Commit 3c9053a2 authored Dec 11, 2019 by Marios Pomonis Committed by Paolo Bonzini Jan 27, 2020

KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks



This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
symbol, so KVM should treat it conservatively from a security perspective.

Fixes: 045a282c ("KVM: emulator: implement fninit, fnstsw, fnstcw")

Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent a47970ed

arch/x86/kvm/emulate.c

+8 −3

Original line number	Diff line number	Diff line
		@@ -5288,10 +5288,15 @@ int x86_decode_insn(struct x86_emulate_ctxt ctxt, void insn, int insn_len)
		}
		break;
		case Escape:
		if (ctxt->modrm > 0xbf)
		opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
		else
		if (ctxt->modrm > 0xbf) {
		size_t size = ARRAY_SIZE(opcode.u.esc->high);
		u32 index = array_index_nospec(
		ctxt->modrm - 0xc0, size);

		opcode = opcode.u.esc->high[index];
		} else {
		opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
		}
		break;
		case InstrDual:
		if ((ctxt->modrm >> 6) == 3)