
vmm: avoid potential KASSERT kernel panic in vm_handle_db

Description

vmm: avoid potential KASSERT kernel panic in vm_handle_db

If the guest VM emits the exit code VM_EXITCODE_DB the kernel will
execute the function named vm_handle_db.

If the value of rsp is not page aligned and if rsp+sizeof(uint64_t)
spans across two pages, the function vm_copy_setup will need two structs
vm_copyinfo to prepare the copy operation.

For instance, if the rsp value is 0xFFC, two vm_copyinfo objects are needed:

  • address=0xFFC, len=4
  • address=0x1000, len=4

The vulnerability was addressed by commit 51fda658baa ("vmm: Properly
handle writes spanning across two pages in vm_handle_db"). Still,
replace the KASSERT with an error return as a more defensive approach.

Reported by: Synacktiv
Reviewed by: markj, emaste
Security: HYP-09
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46133
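To illustrate the page-spanning split described in the commit message and the defensive check it argues for, here is an added stand-alone model (not vmm's own code, and not the real vm_copyinfo layout or vm_copy_setup signature): a copy of rsp+sizeof(uint64_t) bytes is cut into page-contiguous pieces, and a caller whose array cannot hold all the pieces gets an error return instead of a KASSERT. It assumes 4 KiB pages.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define PAGE_MASK (PAGE_SIZE - 1)

/* Constructed stand-in for vmm's vm_copyinfo: one page-contiguous piece. */
struct copyinfo {
    uint64_t gla;   /* guest linear address where this piece starts */
    size_t   len;   /* bytes covered by this piece */
};

/*
 * Split [gla, gla + len) into pieces that never cross a page boundary.
 * Returns the number of pieces, or -1 when the caller's array (nci slots)
 * is too small, which is the case the original KASSERT would have caught.
 */
int copy_setup(uint64_t gla, size_t len, struct copyinfo *ci, int nci)
{
    int n = 0;
    while (len > 0) {
        if (n == nci)
            return -1;                       /* error return, not a panic */
        size_t room  = PAGE_SIZE - (gla & PAGE_MASK);  /* bytes left in page */
        size_t chunk = len < room ? len : room;
        ci[n].gla = gla;
        ci[n].len = chunk;
        n++;
        gla += chunk;
        len -= chunk;
    }
    return n;
}

/* 1 when an 8-byte write at gla splits into exactly the two expected pieces. */
int split_matches(uint64_t gla, uint64_t a0, size_t l0, uint64_t a1, size_t l1)
{
    struct copyinfo ci[2];
    if (copy_setup(gla, sizeof(uint64_t), ci, 2) != 2)
        return 0;
    return ci[0].gla == a0 && ci[0].len == l0 &&
           ci[1].gla == a1 && ci[1].len == l1;
}

int main(void)
{
    struct copyinfo ci[2];
    int n = copy_setup(0xFFC, sizeof(uint64_t), ci, 2);   /* rsp = 0xFFC */
    for (int i = 0; i < n; i++)
        printf("address=0x%llx, len=%zu\n", (unsigned long long)ci[i].gla, ci[i].len);
    printf("single slot: %d\n", copy_setup(0xFFC, sizeof(uint64_t), ci, 1));
    return 0;
}
```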

Details

Provenance
khorben_defora.org: Authored on Jul 25 2024, 2:40 PM
emaste: Committed on Wed, Oct 2, 4:58 PM
Differential Revision
Restricted Differential Revision
Parents
rG51fda658baa3: vmm: Properly handle writes spanning across two pages in vm_handle_db