| From 4bf79cb089f6b1c6c632492c0271054ce52ad766 Mon Sep 17 00:00:00 2001 |
| From: Marios Pomonis <pomonis@google.com> |
| Date: Wed, 11 Dec 2019 12:47:46 -0800 |
| Subject: KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks |
| |
| From: Marios Pomonis <pomonis@google.com> |
| |
| commit 4bf79cb089f6b1c6c632492c0271054ce52ad766 upstream. |
| |
| This fixes a Spectre-v1/L1TF vulnerability in kvm_lapic_reg_write(). |
| This function contains index computations based on the |
| (attacker-controlled) MSR number. |
| |
| Fixes: 0105d1a52640 ("KVM: x2apic interface to lapic") |
| |
| Signed-off-by: Nick Finco <nifi@google.com> |
| Signed-off-by: Marios Pomonis <pomonis@google.com> |
| Reviewed-by: Andrew Honig <ahonig@google.com> |
| Cc: stable@vger.kernel.org |
| Reviewed-by: Jim Mattson <jmattson@google.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kvm/lapic.c | 13 +++++++++---- |
| 1 file changed, 9 insertions(+), 4 deletions(-) |
| |
| --- a/arch/x86/kvm/lapic.c |
| +++ b/arch/x86/kvm/lapic.c |
| @@ -1862,15 +1862,20 @@ int kvm_lapic_reg_write(struct kvm_lapic |
| case APIC_LVTTHMR: |
| case APIC_LVTPC: |
| case APIC_LVT1: |
| - case APIC_LVTERR: |
| + case APIC_LVTERR: { |
| /* TODO: Check vector */ |
| + size_t size; |
| + u32 index; |
| + |
| if (!kvm_apic_sw_enabled(apic)) |
| val |= APIC_LVT_MASKED; |
| - |
| - val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4]; |
| + size = ARRAY_SIZE(apic_lvt_mask); |
| + index = array_index_nospec( |
| + (reg - APIC_LVTT) >> 4, size); |
| + val &= apic_lvt_mask[index]; |
| kvm_lapic_set_reg(apic, reg, val); |
| - |
| break; |
| + } |
| |
| case APIC_LVTT: |
| if (!kvm_apic_sw_enabled(apic)) |
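Review bot: The `array_index_nospec()` clamp on the `apic_lvt_mask` index has no comment saying why it is there, and because the case labels already bound `reg` architecturally, a later cleanup could mistake it for dead code and remove it. I would add a comment above the `size = ARRAY_SIZE(apic_lvt_mask);` line, for example `/* reg derives from a guest-controlled MSR number; the case labels do not bound it under speculation, so clamp the index */`. The `size` local is used only once, so passing `ARRAY_SIZE(apic_lvt_mask)` directly to `array_index_nospec()` would keep the bound next to the array it protects. kvm_lapic_reg_write() starts before and continues after this hunk, so any other table lookups in the switch are not visible here.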