diff options
author | Marios Pomonis <pomonis@google.com> | 2019-12-11 12:47:41 -0800 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2020-05-22 21:19:36 +0100 |
commit | db929cc57463b056ff9aaaca6ed309464c029e01 (patch) | |
tree | dac4f53e2bec5f1f3ee6ece914567713454fe49c | |
parent | d9dc0fd7792fec52cb7cdf7ca39c734733e8b57e (diff) | |
download | linux-stable-db929cc57463b056ff9aaaca6ed309464c029e01.tar.gz |
KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream.
This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
symbol, so KVM should treat it conservatively from a security perspective.
Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw")
Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: Add #include <linux/nospec.h>]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r-- | arch/x86/kvm/emulate.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index ede6797ee2038c..16c267510d285e 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -26,6 +26,7 @@ #include <asm/kvm_emulate.h> #include <linux/stringify.h> #include <asm/nospec-branch.h> +#include <linux/nospec.h> #include "x86.h" #include "tss.h" @@ -4487,10 +4488,15 @@ done_prefixes: } break; case Escape: - if (ctxt->modrm > 0xbf) - opcode = opcode.u.esc->high[ctxt->modrm - 0xc0]; - else + if (ctxt->modrm > 0xbf) { + size_t size = ARRAY_SIZE(opcode.u.esc->high); + u32 index = array_index_nospec( + ctxt->modrm - 0xc0, size); + + opcode = opcode.u.esc->high[index]; + } else { opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7]; + } break; default: return EMULATION_FAILED; |