Date: Wed, 11 Dec 2019 12:47:46 -0800
In-Reply-To: <20191211204753.242298-1-pomonis@google.com>
Message-Id: <20191211204753.242298-7-pomonis@google.com>
References: <20191211204753.242298-1-pomonis@google.com>
Subject: [PATCH v2 06/13] KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
From: Marios Pomonis
To: Paolo Bonzini, rkrcmar@redhat.com, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Nick Finco, Andrew Honig, Marios Pomonis, stable@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write().
This function contains index computations based on the
(attacker-controlled) MSR number.

Fixes: commit 0105d1a52640 ("KVM: x2apic interface to lapic")

Signed-off-by: Nick Finco
Signed-off-by: Marios Pomonis
Reviewed-by: Andrew Honig
Cc: stable@vger.kernel.org

--- arch/x86/kvm/lapic.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index cf9177b4a07f..3323115f52d5 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c
@@ -1963,15 +1963,20 @@ int kvm_lapic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val) case APIC_LVTTHMR: case APIC_LVTPC: case APIC_LVT1: - case APIC_LVTERR: + case APIC_LVTERR: { /* TODO: Check vector */ + size_t size; + u32 index; + if (!kvm_apic_sw_enabled(apic)) val |= APIC_LVT_MASKED; - - val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4]; + size = ARRAY_SIZE(apic_lvt_mask); + index = array_index_nospec( + (reg - APIC_LVTT) >> 4, size); + val &= apic_lvt_mask[index]; kvm_lapic_set_reg(apic, reg, val); - break; + } case APIC_LVTT: if (!kvm_apic_sw_enabled(apic)) -- 2.24.0.525.g8f36a354ae-goog
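
Review bot: In the new braced body of the APIC_LVTERR case, the `size` local is assigned once and read once, so ARRAY_SIZE(apic_lvt_mask) could be passed directly as the second argument of array_index_nospec(), which removes one declaration and the awkward break right after the opening parenthesis of the call. A one-line comment above the clamp would also help future readers: the case labels already bound `reg` architecturally, so the clamp exists only to keep a mispredicted branch into this body from indexing apic_lvt_mask[] out of range with a guest-chosen register offset. Separately, the diffstat shows all 9 insertions landing in this hunk, so no `#include <linux/nospec.h>` is added by this patch; please confirm lapic.c already has it (directly, or from an earlier patch in the series), since array_index_nospec() is declared there.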