KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks

This fixes a Spectre-v1/L1TF vulnerability in x86_decode_insn().
kvm_emulate_instruction() (an ancestor of x86_decode_insn()) is an exported
symbol, so KVM should treat it conservatively from a security perspective.

Fixes: 045a282ca415 ("KVM: emulator: implement fninit, fnstsw, fnstcw")
Signed-off-by: Nick Finco <nifi@google.com>
Signed-off-by: Marios Pomonis <pomonis@google.com>
Reviewed-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index e9833e345a5c5ab5474e728a1dcb0f52f7e0e659..2d4faefe8dd4358549c02674cdcb8e13608a6649 100644 (file)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -5288,10 +5288,15 @@ done_prefixes:
                        }
                        break;
                case Escape:
-                       if (ctxt->modrm > 0xbf)
-                               opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
-                       else
+                       if (ctxt->modrm > 0xbf) {
+                               size_t size = ARRAY_SIZE(opcode.u.esc->high);
+                               u32 index = array_index_nospec(
+                                       ctxt->modrm - 0xc0, size);
+
+                               opcode = opcode.u.esc->high[index];
+                       } else {
                                opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
+                       }
                        break;
                case InstrDual:
                        if ((ctxt->modrm >> 6) == 3)