[pve-kernel.git] / patches / kernel / 0232-kvm-vmx-Scrub-hardware-GPRs-at-VM-exit.patch

From 711a55c9d58955a2bfca89cd25935ca607e49bc0 Mon Sep 17 00:00:00 2001
From: Jim Mattson <jmattson@google.com>
Date: Wed, 3 Jan 2018 14:31:38 -0800
Subject: [PATCH 232/241] kvm: vmx: Scrub hardware GPRs at VM-exit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guest GPR values are live in the hardware GPRs at VM-exit.  Do not
leave any guest values in hardware GPRs after the guest GPR values are
saved to the vcpu_vmx structure.

This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
Specifically, it defeats the Project Zero PoC for CVE 2017-5715.

Suggested-by: Eric Northup <digitaleric@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Eric Northup <digitaleric@google.com>
Reviewed-by: Benjamin Serebrin <serebrin@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
[Paolo: Add AMD bits, Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/kvm/svm.c | 19 +++++++++++++++++++
 arch/x86/kvm/vmx.c | 14 +++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index af09baa3d736..92cd94d51e1f 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4924,6 +4924,25 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
 		"mov %%r13, %c[r13](%[svm]) \n\t"
 		"mov %%r14, %c[r14](%[svm]) \n\t"
 		"mov %%r15, %c[r15](%[svm]) \n\t"
+#endif
+		/*
+		* Clear host registers marked as clobbered to prevent
+		* speculative use.
+		*/
+		"xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
+		"xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
+		"xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
+		"xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
+		"xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
+#ifdef CONFIG_X86_64
+		"xor %%r8, %%r8 \n\t"
+		"xor %%r9, %%r9 \n\t"
+		"xor %%r10, %%r10 \n\t"
+		"xor %%r11, %%r11 \n\t"
+		"xor %%r12, %%r12 \n\t"
+		"xor %%r13, %%r13 \n\t"
+		"xor %%r14, %%r14 \n\t"
+		"xor %%r15, %%r15 \n\t"
 #endif
 		"pop %%" _ASM_BP
 		:
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d61986a36575..9b4256fd589a 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9140,6 +9140,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 		/* Save guest registers, load host registers, keep flags */
 		"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
 		"pop %0 \n\t"
+		"setbe %c[fail](%0)\n\t"
 		"mov %%" _ASM_AX ", %c[rax](%0) \n\t"
 		"mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
 		__ASM_SIZE(pop) " %c[rcx](%0) \n\t"
@@ -9156,12 +9157,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 		"mov %%r13, %c[r13](%0) \n\t"
 		"mov %%r14, %c[r14](%0) \n\t"
 		"mov %%r15, %c[r15](%0) \n\t"
+		"xor %%r8d,  %%r8d \n\t"
+		"xor %%r9d,  %%r9d \n\t"
+		"xor %%r10d, %%r10d \n\t"
+		"xor %%r11d, %%r11d \n\t"
+		"xor %%r12d, %%r12d \n\t"
+		"xor %%r13d, %%r13d \n\t"
+		"xor %%r14d, %%r14d \n\t"
+		"xor %%r15d, %%r15d \n\t"
 #endif
 		"mov %%cr2, %%" _ASM_AX "   \n\t"
 		"mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
 
