Patch "KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr()" has been added to the 4.14-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Sun Jun 17 12:13:49 CEST 2018
From: Mark Rutland <mark.rutland@arm.com>
Date: Wed, 25 Apr 2018 17:13:42 +0100
Subject: KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr()

From: Mark Rutland <mark.rutland@arm.com>

[ Upstream commit 5e1ca5e23b167987d5b6d8b08f2d5b7dd2d13f49 ]

It's possible for userspace to control n. Sanitize n when using it as an
array index.

Note that while it appears that n must be bound to the interval [0,3]
due to the way it is extracted from addr, we cannot guarantee that
compiler transformations (and/or future refactoring) will ensure this is
the case, and given this is a slow path it's better to always perform
the masking.

Found by smatch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Christoffer Dall <christoffer.dall@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Cc: kvmarm@lists.cs.columbia.edu
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 virt/kvm/arm/vgic/vgic-mmio-v2.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/virt/kvm/arm/vgic/vgic-mmio-v2.c
+++ b/virt/kvm/arm/vgic/vgic-mmio-v2.c
@@ -14,6 +14,8 @@
 #include <linux/irqchip/arm-gic.h>
 #include <linux/kvm.h>
 #include <linux/kvm_host.h>
+#include <linux/nospec.h>
+
 #include <kvm/iodev.h>
 #include <kvm/arm_vgic.h>
 
@@ -320,6 +322,9 @@ static unsigned long vgic_mmio_read_apr(
 
 		if (n > vgic_v3_max_apr_idx(vcpu))
 			return 0;
+
+		n = array_index_nospec(n, 4);
+
 		/* GICv3 only uses ICH_AP1Rn for memory mapped (GICv2) guests */
 		return vgicv3->vgic_ap1r[n];
 	}


Patches currently in stable-queue which might be from mark.rutland@arm.com are

queue-4.14/init-fix-false-positives-in-w-x-checking.patch
queue-4.14/mips-dts-boston-fix-pci-bus-dtc-warnings.patch
queue-4.14/kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch
queue-4.14/arm64-ptrace-remove-addr_limit-manipulation.patch
queue-4.14/arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch
queue-4.14/efi-libstub-arm64-handle-randomized-text_offset.patch