From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 4.9 044/116] KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks
Date: Thu, 13 Feb 2020 07:19:48 -0800 [thread overview]
Message-ID: <20200213151900.140135328@linuxfoundation.org> (raw)
In-Reply-To: <20200213151842.259660170@linuxfoundation.org>
From: Marios Pomonis <pomonis@google.com>
commit 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 upstream.
This fixes Spectre-v1/L1TF vulnerabilities in
vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(),
vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar(). When
invoked from emulation, these functions contain index computations
based on the (attacker-influenced) segment value. Using constants
prevents the attack.
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/emulate.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -5053,16 +5053,28 @@ int x86_decode_insn(struct x86_emulate_c
ctxt->ad_bytes = def_ad_bytes ^ 6;
break;
case 0x26: /* ES override */
+ has_seg_override = true;
+ ctxt->seg_override = VCPU_SREG_ES;
+ break;
case 0x2e: /* CS override */
+ has_seg_override = true;
+ ctxt->seg_override = VCPU_SREG_CS;
+ break;
case 0x36: /* SS override */
+ has_seg_override = true;
+ ctxt->seg_override = VCPU_SREG_SS;
+ break;
case 0x3e: /* DS override */
has_seg_override = true;
- ctxt->seg_override = (ctxt->b >> 3) & 3;
+ ctxt->seg_override = VCPU_SREG_DS;
break;
case 0x64: /* FS override */
+ has_seg_override = true;
+ ctxt->seg_override = VCPU_SREG_FS;
+ break;
case 0x65: /* GS override */
has_seg_override = true;
- ctxt->seg_override = ctxt->b & 7;
+ ctxt->seg_override = VCPU_SREG_GS;
break;
case 0x40 ... 0x4f: /* REX */
if (mode != X86EMUL_MODE_PROT64)
next prev parent reply other threads:[~2020-02-13 16:05 UTC|newest]
Thread overview: 129+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-13 15:19 [PATCH 4.9 000/116] 4.9.214-stable review Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 001/116] media: iguanair: fix endpoint sanity check Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 002/116] x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 003/116] sparc32: fix struct ipc64_perm type definition Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 004/116] ASoC: qcom: Fix of-node refcount unbalance to link->codec_of_node Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 005/116] cls_rsvp: fix rsvp_policy Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 006/116] gtp: use __GFP_NOWARN to avoid memalloc warning Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 007/116] net: hsr: fix possible NULL deref in hsr_handle_frame() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 008/116] net_sched: fix an OOB access in cls_tcindex Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 009/116] rxrpc: Fix insufficient receive notification generation Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 010/116] rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 011/116] tcp: clear tp->total_retrans in tcp_disconnect() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 012/116] tcp: clear tp->delivered " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 013/116] tcp: clear tp->data_segs{in|out} " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 014/116] tcp: clear tp->segs_{in|out} " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 015/116] media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 016/116] mfd: dln2: More sanity checking for endpoints Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 017/116] brcmfmac: Fix memory leak in brcmf_usbdev_qinit Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 018/116] usb: gadget: legacy: set max_speed to super-speed Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 019/116] usb: gadget: f_ncm: Use atomic_t to track in-flight request Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 020/116] usb: gadget: f_ecm: " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 021/116] ALSA: dummy: Fix PCM format loop in proc output Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 022/116] media/v4l2-core: set pages dirty upon releasing DMA buffers Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 023/116] media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 024/116] lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 025/116] powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 026/116] mmc: spi: Toggle SPI polarity, do not hardcode it Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 027/116] PCI: keystone: Fix link training retries initiation Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 028/116] ubifs: Change gfp flags in page allocation for bulk read Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 029/116] ubifs: Fix deadlock in concurrent bulk-read and writepage Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 030/116] crypto: api - Check spawn->alg under lock in crypto_drop_spawn Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 031/116] scsi: qla2xxx: Fix mtcp dump collection failure Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 032/116] power: supply: ltc2941-battery-gauge: fix use-after-free Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 033/116] of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 034/116] dm space map common: fix to ensure new block isnt already in use Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 035/116] padata: Remove broken queue flushing Greg Kroah-Hartman
2020-02-14 21:48 ` [PATCH v2 4.9] " Daniel Jordan
2020-02-13 15:19 ` [PATCH 4.9 036/116] crypto: pcrypt - Do not clear MAY_SLEEP flag in original request Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 037/116] crypto: atmel-aes - Fix counter overflow in CTR mode Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 038/116] crypto: api - Fix race condition in crypto_spawn_alg Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 039/116] crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 040/116] btrfs: set trans->drity in btrfs_commit_transaction Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 041/116] ARM: tegra: Enable PLLP bypass during Tegra124 LP1 Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 042/116] mwifiex: fix unbalanced locking in mwifiex_process_country_ie() Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 043/116] sunrpc: expiry_time should be seconds not timeval Greg Kroah-Hartman
2020-02-13 15:19 ` Greg Kroah-Hartman [this message]
2020-02-13 15:19 ` [PATCH 4.9 045/116] KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 046/116] KVM: x86: Protect kvm_lapic_reg_write() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 047/116] KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 048/116] KVM: x86: Protect ioapic_write_indirect() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 049/116] KVM: x86: Protect MSR-based index computations in pmu.h " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 050/116] KVM: x86: Protect ioapic_read_indirect() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 051/116] KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 052/116] KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 053/116] KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() " Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 054/116] KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails Greg Kroah-Hartman
