Date: Wed, 11 Dec 2019 12:47:51 -0800
In-Reply-To: <20191211204753.242298-1-pomonis@google.com>
Message-Id: <20191211204753.242298-12-pomonis@google.com>
References: <20191211204753.242298-1-pomonis@google.com>
Subject: [PATCH v2 11/13] KVM: x86: Protect exit_reason from being used in Spectre-v1/L1TF attacks
From: Marios Pomonis
To: Paolo Bonzini, rkrcmar@redhat.com, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Nick Finco, Andrew Honig, Marios Pomonis, stable@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

This fixes a Spectre-v1/L1TF vulnerability in vmx_handle_exit().
While exit_reason is set by the hardware and therefore should not be
attacker-influenced, an unknown exit_reason could potentially be used to
perform such an attack.

Fixes: commit 55d2375e58a6 ("KVM: nVMX: Move nested code to dedicated files")
Signed-off-by: Marios Pomonis
Signed-off-by: Nick Finco
Suggested-by: Sean Christopherson
Reviewed-by: Andrew Honig
Cc: stable@vger.kernel.org
---
 arch/x86/kvm/vmx/vmx.c | 55 +++++++++++++++++++++++-------------------
 1 file changed, 30 insertions(+), 25 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 82b25f1812aa..78f2fef97d93 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c 
@@ -5918,34 +5918,39 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu) } } - if (exit_reason < kvm_vmx_max_exit_handlers - && kvm_vmx_exit_handlers[exit_reason]) { + if (exit_reason >= kvm_vmx_max_exit_handlers) + goto unexpected_vmexit; #ifdef CONFIG_RETPOLINE - if (exit_reason == EXIT_REASON_MSR_WRITE) - return kvm_emulate_wrmsr(vcpu); - else if (exit_reason == EXIT_REASON_PREEMPTION_TIMER) - return handle_preemption_timer(vcpu); - else if (exit_reason == EXIT_REASON_PENDING_INTERRUPT) - return handle_interrupt_window(vcpu); - else if (exit_reason == EXIT_REASON_EXTERNAL_INTERRUPT) - return handle_external_interrupt(vcpu); - else if (exit_reason == EXIT_REASON_HLT) - return kvm_emulate_halt(vcpu); - else if (exit_reason == EXIT_REASON_EPT_MISCONFIG) - return handle_ept_misconfig(vcpu); + if (exit_reason == EXIT_REASON_MSR_WRITE) + return kvm_emulate_wrmsr(vcpu); + else if (exit_reason == EXIT_REASON_PREEMPTION_TIMER) + return handle_preemption_timer(vcpu); + else if (exit_reason == EXIT_REASON_PENDING_INTERRUPT) + return handle_interrupt_window(vcpu); + else if (exit_reason == EXIT_REASON_EXTERNAL_INTERRUPT) + return handle_external_interrupt(vcpu); + else if (exit_reason == EXIT_REASON_HLT) + return kvm_emulate_halt(vcpu); + else if (exit_reason == EXIT_REASON_EPT_MISCONFIG) + return handle_ept_misconfig(vcpu); #endif - return kvm_vmx_exit_handlers[exit_reason](vcpu); - } else { - vcpu_unimpl(vcpu, "vmx: unexpected exit reason 0x%x\n", - exit_reason); - dump_vmcs(); - vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; - vcpu->run->internal.suberror = + + exit_reason = array_index_nospec(exit_reason, + kvm_vmx_max_exit_handlers); + if (!kvm_vmx_exit_handlers[exit_reason]) + goto unexpected_vmexit; + + return kvm_vmx_exit_handlers[exit_reason](vcpu); + +unexpected_vmexit: + vcpu_unimpl(vcpu, "vmx: unexpected exit reason 0x%x\n", exit_reason); + dump_vmcs(); + vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; + vcpu->run->internal.suberror = 
KVM_INTERNAL_ERROR_UNEXPECTED_EXIT_REASON; - vcpu->run->internal.ndata = 1; - vcpu->run->internal.data[0] = exit_reason; - return 0; - } + vcpu->run->internal.ndata = 1; + vcpu->run->internal.data[0] = exit_reason; + return 0; } /* -- 2.24.0.525.g8f36a354ae-goog
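Review bot: the NULL-handler check now sits after the `#ifdef CONFIG_RETPOLINE` chain instead of around it, so the six direct-call exit reasons (EXIT_REASON_MSR_WRITE through EXIT_REASON_EPT_MISCONFIG) are dispatched without ever consulting kvm_vmx_exit_handlers[]; that is behaviour-preserving only if each of them has a non-NULL table entry, which is worth stating in the commit message, or the clamp plus `if (!kvm_vmx_exit_handlers[exit_reason]) goto unexpected_vmexit;` could be hoisted above the chain so the two paths cannot diverge. The array_index_nospec() clamp itself is correctly placed between the `>=` bounds check and the first indexed load, and since it is the identity for in-range values, vcpu->run->internal.data[0] still receives the raw hardware exit reason on both unexpected_vmexit paths.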
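The range-check, clamp, NULL-check dispatch shape of the hunk above, modelled in user space as an added example (not kernel code): array_index_mask_nospec() and array_index_nospec() are re-implemented here with the same names and semantics as the generic kernel versions, and the handler table, handle_a/handle_b and dispatch_exit() are constructed stand-ins for kvm_vmx_exit_handlers and vmx_handle_exit().

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
/* Branchless mask modelled on the generic kernel array_index_mask_nospec():
 * ~0UL when index < size, 0 otherwise. For size < 2^(BITS_PER_LONG-1) the top
 * bit of (index | (size - 1 - index)) is set exactly when index >= size. */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    unsigned long hi = (index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
    return hi - 1UL;                 /* hi == 1 -> 0, hi == 0 -> ~0UL */
}

/* Function form of the kernel's array_index_nospec() macro. */
static unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed stand-in for kvm_vmx_exit_handlers: a sparse table indexed by a
 * hardware-supplied exit reason, with a deliberate NULL hole at index 1. */
typedef int (*exit_handler_t)(void);
static int handle_a(void) { return 1; }
static int handle_b(void) { return 2; }
static exit_handler_t handlers[] = { handle_a, NULL, handle_b };
static const unsigned long max_handlers = sizeof(handlers) / sizeof(handlers[0]);

#define UNEXPECTED_EXIT (-1)   /* stands in for the unexpected_vmexit path */

/* Mirrors the patched vmx_handle_exit(): range check, clamp, NULL check. */
static int dispatch_exit(uint32_t exit_reason)
{
    if (exit_reason >= max_handlers)
        return UNEXPECTED_EXIT;
    /* Even if the branch above mispredicts, the clamp yields index 0 for any
     * out-of-range value, so no attacker-chosen pointer is loaded speculatively. */
    exit_reason = (uint32_t)array_index_nospec(exit_reason, max_handlers);
    if (!handlers[exit_reason])
        return UNEXPECTED_EXIT;
    return handlers[exit_reason]();
}

int main(void)
{
    printf("reason 0 -> %d, reason 1 -> %d, reason 7 -> %d\n",
           dispatch_exit(0), dispatch_exit(1), dispatch_exit(7));
    return 0;
}
```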