3.16.84-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marios Pomonis <pomo...@google.com>

commit 3c9053a2cae7ba2ba73766a34cea41baa70f57f7 upstream.

This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
symbol, so KVM should treat it conservatively from a security perspective.

Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw")

Signed-off-by: Nick Finco <n...@google.com>
Signed-off-by: Marios Pomonis <pomo...@google.com>
Reviewed-by: Andrew Honig <aho...@google.com>
Reviewed-by: Jim Mattson <jmatt...@google.com>
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
[bwh: Backported to 3.16: Add #include <linux/nospec.h>]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
 arch/x86/kvm/emulate.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -26,6 +26,7 @@
 #include <asm/kvm_emulate.h>
 #include <linux/stringify.h>
 #include <asm/nospec-branch.h>
+#include <linux/nospec.h>
 
 #include "x86.h"
 #include "tss.h"
@@ -4487,10 +4488,15 @@ done_prefixes:
                        }
                        break;
                case Escape:
-                       if (ctxt->modrm > 0xbf)
-                               opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
-                       else
+                       if (ctxt->modrm > 0xbf) {
+                               size_t size = ARRAY_SIZE(opcode.u.esc->high);
+                               u32 index = array_index_nospec(
+                                       ctxt->modrm - 0xc0, size);
+
+                               opcode = opcode.u.esc->high[index];
+                       } else {
                                opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 
7];
+                       }
                        break;
                default:
                        return EMULATION_FAILED;

Reply via email to