| From 85a41b7b667d6b79da0f9c0a9023b55a0d27a9e0 Mon Sep 17 00:00:00 2001 |
| From: Marios Pomonis <pomonis@google.com> |
| Date: Wed, 11 Dec 2019 12:47:50 -0800 |
| Subject: [PATCH] KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF |
| attacks |
| |
| commit 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 upstream. |
| |
| This fixes Spectre-v1/L1TF vulnerabilities in |
| vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(), |
| vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). When |
| invoked from emulation, these functions contain index computations |
| based on the (attacker-influenced) segment value. Using constants |
| prevents the attack. |
| |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c |
| index 2fe9912aeed7..a71c2db5180e 100644 |
| --- a/arch/x86/kvm/emulate.c |
| +++ b/arch/x86/kvm/emulate.c |
| @@ -5173,16 +5173,28 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len) |
| ctxt->ad_bytes = def_ad_bytes ^ 6; |
| break; |
| case 0x26: /* ES override */ |
| + has_seg_override = true; |
| + ctxt->seg_override = VCPU_SREG_ES; |
| + break; |
| case 0x2e: /* CS override */ |
| + has_seg_override = true; |
| + ctxt->seg_override = VCPU_SREG_CS; |
| + break; |
| case 0x36: /* SS override */ |
| + has_seg_override = true; |
| + ctxt->seg_override = VCPU_SREG_SS; |
| + break; |
| case 0x3e: /* DS override */ |
| has_seg_override = true; |
| - ctxt->seg_override = (ctxt->b >> 3) & 3; |
| + ctxt->seg_override = VCPU_SREG_DS; |
| break; |
| case 0x64: /* FS override */ |
| + has_seg_override = true; |
| + ctxt->seg_override = VCPU_SREG_FS; |
| + break; |
| case 0x65: /* GS override */ |
| has_seg_override = true; |
| - ctxt->seg_override = ctxt->b & 7; |
| + ctxt->seg_override = VCPU_SREG_GS; |
| break; |
| case 0x40 ... 0x4f: /* REX */ |
| if (mode != X86EMUL_MODE_PROT64) |
| -- |
| 2.7.4 |
| |