[pve-kernel.git] / patches / kernel / 0285-x86-kvm-Pad-RSB-on-VM-transition.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tim Chen <tim.c.chen@linux.intel.com>
Date: Fri, 20 Oct 2017 17:05:54 -0700
Subject: [PATCH] x86/kvm: Pad RSB on VM transition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5753
CVE-2017-5715

Add code to pad the local CPU's RSB entries to protect
from previous less privilege mode.

Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 5369368d3520addb2ffb2413cfa7e8f3efe2e31d)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/include/asm/kvm_host.h | 103 ++++++++++++++++++++++++++++++++++++++++
 arch/x86/kvm/vmx.c              |   2 +
 2 files changed, 105 insertions(+)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 1953c0a5b972..4117a97228a2 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -125,6 +125,109 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
 
 #define ASYNC_PF_PER_VCPU 64
 
+static inline void stuff_RSB(void)
+{
+        __asm__ __volatile__("  \n\
+	call .label1    \n\
+	pause     \n\
+.label1:        \n\
+	call .label2    \n\
+	pause     \n\
+.label2:        \n\
+	call .label3    \n\
+	pause     \n\
+.label3:        \n\
+	call .label4    \n\
+	pause     \n\
+.label4:        \n\
+	call .label5    \n\
+	pause     \n\
+.label5:        \n\
+	call .label6    \n\
+	pause     \n\
+.label6:        \n\
+	call .label7    \n\
+	pause     \n\
+.label7:        \n\
+	call .label8    \n\
+	pause     \n\
+.label8:        \n\
+	call .label9    \n\
+	pause     \n\
+.label9:        \n\
+	call .label10   \n\
+	pause     \n\
+.label10:       \n\
+	call .label11   \n\
+	pause     \n\
+.label11:       \n\
+	call .label12   \n\
+	pause     \n\
+.label12:       \n\
+	call .label13   \n\
+	pause     \n\
+.label13:       \n\
+	call .label14   \n\
+	pause     \n\
+.label14:       \n\
+	call .label15   \n\
+	pause     \n\
+.label15:       \n\
+	call .label16   \n\
+	pause     \n\
+.label16:	\n\
+	call .label17	\n\
+	pause	\n\
+.label17:	\n\
+	call .label18	\n\
+	pause	\n\
+.label18:	\n\
+	call .label19	\n\
+	pause	\n\
+.label19:	\n\
+	call .label20	\n\
+	pause	\n\
+.label20:	\n\
+	call .label21	\n\
+	pause	\n\
+.label21:	\n\
+	call .label22	\n\
+	pause	\n\
+.label22:	\n\
+	call .label23	\n\
+	pause	\n\
+.label23:	\n\
+	call .label24	\n\
+	pause	\n\
+.label24:	\n\
+	call .label25	\n\
+	pause	\n\
+.label25:	\n\
+	call .label26	\n\
+	pause	\n\
+.label26:	\n\
+	call .label27	\n\
+	pause	\n\
+.label27:	\n\
+	call .label28	\n\
+	pause	\n\
+.label28:	\n\
+	call .label29	\n\
+	pause	\n\
+.label29:	\n\
+	call .label30	\n\
+	pause	\n\
+.label30:	\n\
+	call .label31	\n\
+	pause	\n\
+.label31:	\n\
+	call .label32	\n\
+	pause	\n\
+.label32: \n\
+	add $(32*8), %%rsp 	\n\
+": : :"memory");
+}
+
 enum kvm_reg {
 	VCPU_REGS_RAX = 0,
 	VCPU_REGS_RCX = 1,
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 57d538fc7c75..496884b6467f 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9228,6 +9228,8 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 #endif
 	      );
 
