Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3701330ybv; Mon, 10 Feb 2020 04:59:46 -0800 (PST) X-Google-Smtp-Source: APXvYqxmD8815W7My00cZ+cezhPEe0EPr5NOe18FqSDJwJBUBRt0TVPMDqCv0UuWojMV1RI8Whtq X-Received: by 2002:a9d:64ca:: with SMTP id n10mr943354otl.325.1581339585883; Mon, 10 Feb 2020 04:59:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581339585; cv=none; d=google.com; s=arc-20160816; b=0UoAl9WOaTtY+bkMqCbNf+E5o6L6wYzIlU3XQlzMv93pcDzi3l38aQO3xNduUjsWjP 0xjV1hGCcQRjnLXw7pqe456ZtY0jF+xmA+Y3ttx5NOB4T0NJzHYIxBkbPillZPPdC66L OHCn0odIAx1rK7ke0G3cQIwi0ZbEZpca34rPEwOPt8c1eWE2bP58gDlF1P+llDMV+iTt j6vdqjvvSsTDSrBBJwJNocv8VcdwuYLdVB1tmjFBMYW1FFMJ/QsLy1u2KVKZajfxBoCO m4R2BdAEOBFO2Neo+2PpqSgp/7bg+xsPuYqMCW1LQk8ZJcJAVnHaDS72ratJi86522vv oqBQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=cdRYrj1qRPPWBxPCuIsVMK6zztzWy89leozbwOZhFwU=; b=XeFBUWI/KZMsMjXVkD/ikItGDiMihCWy4NmCB9eB9TNYkGHa1MbK+aAVIVxMS0Z7vO DxMRWCjbW1XxT89fi6s8EDGCU+IRYOeGUtet6ZtE0UY2cGoAzX6pM8YVAu1JScD9dzbb rZAvOfq/afA7jxzV3QeX/0gyteEtTU0CSHjgiZ8JUj8i80i+63XuwLHEZu2O0rSJckqv cS7/X+UiZhd4MwoxYGBeItBYWY/bKUK5+FxXN1A5RHt5rVZzn9yidsISbnnt0uGM8EK5 eam2ooxouz7H6ut0oYORuMZ9qVmyvY7O1ul+DTxswCG0rY4XC4dXE5MICVItHzqc73AM TTAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=N9umN6ac; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f14si163405oto.46.2020.02.10.04.59.33; Mon, 10 Feb 2020 04:59:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=N9umN6ac; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730345AbgBJM7W (ORCPT + 99 others); Mon, 10 Feb 2020 07:59:22 -0500 Received: from mail.kernel.org ([198.145.29.99]:42856 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729614AbgBJMlL (ORCPT ); Mon, 10 Feb 2020 07:41:11 -0500 Received: from localhost (unknown [209.37.97.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CB3AC2051A; Mon, 10 Feb 2020 12:41:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581338470; bh=A/2U5VX3ZwwTAy8Oy69vmzKMOlRkiaXXOgPpFnlDUzc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=N9umN6acj3jFz+7M0WpyL+uB3PoV5nuqUuyMmzcv0l8FGs8P3GdiIWT46+iOg5uQR wfbokN1BNXZz7KD9AFYXXs5/B8EIj86stImg8e4VzzwiI7vYhwupskRcA6IIH4ZztN K1JN9O9KF4+1a2W9QG884wbbtB4FFNtj5MRnASEk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nick Finco , Marios Pomonis , Andrew Honig , Jim Mattson , Paolo Bonzini Subject: [PATCH 5.5 235/367] KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks Date: Mon, 10 Feb 2020 04:32:28 -0800 Message-Id: <20200210122445.883199754@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200210122423.695146547@linuxfoundation.org> References: <20200210122423.695146547@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marios Pomonis commit 8c86405f606ca8508b8d9280680166ca26723695 upstream. This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect(). This function contains index computations based on the (attacker-controlled) IOREGSEL register. Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)") Signed-off-by: Nick Finco Signed-off-by: Marios Pomonis Reviewed-by: Andrew Honig Cc: stable@vger.kernel.org Reviewed-by: Jim Mattson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/ioapic.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) --- a/arch/x86/kvm/ioapic.c +++ b/arch/x86/kvm/ioapic.c @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -68,13 +69,14 @@ static unsigned long ioapic_read_indirec default: { u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; - u64 redir_content; + u64 redir_content = ~0ULL; - if (redir_index < IOAPIC_NUM_PINS) - redir_content = - ioapic->redirtbl[redir_index].bits; - else - redir_content = ~0ULL; + if (redir_index < IOAPIC_NUM_PINS) { + u32 index = array_index_nospec( + redir_index, IOAPIC_NUM_PINS); + + redir_content = ioapic->redirtbl[index].bits; + } result = (ioapic->ioregsel & 0x1) ? (redir_content >> 32) & 0xffffffff :