Date: Wed, 11 Dec 2019 12:47:49 -0800
In-Reply-To: <20191211204753.242298-1-pomonis@google.com>
Message-Id: <20191211204753.242298-10-pomonis@google.com>
References: <20191211204753.242298-1-pomonis@google.com>
X-Mailer: git-send-email 2.24.0.525.g8f36a354ae-goog
Subject: [PATCH v2 09/13] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
From: Marios Pomonis
To: Paolo Bonzini, rkrcmar@redhat.com, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Nick Finco, Andrew Honig, Marios Pomonis, stable@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

This fixes a Spectre-v1/L1TF vulnerability in set_msr_mce() and
get_msr_mce().
Both functions contain index computations based on the
(attacker-controlled) MSR number.

Fixes: commit 890ca9aefa78 ("KVM: Add MCE support")
Signed-off-by: Nick Finco
Signed-off-by: Marios Pomonis
Reviewed-by: Andrew Honig
Cc: stable@vger.kernel.org
---
 arch/x86/kvm/x86.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a256e09f321a..a9e66f09422e 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2496,7 +2496,10 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info) default: if (msr >= MSR_IA32_MC0_CTL && msr < MSR_IA32_MCx_CTL(bank_num)) { - u32 offset = msr - MSR_IA32_MC0_CTL; + u32 offset = array_index_nospec( + msr - MSR_IA32_MC0_CTL, + MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); + /* only 0 or all 1s can be written to IA32_MCi_CTL * some Linux kernels though clear bit 10 in bank 4 to * workaround a BIOS/GART TBL issue on AMD K8s, ignore @@ -2937,7 +2940,10 @@ static int get_msr_mce(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host) default: if (msr >= MSR_IA32_MC0_CTL && msr < MSR_IA32_MCx_CTL(bank_num)) { - u32 offset = msr - MSR_IA32_MC0_CTL; + u32 offset = array_index_nospec( + msr - MSR_IA32_MC0_CTL, + MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL); + data = vcpu->arch.mce_banks[offset]; break; } -- 2.24.0.525.g8f36a354ae-goog
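Review bot: In the set_msr_mce hunk the clamp's size argument `MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL` is the bound from the enclosing `if` written out a second time; if the range check is ever tightened, one copy can drift from the other and array_index_nospec() would then clamp against the wrong size. Suggest computing it once, e.g. `u32 nr_msrs = MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL;` used by both the comparison and the clamp (the same expression appears again in get_msr_mce, so a small shared helper would also work). The hunk also adds a blank line between the new declaration and the existing "only 0 or all 1s" comment that the original did not have; that is a style nit, but it separates the comment from the declaration it annotates.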
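Review bot: In the get_msr_mce hunk the clamped offset feeds straight into `data = vcpu->arch.mce_banks[offset];`, which is the load that matters here: the `if` alone only bounds the architectural path, while a mispredicted branch can still issue that load with an out-of-range offset, and array_index_nospec() forces a speculatively out-of-range index to 0 so the access stays inside mce_banks. A one-line comment above the clamp saying this would help the next reader, who otherwise sees a second bounds check that looks redundant next to the `if`. The commit message also calls the MSR number "attacker-controlled" without saying how it reaches these functions; naming the entry path would help whoever evaluates the stable@ backport.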
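As an added illustration, not part of this patch or of the kernel tree as posted, the block below is a user-space C model of what array_index_nospec() does to the offset computed in these two hunks. The mask construction reproduces the kernel's portable (non-asm) variant, the MSR constants are copied from the kernel's msr-index.h, and mce_banks and BANK_NUM are constructed stand-ins for vcpu->arch.mce_banks and bank_num.

```c
#include <stdint.h>

/* MSR constants reproduced from the kernel's msr-index.h, not from the patch. */
#define MSR_IA32_MC0_CTL     0x00000400u
#define MSR_IA32_MCx_CTL(x)  (MSR_IA32_MC0_CTL + 4u * (x))
#define BITS_PER_LONG        (8 * (int)sizeof(unsigned long))

/* Portable form of the kernel's array_index_mask_nospec(): all-ones when
 * index < size, zero otherwise, computed without a branch so the result does
 * not depend on branch prediction. Requires index and size <= LONG_MAX. */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* array_index_nospec(): an index that is (speculatively) out of range becomes 0. */
#define array_index_nospec(index, size) \
    ((index) & array_index_mask_nospec((unsigned long)(index), (unsigned long)(size)))

/* Constructed stand-in for vcpu->arch.mce_banks: 4 MSRs per bank, BANK_NUM banks. */
#define BANK_NUM 4u
static uint64_t mce_banks[4 * BANK_NUM];

/* The pre-patch offset computation, kept for comparison: architecturally it
 * yields the same value as the clamped form for every in-range msr. */
unsigned long unclamped_offset(uint32_t msr)
{
    return msr - MSR_IA32_MC0_CTL;
}

/* The clamp alone, as the patch inserts it (same size expression as the bounds check). */
unsigned long clamped_offset(uint32_t msr)
{
    return array_index_nospec(msr - MSR_IA32_MC0_CTL,
                              MSR_IA32_MCx_CTL(BANK_NUM) - MSR_IA32_MC0_CTL);
}

/* Mirrors the patched get_msr_mce() default path: the bounds check still decides
 * the architectural result; the clamp keeps a mispredicted branch from turning
 * an out-of-range msr into a speculative load outside mce_banks. */
int get_msr_mce_hardened(uint32_t msr, uint64_t *pdata)
{
    if (msr >= MSR_IA32_MC0_CTL && msr < MSR_IA32_MCx_CTL(BANK_NUM)) {
        uint32_t offset = clamped_offset(msr);
        *pdata = mce_banks[offset];
        return 0;
    }
    return 1; /* not an MCE bank MSR */
}
```

Note that for an msr just below MSR_IA32_MC0_CTL the u32 subtraction wraps to a huge offset, and the mask still collapses it to 0, which is why the clamp does not rely on the caller's ordering of the two range comparisons.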