* [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
@ 2018-01-03 22:31 Jim Mattson
2018-01-07 10:40 ` Jan Kiszka
0 siblings, 1 reply; 11+ messages in thread
From: Jim Mattson @ 2018-01-03 22:31 UTC (permalink / raw)
To: kvm; +Cc: Jim Mattson
Guest GPR values are live in the hardware GPRs at VM-exit. Do not
leave any guest values in hardware GPRs after the guest GPR values are
saved to the vcpu_vmx structure.
This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
Suggested-by: Eric Northup <digitaleric@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Eric Northup <digitaleric@google.com>
Reviewed-by: Benjamin Serebrin <serebrin@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
---
arch/x86/kvm/vmx.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 669f5f74857d..850baff9d107 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9649,6 +9649,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
/* Save guest registers, load host registers, keep flags */
"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
"pop %0 \n\t"
+ "setbe %c[fail](%0)\n\t"
"mov %%" _ASM_AX ", %c[rax](%0) \n\t"
"mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
__ASM_SIZE(pop) " %c[rcx](%0) \n\t"
@@ -9665,12 +9666,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
"mov %%r13, %c[r13](%0) \n\t"
"mov %%r14, %c[r14](%0) \n\t"
"mov %%r15, %c[r15](%0) \n\t"
+ "xor %%r8d, %%r8d \n\t"
+ "xor %%r9d, %%r9d \n\t"
+ "xor %%r10d, %%r10d \n\t"
+ "xor %%r11d, %%r11d \n\t"
+ "xor %%r12d, %%r12d \n\t"
+ "xor %%r13d, %%r13d \n\t"
+ "xor %%r14d, %%r14d \n\t"
+ "xor %%r15d, %%r15d \n\t"
#endif
"mov %%cr2, %%" _ASM_AX " \n\t"
"mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
+ "xor %%eax, %%eax \n\t"
+ "xor %%ebx, %%ebx \n\t"
+ "xor %%esi, %%esi \n\t"
+ "xor %%edi, %%edi \n\t"
"pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
- "setbe %c[fail](%0) \n\t"
".pushsection .rodata \n\t"
".global vmx_return \n\t"
"vmx_return: " _ASM_PTR " 2b \n\t"
--
2.15.1.620.gb9897f4670-goog
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
2018-01-03 22:31 [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit Jim Mattson
@ 2018-01-07 10:40 ` Jan Kiszka
2018-01-08 8:58 ` Jack Wang
0 siblings, 1 reply; 11+ messages in thread
From: Jan Kiszka @ 2018-01-07 10:40 UTC (permalink / raw)
To: Jim Mattson, kvm
On 2018-01-03 23:31, Jim Mattson wrote:
> Guest GPR values are live in the hardware GPRs at VM-exit. Do not
> leave any guest values in hardware GPRs after the guest GPR values are
> saved to the vcpu_vmx structure.
>
> This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
> Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
>
> Suggested-by: Eric Northup <digitaleric@google.com>
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Reviewed-by: Eric Northup <digitaleric@google.com>
> Reviewed-by: Benjamin Serebrin <serebrin@google.com>
> Reviewed-by: Andrew Honig <ahonig@google.com>
> ---
> arch/x86/kvm/vmx.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 669f5f74857d..850baff9d107 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -9649,6 +9649,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
> /* Save guest registers, load host registers, keep flags */
> "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
> "pop %0 \n\t"
> + "setbe %c[fail](%0)\n\t"
> "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
> "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
> __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
> @@ -9665,12 +9666,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
> "mov %%r13, %c[r13](%0) \n\t"
> "mov %%r14, %c[r14](%0) \n\t"
> "mov %%r15, %c[r15](%0) \n\t"
> + "xor %%r8d, %%r8d \n\t"
> + "xor %%r9d, %%r9d \n\t"
> + "xor %%r10d, %%r10d \n\t"
> + "xor %%r11d, %%r11d \n\t"
> + "xor %%r12d, %%r12d \n\t"
> + "xor %%r13d, %%r13d \n\t"
> + "xor %%r14d, %%r14d \n\t"
> + "xor %%r15d, %%r15d \n\t"
> #endif
> "mov %%cr2, %%" _ASM_AX " \n\t"
> "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
>
> + "xor %%eax, %%eax \n\t"
> + "xor %%ebx, %%ebx \n\t"
> + "xor %%esi, %%esi \n\t"
> + "xor %%edi, %%edi \n\t"
> "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
> - "setbe %c[fail](%0) \n\t"
> ".pushsection .rodata \n\t"
> ".global vmx_return \n\t"
> "vmx_return: " _ASM_PTR " 2b \n\t"
>
Shouldn't this be done on AMD as well, or is the answer "microcode
update" there?