2020-02-13 15:19 ` [PATCH 4.9 055/116] KVM: PPC: Book3S PR: Free shared page if mmu initialization fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 056/116] KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 057/116] clk: tegra: Mark fuse clock as critical Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 058/116] scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 059/116] scsi: csiostor: Adjust indentation in csio_device_reset Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 060/116] scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 061/116] ext2: Adjust indentation in ext2_fill_super Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 062/116] powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 063/116] NFC: pn544: Adjust indentation in pn544_hci_check_presence Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 064/116] ppp: Adjust indentation into ppp_async_input Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 065/116] net: smc911x: Adjust indentation in smc911x_phy_configure Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 066/116] net: tulip: Adjust indentation in {dmfe, uli526x}_init_module Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 067/116] IB/mlx5: Fix outstanding_pi index for GSI qps Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 068/116] nfsd: fix delay timer on 32-bit architectures Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 069/116] nfsd: fix jiffies/time_t mixup in LRU list Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 070/116] ubi: fastmap: Fix inverted logic in seen selfcheck Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 071/116] ubi: Fix an error pointer dereference in error handling code Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 072/116] mfd: da9062: Fix watchdog compatible string Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 073/116] mfd: rn5t618: Mark ADC control register volatile Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 074/116] net: systemport: Avoid RBUF stuck in Wake-on-LAN mode Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 075/116] bonding/alb: properly access headers in bond_alb_xmit() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 076/116] NFS: switch back to to ->iterate() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 077/116] NFS: Fix memory leaks and corruption in readdir Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 078/116] NFS: Fix bool initialization/comparison Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 079/116] NFS: Directory page cache pages need to be locked when read Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 080/116] ext4: fix deadlock allocating crypto bounce page from mempool Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 081/116] Btrfs: fix assertion failure on fsync with NO_HOLES enabled Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 082/116] btrfs: use bool argument in free_root_pointers() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 083/116] btrfs: free block groups after freeing fs trees Greg Kroah-Hartman
2020-02-13 20:55 ` David Sterba
2020-02-13 22:59 ` Greg Kroah-Hartman
2020-02-14 1:13 ` Sasha Levin
2020-02-13 15:20 ` [PATCH 4.9 084/116] btrfs: remove trivial locking wrappers of tree mod log Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 085/116] Btrfs: fix race between adding and putting tree mod seq elements and nodes Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 086/116] drm: atmel-hlcdc: enable clock before configuring timing engine Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 087/116] drm/dp_mst: Remove VCPI while disabling topology mgr Greg Kroah-Hartman
2020-02-14 17:38 ` Lyude Paul
2020-02-14 21:11 ` Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 088/116] KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 089/116] btrfs: flush write bio if we loop in extent_write_cache_pages Greg Kroah-Hartman
2020-02-13 21:01 ` David Sterba
2020-02-14 1:19 ` Sasha Levin
2020-02-13 15:20 ` [PATCH 4.9 090/116] KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 091/116] KVM: VMX: Add non-canonical check on writes to RTIT address MSRs Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 092/116] KVM: nVMX: vmread should not set rflags to specify success in case of #PF Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 093/116] cifs: fail i/o on soft mounts if sessionsetup errors out Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 094/116] clocksource: Prevent double add_timer_on() for watchdog_timer Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 095/116] perf/core: Fix mlock accounting in perf_mmap() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 096/116] rxrpc: Fix service call disconnection Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 097/116] ASoC: pcm: update FE/BE trigger order based on the command Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 098/116] RDMA/netlink: Do not always generate an ACK for some netlink operations Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 099/116] scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 100/116] PCI: Dont disable bridge BARs when assigning bus resources Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 101/116] nfs: NFS_SWAP should depend on SWAP Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 102/116] NFSv4: try lease recovery on NFS4ERR_EXPIRED Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 103/116] rtc: hym8563: Return -EINVAL if the time is known to be invalid Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 104/116] rtc: cmos: Stop using shared IRQ Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 105/116] ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 106/116] ARM: dts: at91: sama5d3: fix maximum peripheral clock rates Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 107/116] ARM: dts: at91: sama5d3: define clock rate range for tcb1 Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 108/116] tools/power/acpi: fix compilation error Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 109/116] powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 110/116] pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 111/116] scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 112/116] dm: fix potential for q->make_request_fn NULL pointer Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 113/116] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 114/116] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Greg Kroah-Hartman
2020-02-13 15:20 ` [PATCH 4.9 115/116] libertas: dont exit from lbs_ibss_join_existing() with RCU read lock held Greg Kroah-Hartman
2020-02-13 15:21 ` [PATCH 4.9 116/116] libertas: make lbs_ibss_join_existing() return error code on rates overflow Greg Kroah-Hartman
2020-02-14 1:21 ` [PATCH 4.9 000/116] 4.9.214-stable review shuah
2020-02-14 5:26 ` Guenter Roeck
2020-02-14 10:13 ` Naresh Kamboju
2020-02-14 10:26 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200213151900.140135328@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).