| From 25a5edea71b7c154b6a0b8cec14c711cafa31d26 Mon Sep 17 00:00:00 2001 |
| From: Marios Pomonis <pomonis@google.com> |
| Date: Wed, 11 Dec 2019 12:47:47 -0800 |
| Subject: KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks |
| |
| From: Marios Pomonis <pomonis@google.com> |
| |
| commit 25a5edea71b7c154b6a0b8cec14c711cafa31d26 upstream. |
| |
| This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit(). |
| This function contains index computations based on the |
| (attacker-controlled) MSR number. |
| |
| Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table") |
| |
| Signed-off-by: Nick Finco <nifi@google.com> |
| Signed-off-by: Marios Pomonis <pomonis@google.com> |
| Reviewed-by: Andrew Honig <ahonig@google.com> |
| Cc: stable@vger.kernel.org |
| Reviewed-by: Jim Mattson <jmattson@google.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kvm/mtrr.c | 8 ++++++-- |
| 1 file changed, 6 insertions(+), 2 deletions(-) |
| |
| --- a/arch/x86/kvm/mtrr.c |
| +++ b/arch/x86/kvm/mtrr.c |
| @@ -194,11 +194,15 @@ static bool fixed_msr_to_seg_unit(u32 ms |
| break; |
| case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000: |
| *seg = 1; |
| - *unit = msr - MSR_MTRRfix16K_80000; |
| + *unit = array_index_nospec( |
| + msr - MSR_MTRRfix16K_80000, |
| + MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1); |
| break; |
| case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000: |
| *seg = 2; |
| - *unit = msr - MSR_MTRRfix4K_C0000; |
| + *unit = array_index_nospec( |
| + msr - MSR_MTRRfix4K_C0000, |
| + MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1); |
| break; |
| default: |
| return false; |
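Review bot: The two `array_index_nospec()` clamps carry no comment saying why an index already bounded by its `case` range needs clamping again, so a later cleanup could remove them as redundant. A short comment above the first clamp would record the intent, for example `/* The case range is not enforced under speculation; clamp the MSR-derived index. */`. The bound also repeats the case-label arithmetic (`MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1`, and the 4K equivalent) instead of naming each segment's unit count, which presumably has to match the table that `*unit` later indexes; that consumer is outside the hunk, so confirm the two agree. The diffstat shows no `#include <linux/nospec.h>` being added, so the macro presumably reaches mtrr.c through another header, and an explicit include would make that dependency visible. fixed_msr_to_seg_unit() starts before and ends after this hunk.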