Re: [PATCH] kvm: vmx: Scrub hardware GPRs at VM-exit

Jan Kiszka <jan.kiszka@xxxxxx> · Mon, 8 Jan 2018 10:57:32 +0100

On 2018-01-08 09:58, Jack Wang wrote:
> 2018-01-07 11:40 GMT+01:00 Jan Kiszka <jan.kiszka@xxxxxx>:
>> On 2018-01-03 23:31, Jim Mattson wrote:
>>> Guest GPR values are live in the hardware GPRs at VM-exit.  Do not
>>> leave any guest values in hardware GPRs after the guest GPR values are
>>> saved to the vcpu_vmx structure.
>>>
>>> This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
>>> Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
>>>
>>> Suggested-by: Eric Northup <digitaleric@xxxxxxxxxx>
>>> Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
>>> Reviewed-by: Eric Northup <digitaleric@xxxxxxxxxx>
>>> Reviewed-by: Benjamin Serebrin <serebrin@xxxxxxxxxx>
>>> Reviewed-by: Andrew Honig <ahonig@xxxxxxxxxx>
>>> ---
>>>  arch/x86/kvm/vmx.c | 14 +++++++++++++-
>>>  1 file changed, 13 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>> index 669f5f74857d..850baff9d107 100644
>>> --- a/arch/x86/kvm/vmx.c
>>> +++ b/arch/x86/kvm/vmx.c
>>> @@ -9649,6 +9649,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
>>>               /* Save guest registers, load host registers, keep flags */
>>>               "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
>>>               "pop %0 \n\t"
>>> +             "setbe %c[fail](%0)\n\t"
>>>               "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
>>>               "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
>>>               __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
>>> @@ -9665,12 +9666,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
>>>               "mov %%r13, %c[r13](%0) \n\t"
>>>               "mov %%r14, %c[r14](%0) \n\t"
>>>               "mov %%r15, %c[r15](%0) \n\t"
>>> +             "xor %%r8d,  %%r8d \n\t"
>>> +             "xor %%r9d,  %%r9d \n\t"
>>> +             "xor %%r10d, %%r10d \n\t"
>>> +             "xor %%r11d, %%r11d \n\t"
>>> +             "xor %%r12d, %%r12d \n\t"
>>> +             "xor %%r13d, %%r13d \n\t"
>>> +             "xor %%r14d, %%r14d \n\t"
>>> +             "xor %%r15d, %%r15d \n\t"
>>>  #endif
>>>               "mov %%cr2, %%" _ASM_AX "   \n\t"
>>>               "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
>>>
>>> +             "xor %%eax, %%eax \n\t"
>>> +             "xor %%ebx, %%ebx \n\t"
>>> +             "xor %%esi, %%esi \n\t"
>>> +             "xor %%edi, %%edi \n\t"
>>>               "pop  %%" _ASM_BP "; pop  %%" _ASM_DX " \n\t"
>>> -             "setbe %c[fail](%0) \n\t"
>>>               ".pushsection .rodata \n\t"
>>>               ".global vmx_return \n\t"
>>>               "vmx_return: " _ASM_PTR " 2b \n\t"
>>>
>>
>> Shouldn't this be done on AMD as well, or is the answer "microcode
>> update" there?
>>
>> Jan
> Paolo added it, already in linus tree Linux 4.15-rc7
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cb5b30698fdc8f6b4646012e3acb4ddce430788

Thanks, I didn't noticed this.

Jan