git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit
KVM: VMX: Prevent RSB underflow before vmenter
author    Josh Poimboeuf <jpoimboe@kernel.org>
          Tue, 14 Jun 2022 21:16:16 +0000 (23:16 +0200)
committer Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
          Tue, 19 Jul 2022 19:20:06 +0000 (16:20 -0300)
commit    85561a53259b267e75ba4bb3a02ef0185502bf3f
tree      216e832ce775f39d7ed7ee1154f92dbe56b8ebde
parent    7bb0b4d78650e860f4fdc4a69e7a665117f93105
KVM: VMX: Prevent RSB underflow before vmenter

commit 07853adc29a058c5fd143c14e5ac528448a72ed9 upstream.

On VMX, there are some balanced returns between the time the guest's
SPEC_CTRL value is written, and the vmenter.

Balanced returns (matched by a preceding call) are usually ok, but it's
at least theoretically possible an NMI with a deep call stack could
empty the RSB before one of the returns.

For maximum paranoia, don't allow *any* returns (balanced or otherwise)
between the SPEC_CTRL write and the vmenter.

  [ bp: Fix 32-bit build. ]

Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
[cascardo: header conflict fixup at arch/x86/kernel/asm-offsets.c]
[cascardo: header conflict fixup at arch/x86/kvm/vmx/capabilities.h]
CVE-2022-29900
CVE-2022-29901
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
arch/x86/kernel/asm-offsets.c
arch/x86/kernel/cpu/bugs.c
arch/x86/kvm/vmx/capabilities.h
arch/x86/kvm/vmx/vmenter.S
arch/x86/kvm/vmx/vmx.c
arch/x86/kvm/vmx/vmx.h
arch/x86/kvm/vmx/vmx_ops.h