Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2642536pxj;
        Mon, 14 Jun 2021 03:50:44 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxlR5y0u0309b/M0cYa+J4nCtmKxtJ4oVKhOHZ6/k+xIUlhXJw0O1v6NO82FVVAzdVCHT0T
X-Received: by 2002:a05:6402:31a8:: with SMTP id dj8mr16154782edb.296.1623667844331;
        Mon, 14 Jun 2021 03:50:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623667844; cv=none;
        d=google.com; s=arc-20160816;
        b=doca27lxM9R+lCOg2hPzWF0zWkYs8hG+lRqtwtDoAfFEmrf2iFqOeknivvMubKGQZL
         8N5aPfbvFGv4MJgD3F2Njsx3LEpebf77WnuXsNBx0igew6CmtWhHvPv0Oo8Zz0w1Wlto
         3x6B6QCLxN+ClcKggfK7iJwflX4FHhSKKj9TpaqoMLXym1ujjeIprX1fK5oAi6k8mqUZ
         ldzsxonvVNCgerx7MciCTXEnm6iZ3CxwdqAYCkh8vX0QR6/zIFuI1bQxRE6SGQ7VIDUp
         0LR7tT715pQ4WQKlCDdzpWRLB7yMWXtLMnp7igr4lE92zK5nN5ga6e0010TwtjvRUfay
         7+eg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=4PzXH2gQWZ13wlb3lnC5sk6jtldxSBLxyJ7iI4R17Jw=;
        b=NdYP2QovDZ5DiHIMRLIow/yjhXvOtmrv/WWzBlJN2+2Ms9L94Ce0Itdj8AuYuR/a+V
         5YHdyHwUA+3RPUcMAnxlNzuXL65X9xsLyM/RIjkAUNUSc2CYIg1mP/dJGTCCtkxRrXJd
         jRLtiB1JWkJNH1ixf7XCMphzgs/i01OuRppKyQGNIlnrTfUJAb9E9PAbP6lUXw7At/98
         bYGOAkZEreMX9kHWM9a7I41IEGdJGn6Un+foLoA3XTsP3eZCuUsp0ByfgJ4n79tfrkWB
         XH7f8qJhu6yvLlebMqSl13UjIToEvnIIikU1MkMje+yripHfikIUnAe5h7MLLpBmDTLJ
         J2uQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="AM4XYqT/";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j7si11263693ejc.247.2021.06.14.03.50.22;
        Mon, 14 Jun 2021 03:50:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="AM4XYqT/";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233863AbhFNKsu (ORCPT <rfc822;ly15351151@gmail.com> + 99 others);
        Mon, 14 Jun 2021 06:48:50 -0400
Received: from mail.kernel.org ([198.145.29.99]:47204 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S233891AbhFNKmG (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Jun 2021 06:42:06 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 382526142B;
        Mon, 14 Jun 2021 10:35:29 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1623666929;
        bh=WLp2408oOE4R09RHywTUu0/w1wZ9qGrx6yoM5nU4CUY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=AM4XYqT/WwPWuy+dN2PnNA8yT9Xs0/5l7S5wImRyZ2cqCm6HcOMC9bo1Y6fQmSJBA
         ZqZeJXLiCE38hc6VaMAr+QCb5EbqakH1JxnnIPQbhjEE+jYCvsoeZiVmPr0NIDzbnu
         DwOFO1evq5pVH0P+rmfmK5i0Cyp3/l3NsUtYakYg=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Artemiy Margaritov <artemiy.margaritov@gmail.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 4.19 31/67] kvm: avoid speculation-based attacks from out-of-range memslot accesses
Date:   Mon, 14 Jun 2021 12:27:14 +0200
Message-Id: <20210614102644.818014959@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210614102643.797691914@linuxfoundation.org>
References: <20210614102643.797691914@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Paolo Bonzini <pbonzini@redhat.com>

commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream.

KVM's mechanism for accessing guest memory translates a guest physical
address (gpa) to a host virtual address using the right-shifted gpa
(also known as gfn) and a struct kvm_memory_slot.  The translation is
performed in __gfn_to_hva_memslot using the following formula:

      hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE

It is expected that gfn falls within the boundaries of the guest's
physical memory.  However, a guest can access invalid physical addresses
in such a way that the gfn is invalid.

__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
retrieves a memslot through __gfn_to_memslot.  While __gfn_to_memslot
does check that the gfn falls within the boundaries of the guest's
physical memory or not, a CPU can speculate the result of the check and
continue execution speculatively using an illegal gfn. The speculation
can result in calculating an out-of-bounds hva.  If the resulting host
virtual address is used to load another guest physical address, this
is effectively a Spectre gadget consisting of two consecutive reads,
the second of which is data dependent on the first.

Right now it's not clear if there are any cases in which this is
exploitable.  One interesting case was reported by the original author
of this patch, and involves visiting guest page tables on x86.  Right
now these are not vulnerable because the hva read goes through get_user(),
which contains an LFENCE speculation barrier.  However, there are
patches in progress for x86 uaccess.h to mask kernel addresses instead of
using LFENCE; once these land, a guest could use speculation to read
from the VMM's ring 3 address space.  Other architectures such as ARM
already use the address masking method, and would be susceptible to
this same kind of data-dependent access gadgets.  Therefore, this patch
proactively protects from these attacks by masking out-of-bounds gfns
in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.

Sean Christopherson noted that this patch does not cover
kvm_read_guest_offset_cached.  This however is limited to a few bytes
past the end of the cache, and therefore it is unlikely to be useful in
the context of building a chain of data dependent accesses.

Reported-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Co-developed-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/kvm_host.h |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1017,7 +1017,15 @@ __gfn_to_memslot(struct kvm_memslots *sl
 static inline unsigned long
 __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
 {
-	return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
+	/*
+	 * The index was checked originally in search_memslots.  To avoid
+	 * that a malicious guest builds a Spectre gadget out of e.g. page
+	 * table walks, do not let the processor speculate loads outside
+	 * the guest's registered memslots.
+	 */
+	unsigned long offset = array_index_nospec(gfn - slot->base_gfn,
+						  slot->npages);
+	return slot->userspace_addr + offset * PAGE_SIZE;
 }
 
 static inline int memslot_id(struct kvm *kvm, gfn_t gfn)