Jan
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
2018-01-07 10:40 ` Jan Kiszka
@ 2018-01-08 8:58 ` Jack Wang
2018-01-08 9:57 ` Jan Kiszka
0 siblings, 1 reply; 11+ messages in thread
From: Jack Wang @ 2018-01-08 8:58 UTC (permalink / raw)
To: Jan Kiszka; +Cc: Jim Mattson, kvm
2018-01-07 11:40 GMT+01:00 Jan Kiszka <jan.kiszka@web.de>:
> On 2018-01-03 23:31, Jim Mattson wrote:
>> Guest GPR values are live in the hardware GPRs at VM-exit. Do not
>> leave any guest values in hardware GPRs after the guest GPR values are
>> saved to the vcpu_vmx structure.
>>
>> This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
>> Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
>>
>> Suggested-by: Eric Northup <digitaleric@google.com>
>> Signed-off-by: Jim Mattson <jmattson@google.com>
>> Reviewed-by: Eric Northup <digitaleric@google.com>
>> Reviewed-by: Benjamin Serebrin <serebrin@google.com>
>> Reviewed-by: Andrew Honig <ahonig@google.com>
>> ---
>> arch/x86/kvm/vmx.c | 14 +++++++++++++-
>> 1 file changed, 13 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>> index 669f5f74857d..850baff9d107 100644
>> --- a/arch/x86/kvm/vmx.c
>> +++ b/arch/x86/kvm/vmx.c
>> @@ -9649,6 +9649,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
>> /* Save guest registers, load host registers, keep flags */
>> "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
>> "pop %0 \n\t"
>> + "setbe %c[fail](%0)\n\t"
>> "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
>> "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
>> __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
>> @@ -9665,12 +9666,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
>> "mov %%r13, %c[r13](%0) \n\t"
>> "mov %%r14, %c[r14](%0) \n\t"
>> "mov %%r15, %c[r15](%0) \n\t"
>> + "xor %%r8d, %%r8d \n\t"
>> + "xor %%r9d, %%r9d \n\t"
>> + "xor %%r10d, %%r10d \n\t"
>> + "xor %%r11d, %%r11d \n\t"
>> + "xor %%r12d, %%r12d \n\t"
>> + "xor %%r13d, %%r13d \n\t"
>> + "xor %%r14d, %%r14d \n\t"
>> + "xor %%r15d, %%r15d \n\t"
>> #endif
>> "mov %%cr2, %%" _ASM_AX " \n\t"
>> "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
>>
>> + "xor %%eax, %%eax \n\t"
>> + "xor %%ebx, %%ebx \n\t"
>> + "xor %%esi, %%esi \n\t"
>> + "xor %%edi, %%edi \n\t"
>> "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
>> - "setbe %c[fail](%0) \n\t"
>> ".pushsection .rodata \n\t"
>> ".global vmx_return \n\t"
>> "vmx_return: " _ASM_PTR " 2b \n\t"
>>
>
> Shouldn't this be done on AMD as well, or is the answer "microcode
> update" there?
>
> Jan
Paolo added it, already in linus tree Linux 4.15-rc7
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788
Jack
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
2018-01-08 8:58 ` Jack Wang
@ 2018-01-08 9:57 ` Jan Kiszka
2018-01-08 14:53 ` Paolo Bonzini
0 siblings, 1 reply; 11+ messages in thread
From: Jan Kiszka @ 2018-01-08 9:57 UTC (permalink / raw)
To: Jack Wang; +Cc: Jim Mattson, kvm
On 2018-01-08 09:58, Jack Wang wrote:
> 2018-01-07 11:40 GMT+01:00 Jan Kiszka <jan.kiszka@web.de>:
>> On 2018-01-03 23:31, Jim Mattson wrote:
>>> Guest GPR values are live in the hardware GPRs at VM-exit. Do not
>>> leave any guest values in hardware GPRs after the guest GPR values are
>>> saved to the vcpu_vmx structure.