+	stuff_RSB();
+
 	/* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */
 	if (debugctlmsr)
 		update_debugctlmsr(debugctlmsr);
-- 
2.14.2
Commit	Line	Data
035dbe67 FG	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Tim Chen <tim.c.chen@linux.intel.com>
	3	Date: Fri, 20 Oct 2017 17:05:54 -0700
	4	Subject: [PATCH] x86/kvm: Pad RSB on VM transition
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5753
	10	CVE-2017-5715
	11
	12	Add code to pad the local CPU's RSB entries to protect
	13	from previous less privilege mode.
	14
	15	Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
	16	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	17	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	18	(cherry picked from commit 5369368d3520addb2ffb2413cfa7e8f3efe2e31d)
	19	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	20	---
	21	arch/x86/include/asm/kvm_host.h \| 103 ++++++++++++++++++++++++++++++++++++++++
	22	arch/x86/kvm/vmx.c \| 2 +
	23	2 files changed, 105 insertions(+)
	24
	25	diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
	26	index 1953c0a5b972..4117a97228a2 100644
	27	--- a/arch/x86/include/asm/kvm_host.h
	28	+++ b/arch/x86/include/asm/kvm_host.h
	29	@@ -125,6 +125,109 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
	30
	31	#define ASYNC_PF_PER_VCPU 64
	32
	33	+static inline void stuff_RSB(void)
	34	+{
	35	+ __asm__ __volatile__(" \n\
	36	+ call .label1 \n\
	37	+ pause \n\
	38	+.label1: \n\
	39	+ call .label2 \n\
	40	+ pause \n\
	41	+.label2: \n\
	42	+ call .label3 \n\
	43	+ pause \n\
	44	+.label3: \n\
	45	+ call .label4 \n\
	46	+ pause \n\
	47	+.label4: \n\
	48	+ call .label5 \n\
	49	+ pause \n\
	50	+.label5: \n\
	51	+ call .label6 \n\
	52	+ pause \n\
	53	+.label6: \n\
	54	+ call .label7 \n\
	55	+ pause \n\
	56	+.label7: \n\
	57	+ call .label8 \n\
	58	+ pause \n\
	59	+.label8: \n\
	60	+ call .label9 \n\
	61	+ pause \n\
	62	+.label9: \n\
	63	+ call .label10 \n\
	64	+ pause \n\
65	+.label10: \n\
66	+ call .label11 \n\
67	+ pause \n\
68	+.label11: \n\
69	+ call .label12 \n\
70	+ pause \n\
71	+.label12: \n\
72	+ call .label13 \n\
73	+ pause \n\
74	+.label13: \n\
75	+ call .label14 \n\
76	+ pause \n\
77	+.label14: \n\
78	+ call .label15 \n\
79	+ pause \n\
80	+.label15: \n\
81	+ call .label16 \n\
82	+ pause \n\
83	+.label16: \n\
84	+ call .label17 \n\
85	+ pause \n\
86	+.label17: \n\
87	+ call .label18 \n\
88	+ pause \n\
89	+.label18: \n\
90	+ call .label19 \n\
91	+ pause \n\
92	+.label19: \n\
93	+ call .label20 \n\
94	+ pause \n\
95	+.label20: \n\
96	+ call .label21 \n\
97	+ pause \n\
98	+.label21: \n\
99	+ call .label22 \n\
100	+ pause \n\
101	+.label22: \n\
102	+ call .label23 \n\
103	+ pause \n\
104	+.label23: \n\
105	+ call .label24 \n\
106	+ pause \n\
107	+.label24: \n\
108	+ call .label25 \n\
109	+ pause \n\
110	+.label25: \n\
111	+ call .label26 \n\
112	+ pause \n\
113	+.label26: \n\
114	+ call .label27 \n\
115	+ pause \n\
116	+.label27: \n\
117	+ call .label28 \n\
118	+ pause \n\
119	+.label28: \n\
120	+ call .label29 \n\
121	+ pause \n\
122	+.label29: \n\
123	+ call .label30 \n\
124	+ pause \n\
125	+.label30: \n\
126	+ call .label31 \n\
127	+ pause \n\
128	+.label31: \n\
129	+ call .label32 \n\
130	+ pause \n\
131	+.label32: \n\
132	+ add $(32*8), %%rsp \n\
133	+": : :"memory");
134	+}
135	+
136	enum kvm_reg {
137	VCPU_REGS_RAX = 0,
138	VCPU_REGS_RCX = 1,
139	diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
140	index 57d538fc7c75..496884b6467f 100644
141	--- a/arch/x86/kvm/vmx.c
142	+++ b/arch/x86/kvm/vmx.c
143	@@ -9228,6 +9228,8 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
144	#endif
145	);
146
147	+ stuff_RSB();
148	+
149	/* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */
150	if (debugctlmsr)
151	update_debugctlmsr(debugctlmsr);
152	--
153	2.14.2
154