mirror of
https://github.com/opnsense/src.git
synced 2026-05-28 04:12:45 -04:00
If the guest VM emits the exit code VM_EXITCODE_DB the kernel will
execute the function named vm_handle_db.
If the value of rsp is not page aligned and if rsp+sizeof(uint64_t)
spans across two pages, the function vm_copy_setup will need two structs
vm_copyinfo to prepare the copy operation.
For instance, if the rsp value is 0xFFC, two vm_copyinfo objects are needed:
* address=0xFFC, len=4
* address=0x1000, len=4
The vulnerability was addressed by commit 51fda658baa ("vmm: Properly
handle writes spanning across two pages in vm_handle_db"). Still,
replace the KASSERT with an error return as a more defensive approach.
Reported by: Synacktiv
Reviewed by: markj, emaste
Security: HYP-09
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46133
(cherry picked from commit d19fa9c1b72bc52e51524abcc59ad844012ec365)
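As an added illustration of the page-splitting arithmetic the commit message describes (not code from the vmm sources or this commit): a copy of sizeof(uint64_t) bytes at a guest address is cut at every page boundary, and running out of copy descriptors yields an error return rather than an assertion. `struct copy_seg`, `copy_setup_split` and `db_write_segments` are simplified stand-ins for vmm's `struct vm_copyinfo` and `vm_copy_setup`, and the 4 KiB page size is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL            /* assumed page size */
#define PAGE_MASK (PAGE_SIZE - 1)

/* Stand-in for struct vm_copyinfo: one piece of a guest copy that
 * does not cross a page boundary. */
struct copy_seg {
    uint64_t gva;   /* guest virtual address of this piece */
    size_t   len;   /* bytes covered by this piece */
};

/* Split [gva, gva+len) into per-page segments. Returns the number of
 * segments filled in, or -E2BIG when more than nseg would be needed:
 * an error return in place of a KASSERT, so an odd guest rsp cannot
 * take the host kernel down. */
int copy_setup_split(uint64_t gva, size_t len, struct copy_seg *segs, int nseg)
{
    int n = 0;
    while (len > 0) {
        size_t room  = PAGE_SIZE - (gva & PAGE_MASK); /* bytes left on this page */
        size_t chunk = len < room ? len : room;
        if (n >= nseg)
            return -E2BIG;
        segs[n].gva = gva;
        segs[n].len = chunk;
        n++;
        gva += chunk;
        len -= chunk;
    }
    return n;
}

/* The #DB handler case: a uint64_t write at the guest's rsp. */
int db_write_segments(uint64_t rsp, struct copy_seg *segs, int nseg)
{
    return copy_setup_split(rsp, sizeof(uint64_t), segs, nseg);
}

int main(void)
{
    struct copy_seg segs[2];
    int n = db_write_segments(0xFFC, segs, 2);   /* constructed rsp from the commit message */
    for (int i = 0; i < n; i++)
        printf("address=0x%llx, len=%zu\n", (unsigned long long)segs[i].gva, segs[i].len);
    return 0;
}
```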