| From: Marios Pomonis <pomonis@google.com> |
| Date: Wed, 11 Dec 2019 12:47:44 -0800 |
| Subject: KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks |
| |
| commit 8c86405f606ca8508b8d9280680166ca26723695 upstream. |
| |
| This fixes a Spectre-v1/L1TF vulnerability in ioapic_read_indirect(). |
| This function contains index computations based on the |
| (attacker-controlled) IOREGSEL register. |
| |
| Fixes: a2c118bfab8b ("KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798)") |
| |
| Signed-off-by: Nick Finco <nifi@google.com> |
| Signed-off-by: Marios Pomonis <pomonis@google.com> |
| Reviewed-by: Andrew Honig <ahonig@google.com> |
| Reviewed-by: Jim Mattson <jmattson@google.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| [bwh: Backported to 3.16: adjust filename] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| virt/kvm/ioapic.c | 14 ++++++++------ |
| 1 file changed, 8 insertions(+), 6 deletions(-) |
| |
| --- a/virt/kvm/ioapic.c |
| +++ b/virt/kvm/ioapic.c |
| @@ -36,6 +36,7 @@ |
| #include <linux/io.h> |
| #include <linux/slab.h> |
| #include <linux/export.h> |
| +#include <linux/nospec.h> |
| #include <asm/processor.h> |
| #include <asm/page.h> |
| #include <asm/current.h> |
| @@ -73,13 +74,14 @@ static unsigned long ioapic_read_indirec |
| default: |
| { |
| u32 redir_index = (ioapic->ioregsel - 0x10) >> 1; |
| - u64 redir_content; |
| + u64 redir_content = ~0ULL; |
| |
| - if (redir_index < IOAPIC_NUM_PINS) |
| - redir_content = |
| - ioapic->redirtbl[redir_index].bits; |
| - else |
| - redir_content = ~0ULL; |
| + if (redir_index < IOAPIC_NUM_PINS) { |
| + u32 index = array_index_nospec( |
| + redir_index, IOAPIC_NUM_PINS); |
| + |
| + redir_content = ioapic->redirtbl[index].bits; |
| + } |
| |
| result = (ioapic->ioregsel & 0x1) ? |
| (redir_content >> 32) & 0xffffffff : |
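Review bot: The `array_index_nospec(redir_index, IOAPIC_NUM_PINS)` call inside the `if (redir_index < IOAPIC_NUM_PINS)` block has no comment, and on its own it reads like a duplicate of the bounds check directly above it, which invites a later cleanup to drop it. A short comment above the clamp would record the reason, for example `/* ioregsel is attacker-controlled: clamp the index so a mispredicted bounds check cannot read past redirtbl[] speculatively */`. Architectural behaviour is unchanged, since out-of-range selectors still yield `~0ULL` through the new initialiser, so such a comment would be the only place in the source where the speculative-execution intent is visible. The enclosing function `ioapic_read_indirect()` starts and ends outside this hunk, so any other `ioregsel`-derived indexing in the file cannot be checked from here.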