44:21 2018 (r329161)
> +++ head/sys/amd64/vmm/amd/svm_support.S Mon Feb 12 14:45:27 2018 (r329162)
> @@ -113,6 +113,23 @@ ENTRY(svm_launch)
> movq %rdi, SCTX_RDI(%rax)
> movq %rsi, SCTX_RSI(%rax)
>
> + /*
> + * To prevent malicious branch target predictions from
> + * affecting the host, overwrite all entries in the RSB upon
> + * exiting a guest.
> + */
> + mov $16, %ecx /* 16 iterations, two calls per loop */
> + mov %rsp, %rax
> +0: call 2f /* create an RSB entry. */
> +1: pause
> + call 1b /* capture rogue speculation. */
> +2: call 2f /* create an RSB entry. */
> +1: pause
> + call 1b /* capture rogue speculation. */
> +2: sub $1, %ecx
> + jnz 0b
> + mov %rax, %rsp
> +
> /* Restore host state */
> pop %r15
> pop %r14
>
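Review bot: the `mov %rsp, %rax` that opens the fill sequence clobbers %rax while the two stores directly above it (`movq %rdi, SCTX_RDI(%rax)`, `movq %rsi, SCTX_RSI(%rax)`) are still using %rax as the guest context pointer; this is only correct because those are the last context stores before the host-state pops, so the comment block should state that %rax and %ecx are dead at this point, otherwise a later reordering of the context saves silently breaks the restore. The speculation trap at `1:` is written as `pause; call 1b`, a loop via call rather than the unconditional `jmp 1b` one would expect for a trap that is only ever reached on a mispredicted return; a call there pushes a return address and adds a further RSB entry on every speculative pass, so either say why call is intended or use `jmp 1b`. The comment `16 iterations, two calls per loop` would also be more useful if it stated the assumption it encodes (32 RSB entries, 32 * 8 = 256 bytes of host stack consumed until `mov %rax, %rsp`), since that depth is what ties this sequence to the hardware it is meant to cover.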
For amd systems, isn't use of lfence required for performance
reasons[1]? Or am I conflating two things?
1: https://reviews.llvm.org/D41723
Thanks,
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
Tor-ified Signal: +1 443-546-8752
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
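To make the two variants under discussion concrete, here is an added, stand-alone C example (not FreeBSD or patch code) of the same RSB-stuffing idiom as a user-space routine, once with the pause-only speculation trap and once with pause plus lfence, the barrier asked about above. It assumes a 32-entry RSB (16 iterations, two calls each, as the patch's constants imply), uses `jmp 1b` rather than `call 1b` in the trap, and skips the 128-byte user-space red zone before pushing, which kernel code built with -mno-red-zone does not need. The function names are hypothetical; each returns how many bytes of stack the 32 calls consumed before the stack pointer was put back, which is the one property of the sequence that can be checked architecturally.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 32-entry return stack buffer, overwritten by 16 loop
 * iterations of two calls each, exactly the constants the patch uses. */
#define RSB_ENTRIES 32

#if defined(__x86_64__)
/* GCC/Clang inline asm. The compiler does not know rsp is moved, so the
 * sequence must restore it before the statement ends. `trap` is the
 * body placed at each speculation-trap label; it is never retired, it
 * only catches returns the CPU mispredicts into the stale RSB entries.
 * pushed = rax - rsp right before the restore, i.e. bytes of return
 * addresses the 32 calls left on the stack. */
#define RSB_FILL(trap, pushed)                                             \
    __asm__ __volatile__(                                                  \
        "sub $128, %%rsp\n\t"      /* stay clear of the user red zone */   \
        "mov %%rsp, %%rax\n\t"     /* rax: stack pointer to restore */     \
        "mov $16, %%ecx\n\t"       /* 16 iterations, two calls per loop */ \
        "0: call 2f\n\t"           /* create an RSB entry */               \
        "1: " trap "\n\t"          /* speculation trap */                  \
        "2: call 2f\n\t"           /* create an RSB entry */               \
        "1: " trap "\n\t"          /* speculation trap */                  \
        "2: sub $1, %%ecx\n\t"                                             \
        "jnz 0b\n\t"                                                       \
        "mov %%rax, %0\n\t"        /* pushed = rax - rsp */                \
        "sub %%rsp, %0\n\t"                                                \
        "mov %%rax, %%rsp\n\t"     /* drop the 32 return addresses */      \
        "add $128, %%rsp\n\t"      /* give the red zone back */            \
        : "=&r"(pushed) : : "rax", "rcx", "memory", "cc")
#endif

/* Fill the RSB with a pause-only trap (the pattern in the patch, with
 * jmp instead of call). Returns bytes pushed (0 on non-x86-64). */
uint64_t rsb_fill_pause(void)
{
    uint64_t pushed = 0;
#if defined(__x86_64__)
    RSB_FILL("pause; jmp 1b", pushed);
#endif
    return pushed;
}

/* Same fill, with lfence added to the trap so that speculation down the
 * trap path is stopped by a barrier rather than by pause alone. */
uint64_t rsb_fill_pause_lfence(void)
{
    uint64_t pushed = 0;
#if defined(__x86_64__)
    RSB_FILL("pause; lfence; jmp 1b", pushed);
#endif
    return pushed;
}

/* What a correct fill must report: one 8-byte return address per entry. */
uint64_t rsb_fill_expected_bytes(void)
{
#if defined(__x86_64__)
    return RSB_ENTRIES * sizeof(uint64_t);   /* 256 */
#else
    return 0;
#endif
}

int main(void)
{
    printf("pause-only trap:   %llu bytes pushed\n",
           (unsigned long long)rsb_fill_pause());
    printf("pause+lfence trap: %llu bytes pushed\n",
           (unsigned long long)rsb_fill_pause_lfence());
    printf("expected:          %llu bytes\n",
           (unsigned long long)rsb_fill_expected_bytes());
    return 0;
}
```

Both variants are architecturally identical: the trap code is never retired, so the only visible effects are the 32 pushed return addresses and the restored stack pointer, which is what the returned byte count checks. The choice between them is purely about what stops speculation once a mispredicted return lands in the trap. One caveat for anyone lifting this into user space: with CET shadow stacks enforced, the 32 calls also push shadow-stack entries that `mov %rax, %rsp` does not pop, so the next real `ret` would fault; the idiom belongs in code that does not run under a shadow stack.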