>>>
>>> This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
>>> Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
>>>
>>> Suggested-by: Eric Northup <digitaleric@google.com>
>>> Signed-off-by: Jim Mattson <jmattson@google.com>
>>> Reviewed-by: Eric Northup <digitaleric@google.com>
>>> Reviewed-by: Benjamin Serebrin <serebrin@google.com>
>>> Reviewed-by: Andrew Honig <ahonig@google.com>
>>> ---
>>> arch/x86/kvm/vmx.c | 14 +++++++++++++-
>>> 1 file changed, 13 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>> index 669f5f74857d..850baff9d107 100644
>>> --- a/arch/x86/kvm/vmx.c
>>> +++ b/arch/x86/kvm/vmx.c
>>> @@ -9649,6 +9649,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
>>> /* Save guest registers, load host registers, keep flags */
>>> "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
>>> "pop %0 \n\t"
>>> + "setbe %c[fail](%0)\n\t"
>>> "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
>>> "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
>>> __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
>>> @@ -9665,12 +9666,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
>>> "mov %%r13, %c[r13](%0) \n\t"
>>> "mov %%r14, %c[r14](%0) \n\t"
>>> "mov %%r15, %c[r15](%0) \n\t"
>>> + "xor %%r8d, %%r8d \n\t"
>>> + "xor %%r9d, %%r9d \n\t"
>>> + "xor %%r10d, %%r10d \n\t"
>>> + "xor %%r11d, %%r11d \n\t"
>>> + "xor %%r12d, %%r12d \n\t"
>>> + "xor %%r13d, %%r13d \n\t"
>>> + "xor %%r14d, %%r14d \n\t"
>>> + "xor %%r15d, %%r15d \n\t"
>>> #endif
>>> "mov %%cr2, %%" _ASM_AX " \n\t"
>>> "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
>>>
>>> + "xor %%eax, %%eax \n\t"
>>> + "xor %%ebx, %%ebx \n\t"
>>> + "xor %%esi, %%esi \n\t"
>>> + "xor %%edi, %%edi \n\t"
>>> "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
>>> - "setbe %c[fail](%0) \n\t"
>>> ".pushsection .rodata \n\t"
>>> ".global vmx_return \n\t"
>>> "vmx_return: " _ASM_PTR " 2b \n\t"
>>>
>>
>> Shouldn't this be done on AMD as well, or is the answer "microcode
>> update" there?
>>
>> Jan
> Paolo added it, already in linus tree Linux 4.15-rc7
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788
Thanks, I didn't noticed this.
Jan
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
2018-01-08 9:57 ` Jan Kiszka
@ 2018-01-08 14:53 ` Paolo Bonzini
2018-01-09 8:27 ` Jack Wang
2018-02-11 8:42 ` Wanpeng Li
0 siblings, 2 replies; 11+ messages in thread
From: Paolo Bonzini @ 2018-01-08 14:53 UTC (permalink / raw)
To: Jan Kiszka, Jack Wang; +Cc: Jim Mattson, kvm
On 08/01/2018 10:57, Jan Kiszka wrote:
>>> Shouldn't this be done on AMD as well, or is the answer "microcode
>>> update" there?
>>>
>>> Jan
>> Paolo added it, already in linus tree Linux 4.15-rc7
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788
> Thanks, I didn't noticed this.
Yeah, they were posted in a separate thread. (Actually Ashok Raj's
patch was mine, :) but I went with Jim's VMX part and attribution
because he actually tested it with Google's reproducer).
Paolo
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
2018-01-08 14:53 ` Paolo Bonzini
@ 2018-01-09 8:27 ` Jack Wang
2018-01-09 8:43 ` Paolo Bonzini
2018-02-11 8:42 ` Wanpeng Li
1 sibling, 1 reply; 11+ messages in thread
From: Jack Wang @ 2018-01-09 8:27 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: Jan Kiszka, Jim Mattson, kvm
2018-01-08 15:53 GMT+01:00 Paolo Bonzini <pbonzini@redhat.com>:
> On 08/01/2018 10:57, Jan Kiszka wrote:
>>>> Shouldn't this be done on AMD as well, or is the answer "microcode
>>>> update" there?
>>>>
>>>> Jan
>>> Paolo added it, already in linus tree Linux 4.15-rc7
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788
>> Thanks, I didn't noticed this.
>
> Yeah, they were posted in a separate thread. (Actually Ashok Raj's
> patch was mine, :) but I went with Jim's VMX part and attribution
> because he actually tested it with Google's reproducer).
>
> Paolo
Thanks Paolo, should we mark it for stable as this bug is so well
known, the change seems easy to backport?
Thanks,
Jack
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
2018-01-09 8:27 ` Jack Wang
@ 2018-01-09 8:43 ` Paolo Bonzini
2018-01-09 8:49 ` Jack Wang
0 siblings, 1 reply; 11+ messages in thread
From: Paolo Bonzini @ 2018-01-09 8:43 UTC (permalink / raw)
To: Jack Wang; +Cc: Jan Kiszka, Jim Mattson, kvm
On 09/01/2018 09:27, Jack Wang wrote:
> 2018-01-08 15:53 GMT+01:00 Paolo Bonzini <pbonzini@redhat.com>:
>> On 08/01/2018 10:57, Jan Kiszka wrote:
>>>>> Shouldn't this be done on AMD as well, or is the answer "microcode
>>>>> update" there?
