| From ea740059ecb37807ba47b84b33d1447435a8d868 Mon Sep 17 00:00:00 2001 |
| From: Marios Pomonis <pomonis@google.com> |
| Date: Wed, 11 Dec 2019 12:47:52 -0800 |
| Subject: KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks |
| |
| From: Marios Pomonis <pomonis@google.com> |
| |
| commit ea740059ecb37807ba47b84b33d1447435a8d868 upstream. |
| |
| This fixes a Spectre-v1/L1TF vulnerability in __kvm_set_dr() and |
| kvm_get_dr(). |
| Both kvm_get_dr() and kvm_set_dr() (a wrapper of __kvm_set_dr()) are |
| exported symbols so KVM should tream them conservatively from a security |
| perspective. |
| |
| Fixes: 020df0794f57 ("KVM: move DR register access handling into generic code") |
| |
| Signed-off-by: Nick Finco <nifi@google.com> |
| Signed-off-by: Marios Pomonis <pomonis@google.com> |
| Reviewed-by: Andrew Honig <ahonig@google.com> |
| Cc: stable@vger.kernel.org |
| Reviewed-by: Jim Mattson <jmattson@google.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kvm/x86.c | 8 ++++++-- |
| 1 file changed, 6 insertions(+), 2 deletions(-) |
| |
| --- a/arch/x86/kvm/x86.c |
| +++ b/arch/x86/kvm/x86.c |
| @@ -961,9 +961,11 @@ static u64 kvm_dr6_fixed(struct kvm_vcpu |
| |
| static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val) |
| { |
| + size_t size = ARRAY_SIZE(vcpu->arch.db); |
| + |
| switch (dr) { |
| case 0 ... 3: |
| - vcpu->arch.db[dr] = val; |
| + vcpu->arch.db[array_index_nospec(dr, size)] = val; |
| if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)) |
| vcpu->arch.eff_db[dr] = val; |
| break; |
| @@ -1000,9 +1002,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr); |
| |
| int kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val) |
| { |
| + size_t size = ARRAY_SIZE(vcpu->arch.db); |
| + |
| switch (dr) { |
| case 0 ... 3: |
| - *val = vcpu->arch.db[dr]; |
| + *val = vcpu->arch.db[array_index_nospec(dr, size)]; |
| break; |
| case 4: |
| /* fall through */ |