[PATCH v2 10/13] KVM: x86: Protect memory accesses from Spectre-v1/L1TF attacks in x86.c
This fixes Spectre-v1/L1TF vulnerabilities in vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(), vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). These functions contain index computations based on the (attacker-influenced) segment value.
Fixes: commit 2fb92db1ec08 ("KVM: VMX: Cache vmcs segment fields")
Signed-off-by: Nick Finco nifi@google.com Signed-off-by: Marios Pomonis pomonis@google.com Reviewed-by: Andrew Honig ahonig@google.com Cc: stable@vger.kernel.org --- arch/x86/kvm/vmx/vmx.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index d39475e2d44e..82b25f1812aa 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -753,7 +753,9 @@ static bool vmx_segment_cache_test_set(struct vcpu_vmx *vmx, unsigned seg,
static u16 vmx_read_guest_seg_selector(struct vcpu_vmx *vmx, unsigned seg) { - u16 *p = &vmx->segment_cache.seg[seg].selector; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + u16 *p = &vmx->segment_cache.seg[index].selector;
if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_SEL)) *p = vmcs_read16(kvm_vmx_segment_fields[seg].selector); @@ -762,7 +764,9 @@ static u16 vmx_read_guest_seg_selector(struct vcpu_vmx *vmx, unsigned seg)
static ulong vmx_read_guest_seg_base(struct vcpu_vmx *vmx, unsigned seg) { - ulong *p = &vmx->segment_cache.seg[seg].base; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + ulong *p = &vmx->segment_cache.seg[index].base;
if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_BASE)) *p = vmcs_readl(kvm_vmx_segment_fields[seg].base); @@ -771,7 +775,9 @@ static ulong vmx_read_guest_seg_base(struct vcpu_vmx *vmx, unsigned seg)
static u32 vmx_read_guest_seg_limit(struct vcpu_vmx *vmx, unsigned seg) { - u32 *p = &vmx->segment_cache.seg[seg].limit; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + u32 *p = &vmx->segment_cache.seg[index].limit;
if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_LIMIT)) *p = vmcs_read32(kvm_vmx_segment_fields[seg].limit); @@ -780,7 +786,9 @@ static u32 vmx_read_guest_seg_limit(struct vcpu_vmx *vmx, unsigned seg)
static u32 vmx_read_guest_seg_ar(struct vcpu_vmx *vmx, unsigned seg) { - u32 *p = &vmx->segment_cache.seg[seg].ar; + size_t size = ARRAY_SIZE(vmx->segment_cache.seg); + size_t index = array_index_nospec(seg, size); + u32 *p = &vmx->segment_cache.seg[index].ar;
if (!vmx_segment_cache_test_set(vmx, seg, SEG_FIELD_AR)) *p = vmcs_read32(kvm_vmx_segment_fields[seg].ar_bytes);
On Wed, Dec 11, 2019 at 12:49 PM Marios Pomonis pomonis@google.com wrote:
This fixes Spectre-v1/L1TF vulnerabilities in vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(), vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). These functions contain index computations based on the (attacker-influenced) segment value.
Fixes: commit 2fb92db1ec08 ("KVM: VMX: Cache vmcs segment fields")
Signed-off-by: Nick Finco nifi@google.com Signed-off-by: Marios Pomonis pomonis@google.com Reviewed-by: Andrew Honig ahonig@google.com Cc: stable@vger.kernel.org
Reviewed-by: Jim Mattson jmattson@google.com
On 11/12/19 21:47, Marios Pomonis wrote:
This fixes Spectre-v1/L1TF vulnerabilities in vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(), vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). These functions contain index computations based on the (attacker-influenced) segment value.
Fixes: commit 2fb92db1ec08 ("KVM: VMX: Cache vmcs segment fields")
I think we could instead do
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 2d4faefe8dd4..20c0cbdff1be 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -5195,16 +5195,28 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len) ctxt->ad_bytes = def_ad_bytes ^ 6; break; case 0x26: /* ES override */ + has_seg_override = true; + ctxt->seg_override = VCPU_SREG_ES; + break; case 0x2e: /* CS override */ + has_seg_override = true; + ctxt->seg_override = VCPU_SREG_CS; + break; case 0x36: /* SS override */ + has_seg_override = true; + ctxt->seg_override = VCPU_SREG_SS; + break; case 0x3e: /* DS override */ has_seg_override = true; - ctxt->seg_override = (ctxt->b >> 3) & 3; + ctxt->seg_override = VCPU_SREG_DS; break; case 0x64: /* FS override */ + has_seg_override = true; + ctxt->seg_override = VCPU_SREG_FS; + break; case 0x65: /* GS override */ has_seg_override = true; - ctxt->seg_override = ctxt->b & 7; + ctxt->seg_override = VCPU_SREG_GS; break; case 0x40 ... 0x4f: /* REX */ if (mode != X86EMUL_MODE_PROT64)
so that the segment is never calculated.
Paolo
linux-stable-mirror@lists.linaro.org
-
Jim Mattson -
Marios Pomonis -
Paolo Bonzini