[thirdparty/kernel/stable-queue.git] /

From 25a5edea71b7c154b6a0b8cec14c711cafa31d26 Mon Sep 17 00:00:00 2001
From: Marios Pomonis <pomonis@google.com>
Date: Wed, 11 Dec 2019 12:47:47 -0800
Subject: KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks

From: Marios Pomonis <pomonis@google.com>

commit 25a5edea71b7c154b6a0b8cec14c711cafa31d26 upstream.

This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit().
This function contains index computations based on the
(attacker-controlled) MSR number.

Fixes: de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table")

Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/mtrr.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/mtrr.c
+++ b/arch/x86/kvm/mtrr.c
@@ -202,11 +202,15 @@ static bool fixed_msr_to_seg_unit(u32 ms
                break;
        case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000:
                *seg = 1;
-               *unit = msr - MSR_MTRRfix16K_80000;
+               *unit = array_index_nospec(
+                       msr - MSR_MTRRfix16K_80000,
+                       MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1);
                break;
        case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000:
                *seg = 2;
-               *unit = msr - MSR_MTRRfix4K_C0000;
+               *unit = array_index_nospec(
+                       msr - MSR_MTRRfix4K_C0000,
+                       MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1);
                break;
        default:
                return false;