Paolo Bonzini 361ce3b917 kvm: avoid speculation-based attacks from out-of-range memslot accesses
commit da27a83fd6 upstream.

KVM's mechanism for accessing guest memory translates a guest physical
address (gpa) to a host virtual address using the right-shifted gpa
(also known as gfn) and a struct kvm_memory_slot.  The translation is
performed in __gfn_to_hva_memslot using the following formula:

      hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE

It is expected that gfn falls within the boundaries of the guest's
physical memory.  However, a guest can access invalid physical addresses
in such a way that the gfn is invalid.

__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
retrieves a memslot through __gfn_to_memslot.  While __gfn_to_memslot
does check that the gfn falls within the boundaries of the guest's
physical memory or not, a CPU can speculate the result of the check and
continue execution speculatively using an illegal gfn. The speculation
can result in calculating an out-of-bounds hva.  If the resulting host
virtual address is used to load another guest physical address, this
is effectively a Spectre gadget consisting of two consecutive reads,
the second of which is data dependent on the first.

Right now it's not clear if there are any cases in which this is
exploitable.  One interesting case was reported by the original author
of this patch, and involves visiting guest page tables on x86.  Right
now these are not vulnerable because the hva read goes through get_user(),
which contains an LFENCE speculation barrier.  However, there are
patches in progress for x86 uaccess.h to mask kernel addresses instead of
using LFENCE; once these land, a guest could use speculation to read
from the VMM's ring 3 address space.  Other architectures such as ARM
already use the address masking method, and would be susceptible to
this same kind of data-dependent access gadgets.  Therefore, this patch
proactively protects from these attacks by masking out-of-bounds gfns
in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.

Sean Christopherson noted that this patch does not cover
kvm_read_guest_offset_cached.  This however is limited to a few bytes
past the end of the cache, and therefore it is unlikely to be useful in
the context of building a chain of data dependent accesses.

Reported-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Co-developed-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-06-16 11:53:02 +02:00
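
The masking idea from the commit message above, as an added user-space example; it is not code from the commit or from the kernel. The struct `memslot_model`, the helper names, and the 4 KiB page size are assumptions made for illustration, and the slot values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12 /* assumption: 4 KiB pages */

/* Hypothetical stand-in for struct kvm_memory_slot; only the fields the formula uses. */
struct memslot_model {
    uint64_t base_gfn;       /* first guest frame number covered by the slot */
    uint64_t npages;         /* number of pages in the slot */
    uint64_t userspace_addr; /* host virtual address backing base_gfn */
};

/* All ones when index < size, zero otherwise; there is no branch to mispredict.
 * Holds for size <= 2^63. Production code must also keep the compiler
 * from converting this arithmetic back into a conditional branch. */
static uint64_t index_mask(uint64_t index, uint64_t size)
{
    return ((index | (size - 1 - index)) >> 63) - 1;
}

/* The formula as written: relies entirely on the caller's bounds check. */
static uint64_t gfn_to_hva_unmasked(const struct memslot_model *s, uint64_t gfn)
{
    return s->userspace_addr + ((gfn - s->base_gfn) << PAGE_SHIFT);
}

/* Masked form: an out-of-range offset collapses to 0, so the computed hva
 * stays inside the slot even if the earlier bounds check was speculated past. */
static uint64_t gfn_to_hva_masked(const struct memslot_model *s, uint64_t gfn)
{
    uint64_t off = gfn - s->base_gfn;
    off &= index_mask(off, s->npages);
    return s->userspace_addr + (off << PAGE_SHIFT);
}

int main(void)
{
    /* Constructed slot: 256 pages starting at gfn 0x100. */
    struct memslot_model s = { 0x100, 256, 0x7f0000000000ULL };
    uint64_t gfns[] = { 0x100, 0x1ff, 0x200, 0x50, 0xdeadbeef };
    for (size_t i = 0; i < sizeof(gfns) / sizeof(gfns[0]); i++)
        printf("gfn %#llx: unmasked %#llx, masked %#llx\n",
               (unsigned long long)gfns[i],
               (unsigned long long)gfn_to_hva_unmasked(&s, gfns[i]),
               (unsigned long long)gfn_to_hva_masked(&s, gfns[i]));
    return 0;
}
```

For in-range gfns both forms agree; for gfns below or past the slot, the masked form returns the slot's base address instead of an address outside it.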
arch powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers 2021-06-16 11:53:02 +02:00
block blk-mq: Swap two calls in blk_mq_exit_queue() 2021-05-22 10:57:40 +02:00
certs certs: Fix blacklist flag type confusion 2021-03-03 18:22:46 +01:00
crypto crypto: api - check for ERR pointers in crypto_destroy_tfm() 2021-05-22 10:57:16 +02:00
Documentation tweewide: Fix most Shebang lines 2021-06-03 08:36:11 +02:00
drivers drm: Lock pointer access in drm_master_release() 2021-06-16 11:53:02 +02:00
firmware Fix built-in early-load Intel microcode alignment 2020-01-23 08:20:30 +01:00
fs proc: Track /proc/$pid/attr/ opener mm_struct 2021-06-16 11:53:00 +02:00
include kvm: avoid speculation-based attacks from out-of-range memslot accesses 2021-06-16 11:53:02 +02:00
init pid: take a reference when initializing cad_pid 2021-06-10 12:43:51 +02:00
ipc ipc/util.c: sysvipc_find_ipc() incorrectly updates position index 2020-05-20 08:17:07 +02:00
kernel wq: handle VM suspension in stall detection 2021-06-16 11:53:01 +02:00
lib lib: stackdepot: turn depot_lock spinlock to raw_spinlock 2021-05-22 10:57:43 +02:00
mm mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY 2021-06-10 12:43:51 +02:00
net netlink: disable IRQs for netlink_lock_table() 2021-06-16 11:53:01 +02:00
samples samples/bpf: Fix broken tracex1 due to kprobe argument change 2021-05-22 10:57:37 +02:00
scripts scripts: switch explicitly to Python 3 2021-06-03 08:36:11 +02:00
security security: commoncap: fix -Wstringop-overread warning 2021-05-22 10:57:21 +02:00
sound ASoC: sti-sas: add missing MODULE_DEVICE_TABLE 2021-06-16 11:53:00 +02:00
tools selftests/bpf: make 'dubious pointer arithmetic' test useful 2021-06-10 12:43:53 +02:00
usr initramfs: restore default compression behavior 2020-04-13 10:34:19 +02:00
virt KVM: arm64: Fix exclusive limit for IPA size 2021-03-17 16:34:35 +01:00
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS MAINTAINERS: Update drm/i915 bug filing URL 2020-02-28 16:36:12 +01:00
Makefile Linux 4.14.236 2021-06-10 12:43:54 +02:00
README

Linux kernel
============

This file was moved to Documentation/admin-guide/README.rst

Please notice that there are several guides for kernel developers and users.
These guides can be rendered in a number of formats, like HTML and PDF.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.