On Wed, Oct 19, 2022, Jim Mattson wrote:
> Since L1 and L2 share branch prediction modes (guest {kernel,user}), the
> hardware will not protect indirect branches in L1 from steering by a
> malicious agent in L2. However, IBRS guarantees this protection. (For
> basic IBRS, a value of 1 must be written to IA32_SPEC_CTRL.IBRS after
> the transition from L2 to L1.)
>
> Fix the regression introduced in commit 5c911beff20a ("KVM: nVMX: Skip
> IBPB when switching between vmcs01 and vmcs02") by issuing an IBPB when
> emulating a VM-exit from L2 to L1.
>
> This is CVE-2022-2196.
>
> v2: Reworded some comments [Sean].
>
> Jim Mattson (2):
> KVM: VMX: Guest usage of IA32_SPEC_CTRL is likely
> KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
>
> arch/x86/kvm/vmx/nested.c | 11 +++++++++++
> arch/x86/kvm/vmx/vmx.c | 10 ++++++----
> 2 files changed, 17 insertions(+), 4 deletions(-)
>
> --
Merged to kvm/queue, thanks!
https://lore.kernel.org/all/Y4lHxds8pvBhxXFX@xxxxxxxxxx
