Package: qemu-system-x86 Severity: grave Tags: security These are not upstreamed due to the embargo period, but I'm attaching the 3.1 patches from Ubuntu 19.04.
Cheers, Moritz
>From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini <pbonz...@redhat.com> Date: Fri, 1 Mar 2019 21:40:52 +0100 Subject: [qemu PATCH] target/i386: define md-clear bit md-clear is a new CPUID bit which is set when microcode provides the mechanism to invoke a flush of various exploitable CPU buffers by invoking the VERW instruction. Add the new feature, and pass it down to Hypervisor.framework guests. Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> [Backported to qemu 3.1 - sbeattie] --- The last hunk is only needed for OS X, but anyway this is going to be the patch that will be committed upstream. CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 target/i386/cpu.c | 2 +- target/i386/cpu.h | 1 + target/i386/hvf/x86_cpuid.c | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index d990070c59..16da90562c 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1075,7 +1075,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .feat_names = { NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, + NULL, NULL, "md-clear", NULL, NULL, NULL, NULL, NULL, NULL, NULL, "pconfig", NULL, NULL, NULL, NULL, NULL, diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 26412f15eb..cbfab1a421 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -692,6 +692,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ +#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ #define CPUID_7_0_EDX_PCONFIG (1U << 18) /* Platform Configuration */ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c index 9874a46e92..f76ba50424 100644 --- a/target/i386/hvf/x86_cpuid.c +++ b/target/i386/hvf/x86_cpuid.c @@ -103,7 +103,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, } ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; - edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; + edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ + CPUID_7_0_EDX_MD_CLEAR; } else { ebx = 0; ecx = 0; -- 2.20.1
From: Paolo Bonzini <pbonz...@redhat.com> Subject: [PATCH] target/i386: add MDS-NO feature Microarchitectural Data Sampling is a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. Some Intel processors use the ARCH_CAP_MDS_NO bit in the IA32_ARCH_CAPABILITIES MSR to report that they are not vulnerable, make it available to guests. Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> -- CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 722c5514d4..558347e6c3 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1184,7 +1184,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .type = MSR_FEATURE_WORD, .feat_names = { "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", - "ssb-no", NULL, NULL, NULL, + "ssb-no", "mds-no", NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,