From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Andrew Honig" <ahonig@google.com>,
"Jim Mattson" <jmattson@google.com>,
kvm@vger.kernel.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Dan Williams" <dan.j.williams@intel.com>
Subject: [PATCH 3.16 62/76] x86/kvm: Update spectre-v1 mitigation
Date: Mon, 12 Mar 2018 03:06:12 +0000 [thread overview]
Message-ID: <lsq.1520823972.361057584@decadent.org.uk> (raw)
In-Reply-To: <lsq.1520823971.5976735@decadent.org.uk>
3.16.56-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Williams <dan.j.williams@intel.com>
commit 085331dfc6bbe3501fb936e657331ca943827600 upstream.
Commit 75f139aaf896 "KVM: x86: Add memory barrier on vmcs field lookup"
added a raw 'asm("lfence");' to prevent a bounds check bypass of
'vmcs_field_to_offset_table'.
The lfence can be avoided in this path by using the array_index_nospec()
helper designed for these types of fixes.
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Andrew Honig <ahonig@google.com>
Cc: kvm@vger.kernel.org
Cc: Jim Mattson <jmattson@google.com>
Link: https://lkml.kernel.org/r/151744959670.6342.3001723920950249067.stgit@dwillia2-desk3.amr.corp.intel.com
[bwh: Backported to 3.16:
- Replace max_vmcs_field with the local size variable
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -32,6 +32,7 @@
#include <linux/slab.h>
#include <linux/tboot.h>
#include <linux/hrtimer.h>
+#include <linux/nospec.h>
#include "kvm_cache_regs.h"
#include "x86.h"
@@ -695,23 +696,21 @@ static const unsigned short vmcs_field_t
FIELD(HOST_RSP, host_rsp),
FIELD(HOST_RIP, host_rip),
};
-static const int max_vmcs_field = ARRAY_SIZE(vmcs_field_to_offset_table);
static inline short vmcs_field_to_offset(unsigned long field)
{
- if (field >= max_vmcs_field)
- return -1;
+ const size_t size = ARRAY_SIZE(vmcs_field_to_offset_table);
+ unsigned short offset;
- /*
- * FIXME: Mitigation for CVE-2017-5753. To be replaced with a
- * generic mechanism.
- */
- asm("lfence");
-
- if (vmcs_field_to_offset_table[field] == 0)
+ BUILD_BUG_ON(size > SHRT_MAX);
+ if (field >= size)
return -1;
- return vmcs_field_to_offset_table[field];
+ field = array_index_nospec(field, size);
+ offset = vmcs_field_to_offset_table[field];
+ if (offset == 0)
+ return -1;
+ return offset;
}
static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu)
next prev parent reply other threads:[~2018-03-12 3:12 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-12 3:06 [PATCH 3.16 00/76] 3.16.56-rc1 review Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 28/76] x86/retpoline/hyperv: Convert assembler indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 21/76] x86: Clean up current_stack_pointer Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 38/76] x86/pti: Document fix wrong index Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 34/76] x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 63/76] x86/retpoline: Avoid retpolines for built-in __init functions Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 17/76] x86/cpu/AMD: Make LFENCE a serializing instruction Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 06/76] x86/cpu, x86/pti: Do not enable PTI on AMD processors Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 54/76] x86: Introduce barrier_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 05/76] x86/cpufeatures: Add X86_BUG_CPU_INSECURE Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 14/76] x86/alternatives: Fix ALTERNATIVE_2 padding generation properly Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 31/76] x86/retpoline/irq32: Convert assembler indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 49/76] x86/cpu/bugs: Make retpoline module warning conditional Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 01/76] kvm: vmx: Scrub hardware GPRs at VM-exit Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 44/76] KVM: x86: Make indirect calls in emulator speculation safe Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 42/76] x86/cpu: Change type of x86_cache_size variable to unsigned int Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 59/76] x86/spectre: Report get_user mitigation for spectre_v1 Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 71/76] x86: reorganize SMAP handling in user space accesses Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 56/76] x86/syscall: Sanitize syscall table de-references under speculation Ben Hutchings
2018-03-12 7:32 ` Jiri Slaby
2018-03-19 0:59 ` Ben Hutchings
2018-03-19 0:59 ` Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 73/76] x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 07/76] x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 36/76] kprobes/x86: Blacklist indirect thunk functions for kprobes Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 47/76] x86/nospec: Fix header guards names Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 67/76] x86/spectre: Fix an error message Ben Hutchings
