From c59a61438e9a8f24a50171ac9d3b98e8f3719d07 Mon Sep 17 00:00:00 2001
From: Jim Mattson <jmattson@google.com>
Date: Wed, 3 Jan 2018 14:31:38 -0800
Subject: [PATCH 232/233] kvm: vmx: Scrub hardware GPRs at VM-exit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guest GPR values are live in the hardware GPRs at VM-exit. Do not
leave any guest values in hardware GPRs after the guest GPR values are
saved to the vcpu_vmx structure.
This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
Suggested-by: Eric Northup <digitaleric@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Eric Northup <digitaleric@google.com>
Reviewed-by: Benjamin Serebrin <serebrin@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
arch/x86/kvm/vmx.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d61986a36575..9b4256fd589a 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -9140,6 +9140,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
/* Save guest registers, load host registers, keep flags */
"mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
"pop %0 \n\t"
+ "setbe %c[fail](%0)\n\t"
"mov %%" _ASM_AX ", %c[rax](%0) \n\t"
"mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
__ASM_SIZE(pop) " %c[rcx](%0) \n\t"
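Review bot: The relocated `setbe %c[fail](%0)` now relies on an ordering rule that nothing in the asm states: it has to run after `pop %0` restores the pointer but before any flag-writing instruction, and the `xor` scrubbing added further down in this same asm block overwrites the flags. The existing "keep flags" comment does not say for how long, so I would add a line such as `/* Latch VM-entry failure now; the GPR scrubbing below clobbers EFLAGS */` directly above it. As a style point, the new line drops the space before `\n\t` that the neighbouring lines carry. vmx_vcpu_run starts and ends outside this hunk, so the instruction that sets the flags is not visible here.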
@@ -9156,12 +9157,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
"mov %%r13, %c[r13](%0) \n\t"
"mov %%r14, %c[r14](%0) \n\t"
"mov %%r15, %c[r15](%0) \n\t"
+ "xor %%r8d, %%r8d \n\t"
+ "xor %%r9d, %%r9d \n\t"
+ "xor %%r10d, %%r10d \n\t"
+ "xor %%r11d, %%r11d \n\t"
+ "xor %%r12d, %%r12d \n\t"
+ "xor %%r13d, %%r13d \n\t"
+ "xor %%r14d, %%r14d \n\t"
+ "xor %%r15d, %%r15d \n\t"
#endif
"mov %%cr2, %%" _ASM_AX " \n\t"
"mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
+ "xor %%eax, %%eax \n\t"
+ "xor %%ebx, %%ebx \n\t"
+ "xor %%esi, %%esi \n\t"
+ "xor %%edi, %%edi \n\t"
"pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
- "setbe %c[fail](%0) \n\t"
".pushsection .rodata \n\t"
".global vmx_return \n\t"
"vmx_return: " _ASM_PTR " 2b \n\t"
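Review bot: The new `xor` runs carry no comment explaining why the registers are zeroed or why RCX, RDX, RBP and RSP are absent from the list, which makes the scrub hard to audit for completeness. A comment above the first `xor` such as `/* Zero guest-controlled GPRs so host code cannot speculatively consume them (CVE 2017-5715, CVE 2017-5753) */` would record the intent, and one more noting that the omitted registers are reloaded with host values by the surrounding `pop`s would close the gap; that second claim is inferred, since the operand bound to `%0` is declared outside the hunk. It is also worth saying that the 32-bit forms are deliberate, because writing `%eax` or `%r8d` zero-extends into the full 64-bit register. The clobber list is outside this hunk as well, so confirm it names every register zeroed here.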
--
2.14.2