>>>>>
>>>>> Jan
>>>> Paolo added it, already in linus tree Linux 4.15-rc7
>>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788
>>> Thanks, I didn't noticed this.
>>
>> Yeah, they were posted in a separate thread. (Actually Ashok Raj's
>> patch was mine, :) but I went with Jim's VMX part and attribution
>> because he actually tested it with Google's reproducer).
>>
>> Paolo
> Thanks Paolo, should we mark it for stable as this bug is so well
> known, the change seems easy to backport?
Yes, I will mark it for stable.
Paolo
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
2018-01-09 8:43 ` Paolo Bonzini
@ 2018-01-09 8:49 ` Jack Wang
0 siblings, 0 replies; 11+ messages in thread
From: Jack Wang @ 2018-01-09 8:49 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: Jan Kiszka, Jim Mattson, kvm
2018-01-09 9:43 GMT+01:00 Paolo Bonzini <pbonzini@redhat.com>:
> On 09/01/2018 09:27, Jack Wang wrote:
>> 2018-01-08 15:53 GMT+01:00 Paolo Bonzini <pbonzini@redhat.com>:
>>> On 08/01/2018 10:57, Jan Kiszka wrote:
>>>>>> Shouldn't this be done on AMD as well, or is the answer "microcode
>>>>>> update" there?
>>>>>>
>>>>>> Jan
>>>>> Paolo added it, already in linus tree Linux 4.15-rc7
>>>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788
>>>> Thanks, I didn't noticed this.
>>>
>>> Yeah, they were posted in a separate thread. (Actually Ashok Raj's
>>> patch was mine, :) but I went with Jim's VMX part and attribution
>>> because he actually tested it with Google's reproducer).
>>>
>>> Paolo
>> Thanks Paolo, should we mark it for stable as this bug is so well
>> known, the change seems easy to backport?
>
> Yes, I will mark it for stable.
>
> Paolo
Thanks!
Jack
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
2018-01-08 14:53 ` Paolo Bonzini
2018-01-09 8:27 ` Jack Wang
@ 2018-02-11 8:42 ` Wanpeng Li
1 sibling, 0 replies; 11+ messages in thread
From: Wanpeng Li @ 2018-02-11 8:42 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: Jan Kiszka, Jack Wang, Jim Mattson, kvm, chandu
Cc chandu,
2018-01-08 22:53 GMT+08:00 Paolo Bonzini <pbonzini@redhat.com>:
> On 08/01/2018 10:57, Jan Kiszka wrote:
>>>> Shouldn't this be done on AMD as well, or is the answer "microcode
>>>> update" there?
>>>>
>>>> Jan
>>> Paolo added it, already in linus tree Linux 4.15-rc7
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788
>> Thanks, I didn't noticed this.
>
> Yeah, they were posted in a separate thread. (Actually Ashok Raj's
> patch was mine, :) but I went with Jim's VMX part and attribution
> because he actually tested it with Google's reproducer).
We cooperate with AMD guys to test the Scrub hardware GPRs against
latest AMD EPYC, we observe the performance of Redis drop ~11% in the
guest (Centos 7.4, 3.10.0-693).
redis(redis_version:3.2.10)
Redis command line:
redis-server > /dev/null 2>&1 &
redis-benchmark -t ping,set,get -d 128 -c 100 -r 1000000 -n 10000000 -q -P 20
redis-benchmark -t ping,set,get -d 1024 -c 100 -r 1000000 -n 10000000 -q -P 20
redis-benchmark -t ping,set,get -d 2048 -c 100 -r 1000000 -n 10000000 -q -P 20
Regards,
Wanpeng Li
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
@ 2018-01-09 8:46 Paolo Bonzini
2018-01-10 12:17 ` Greg KH
0 siblings, 1 reply; 11+ messages in thread
From: Paolo Bonzini @ 2018-01-09 8:46 UTC (permalink / raw)
To: stable
From: Jim Mattson <jmattson@google.com>
[ upstream commit 0cb5b30698fdc8f6b4646012e3acb4ddce430788 ]
Guest GPR values are live in the hardware GPRs at VM-exit. Do not
leave any guest values in hardware GPRs after the guest GPR values are
saved to the vcpu_vmx structure.
