[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen staging] x86/hvm: block speculative out-of-bound accesses
commit f178a00c30173c0b268d99160e19ad299b1823a2 Author: Norbert Manthey <nmanthey@xxxxxxxxx> AuthorDate: Tue Feb 12 15:20:15 2019 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Feb 12 15:20:15 2019 +0100 x86/hvm: block speculative out-of-bound accesses There are multiple arrays in the HVM interface that are accessed with indices that are provided by the guest. To avoid speculative out-of-bound accesses, we use the array_index_nospec macro. When blocking speculative out-of-bound accesses, we can classify arrays into dynamic arrays and static arrays. Where the former are allocated during run time, the size of the latter is known during compile time. On static arrays, compiler might be able to block speculative accesses in the future. This is part of the speculative hardening effort. Reported-by: Pawel Wieczorkiewicz <wipawel@xxxxxxxxx> Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Release-acked-by: Juergen Gross <jgross@xxxxxxxx> --- xen/arch/x86/hvm/hvm.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 21944e9306..410623d437 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -37,6 +37,7 @@ #include <xen/monitor.h> #include <xen/warning.h> #include <xen/vpci.h> +#include <xen/nospec.h> #include <asm/shadow.h> #include <asm/hap.h> #include <asm/current.h> @@ -2092,7 +2093,7 @@ int hvm_mov_from_cr(unsigned int cr, unsigned int gpr) case 2: case 3: case 4: - val = curr->arch.hvm.guest_cr[cr]; + val = array_access_nospec(curr->arch.hvm.guest_cr, cr); break; case 8: val = (vlapic_get_reg(vcpu_vlapic(curr), APIC_TASKPRI) & 0xf0) >> 4; @@ -3438,13 +3439,15 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t *msr_content) if ( !d->arch.cpuid->basic.mtrr ) goto gp_fault; index = msr - MSR_MTRRfix16K_80000; - *msr_content = fixed_range_base[index + 1]; + *msr_content = fixed_range_base[array_index_nospec(index + 1, + ARRAY_SIZE(v->arch.hvm.mtrr.fixed_ranges))]; break; case MSR_MTRRfix4K_C0000...MSR_MTRRfix4K_F8000: if ( !d->arch.cpuid->basic.mtrr ) goto gp_fault; index = msr - MSR_MTRRfix4K_C0000; - *msr_content = fixed_range_base[index + 3]; + *msr_content = fixed_range_base[array_index_nospec(index + 3, + ARRAY_SIZE(v->arch.hvm.mtrr.fixed_ranges))]; break; case MSR_IA32_MTRR_PHYSBASE(0)...MSR_IA32_MTRR_PHYSMASK(MTRR_VCNT_MAX - 1): if ( !d->arch.cpuid->basic.mtrr ) @@ -3453,7 +3456,9 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t *msr_content) if ( (index / 2) >= MASK_EXTR(v->arch.hvm.mtrr.mtrr_cap, MTRRcap_VCNT) ) goto gp_fault; - *msr_content = var_range_base[index]; + *msr_content = var_range_base[array_index_nospec(index, + 2 * MASK_EXTR(v->arch.hvm.mtrr.mtrr_cap, + MTRRcap_VCNT))]; break; case MSR_IA32_XSS: @@ -4016,7 +4021,7 @@ static int hvmop_set_evtchn_upcall_vector( if ( op.vector < 0x10 ) return -EINVAL; - if ( op.vcpu >= d->max_vcpus || (v = d->vcpu[op.vcpu]) == NULL ) + if ( (v = domain_vcpu(d, op.vcpu)) == NULL ) return -ENOENT; printk(XENLOG_G_INFO "%pv: upcall vector %02x\n", v, op.vector); -- generated by git-patchbot for /home/xen/git/xen.git#staging _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |