[4.14,23/49] kvm: avoid speculation-based attacks from out-of-range memslot accesses

From: Paolo Bonzini <pbonzini@redhat.com>

From: Paolo Bonzini <pbonzini@redhat.com>

commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream.

KVM's mechanism for accessing guest memory translates a guest physical
address (gpa) to a host virtual address using the right-shifted gpa
(also known as gfn) and a struct kvm_memory_slot.  The translation is
performed in __gfn_to_hva_memslot using the following formula:

      hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE

It is expected that gfn falls within the boundaries of the guest's
physical memory.  However, a guest can access invalid physical addresses
in such a way that the gfn is invalid.

__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
retrieves a memslot through __gfn_to_memslot.  While __gfn_to_memslot
does check that the gfn falls within the boundaries of the guest's
physical memory or not, a CPU can speculate the result of the check and
continue execution speculatively using an illegal gfn. The speculation
can result in calculating an out-of-bounds hva.  If the resulting host
virtual address is used to load another guest physical address, this
is effectively a Spectre gadget consisting of two consecutive reads,
the second of which is data dependent on the first.

Right now it's not clear if there are any cases in which this is
exploitable.  One interesting case was reported by the original author
of this patch, and involves visiting guest page tables on x86.  Right
now these are not vulnerable because the hva read goes through get_user(),
which contains an LFENCE speculation barrier.  However, there are
patches in progress for x86 uaccess.h to mask kernel addresses instead of
using LFENCE; once these land, a guest could use speculation to read
from the VMM's ring 3 address space.  Other architectures such as ARM
already use the address masking method, and would be susceptible to
this same kind of data-dependent access gadgets.  Therefore, this patch
proactively protects from these attacks by masking out-of-bounds gfns
in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.

Sean Christopherson noted that this patch does not cover
kvm_read_guest_offset_cached.  This however is limited to a few bytes
past the end of the cache, and therefore it is unlikely to be useful in
the context of building a chain of data dependent accesses.

Reported-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Co-developed-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/kvm_host.h |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Message ID	20210614102642.628329913@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 47C82C48BE8 for <stable@archiver.kernel.org>; Mon, 14 Jun 2021 10:39:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 27C1661004 for <stable@archiver.kernel.org>; Mon, 14 Jun 2021 10:39:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233152AbhFNKlZ (ORCPT <rfc822;stable@archiver.kernel.org>); Mon, 14 Jun 2021 06:41:25 -0400 Received: from mail.kernel.org ([198.145.29.99]:46840 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233964AbhFNKjV (ORCPT <rfc822;stable@vger.kernel.org>); Mon, 14 Jun 2021 06:39:21 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E2925613DE; Mon, 14 Jun 2021 10:34:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623666848; bh=IzP+zjdyfA44WrSx2mr8hcZVCnLv+rDj6ZWbVWdx618=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZN7DFtafis4OzULG7XDI7bC3TPTa31OGzsEHOUJ/+nnQUTBolenr+l/yAZHX0xvhu SfrbiG1mXu1jQPHeUHW4GXiOpWuoUG+YkzJgj1DO4fslwcRtxHl50+DAeMfeH3NVet RBADZVsus2MOpzri8gtHi6RT1m3bazwWvx5JU6Dw= From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Artemiy Margaritov <artemiy.margaritov@gmail.com>, Paolo Bonzini <pbonzini@redhat.com> Subject: [PATCH 4.14 23/49] kvm: avoid speculation-based attacks from out-of-range memslot accesses Date: Mon, 14 Jun 2021 12:27:16 +0200 Message-Id: <20210614102642.628329913@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210614102641.857724541@linuxfoundation.org> References: <20210614102641.857724541@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: <stable.vger.kernel.org> X-Mailing-List: stable@vger.kernel.org
Series	None \| expand [4.14,02/49] net/nfc/rawsock.c: fix a permission check bug [4.14,04/49] isdn: mISDN: netjet: Fix crash in nj_probe: [4.14,05/49] bonding: init notify_work earlier to avoid uninitialized use [4.14,06/49] netlink: disable IRQs for netlink_lock_table() [4.14,11/49] scsi: vmw_pvscsi: Set correct residual data length [4.14,12/49] scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal [4.14,13/49] net: macb: ensure the device is available before accessing GEMGXL control registers [4.14,16/49] bnx2x: Fix missing error code in bnx2x_iov_init_one() [4.14,19/49] i2c: mpc: Make use of i2c_recover_bus() [4.14,20/49] i2c: mpc: implement erratum A-004447 workaround [4.14,22/49] drm: Lock pointer access in drm_master_release() [4.14,23/49] kvm: avoid speculation-based attacks from out-of-range memslot accesses [4.14,27/49] USB: f_ncm: ncm_bitrate (speed) is unsigned [4.14,28/49] usb: dwc3: ep0: fix NULL pointer exception [4.14,30/49] usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind [4.14,34/49] usb: gadget: eem: fix wrong eem header operation [4.14,35/49] usb: fix various gadgets null ptr deref on 10gbps cabling. [4.14,37/49] regulator: core: resolve supply for boot-on/always-on regulators [4.14,39/49] perf: Fix data race between pin_count increment/decrement [4.14,40/49] NFS: Fix a potential NULL dereference in nfs_get_client() [4.14,41/49] perf session: Correct buffer copying when peeking events [4.14,43/49] NFS: Fix use-after-free in nfs4_init_client() [4.14,45/49] scsi: core: Fix error handling of scsi_host_alloc() [4.14,46/49] scsi: core: Put .shost_dev in failure path if host state changes to RUNNING [4.14,48/49] ftrace: Do not blindly read the ip address in ftrace_bug()

[4.14,23/49] kvm: avoid speculation-based attacks from out-of-range memslot accesses

Commit Message

Patch