Commit | Line | Data |
---|---|---|
1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | |
2 | From: Tim Chen <tim.c.chen@linux.intel.com> | |
3 | Date: Fri, 20 Oct 2017 17:05:54 -0700 | |
4 | Subject: [PATCH] x86/kvm: Pad RSB on VM transition | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | CVE-2017-5753 | |
10 | CVE-2017-5715 | |
11 | ||
12 | Add code to pad the local CPU's RSB entries to protect | |
13 | from a previous, less privileged mode. | |
14 | ||
15 | Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> | |
16 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
17 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
18 | (cherry picked from commit 5369368d3520addb2ffb2413cfa7e8f3efe2e31d) | |
19 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
20 | --- | |
21 | arch/x86/include/asm/kvm_host.h | 103 ++++++++++++++++++++++++++++++++++++++++ | |
22 | arch/x86/kvm/vmx.c | 2 + | |
23 | 2 files changed, 105 insertions(+) | |
24 | ||
25 | diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h | |
26 | index 1953c0a5b972..4117a97228a2 100644 | |
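--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -125,6 +125,109 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
 
 #define ASYNC_PF_PER_VCPU 64
 
+static inline void stuff_RSB(void)
+{
+ __asm__ __volatile__(" \n\
+ call .label1 \n\
+ pause \n\
+.label1: \n\
+ call .label2 \n\
+ pause \n\
+.label2: \n\
+ call .label3 \n\
+ pause \n\
+.label3: \n\
+ call .label4 \n\
+ pause \n\
+.label4: \n\
+ call .label5 \n\
+ pause \n\
+.label5: \n\
+ call .label6 \n\
+ pause \n\
+.label6: \n\
+ call .label7 \n\
+ pause \n\
+.label7: \n\
+ call .label8 \n\
+ pause \n\
+.label8: \n\
+ call .label9 \n\
+ pause \n\
+.label9: \n\
+ call .label10 \n\
+ pause \n\
+.label10: \n\
+ call .label11 \n\
+ pause \n\
+.label11: \n\
+ call .label12 \n\
+ pause \n\
+.label12: \n\
+ call .label13 \n\
+ pause \n\
+.label13: \n\
+ call .label14 \n\
+ pause \n\
+.label14: \n\
+ call .label15 \n\
+ pause \n\
+.label15: \n\
+ call .label16 \n\
+ pause \n\
+.label16: \n\
+ call .label17 \n\
+ pause \n\
+.label17: \n\
+ call .label18 \n\
+ pause \n\
+.label18: \n\
+ call .label19 \n\
+ pause \n\
+.label19: \n\
+ call .label20 \n\
+ pause \n\
+.label20: \n\
+ call .label21 \n\
+ pause \n\
+.label21: \n\
+ call .label22 \n\
+ pause \n\
+.label22: \n\
+ call .label23 \n\
+ pause \n\
+.label23: \n\
+ call .label24 \n\
+ pause \n\
+.label24: \n\
+ call .label25 \n\
+ pause \n\
+.label25: \n\
+ call .label26 \n\
+ pause \n\
+.label26: \n\
+ call .label27 \n\
+ pause \n\
+.label27: \n\
+ call .label28 \n\
+ pause \n\
+.label28: \n\
+ call .label29 \n\
+ pause \n\
+.label29: \n\
+ call .label30 \n\
+ pause \n\
+.label30: \n\
+ call .label31 \n\
+ pause \n\
+.label31: \n\
+ call .label32 \n\
+ pause \n\
+.label32: \n\
+ add $(32*8), %%rsp \n\
+": : :"memory");
+}
+
 enum kvm_reg {
 VCPU_REGS_RAX = 0,
 VCPU_REGS_RCX = 1,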
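Review bot: The labels `.label1` … `.label32` in `stuff_RSB()` are ordinary assembler symbols rather than local ones, so the build fails with duplicate-symbol errors as soon as this `static inline` header function is expanded at a second call site in one translation unit, or the compiler duplicates the asm statement. Numeric local labels avoid that: `call 1f`, `pause`, `1:`, repeated 32 times. The tail `add $(32*8), %%rsp` hard-codes a 64-bit stack pointer and 8-byte return slots, which presumably does not assemble in a 32-bit build that uses this header, so an `#ifdef CONFIG_X86_64` guard or a word-size-neutral form is worth considering. A short comment saying why 32 calls are issued, and that each `pause` is reached only speculatively, would help the next reader.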
139 | diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c | |
140 | index 57d538fc7c75..496884b6467f 100644 | |
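--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9228,6 +9228,8 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 #endif
 );
 
+ stuff_RSB();
+
 /* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */
 if (debugctlmsr)
 update_debugctlmsr(debugctlmsr);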
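Review bot: The `stuff_RSB();` call carries no comment about its ordering constraint: to be effective it has to run before the host executes any `ret` after the asm block that closes just above it (presumably the VM entry/exit sequence), and nothing tells a later editor not to insert code in between. A comment such as `/* Overwrite RSB entries left by the guest before any host RET runs */` would record that. The call is also unconditional, so every pass through `vmx_vcpu_run()` pays for 32 calls even where the padding may not be needed; whether a feature check belongs here cannot be judged from this hunk. `vmx_vcpu_run()` starts and ends outside the hunk.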
152 | -- | |
153 | 2.14.2 | |
154 |