kernel_optimize_test/include
Paolo Bonzini 7af299b977 kvm: avoid speculation-based attacks from out-of-range memslot accesses
commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream.

KVM's mechanism for accessing guest memory translates a guest physical
address (gpa) to a host virtual address using the right-shifted gpa
(also known as gfn) and a struct kvm_memory_slot.  The translation is
performed in __gfn_to_hva_memslot using the following formula:

      hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE

It is expected that gfn falls within the boundaries of the guest's
physical memory.  However, a guest can access invalid physical addresses
in such a way that the gfn is invalid.

__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
retrieves a memslot through __gfn_to_memslot.  While __gfn_to_memslot
does check that the gfn falls within the boundaries of the guest's
physical memory or not, a CPU can speculate the result of the check and
continue execution speculatively using an illegal gfn. The speculation
can result in calculating an out-of-bounds hva.  If the resulting host
virtual address is used to load another guest physical address, this
is effectively a Spectre gadget consisting of two consecutive reads,
the second of which is data dependent on the first.

Right now it's not clear if there are any cases in which this is
exploitable.  One interesting case was reported by the original author
of this patch, and involves visiting guest page tables on x86.  Right
now these are not vulnerable because the hva read goes through get_user(),
which contains an LFENCE speculation barrier.  However, there are
patches in progress for x86 uaccess.h to mask kernel addresses instead of
using LFENCE; once these land, a guest could use speculation to read
from the VMM's ring 3 address space.  Other architectures such as ARM
already use the address masking method, and would be susceptible to
this same kind of data-dependent access gadgets.  Therefore, this patch
proactively protects from these attacks by masking out-of-bounds gfns
in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.

Sean Christopherson noted that this patch does not cover
kvm_read_guest_offset_cached.  This however is limited to a few bytes
past the end of the cache, and therefore it is unlikely to be useful in
the context of building a chain of data dependent accesses.

Reported-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Co-developed-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-06-16 12:01:40 +02:00
..
acpi ACPI: scan: Use unique number for instance_no 2021-03-30 14:32:06 +02:00
asm-generic static_call: Allow module use without exposing static_call_key 2021-03-30 14:31:53 +02:00
clocksource
crypto crypto: poly1305 - fix poly1305_core_setkey() declaration 2021-05-14 09:50:13 +02:00
drm
dt-bindings
keys security: keys: trusted: fix TPM2 authorizations 2021-05-14 09:50:20 +02:00
kunit
kvm
linux kvm: avoid speculation-based attacks from out-of-range memslot accesses 2021-06-16 12:01:40 +02:00
math-emu
media media: v4l2-ctrls: fix reference to freed memory 2021-05-11 14:47:39 +02:00
memory
misc
net net: caif: add proper error handling 2021-06-10 13:39:24 +02:00
pcmcia
ras
rdma
scsi Fix misc new gcc warnings 2021-05-11 14:47:36 +02:00
soc
sound ALSA: hda: intel-nhlt: verify config type 2021-03-09 11:11:14 +01:00
target scsi: target: core: Add cmd length set before cmd complete 2021-03-17 17:06:25 +01:00
trace SUNRPC: Remove trace_xprt_transmit_queued 2021-05-19 10:13:03 +02:00
uapi netfilter: xt_SECMARK: add new revision to fix structure layout 2021-05-19 10:13:06 +02:00
vdso
video
xen