a0f7ab8a6a
cherry-pick from upstream 4.14
50 lines
1.5 KiB
Diff
50 lines
1.5 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Andrew Honig <ahonig@google.com>
|
|
Date: Wed, 10 Jan 2018 10:12:03 -0800
|
|
Subject: [PATCH] KVM: x86: Add memory barrier on vmcs field lookup
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
commit 75f139aaf896d6fdeec2e468ddfa4b2fe469bf40 upstream.
|
|
|
|
This adds a memory barrier when performing a lookup into
|
|
the vmcs_field_to_offset_table. This is related to
|
|
CVE-2017-5753.
|
|
|
|
Signed-off-by: Andrew Honig <ahonig@google.com>
|
|
Reviewed-by: Jim Mattson <jmattson@google.com>
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
---
|
|
arch/x86/kvm/vmx.c | 12 ++++++++++--
|
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
|
|
index d2168203bddc..e6fa3df81fd8 100644
|
|
--- a/arch/x86/kvm/vmx.c
|
|
+++ b/arch/x86/kvm/vmx.c
|
|
@@ -882,8 +882,16 @@ static inline short vmcs_field_to_offset(unsigned long field)
|
|
{
|
|
BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
|
|
|
|
- if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) ||
|
|
- vmcs_field_to_offset_table[field] == 0)
|
|
+ if (field >= ARRAY_SIZE(vmcs_field_to_offset_table))
|
|
+ return -ENOENT;
|
|
+
|
|
+ /*
|
|
+ * FIXME: Mitigation for CVE-2017-5753. To be replaced with a
|
|
+ * generic mechanism.
|
|
+ */
|
|
+ asm("lfence");
|
|
+
|
|
+ if (vmcs_field_to_offset_table[field] == 0)
|
|
return -ENOENT;
|
|
|
|
return vmcs_field_to_offset_table[field];
|
|
--
|
|
2.14.2
|
|
|