CVSROOT: /cvs
Module name: src
Changes by: mlar...@cvs.openbsd.org 2019/03/26 13:32:47
Modified files:
sys/arch/amd64/include: cpufunc.h
sys/arch/amd64/amd64: vmm.c
Log message:
vmm(4): On VMX, use sgdt/sidt to reset the GDT/IDT limits after exiting
the guest VM. By default, VMX sets the limits to 0xFFFF on exit, which is
larger than what we want and can lead to security issues.
While here, reset the LDT as well. We don't use this in OpenBSD, and
VMX loads a null LDT selector on exit anyway, but resetting it here
prevents any future surprises.
Pointed out by Maxime Villard from NetBSD - thanks!
ok deraadt@