This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
Suggested-by: Eric Northup <digitaleric@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Eric Northup <digitaleric@google.com>
Reviewed-by: Benjamin Serebrin <serebrin@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
[Paolo: Add AMD bits, Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
arch/x86/kvm/svm.c | 19 +++++++++++++++++++
arch/x86/kvm/vmx.c | 14 +++++++++++++-
2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index eb714f1cdf7e..bb31c801f1fc 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4985,6 +4985,25 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
"mov %%r13, %c[r13](%[svm]) \n\t"
"mov %%r14, %c[r14](%[svm]) \n\t"
"mov %%r15, %c[r15](%[svm]) \n\t"
+#endif
+ /*
+ * Clear host registers marked as clobbered to prevent
+ * speculative use.
+ */
+ "xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
+ "xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
+ "xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
+ "xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
+ "xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
+#ifdef CONFIG_X86_64
+ "xor %%r8, %%r8 \n\t"
+ "xor %%r9, %%r9 \n\t"
+ "xor %%r10, %%r10 \n\t"
+ "xor %%r11, %%r11 \n\t"
+ "xor %%r12, %%r12 \n\t"
+ "xor %%r13, %%r13 \n\t"
+ "xor %%r14, %%r14 \n\t"
+ "xor %%r15, %%r15 \n\t"
#endif
"pop %%" _ASM_BP
:
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 8eba631c4dbd..c1e7ed371259 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9415,6 +9415,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
/* Save guest registers, load host registers, keep flags */
"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
"pop %0 \n\t"
+ "setbe %c[fail](%0)\n\t"
"mov %%" _ASM_AX ", %c[rax](%0) \n\t"
"mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
__ASM_SIZE(pop) " %c[rcx](%0) \n\t"
@@ -9431,12 +9432,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
"mov %%r13, %c[r13](%0) \n\t"
"mov %%r14, %c[r14](%0) \n\t"
"mov %%r15, %c[r15](%0) \n\t"
+ "xor %%r8d, %%r8d \n\t"
+ "xor %%r9d, %%r9d \n\t"
+ "xor %%r10d, %%r10d \n\t"
+ "xor %%r11d, %%r11d \n\t"
+ "xor %%r12d, %%r12d \n\t"
+ "xor %%r13d, %%r13d \n\t"
+ "xor %%r14d, %%r14d \n\t"
+ "xor %%r15d, %%r15d \n\t"
#endif
"mov %%cr2, %%" _ASM_AX " \n\t"
"mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
+ "xor %%eax, %%eax \n\t"
+ "xor %%ebx, %%ebx \n\t"
+ "xor %%esi, %%esi \n\t"
+ "xor %%edi, %%edi \n\t"
"pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
- "setbe %c[fail](%0) \n\t"
".pushsection .rodata \n\t"
".global vmx_return \n\t"
"vmx_return: " _ASM_PTR " 2b \n\t"
--
2.14.3
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit
2018-01-09 8:46 Paolo Bonzini
@ 2018-01-10 12:17 ` Greg KH
0 siblings, 0 replies; 11+ messages in thread
From: Greg KH @ 2018-01-10 12:17 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: stable
On Tue, Jan 09, 2018 at 09:46:20AM +0100, Paolo Bonzini wrote:
> From: Jim Mattson <jmattson@google.com>
>
> [ upstream commit 0cb5b30698fdc8f6b4646012e3acb4ddce430788 ]
>
> Guest GPR values are live in the hardware GPRs at VM-exit. Do not
> leave any guest values in hardware GPRs after the guest GPR values are
> saved to the vcpu_vmx structure.
>
> This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
> Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
>
> Suggested-by: Eric Northup <digitaleric@google.com>
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Reviewed-by: Eric Northup <digitaleric@google.com>
> Reviewed-by: Benjamin Serebrin <serebrin@google.com>
> Reviewed-by: Andrew Honig <ahonig@google.com>
> [Paolo: Add AMD bits, Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>]
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Now applied, thanks.
greg k-h
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2018-02-11 8:42 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-03 22:31 [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit Jim Mattson
2018-01-07 10:40 ` Jan Kiszka
2018-01-08 8:58 ` Jack Wang
2018-01-08 9:57 ` Jan Kiszka
2018-01-08 14:53 ` Paolo Bonzini
2018-01-09 8:27 ` Jack Wang
2018-01-09 8:43 ` Paolo Bonzini
2018-01-09 8:49 ` Jack Wang
2018-02-11 8:42 ` Wanpeng Li
2018-01-09 8:46 Paolo Bonzini
2018-01-10 12:17 ` Greg KH
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.