Message ID | 20191211204753.242298-8-pomonis@google.com (mailing list archive) |
---|---|
State | New, archived |
Series | KVM: x86: Extend Spectre-v1 mitigation |
On Wed, Dec 11, 2019 at 12:48 PM Marios Pomonis <pomonis@google.com> wrote:
>
> This fixes a Spectre-v1/L1TF vulnerability in fixed_msr_to_seg_unit().
> This function contains index computations based on the
> (attacker-controlled) MSR number.
>
> Fixes: commit de9aef5e1ad6 ("KVM: MTRR: introduce fixed_mtrr_segment table")
>
> Signed-off-by: Nick Finco <nifi@google.com>
> Signed-off-by: Marios Pomonis <pomonis@google.com>
> Reviewed-by: Andrew Honig <ahonig@google.com>
> Cc: stable@vger.kernel.org

Reviewed-by: Jim Mattson <jmattson@google.com>

diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c index 25ce3edd1872..7f0059aa30e1 100644 --- a/arch/x86/kvm/mtrr.c +++ b/arch/x86/kvm/mtrr.c @@ -192,11 +192,15 @@ static bool fixed_msr_to_seg_unit(u32 msr, int *seg, int *unit) break; case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000: *seg = 1; - *unit = msr - MSR_MTRRfix16K_80000; + *unit = array_index_nospec( + msr - MSR_MTRRfix16K_80000, + MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1); break; case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000: *seg = 2; - *unit = msr - MSR_MTRRfix4K_C0000; + *unit = array_index_nospec( + msr - MSR_MTRRfix4K_C0000, + MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1); break; default: return false;
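
Review bot: In both hardened cases (MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000 and MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000) the size argument to array_index_nospec() restates the case-range bounds by hand as "last - first + 1", so a later change to either range has to be mirrored in the clamp or the two silently diverge. Deriving the size from one place, for example a small local macro taking the first and last MSR of the range, would keep the case label and the clamp in sync. A one-line comment above each clamp would also help: the case label already bounds msr on the architectural path, so without a note that the clamp is there for the speculative path a future cleanup could remove it as redundant. The hunk does not show where *seg and *unit are consumed, so it is worth confirming that callers of fixed_msr_to_seg_unit() index only through the clamped *unit and do not recompute an offset from msr.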