releases/4.19.103/kvm-x86-protect-kvm_lapic_reg_write-from-spectre-v1-l1tf-attacks.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 4bf79cb089f6b1c6c632492c0271054ce52ad766 Mon Sep 17 00:00:00 2001
 From: Marios Pomonis <pomonis@google.com>
 Date: Wed, 11 Dec 2019 12:47:46 -0800
 Subject: KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks

 From: Marios Pomonis <pomonis@google.com>

 commit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream.

 This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write().
 This function contains index computations based on the
 (attacker-controlled) MSR number.

 Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic")

 Signed-off-by: Nick Finco <nifi@google.com>
 Signed-off-by: Marios Pomonis <pomonis@google.com>
 Reviewed-by: Andrew Honig <ahonig@google.com>
 Cc: stable@vger.kernel.org
 Reviewed-by: Jim Mattson <jmattson@google.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  arch/x86/kvm/lapic.c |   13 +++++++++----
  1 file changed, 9 insertions(+), 4 deletions(-)

 --- a/arch/x86/kvm/lapic.c
 +++ b/arch/x86/kvm/lapic.c
 @@ -1862,15 +1862,20 @@ int kvm_lapic_reg_write(struct kvm_lapic
  	case APIC_LVTTHMR:
  	case APIC_LVTPC:
  	case APIC_LVT1:
 -	case APIC_LVTERR:
 +	case APIC_LVTERR: {
  		/* TODO: Check vector */
 +		size_t size;
 +		u32 index;
 +
  		if (!kvm_apic_sw_enabled(apic))
  			val |= APIC_LVT_MASKED;
 -
 -		val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4];
 +		size = ARRAY_SIZE(apic_lvt_mask);
 +		index = array_index_nospec(
 +				(reg - APIC_LVTT) >> 4, size);
 +		val &= apic_lvt_mask[index];
  		kvm_lapic_set_reg(apic, reg, val);
 -
  		break;
 +	}

  	case APIC_LVTT:
  		if (!kvm_apic_sw_enabled(apic))
	From 4bf79cb089f6b1c6c632492c0271054ce52ad766 Mon Sep 17 00:00:00 2001
	From: Marios Pomonis <pomonis@google.com>
	Date: Wed, 11 Dec 2019 12:47:46 -0800
	Subject: KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks

	From: Marios Pomonis <pomonis@google.com>

	commit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream.

	This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write().
	This function contains index computations based on the
	(attacker-controlled) MSR number.

	Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic")

	Signed-off-by: Nick Finco <nifi@google.com>
	Signed-off-by: Marios Pomonis <pomonis@google.com>
	Reviewed-by: Andrew Honig <ahonig@google.com>
	Cc: stable@vger.kernel.org
	Reviewed-by: Jim Mattson <jmattson@google.com>
	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	arch/x86/kvm/lapic.c \| 13 +++++++++----
	1 file changed, 9 insertions(+), 4 deletions(-)

	--- a/arch/x86/kvm/lapic.c
	+++ b/arch/x86/kvm/lapic.c
	@@ -1862,15 +1862,20 @@ int kvm_lapic_reg_write(struct kvm_lapic
	case APIC_LVTTHMR:
	case APIC_LVTPC:
	case APIC_LVT1:
	- case APIC_LVTERR:
	+ case APIC_LVTERR: {
	/* TODO: Check vector */
	+ size_t size;
	+ u32 index;
	+
	if (!kvm_apic_sw_enabled(apic))
	val \|= APIC_LVT_MASKED;
	-
	- val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4];
	+ size = ARRAY_SIZE(apic_lvt_mask);
	+ index = array_index_nospec(
	+ (reg - APIC_LVTT) >> 4, size);
	+ val &= apic_lvt_mask[index];
	kvm_lapic_set_reg(apic, reg, val);
	-
	break;
	+ }

	case APIC_LVTT:
	if (!kvm_apic_sw_enabled(apic))