Since L1 and L2 share branch prediction modes (guest {kernel,user}), the
hardware will not protect indirect branches in L1 from steering by a
malicious agent in L2. However, IBRS guarantees this protection. (For
basic IBRS, a value of 1 must be written to IA32_SPEC_CTRL.IBRS after
the transition from L2 to L1.)
Fix the regression introduced in commit 5c911beff20a ("KVM: nVMX: Skip
IBPB when switching between vmcs01 and vmcs02") by issuing an IBPB when
emulating a VM-exit from L2 to L1.
This is CVE-2022-2196.
v2: Reworded some comments [Sean].
Jim Mattson (2):
KVM: VMX: Guest usage of IA32_SPEC_CTRL is likely
KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
arch/x86/kvm/vmx/nested.c | 11 +++++++++++
arch/x86/kvm/vmx/vmx.c | 10 ++++++----
2 files changed, 17 insertions(+), 4 deletions(-)
--
2.38.0.413.g74048e4d9e-goog
