rebase patches on top of Ubuntu-4.13.0-43.48
1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Andrew Honig <ahonig@google.com>
3 Date: Wed, 10 Jan 2018 10:12:03 -0800
4 Subject: [PATCH] KVM: x86: Add memory barrier on vmcs field lookup
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 commit 75f139aaf896d6fdeec2e468ddfa4b2fe469bf40 upstream.
10
11 This adds a memory barrier when performing a lookup into
12 the vmcs_field_to_offset_table. This is related to
13 CVE-2017-5753.
14
15 Signed-off-by: Andrew Honig <ahonig@google.com>
16 Reviewed-by: Jim Mattson <jmattson@google.com>
17 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
18 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
19 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
20 ---
21 arch/x86/kvm/vmx.c | 12 ++++++++++--
22 1 file changed, 10 insertions(+), 2 deletions(-)
23
24 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
25 index 0510bc11beb2..c79de3ac9d49 100644
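--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -883,8 +883,16 @@ static inline short vmcs_field_to_offset(unsigned long field)
 {
 BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
 
- if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) ||
- vmcs_field_to_offset_table[field] == 0)
+ if (field >= ARRAY_SIZE(vmcs_field_to_offset_table))
+ return -ENOENT;
+
+ /*
+ * FIXME: Mitigation for CVE-2017-5753. To be replaced with a
+ * generic mechanism.
+ */
+ asm("lfence");
+
+ if (vmcs_field_to_offset_table[field] == 0)
 return -ENOENT;
 
 return vmcs_field_to_offset_table[field];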
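Review bot: The `asm("lfence");` added between the bounds check and the read of `vmcs_field_to_offset_table[field]` has no "memory" clobber, so nothing tells the compiler that the table load must stay below it; an asm with no outputs is implicitly volatile, but that alone does not order it against ordinary loads. I would write `asm volatile("lfence" ::: "memory");` so the fence is also a compiler barrier. The FIXME comment should also say what the fence protects, e.g. `/* Speculation barrier: keep the table read from executing with an out-of-range field before the bounds check above resolves. */`, and if this tree carries `array_index_nospec()` the index could be clamped with it instead. The function's closing brace lies outside the hunk.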
47 --
48 2.14.2
49