Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp709646ybv; Thu, 13 Feb 2020 08:08:27 -0800 (PST) X-Google-Smtp-Source: APXvYqyr0oIGwy5B1an3Bt7b/bejrsyiuBc6IWFtSmI/4PQfYZnKKxjBnrYTSmqosq2/i+FTX66t X-Received: by 2002:a9d:f45:: with SMTP id 63mr14447026ott.0.1581610106945; Thu, 13 Feb 2020 08:08:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581610106; cv=none; d=google.com; s=arc-20160816; b=VKaWgqxZ5A1u6oEvJu3n5L/R9liEvpGo1rytFJCjfRZzHlVbV0p1lMdsnl1hxV0agC BQkxFmp4tQapPxV+ojZFDMcDTaliNgGSeabMoG3n3m5t/42RckZTwa1MA3HhBSLuM5bE sYh9JkA1wt1/MX+6J040YdIfDsl5FDwfCOfgnbtsvy8P+pWM8kkXQWQVpcvOkys47UaM eFZ32c+JvFI3SiwgWOGmHo0uGWD7BHetdww0Demr37o5ZYqiB+1y6oCCQ6iWUzz2wCNI SKuAQ5AACsy5k2CbpeFa94+Asp8aqxWJU2mVwzPfZOhbEcBwx4vbEuOEp7KE8egkeblO zImg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=suX/0F90/EQGayb1TpQPj+rj3XOunIktueHfFyGEUT4=; b=vGQ9Xi2PLgPcYxH2rvvBuF+d1xuKQRNyZJkN5S26DwfmtNsSbLseVNaEYu0uYDfB8a PrruWD6GByb42xB4j3MsZB+EvyY31fXaaNjqJQ94lXvYCfc3KJoeAjXXf2J/R6YP86mT +oj0Cs7kxCiIuKij19bEwEfv6IK1TSrdk9qFbNPi6tCckiU0NlpgpqrfaWUjsWfQag8Z PpN0dLIJLVHdteodbHMCQcroBK/bUMkidAxtSJx9wNujtbMf6EJ/gMJW3iB5lGJp73Ty EkyxvN1JqAVvkAfMTt6Re+BwLYzko70NqxUcFwA6RIJeaV4HgTYis1QIIAvvMO5Z4Y/p p5hw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=hCZ1YPcC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 10si1293043ois.76.2020.02.13.08.08.12; Thu, 13 Feb 2020 08:08:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=hCZ1YPcC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730365AbgBMQGK (ORCPT + 99 others); Thu, 13 Feb 2020 11:06:10 -0500 Received: from mail.kernel.org ([198.145.29.99]:35458 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728446AbgBMPXm (ORCPT ); Thu, 13 Feb 2020 10:23:42 -0500 Received: from localhost (unknown [104.132.1.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id EEF56246AD; Thu, 13 Feb 2020 15:23:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581607422; bh=wp6DlfLy2ZTgy4xURGFu8rOf9ZQEUYuUErnKGeDGjD0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hCZ1YPcC0v7IoHBBhNoa5DdO5iaSJHLqz3aP0Lf8N0L5m/BxKxaO8NdCDPT9jkjV8 216IZINxFm78FJhemzMe1wf6dh0LbQMJrzMnsuOvEfy+UZKJbnPEja7bQbigmSuRvj 7oBgj6q89SOULAeYP2rbJonbWrl+19JU5CZ3TXic= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nick Finco , Marios Pomonis , Andrew Honig , Jim Mattson , Paolo Bonzini Subject: [PATCH 4.9 050/116] KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks Date: Thu, 13 Feb 2020 07:19:54 -0800 Message-Id: <20200213151902.169820776@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200213151842.259660170@linuxfoundation.org> References: <20200213151842.259660170@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marios Pomonis commit 8c86405f606ca8508b8d9280680166ca26723695 upstream. This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect(). This function contains index computations based on the (attacker-controlled) IOREGSEL register. Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)") Signed-off-by: Nick Finco Signed-off-by: Marios Pomonis Reviewed-by: Andrew Honig Cc: stable@vger.kernel.org Reviewed-by: Jim Mattson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/ioapic.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) --- a/arch/x86/kvm/ioapic.c +++ b/arch/x86/kvm/ioapic.c @@ -74,13 +74,14 @@ static unsigned long ioapic_read_indirec default: { u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; - u64 redir_content; + u64 redir_content = ~0ULL; - if (redir_index < IOAPIC_NUM_PINS) - redir_content = - ioapic->redirtbl[redir_index].bits; - else - redir_content = ~0ULL; + if (redir_index < IOAPIC_NUM_PINS) { + u32 index = array_index_nospec( + redir_index, IOAPIC_NUM_PINS); + + redir_content = ioapic->redirtbl[index].bits; + } result = (ioapic->ioregsel & 0x1) ? (redir_content >> 32) & 0xffffffff :