From: Jan Beulich
Date: Thu, 4 Jul 2019 14:07:01 +0000 (+0200)
Subject: x86/vPIC: avoid speculative out of bounds accesses
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=dcac6de1f5b34d52b5f37c73b85c3b627581d413;p=people%2Froyger%2Fxen.git
x86/vPIC: avoid speculative out of bounds accesses
Array indexes used in the I/O port read/write emulation functions are derived from guest controlled values. Where this is not already done, restrict their ranges to limit the side effects of speculative execution. This is part of the speculative hardening effort.
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
---
diff --git a/xen/arch/x86/hvm/vpic.c b/xen/arch/x86/hvm/vpic.c
index 3f3fb7a4ff..4897a0e05b 100644
--- a/xen/arch/x86/hvm/vpic.c
+++ b/xen/arch/x86/hvm/vpic.c
@@ -335,7 +335,7 @@ static int vpic_intercept_pic_io(
 return X86EMUL_OKAY;
 }
- vpic = ¤t->domain->arch.hvm.vpic[port >> 7];
+ vpic = ¤t->domain->arch.hvm.vpic[!!(port & 0x80)];
 if ( dir == IOREQ_WRITE ) vpic_ioport_write(vpic, port, (uint8_t)*val);
@@ -448,7 +448,7 @@ void vpic_init(struct domain *d)
 void vpic_irq_positive_edge(struct domain *d, int irq)
 {
- struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[irq >> 3];
+ struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[!!(irq & 8)];
 uint8_t mask = 1 << (irq & 7);
 ASSERT(has_vpic(d));
@@ -466,7 +466,7 @@ void vpic_irq_positive_edge(struct domain *d, int irq)
 void vpic_irq_negative_edge(struct domain *d, int irq)
 {
- struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[irq >> 3];
+ struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[!!(irq & 8)];
 uint8_t mask = 1 << (irq & 7);
 ASSERT(has_vpic(d));
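Review bot: The new index `!!(port & 0x80)` in vpic_intercept_pic_io has no comment explaining why it replaced the shift, so a later cleanup could turn it back into `port >> 7` and lose the speculation bound. I would add above the assignment `/* Bound the index to 0/1 without a branch: port is guest controlled and an earlier range check can be bypassed speculatively. */`. The range check is presumably the early return just before this line; it starts outside the hunk, so the wording should be confirmed against it. If `array_index_nospec()` was deliberately not used here, saying so in the same comment would keep the hardening consistent with other call sites.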
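Review bot: In vpic_irq_positive_edge, `!!(irq & 8)` makes an out-of-range `irq` (16 and above, or negative, since the parameter is a signed `int`) alias silently onto one of the two chips, where `irq >> 3` would have indexed outside the array. The same applies to vpic_irq_negative_edge in the following hunk. That is the intended bound under speculation, but architecturally it can hide a caller bug unless a range assertion follows; only `ASSERT(has_vpic(d));` is visible and both function bodies continue outside the hunks. If no such check exists, add `ASSERT(irq >= 0 && irq <= 15);` next to it. Either way, a one-line comment such as `/* Masking bounds the index under speculation only; callers must pass 0..15. */` would record the contract.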