[pve-kernel.git] / patches / kernel / 0012-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Andrew Honig <ahonig@google.com>
Date: Wed, 10 Jan 2018 10:12:03 -0800
Subject: [PATCH] KVM: x86: Add memory barrier on vmcs field lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

commit 75f139aaf896d6fdeec2e468ddfa4b2fe469bf40 upstream.

This adds a memory barrier when performing a lookup into
the vmcs_field_to_offset_table.  This is related to
CVE-2017-5753.

Signed-off-by: Andrew Honig <ahonig@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/kvm/vmx.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 0510bc11beb2..c79de3ac9d49 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -883,8 +883,16 @@ static inline short vmcs_field_to_offset(unsigned long field)
 {
 	BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
 
-	if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) ||
-	    vmcs_field_to_offset_table[field] == 0)
+	if (field >= ARRAY_SIZE(vmcs_field_to_offset_table))
+		return -ENOENT;
+
+	/*
+	 * FIXME: Mitigation for CVE-2017-5753.  To be replaced with a
+	 * generic mechanism.
+	 */
+	asm("lfence");
+
+	if (vmcs_field_to_offset_table[field] == 0)
 		return -ENOENT;
 
 	return vmcs_field_to_offset_table[field];
-- 
2.14.2
Commit	Line	Data
035dbe67 FG	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Andrew Honig <ahonig@google.com>
	3	Date: Wed, 10 Jan 2018 10:12:03 -0800
	4	Subject: [PATCH] KVM: x86: Add memory barrier on vmcs field lookup
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	commit 75f139aaf896d6fdeec2e468ddfa4b2fe469bf40 upstream.
	10
	11	This adds a memory barrier when performing a lookup into
	12	the vmcs_field_to_offset_table. This is related to
	13	CVE-2017-5753.
	14
	15	Signed-off-by: Andrew Honig <ahonig@google.com>
	16	Reviewed-by: Jim Mattson <jmattson@google.com>
	17	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	19	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	20	---
	21	arch/x86/kvm/vmx.c \| 12 ++++++++++--
	22	1 file changed, 10 insertions(+), 2 deletions(-)
	23
	24	diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
1f1e1833	25	index 0510bc11beb2..c79de3ac9d49 100644
035dbe67 FG	26	--- a/arch/x86/kvm/vmx.c
035dbe67 FG	27	+++ b/arch/x86/kvm/vmx.c
3adc5321	28	@@ -883,8 +883,16 @@ static inline short vmcs_field_to_offset(unsigned long field)
035dbe67 FG	29	{
	30	BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
	31
	32	- if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) \|\|
	33	- vmcs_field_to_offset_table[field] == 0)
	34	+ if (field >= ARRAY_SIZE(vmcs_field_to_offset_table))
	35	+ return -ENOENT;
	36	+
	37	+ /*
	38	+ * FIXME: Mitigation for CVE-2017-5753. To be replaced with a
	39	+ * generic mechanism.
	40	+ */
	41	+ asm("lfence");
	42	+
	43	+ if (vmcs_field_to_offset_table[field] == 0)
	44	return -ENOENT;
	45
	46	return vmcs_field_to_offset_table[field];
	47	--
	48	2.14.2
	49