2018-03-12 3:06 ` Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 15/76] x86/alternatives: Make optimize_nops() interrupt safe and synced Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 53/76] x86: Implement array_index_mask_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 19/76] x86/asm: Make asm/alternative.h safe from assembly Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 76/76] x86: fix build warnign with 32-bit PAE Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 32/76] x86/retpoline: Fill return stack buffer on vmexit Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 65/76] x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 57/76] vfs, fdtable: Prevent bounds-check bypass via speculative execution Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 16/76] x86/alternatives: Fix optimize_nops() checking Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 58/76] nl80211: Sanitize array index in parse_txq_params Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 10/76] sysfs/cpu: Add vulnerability folder Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 41/76] x86/retpoline: Fill RSB on context switch for affected CPUs Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 12/76] sysfs/cpu: Fix typos in vulnerability documentation Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 51/76] Documentation: Document array_index_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 29/76] x86/retpoline/xen: Convert Xen hypercall indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 13/76] x86/alternatives: Guard NOPs optimization Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 20/76] kconfig.h: use __is_defined() to check if MODULE is defined Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 08/76] x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 37/76] kprobes/x86: Disable optimizing on the function jumps to indirect thunk Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 33/76] x86/retpoline: Remove compile time warning Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 09/76] x86/cpu: Merge bugs.c and bugs_64.c Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 48/76] x86/bugs: Drop one "mitigation" from dmesg Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 43/76] x86/retpoline: Remove the esp/rsp thunk Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 02/76] x86/Documentation: Add PTI description Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 04/76] x86/cpufeatures: Make CPU bugs sticky Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 25/76] x86/retpoline/crypto: Convert crypto assembler indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 52/76] array_index_nospec: Sanitize speculative array de-references Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 68/76] nospec: Move array_index_nospec() parameter checking into separate macro Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 74/76] x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end} Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 27/76] x86/retpoline/ftrace: Convert ftrace assembler indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 26/76] x86/retpoline/entry: Convert entry " Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 30/76] x86/retpoline/checksum32: Convert " Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 69/76] nospec: Kill array_index_nospec_mask_check() Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 40/76] x86/cpu/intel: Introduce macros for Intel family numbers Ben Hutchings
2018-03-12 3:06 ` [3.16,40/76] " Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 40/76] " Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 75/76] x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 39/76] x86/retpoline: Optimize inline assembler for vmexit_fill_RSB Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 45/76] KVM: VMX: Make indirect call speculation safe Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 03/76] x86/cpu: Factor out application of forced CPU caps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 18/76] x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC Ben Hutchings
2018-03-12 3:06 ` Ben Hutchings [this message]
2018-03-12 3:06 ` [PATCH 3.16 35/76] retpoline: Introduce start/end markers of indirect thunk Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 72/76] x86: fix SMAP in 32-bit environments Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 24/76] x86/spectre: Add boot time option to select Spectre v2 mitigation Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 61/76] x86/paravirt: Remove 'noreplace-paravirt' cmdline option Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 23/76] x86/retpoline: Add initial retpoline support Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 22/76] x86/asm: Use register variable to get stack pointer value Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 66/76] x86/cpufeatures: Clean up Spectre v2 related CPUID flags Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 64/76] x86/spectre: Simplify spectre_v2 command line parsing Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 55/76] x86/get_user: Use pointer masking to limit speculation Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 70/76] nospec: Include <asm/barrier.h> dependency Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 60/76] x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable" Ben Hutchings
2018-03-12 3:06 ` Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 11/76] x86/cpu: Implement CPU vulnerabilites sysfs functions Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 46/76] module/retpoline: Warn about missing retpoline in module Ben Hutchings
2018-03-12 15:00 ` [PATCH 3.16 00/76] 3.16.56-rc1 review Guenter Roeck
2018-03-12 16:45 ` Guenter Roeck
2018-03-20 17:25 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1520823972.361057584@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=ahonig@google.com \
--cc=akpm@linux-foundation.org \
--cc=dan.j.williams@intel.com \
--cc=jmattson@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.