Date: Wed, 11 Dec 2019 12:47:50 -0800
In-Reply-To: <20191211204753.242298-1-pomonis@google.com>
Message-Id: <20191211204753.242298-11-pomonis@google.com>
References: <20191211204753.242298-1-pomonis@google.com>
Subject: [PATCH v2 10/13] KVM: x86: Protect memory accesses from Spectre-v1/L1TF attacks in x86.c
From: Marios Pomonis
To: Paolo Bonzini, rkrcmar@redhat.com, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Nick Finco, Andrew Honig, Marios Pomonis, stable@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

This fixes Spectre-v1/L1TF vulnerabilities in vmx_read_guest_seg_selector(),
vmx_read_guest_seg_base(), vmx_read_guest_seg_limit() and
vmx_read_guest_seg_ar().
These functions contain index computations based on the
(attacker-influenced) segment value.

Fixes: commit 2fb92db1ec08 ("KVM: VMX: Cache vmcs segment fields")
Signed-off-by: Nick Finco
Signed-off-by: Marios Pomonis
Reviewed-by: Andrew Honig
Cc: stable@vger.kernel.org
---
 arch/x86/kvm/vmx/vmx.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index d39475e2d44e..82b25f1812aa 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -753,7 +753,9 @@ static bool vmx_segment_cache_test_set(struct vcpu_vmx *vmx, unsigned seg, static u16 vmx_read_guest_seg_selector(struct vcpu_vmx *vmx, unsigned seg) { - u16 *p = &vmx->segment_cache.seg[seg].selector; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + u16 *p = &vmx->segment_cache.seg[index].selector; if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_SEL)) *p = vmcs_read16(kvm_vmx_segment_fields[seg].selector); @@ -762,7 +764,9 @@ static u16 vmx_read_guest_seg_selector(struct vcpu_vmx *vmx, unsigned seg) static ulong vmx_read_guest_seg_base(struct vcpu_vmx *vmx, unsigned seg) { - ulong *p = &vmx->segment_cache.seg[seg].base; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + ulong *p = &vmx->segment_cache.seg[index].base; if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_BASE)) *p = vmcs_readl(kvm_vmx_segment_fields[seg].base); @@ -771,7 +775,9 @@ static ulong vmx_read_guest_seg_base(struct vcpu_vmx *vmx, unsigned seg) static u32 vmx_read_guest_seg_limit(struct vcpu_vmx *vmx, unsigned seg) { - u32 *p = &vmx->segment_cache.seg[seg].limit; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + u32 *p = &vmx->segment_cache.seg[index].limit; if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_LIMIT)) *p = vmcs_read32(kvm_vmx_segment_fields[seg].limit); 
@@ -780,7 +786,9 @@ static u32 vmx_read_guest_seg_limit(struct vcpu_vmx *vmx, unsigned seg) static u32 vmx_read_guest_seg_ar(struct vcpu_vmx *vmx, unsigned seg) { - u32 *p = &vmx->segment_cache.seg[seg].ar; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + u32 *p = &vmx->segment_cache.seg[index].ar; if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_AR)) *p = vmcs_read32(kvm_vmx_segment_fields[seg].ar_bytes); -- 2.24.0.525.g8f36a354ae-goog
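Review bot: the subject says the fix is "in x86.c", but the only file this diff touches is arch/x86/kvm/vmx/vmx.c (see the diff --git header and the diffstat); retitle so the subject names vmx.c, and consider the "KVM: VMX:" prefix the Fixes tag itself uses.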
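Review bot: in the vmx_read_guest_seg_selector() hunk the clamp only protects the segment_cache.seg[index] access; the unchanged next line, `*p = vmcs_read16(kvm_vmx_segment_fields[seg].selector);`, still indexes with the raw seg. If seg is attacker-influenced, as the commit message states, that table lookup is the same bounds-check-bypass pattern, so either pass index there as well or clamp seg once at the top of the function and use the clamped value for every access. The same applies to the base, limit and ar hunks, which keep `kvm_vmx_segment_fields[seg]` unchanged too.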
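Review bot: with the vmx_read_guest_seg_ar() hunk, the identical three lines (ARRAY_SIZE, array_index_nospec, pointer into seg[index]) now appear verbatim in four adjacent functions; a small helper that returns the clamped index (or the seg entry pointer) would keep the mitigation in one place and make a future omission harder. Also, no hunk touches the includes, so please confirm vmx.c already pulls in linux/nospec.h for array_index_nospec().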
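Added example, not code from this patch or from the kernel tree: a userspace C model of the clamp the four hunks apply, so its behaviour on in-range and out-of-range segment numbers can be run and checked. The mask function copies the generic C fallback from the kernel's include/linux/nospec.h (x86 uses an asm version); the segment cache layout, the segment enum and the selector values are constructed stand-ins.

```c
/* Added example, not from the patch or the kernel tree: a userspace model of
 * the clamp the hunks apply. array_index_mask_nospec() is the generic C
 * fallback from include/linux/nospec.h; the segment cache is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Branchless: ~0UL when index < size, 0 otherwise. With no conditional
 * jump there is nothing for the CPU to mispredict and speculate past. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* Same shape as the kernel macro: an out-of-range index becomes 0. */
#define array_index_nospec(index, size) \
    ((index) & array_index_mask_nospec((index), (size)))

/* Constructed stand-in for vmx->segment_cache.seg[]: one slot per segment
 * register, indexed by the caller-supplied segment number. */
enum { SEG_ES, SEG_CS, SEG_SS, SEG_DS, SEG_FS, SEG_GS, SEG_TR, SEG_LDTR, NR_SEGS };
struct seg_cache_entry { uint16_t selector; unsigned long base; uint32_t limit, ar; };
struct seg_cache { struct seg_cache_entry seg[NR_SEGS]; };

/* The clamp, done once before the array is dereferenced, as in the hunks. */
static size_t clamp_seg(unsigned seg)
{
    return array_index_nospec((size_t)seg, (size_t)NR_SEGS);
}

/* Hardened reader: only the clamped index ever reaches the array. */
static uint16_t read_seg_selector(const struct seg_cache *c, unsigned seg)
{
    return c->seg[clamp_seg(seg)].selector;
}

/* Constructed contents: selector 0x10 for ES, 0x20 for CS, and so on. */
static void init_cache(struct seg_cache *c)
{
    for (unsigned i = 0; i < NR_SEGS; i++)
        c->seg[i].selector = (uint16_t)(0x10 * (i + 1));
}

int main(void)
{
    struct seg_cache c;
    init_cache(&c);
    printf("CS  -> index %zu, selector 0x%x\n", clamp_seg(SEG_CS), read_seg_selector(&c, SEG_CS));
    printf("999 -> index %zu, selector 0x%x (clamped to slot 0)\n", clamp_seg(999), read_seg_selector(&c, 999));
    return 0;
}
```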