Date: Wed, 11 Dec 2019 12:47:41 -0800
From: Marios Pomonis
To: Paolo Bonzini, rkrcmar@redhat.com, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Nick Finco, Andrew Honig, Marios Pomonis, stable@vger.kernel.org
Subject: [PATCH v2 01/13] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
Message-Id: <20191211204753.242298-2-pomonis@google.com>
In-Reply-To: <20191211204753.242298-1-pomonis@google.com>
References: <20191211204753.242298-1-pomonis@google.com>
X-Mailer: git-send-email 2.24.0.525.g8f36a354ae-goog
X-Mailing-List: linux-kernel@vger.kernel.org

This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
symbol, so KVM should treat it conservatively from a security perspective.

Fixes: commit 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw")

Signed-off-by: Nick Finco
Signed-off-by: Marios Pomonis
Reviewed-by: Andrew Honig
Cc: stable@vger.kernel.org
---
 arch/x86/kvm/emulate.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 952d1a4f4d7e..fcf7cdb21d60 100644
--- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -5303,10 +5303,15 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len) } break; case Escape: - if (ctxt->modrm > 0xbf) - opcode = opcode.u.esc->high[ctxt->modrm - 0xc0]; - else + if (ctxt->modrm > 0xbf) { + size_t size = ARRAY_SIZE(opcode.u.esc->high); + u32 index = array_index_nospec( + ctxt->modrm - 0xc0, size); + + opcode = opcode.u.esc->high[index]; + } else { opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7]; + } break; case InstrDual: if ((ctxt->modrm >> 6) == 3) -- 2.24.0.525.g8f36a354ae-goog
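Review bot: the hunk never says why an index that the preceding `if (ctxt->modrm > 0xbf)` already confines needs array_index_nospec(), and the commit message does not either; a later reader of this `case Escape:` block sees `u32 index` derived from a ModRM byte the comparison has just restricted to 0xc0..0xff and may treat the clamp as redundant. Add a one-line comment above `size_t size = ARRAY_SIZE(opcode.u.esc->high);` saying that the ModRM value comes from the instruction bytes passed in via `insn` and that the clamp covers the case where the branch is mispredicted and `ctxt->modrm - 0xc0` is evaluated for a value below 0xc0. On the same lines, `ctxt->modrm - 0xc0` is a signed int expression that array_index_nospec() treats as an unsigned index, which is what makes a negative result clamp to 0; storing it in `u32 index` while `size` is a `size_t` mixes widths for no reason, and `size_t index` would read more consistently with the `size` declared just above it.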
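To show what the array_index_nospec() clamp in the patch actually buys, the following is an added, stand-alone example (not kernel code and not part of the patch): it rebuilds the branchless mask using the same construction as the generic fallback in the kernel's include/linux/nospec.h, models the Escape table with a constructed 64-entry `high[]` array, and contrasts the index the old code would compute on a mispredicted branch (a negative int that wraps to a large u32) with the clamped index. The table contents, the `secret` field and the function names are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG ((int)(8 * sizeof(long)))
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Branchless bound mask, same construction as the generic fallback in the
 * kernel's nospec.h: all ones when index < size, zero otherwise. There is
 * no conditional branch here, so there is nothing for the CPU to
 * mispredict. (x86 derives the same mask with "cmp size,index; sbb m,m".)
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
						    unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index into [0, size): unchanged when in range, 0 when out of range. */
static inline unsigned long array_index_nospec(unsigned long index,
					       unsigned long size)
{
	return index & array_index_mask_nospec(index, size);
}

/*
 * Constructed stand-in for the escape table: 8 entries selected by
 * ModRM.reg for ModRM < 0xc0, 64 entries for ModRM 0xc0..0xff, and a
 * field placed right after the table to stand for whatever memory a
 * speculative over-read would reach. Values are tags, not decoder data.
 */
struct escape_table {
	uint32_t op[8];
	uint32_t high[64];
	uint32_t secret;
};

static struct escape_table esc;

static void init_table(void)
{
	for (size_t i = 0; i < ARRAY_SIZE(esc.op); i++)
		esc.op[i] = 0x200 + (uint32_t)i;
	for (size_t i = 0; i < ARRAY_SIZE(esc.high); i++)
		esc.high[i] = 0x100 + (uint32_t)i;
	esc.secret = 0xdead;
}

/*
 * Index computed the pre-patch way, as it would be on a path where the CPU
 * has speculatively taken the "> 0xbf" branch for a ModRM below 0xc0:
 * modrm is promoted to int, the subtraction goes negative, and the u32
 * store wraps it to a value far past the end of high[].
 */
uint32_t escape_index_raw(uint8_t modrm)
{
	return (uint32_t)(modrm - 0xc0);
}

/*
 * Same index after array_index_nospec(). The negative int converts to a
 * huge unsigned long, which is >= size, so the mask is 0 and the index
 * clamps to 0; in-range values 0..63 pass through untouched.
 */
uint32_t escape_index_nospec(uint8_t modrm)
{
	size_t size = ARRAY_SIZE(esc.high);

	return (uint32_t)array_index_nospec((unsigned long)(modrm - 0xc0), size);
}

/* Architectural decode with the patched branch structure; results are
 * identical to the unpatched code for every ModRM value. */
uint32_t decode_escape(uint8_t modrm)
{
	init_table();
	if (modrm > 0xbf) {
		uint32_t index = escape_index_nospec(modrm);

		return esc.high[index];
	}
	return esc.op[(modrm >> 3) & 7];
}

int main(void)
{
	init_table();
	printf("modrm 0x80: raw index 0x%08x (past high[]), nospec index %u\n",
	       (unsigned)escape_index_raw(0x80),
	       (unsigned)escape_index_nospec(0x80));
	printf("modrm 0xff: nospec index %u\n",
	       (unsigned)escape_index_nospec(0xff));
	printf("decode 0xc5 -> 0x%x, decode 0x38 -> 0x%x\n",
	       (unsigned)decode_escape(0xc5), (unsigned)decode_escape(0x38));
	return 0;
}
```

The point the example makes is that the clamp changes nothing architecturally (decode_escape() returns the same entry the old code did) and only matters on the transient path, where the index is never allowed to leave [0, 63] and so cannot load a cache line the guest could later probe.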