KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks

BugLink: https://bugs.launchpad.net/bugs/1866678
commit 125ffc5e0a56a3eded608dc51e09d5ebf72cf652 upstream.

This fixes Spectre-v1/L1TF vulnerabilities in
vmx_read_guest_seg_selector(), vmx_read_guest_seg_base(),
vmx_read_guest_seg_limit() and vmx_read_guest_seg_ar().  When
invoked from emulation, these functions contain index computations
based on the (attacker-influenced) segment value.  Using constants
prevents the attack.

Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 65285b0dabaa224fbb4654bf7866abeda6fd787f..aba6627d0966c114ca8a9520989d5c8bcf2d6e5f 100644 (file)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -5119,16 +5119,28 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
                                ctxt->ad_bytes = def_ad_bytes ^ 6;
                        break;
                case 0x26:      /* ES override */
+                       has_seg_override = true;
+                       ctxt->seg_override = VCPU_SREG_ES;
+                       break;
                case 0x2e:      /* CS override */
+                       has_seg_override = true;
+                       ctxt->seg_override = VCPU_SREG_CS;
+                       break;
                case 0x36:      /* SS override */
+                       has_seg_override = true;
+                       ctxt->seg_override = VCPU_SREG_SS;
+                       break;
                case 0x3e:      /* DS override */
                        has_seg_override = true;
-                       ctxt->seg_override = (ctxt->b >> 3) & 3;
+                       ctxt->seg_override = VCPU_SREG_DS;
                        break;
                case 0x64:      /* FS override */
+                       has_seg_override = true;
+                       ctxt->seg_override = VCPU_SREG_FS;
+                       break;
                case 0x65:      /* GS override */
                        has_seg_override = true;
-                       ctxt->seg_override = ctxt->b & 7;
+                       ctxt->seg_override = VCPU_SREG_GS;
                        break;
                case 0x40 ... 0x4f: /* REX */
                        if (mode != X86EMUL_MODE_PROT64)