155 lines
3.4 KiB
Diff
155 lines
3.4 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Tim Chen <tim.c.chen@linux.intel.com>
|
|
Date: Fri, 20 Oct 2017 17:05:54 -0700
|
|
Subject: [PATCH] x86/kvm: Pad RSB on VM transition
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
CVE-2017-5753
|
|
CVE-2017-5715
|
|
|
|
Add code to pad the local CPU's RSB entries to protect
|
|
from previous less privilege mode.
|
|
|
|
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
|
|
Signed-off-by: Andy Whitcroft <apw@canonical.com>
|
|
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
|
(cherry picked from commit 5369368d3520addb2ffb2413cfa7e8f3efe2e31d)
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
---
|
|
arch/x86/include/asm/kvm_host.h | 103 ++++++++++++++++++++++++++++++++++++++++
|
|
arch/x86/kvm/vmx.c | 2 +
|
|
2 files changed, 105 insertions(+)
|
|
|
|
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
|
|
index 1953c0a5b972..4117a97228a2 100644
|
|
--- a/arch/x86/include/asm/kvm_host.h
|
|
+++ b/arch/x86/include/asm/kvm_host.h
|
|
@@ -125,6 +125,109 @@ static inline gfn_t gfn_to_index(gfn_t gfn, gfn_t base_gfn, int level)
|
|
|
|
#define ASYNC_PF_PER_VCPU 64
|
|
|
|
+static inline void stuff_RSB(void)
|
|
+{
|
|
+ __asm__ __volatile__(" \n\
|
|
+ call .label1 \n\
|
|
+ pause \n\
|
|
+.label1: \n\
|
|
+ call .label2 \n\
|
|
+ pause \n\
|
|
+.label2: \n\
|
|
+ call .label3 \n\
|
|
+ pause \n\
|
|
+.label3: \n\
|
|
+ call .label4 \n\
|
|
+ pause \n\
|
|
+.label4: \n\
|
|
+ call .label5 \n\
|
|
+ pause \n\
|
|
+.label5: \n\
|
|
+ call .label6 \n\
|
|
+ pause \n\
|
|
+.label6: \n\
|
|
+ call .label7 \n\
|
|
+ pause \n\
|
|
+.label7: \n\
|
|
+ call .label8 \n\
|
|
+ pause \n\
|
|
+.label8: \n\
|
|
+ call .label9 \n\
|
|
+ pause \n\
|
|
+.label9: \n\
|
|
+ call .label10 \n\
|
|
+ pause \n\
|
|
+.label10: \n\
|
|
+ call .label11 \n\
|
|
+ pause \n\
|
|
+.label11: \n\
|
|
+ call .label12 \n\
|
|
+ pause \n\
|
|
+.label12: \n\
|
|
+ call .label13 \n\
|
|
+ pause \n\
|
|
+.label13: \n\
|
|
+ call .label14 \n\
|
|
+ pause \n\
|
|
+.label14: \n\
|
|
+ call .label15 \n\
|
|
+ pause \n\
|
|
+.label15: \n\
|
|
+ call .label16 \n\
|
|
+ pause \n\
|
|
+.label16: \n\
|
|
+ call .label17 \n\
|
|
+ pause \n\
|
|
+.label17: \n\
|
|
+ call .label18 \n\
|
|
+ pause \n\
|
|
+.label18: \n\
|
|
+ call .label19 \n\
|
|
+ pause \n\
|
|
+.label19: \n\
|
|
+ call .label20 \n\
|
|
+ pause \n\
|
|
+.label20: \n\
|
|
+ call .label21 \n\
|
|
+ pause \n\
|
|
+.label21: \n\
|
|
+ call .label22 \n\
|
|
+ pause \n\
|
|
+.label22: \n\
|
|
+ call .label23 \n\
|
|
+ pause \n\
|
|
+.label23: \n\
|
|
+ call .label24 \n\
|
|
+ pause \n\
|
|
+.label24: \n\
|
|
+ call .label25 \n\
|
|
+ pause \n\
|
|
+.label25: \n\
|
|
+ call .label26 \n\
|
|
+ pause \n\
|
|
+.label26: \n\
|
|
+ call .label27 \n\
|
|
+ pause \n\
|
|
+.label27: \n\
|
|
+ call .label28 \n\
|
|
+ pause \n\
|
|
+.label28: \n\
|
|
+ call .label29 \n\
|
|
+ pause \n\
|
|
+.label29: \n\
|
|
+ call .label30 \n\
|
|
+ pause \n\
|
|
+.label30: \n\
|
|
+ call .label31 \n\
|
|
+ pause \n\
|
|
+.label31: \n\
|
|
+ call .label32 \n\
|
|
+ pause \n\
|
|
+.label32: \n\
|
|
+ add $(32*8), %%rsp \n\
|
|
+": : :"memory");
|
|
+}
|
|
+
|
|
enum kvm_reg {
|
|
VCPU_REGS_RAX = 0,
|
|
VCPU_REGS_RCX = 1,
|
|
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
|
|
index 57d538fc7c75..496884b6467f 100644
|
|
--- a/arch/x86/kvm/vmx.c
|
|
+++ b/arch/x86/kvm/vmx.c
|
|
@@ -9228,6 +9228,8 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
|
|
#endif
|
|
);
|
|
|
|
+ stuff_RSB();
|
|
+
|
|
/* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */
|
|
if (debugctlmsr)
|
|
update_debugctlmsr(debugctlmsr);
|
|
--
|
|
2.14.2
|
|
|