| From 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 Mon Sep 17 00:00:00 2001 |
| From: Marios Pomonis <pomonis@google.com> |
| Date: Wed, 11 Dec 2019 12:47:41 -0800 |
| Subject: KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks |
| |
| From: Marios Pomonis <pomonis@google.com> |
| |
| commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream. |
| |
| This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn(). |
| kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported |
| symbol, so KVM should treat it conservatively from a security perspective. |
| |
| Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw") |
| |
| Signed-off-by: Nick Finco <nifi@google.com> |
| Signed-off-by: Marios Pomonis <pomonis@google.com> |
| Reviewed-by: Andrew Honig <ahonig@google.com> |
| Cc: stable@vger.kernel.org |
| Reviewed-by: Jim Mattson <jmattson@google.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kvm/emulate.c | 11 ++++++++--- |
| 1 file changed, 8 insertions(+), 3 deletions(-) |
| |
| --- a/arch/x86/kvm/emulate.c |
| +++ b/arch/x86/kvm/emulate.c |
| @@ -5269,10 +5269,15 @@ done_prefixes: |
| } |
| break; |
| case Escape: |
| - if (ctxt->modrm > 0xbf) |
| - opcode = opcode.u.esc->high[ctxt->modrm - 0xc0]; |
| - else |
| + if (ctxt->modrm > 0xbf) { |
| + size_t size = ARRAY_SIZE(opcode.u.esc->high); |
| + u32 index = array_index_nospec( |
| + ctxt->modrm - 0xc0, size); |
| + |
| + opcode = opcode.u.esc->high[index]; |
| + } else { |
| opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7]; |
| + } |
| break; |
| case InstrDual: |
| if ((ctxt->modrm >> 6) == 3) |
