| From 56c62b2fa8923ecaac40ed48142f0bd071ab267d Mon Sep 17 00:00:00 2001 |
| From: Marios Pomonis <pomonis@google.com> |
| Date: Wed, 11 Dec 2019 12:47:45 -0800 |
| Subject: [PATCH] KVM: x86: Protect ioapic_write_indirect() from |
| Spectre-v1/L1TF attacks |
| |
| commit 670564559ca35b439c8d8861fc399451ddf95137 upstream. |
| |
| This fixes a Spectre-v1/L1TF vulnerability in ioapic_write_indirect(). |
| This function contains index computations based on the |
| (attacker-controlled) IOREGSEL register. |
| |
| This patch depends on patch |
| "KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks". |
| |
| Fixes: 70f93dae32ac ("KVM: Use temporary variable to shorten lines.") |
| |
| Signed-off-by: Nick Finco <nifi@google.com> |
| Signed-off-by: Marios Pomonis <pomonis@google.com> |
| Reviewed-by: Andrew Honig <ahonig@google.com> |
| Cc: stable@vger.kernel.org |
| Reviewed-by: Jim Mattson <jmattson@google.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c |
| index 1add1bc881e2..9f0698b0092f 100644 |
| --- a/arch/x86/kvm/ioapic.c |
| +++ b/arch/x86/kvm/ioapic.c |
| @@ -297,6 +297,7 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val) |
| ioapic_debug("change redir index %x val %x\n", index, val); |
| if (index >= IOAPIC_NUM_PINS) |
| return; |
| + index = array_index_nospec(index, IOAPIC_NUM_PINS); |
| e = &ioapic->redirtbl[index]; |
| mask_before = e->fields.mask; |
| /* Preserve read-only fields */ |
| -- |
| 2.7.4 |
| |