+		"xor %%eax, %%eax \n\t"
+		"xor %%ebx, %%ebx \n\t"
+		"xor %%esi, %%esi \n\t"
+		"xor %%edi, %%edi \n\t"
 		"pop  %%" _ASM_BP "; pop  %%" _ASM_DX " \n\t"
-		"setbe %c[fail](%0) \n\t"
 		".pushsection .rodata \n\t"
 		".global vmx_return \n\t"
 		"vmx_return: " _ASM_PTR " 2b \n\t"
-- 
2.14.2
Commit	Line	Data
76ec7e59	1	From 711a55c9d58955a2bfca89cd25935ca607e49bc0 Mon Sep 17 00:00:00 2001
7c7389df FG	2	From: Jim Mattson <jmattson@google.com>
7c7389df FG	3	Date: Wed, 3 Jan 2018 14:31:38 -0800
e4cdf2a5	4	Subject: [PATCH 232/241] kvm: vmx: Scrub hardware GPRs at VM-exit
7c7389df FG	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	Guest GPR values are live in the hardware GPRs at VM-exit. Do not
	10	leave any guest values in hardware GPRs after the guest GPR values are
	11	saved to the vcpu_vmx structure.
	12
	13	This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
	14	Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
	15
	16	Suggested-by: Eric Northup <digitaleric@google.com>
	17	Signed-off-by: Jim Mattson <jmattson@google.com>
	18	Reviewed-by: Eric Northup <digitaleric@google.com>
	19	Reviewed-by: Benjamin Serebrin <serebrin@google.com>
	20	Reviewed-by: Andrew Honig <ahonig@google.com>
76ec7e59 FG	21	[Paolo: Add AMD bits, Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>]
76ec7e59 FG	22	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
7c7389df FG	23	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7c7389df FG	24	---
76ec7e59	25	arch/x86/kvm/svm.c \| 19 +++++++++++++++++++
7c7389df	26	arch/x86/kvm/vmx.c \| 14 +++++++++++++-
76ec7e59	27	2 files changed, 32 insertions(+), 1 deletion(-)
7c7389df	28
76ec7e59 FG	29	diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
	30	index af09baa3d736..92cd94d51e1f 100644
	31	--- a/arch/x86/kvm/svm.c
	32	+++ b/arch/x86/kvm/svm.c
	33	@@ -4924,6 +4924,25 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
	34	"mov %%r13, %c[r13](%[svm]) \n\t"
	35	"mov %%r14, %c[r14](%[svm]) \n\t"
	36	"mov %%r15, %c[r15](%[svm]) \n\t"
	37	+#endif
	38	+ /*
	39	+ * Clear host registers marked as clobbered to prevent
	40	+ * speculative use.
	41	+ */
	42	+ "xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
	43	+ "xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
	44	+ "xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
	45	+ "xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
	46	+ "xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
	47	+#ifdef CONFIG_X86_64
	48	+ "xor %%r8, %%r8 \n\t"
	49	+ "xor %%r9, %%r9 \n\t"
	50	+ "xor %%r10, %%r10 \n\t"
	51	+ "xor %%r11, %%r11 \n\t"
	52	+ "xor %%r12, %%r12 \n\t"
	53	+ "xor %%r13, %%r13 \n\t"
	54	+ "xor %%r14, %%r14 \n\t"
	55	+ "xor %%r15, %%r15 \n\t"
	56	#endif
	57	"pop %%" _ASM_BP
	58	:
7c7389df FG	59	diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
	60	index d61986a36575..9b4256fd589a 100644
	61	--- a/arch/x86/kvm/vmx.c
	62	+++ b/arch/x86/kvm/vmx.c
	63	@@ -9140,6 +9140,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
	64	/* Save guest registers, load host registers, keep flags */
	65	"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
	66	"pop %0 \n\t"
	67	+ "setbe %c[fail](%0)\n\t"
	68	"mov %%" _ASM_AX ", %c[rax](%0) \n\t"
	69	"mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
	70	__ASM_SIZE(pop) " %c[rcx](%0) \n\t"
	71	@@ -9156,12 +9157,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
	72	"mov %%r13, %c[r13](%0) \n\t"
	73	"mov %%r14, %c[r14](%0) \n\t"
	74	"mov %%r15, %c[r15](%0) \n\t"
	75	+ "xor %%r8d, %%r8d \n\t"
	76	+ "xor %%r9d, %%r9d \n\t"
	77	+ "xor %%r10d, %%r10d \n\t"
	78	+ "xor %%r11d, %%r11d \n\t"
	79	+ "xor %%r12d, %%r12d \n\t"
	80	+ "xor %%r13d, %%r13d \n\t"
	81	+ "xor %%r14d, %%r14d \n\t"
	82	+ "xor %%r15d, %%r15d \n\t"
	83	#endif
	84	"mov %%cr2, %%" _ASM_AX " \n\t"
	85	"mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
	86
	87	+ "xor %%eax, %%eax \n\t"
	88	+ "xor %%ebx, %%ebx \n\t"
	89	+ "xor %%esi, %%esi \n\t"
	90	+ "xor %%edi, %%edi \n\t"
	91	"pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
	92	- "setbe %c[fail](%0) \n\t"
	93	".pushsection .rodata \n\t"
	94	".global vmx_return \n\t"
	95	"vmx_return: " _ASM_PTR " 2b \n\t"
	96	--
	97	2.14.2
	98