From patchwork Wed Jul 17 16:02:55 2019
X-Patchwork-Submitter: Jan Beulich
X-Patchwork-Id: 11048077
From: Jan Beulich
To: xen-devel@lists.xenproject.org
Cc: Andrew Cooper, Wei Liu, Roger Pau Monné
Subject: [Xen-devel] [PATCH v2] x86/vLAPIC: avoid speculative out of bounds accesses
Date: Wed, 17 Jul 2019 16:02:55 +0000
Message-ID: <8ef6318e-83ca-780d-8472-9f617eae4896@suse.com>

Array indexes used in the MSR read/write emulation functions as well as the direct VMX / APIC-V hook are derived from guest controlled values. Restrict their ranges to limit the side effects of speculative execution.

Along these lines also constrain the vlapic_lvt_mask[] access.

Remove the unused vlapic_lvt_{vector,dm}() instead of adjusting them.

This is part of the speculative hardening effort.
Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- v2: Drop changes to vlapic_mmio_{read,write}(). Drop VLAPIC_OFFSET_MASK(). Also tweak guest_wrmsr_x2apic(). --- a/xen/arch/x86/hvm/vlapic.c +++ b/xen/arch/x86/hvm/vlapic.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -65,12 +66,6 @@ static const unsigned int vlapic_lvt_mas LVT_MASK }; -#define vlapic_lvt_vector(vlapic, lvt_type) \ - (vlapic_get_reg(vlapic, lvt_type) & APIC_VECTOR_MASK) - -#define vlapic_lvt_dm(vlapic, lvt_type) \ - (vlapic_get_reg(vlapic, lvt_type) & APIC_MODE_MASK) - #define vlapic_lvtt_period(vlapic) \ ((vlapic_get_reg(vlapic, APIC_LVTT) & APIC_TIMER_MODE_MASK) \ == APIC_TIMER_MODE_PERIODIC) @@ -676,7 +671,7 @@ int guest_rdmsr_x2apic(const struct vcpu }; const struct vlapic *vlapic = vcpu_vlapic(v); uint64_t high = 0; - uint32_t reg = msr - MSR_X2APIC_FIRST, offset = reg << 4; + uint32_t reg = msr - MSR_X2APIC_FIRST, offset; /* * The read side looks as if it might be safe to use outside of current @@ -686,9 +681,14 @@ int guest_rdmsr_x2apic(const struct vcpu ASSERT(v == current); if ( !vlapic_x2apic_mode(vlapic) || - (reg >= sizeof(readable) * 8) || !test_bit(reg, readable) ) + (reg >= sizeof(readable) * 8) ) + return X86EMUL_EXCEPTION; + + reg = array_index_nospec(reg, sizeof(readable) * 8); + if ( !test_bit(reg, readable) ) return X86EMUL_EXCEPTION; + offset = reg << 4; if ( offset == APIC_ICR ) high = (uint64_t)vlapic_read_aligned(vlapic, APIC_ICR2) << 32; @@ -867,7 +867,7 @@ void vlapic_reg_write(struct vcpu *v, un case APIC_LVTERR: /* LVT Error Reg */ if ( vlapic_sw_disabled(vlapic) ) val |= APIC_LVT_MASKED; - val &= vlapic_lvt_mask[(reg - APIC_LVTT) >> 4]; + val &= array_access_nospec(vlapic_lvt_mask, (reg - APIC_LVTT) >> 4); vlapic_set_reg(vlapic, reg, val); if ( reg == APIC_LVT0 ) { 
@@ -957,7 +957,7 @@ static int vlapic_mmio_write(struct vcpu int vlapic_apicv_write(struct vcpu *v, unsigned int offset) { struct vlapic *vlapic = vcpu_vlapic(v); - uint32_t val = vlapic_get_reg(vlapic, offset); + uint32_t val = vlapic_get_reg(vlapic, offset & ~0xf); if ( vlapic_x2apic_mode(vlapic) ) { @@ -1053,7 +1053,7 @@ int guest_wrmsr_x2apic(struct vcpu *v, u } } - vlapic_reg_write(v, offset, msr_content); + vlapic_reg_write(v, array_index_nospec(offset, PAGE_SIZE), msr_content); return X86EMUL_OKAY; }
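Review bot: the split of the combined condition into two `if`s in guest_rdmsr_x2apic() is the whole point of that hunk but carries no comment, and a later cleanup will be tempted to fold `(reg >= sizeof(readable) * 8)` and `!test_bit(reg, readable)` back into one test. Suggest a one-line comment above `reg = array_index_nospec(reg, sizeof(readable) * 8);` saying the clamp has to sit between the architectural bound check and the first dependent access (`test_bit()`), and that `offset = reg << 4;` is deliberately computed from the clamped value so that `vlapic_read_aligned()` and the `offset == APIC_ICR` comparison use it as well.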
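Review bot: `array_access_nospec(vlapic_lvt_mask, (reg - APIC_LVTT) >> 4)` in vlapic_reg_write() bounds the lookup against the array size, but the index itself still rests on the LVT registers being contiguous at a 16-byte stride starting at APIC_LVTT, which the hunk shows only through the `case APIC_LVTERR:` label. Worth a comment at the vlapic_lvt_mask[] definition, or a BUILD_BUG_ON() relating ARRAY_SIZE(vlapic_lvt_mask) to the APIC_LVTT..APIC_LVTERR range, so that an added LVT entry cannot silently shift the mask table against the register numbering.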
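Review bot: in vlapic_apicv_write(), `offset & ~0xf` only aligns the offset to a 16-byte register slot; it does not restrict its range the way the commit message describes ("Restrict their ranges"), and it differs from the `array_index_nospec(offset, PAGE_SIZE)` used for the same kind of value in guest_wrmsr_x2apic(). If the caller guarantees `offset < PAGE_SIZE` so that only the low bits need cleaning before `vlapic_get_reg()`, say so in a comment next to the masking; otherwise the clamp used on the wrmsr path looks like the right tool here too. Since the v2 note says VLAPIC_OFFSET_MASK() was dropped, the open-coded `~0xf` also deserves a short comment on what it masks.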
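Review bot: `array_index_nospec(offset, PAGE_SIZE)` at the final `vlapic_reg_write()` call in guest_wrmsr_x2apic() only helps if `offset < PAGE_SIZE` has already been established architecturally earlier in the function, and the hunk's context (`} }`) does not show that check. Please confirm the earlier part of the function bounds `offset` before any use of it, and consider clamping once where `offset` is derived from the MSR number rather than at the last consumer, so that any earlier use of `offset` in the same function is covered as well.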
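The check-then-clamp ordering that guest_rdmsr_x2apic() and guest_wrmsr_x2apic() rely on, as an added, self-contained C example; this is not Xen's code, and instead of the arch-specific array_index_nospec() helper the patch calls it uses the portable mask idiom (all-ones mask when index < size, zero otherwise). The x2APIC MSR base, the 256-register count, the APIC page size and the contents of the `readable` bitmap are constructed for the demo, and the names `index_nospec()`, `x2apic_rdmsr_offset()` and `apic_page_offset_nospec()` are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/*
 * Portable C version of the "mask and index" idiom behind array_index_nospec():
 * returns all ones when index < size and zero otherwise, with no branch, so a
 * mispredicted bounds check cannot steer a later load with an out-of-range
 * index. Assumes index and size are both below LONG_MAX (the sign bit of the
 * wrapped difference is what drives the mask).
 */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1 - index)) >> (BITS_PER_LONG - 1);
}

static inline unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Assumed layout for the demo (not taken from the patch): 256 x2APIC MSRs
 * starting at 0x800, each mapping to a 16-byte register slot in a 4 KiB page. */
#define X2APIC_MSR_FIRST 0x800U
#define X2APIC_NR_REGS   256U
#define APIC_PAGE_SIZE   4096U

/* Constructed bitmap: only register numbers 0x02, 0x03, 0x30 and 0x3e are readable here. */
static const uint8_t readable[X2APIC_NR_REGS / 8] = { [0] = 0x0c, [6] = 0x01, [7] = 0x40 };

enum { RDMSR_OK = 0, RDMSR_GP = -1 };

/* Pre-patch shape: architecturally correct, but 'reg' flows straight into the
 * bitmap load under a predicted-not-taken bound check. */
int x2apic_rdmsr_offset_unclamped(uint32_t msr, uint32_t *offset)
{
    uint32_t reg = msr - X2APIC_MSR_FIRST;   /* wraps for msr < first, rejected below */

    if (reg >= X2APIC_NR_REGS || !(readable[reg / 8] & (1u << (reg % 8))))
        return RDMSR_GP;
    *offset = reg << 4;
    return RDMSR_OK;
}

/* Hardened shape, mirroring the patch: architectural bound check first, then
 * the speculative clamp, then the first data-dependent access (the bitmap
 * lookup); 'offset' is derived from the clamped register number. */
int x2apic_rdmsr_offset(uint32_t msr, uint32_t *offset)
{
    uint32_t reg = msr - X2APIC_MSR_FIRST;

    if (reg >= X2APIC_NR_REGS)
        return RDMSR_GP;

    reg = (uint32_t)index_nospec(reg, X2APIC_NR_REGS);

    if (!(readable[reg / 8] & (1u << (reg % 8))))
        return RDMSR_GP;

    *offset = reg << 4;
    return RDMSR_OK;
}

/* Same idiom for a byte offset into the APIC page, as at the vlapic_reg_write()
 * call in the wrmsr path; the caller must already have checked offset < page. */
uint32_t apic_page_offset_nospec(uint32_t offset)
{
    return (uint32_t)index_nospec(offset, APIC_PAGE_SIZE);
}

int main(void)
{
    uint32_t off = 0;

    printf("mask(5,8)=%lx mask(8,8)=%lx\n",
           index_mask_nospec(5, 8), index_mask_nospec(8, 8));
    printf("rdmsr 0x830 -> %d, offset 0x%x\n", x2apic_rdmsr_offset(0x830, &off), off);
    printf("rdmsr 0x900 -> %d\n", x2apic_rdmsr_offset(0x900, &off));
    return 0;
}
```

The clamp is only meaningful after the real bound check has executed architecturally: index_nospec() on an unchecked value would silently turn an invalid register number into register 0 instead of faulting, which is why the hardened function keeps the early return and applies the mask afterwards.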