Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2639689pxj;
        Mon, 14 Jun 2021 03:45:48 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz+KBw4v7uvqa1UQQEy+6SS7KL8yFOanB4TnaVQuPsGP4HxSwUawFVyEq0oSjmIeoMGit49
X-Received: by 2002:a17:906:b0c8:: with SMTP id bk8mr14844354ejb.412.1623667548280;
        Mon, 14 Jun 2021 03:45:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623667548; cv=none;
        d=google.com; s=arc-20160816;
        b=mNI5S/7Q4eM2C/CWGrDzyN6vke0MSSQNfUdgdvu63iVHgqjj3UbM7TckLeX2WHHPG1
         8b+ARekILJdjd9pz4/M+SJQwhBAA0XclpFki+semBpHSl2sn7nNHnppVqC+QYFZ8ELk+
         eUeEkO7iZsuFRmGjitplBpT5S0F6iUPEZlQ6WQP8ImFr1zzxZcRulLmiD3JhCctZP860
         d0j7CKphcOCRpUOPpiuImKYzrfUDDKRTfVOShy/0OTXO5pioksLq8GH1JaDfJwDetBBH
         1l1h4XXzErTRguabqmVl5mS8H/B8L2MwxSDzWuVO0uv67TB0TbfKCGfbZf9jfezlGccL
         /uzg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=BD8lMVHWDGCMRNdS5XH/6rgJLk09IDHx6GBJBailMNQ=;
        b=Txfz7NAxFH425svaN7jdQxmbagagMAUZh0e2b5/9v0lo2sL7OptIF/ji6ObmlWc639
         L4YwTVyShtfa7xm/5TtTzta1/vzNT4U6aMZp960h2yZIuse10itK0SEvG5R+EUWklNOw
         dqOMUs4eeSGFMd+k/fJU/05z1H8egJlIaqgwaJDQrqvX5s/IRKRVTC5UURxovIj9GU3d
         63pjLaOYc1R5+w4ycq7qnXrBgNN46RswUGJhgZYzNoYGsf3xRmLZRZP3oPea22ltqNxX
         /hEwlShQB08Hrx24Co1ANEac9jvptLa3hEATnHe7pDxK8j7sG5uqZuPHRxs6MoL2X3qu
         LMHQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ZN7DFtaf;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id l7si4587377edk.216.2021.06.14.03.45.26;
        Mon, 14 Jun 2021 03:45:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ZN7DFtaf;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233344AbhFNKqG (ORCPT <rfc822;ly15351151@gmail.com> + 99 others);
        Mon, 14 Jun 2021 06:46:06 -0400
Received: from mail.kernel.org ([198.145.29.99]:46840 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S233964AbhFNKjV (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Jun 2021 06:39:21 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id E2925613DE;
        Mon, 14 Jun 2021 10:34:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1623666848;
        bh=IzP+zjdyfA44WrSx2mr8hcZVCnLv+rDj6ZWbVWdx618=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=ZN7DFtafis4OzULG7XDI7bC3TPTa31OGzsEHOUJ/+nnQUTBolenr+l/yAZHX0xvhu
         SfrbiG1mXu1jQPHeUHW4GXiOpWuoUG+YkzJgj1DO4fslwcRtxHl50+DAeMfeH3NVet
         RBADZVsus2MOpzri8gtHi6RT1m3bazwWvx5JU6Dw=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Artemiy Margaritov <artemiy.margaritov@gmail.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 4.14 23/49] kvm: avoid speculation-based attacks from out-of-range memslot accesses
Date:   Mon, 14 Jun 2021 12:27:16 +0200
Message-Id: <20210614102642.628329913@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210614102641.857724541@linuxfoundation.org>
References: <20210614102641.857724541@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Paolo Bonzini <pbonzini@redhat.com>

commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream.

KVM's mechanism for accessing guest memory translates a guest physical
address (gpa) to a host virtual address using the right-shifted gpa
(also known as gfn) and a struct kvm_memory_slot.  The translation is
performed in __gfn_to_hva_memslot using the following formula:

      hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE

It is expected that gfn falls within the boundaries of the guest's
physical memory.  However, a guest can access invalid physical addresses
in such a way that the gfn is invalid.

__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
retrieves a memslot through __gfn_to_memslot.  While __gfn_to_memslot
does check that the gfn falls within the boundaries of the guest's
physical memory or not, a CPU can speculate the result of the check and
continue execution speculatively using an illegal gfn. The speculation
can result in calculating an out-of-bounds hva.  If the resulting host
virtual address is used to load another guest physical address, this
is effectively a Spectre gadget consisting of two consecutive reads,
the second of which is data dependent on the first.

Right now it's not clear if there are any cases in which this is
exploitable.  One interesting case was reported by the original author
of this patch, and involves visiting guest page tables on x86.  Right
now these are not vulnerable because the hva read goes through get_user(),
which contains an LFENCE speculation barrier.  However, there are
patches in progress for x86 uaccess.h to mask kernel addresses instead of
using LFENCE; once these land, a guest could use speculation to read
from the VMM's ring 3 address space.  Other architectures such as ARM
already use the address masking method, and would be susceptible to
this same kind of data-dependent access gadgets.  Therefore, this patch
proactively protects from these attacks by masking out-of-bounds gfns
in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.

Sean Christopherson noted that this patch does not cover
kvm_read_guest_offset_cached.  This however is limited to a few bytes
past the end of the cache, and therefore it is unlikely to be useful in
the context of building a chain of data dependent accesses.

Reported-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Co-developed-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/kvm_host.h |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -963,7 +963,15 @@ __gfn_to_memslot(struct kvm_memslots *sl
 static inline unsigned long
 __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
 {
-	return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
+	/*
+	 * The index was checked originally in search_memslots.  To avoid
+	 * that a malicious guest builds a Spectre gadget out of e.g. page
+	 * table walks, do not let the processor speculate loads outside
+	 * the guest's registered memslots.
+	 */
+	unsigned long offset = array_index_nospec(gfn - slot->base_gfn,
+						  slot->npages);
+	return slot->userspace_addr + offset * PAGE_SIZE;
 }
 
 static inline int memslot_id(struct kvm *kvm, gfn_t gfn)