From dcac6de1f5b34d52b5f37c73b85c3b627581d413 Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Thu, 4 Jul 2019 16:07:01 +0200
Subject: [PATCH] x86/vPIC: avoid speculative out of bounds accesses

Array indexes used in the I/O port read/write emulation functions are derived from guest controlled values. Where this is not already done, restrict their ranges to limit the side effects of speculative execution.

This is part of the speculative hardening effort.

Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
---
 xen/arch/x86/hvm/vpic.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/hvm/vpic.c b/xen/arch/x86/hvm/vpic.c
index 3f3fb7a4ff..4897a0e05b 100644
--- a/xen/arch/x86/hvm/vpic.c
+++ b/xen/arch/x86/hvm/vpic.c
@@ -335,7 +335,7 @@ static int vpic_intercept_pic_io(
 return X86EMUL_OKAY;
 }
- vpic = ¤t->domain->arch.hvm.vpic[port >> 7];
+ vpic = ¤t->domain->arch.hvm.vpic[!!(port & 0x80)];
 if ( dir == IOREQ_WRITE )
 vpic_ioport_write(vpic, port, (uint8_t)*val);
@@ -448,7 +448,7 @@ void vpic_init(struct domain *d)
 void vpic_irq_positive_edge(struct domain *d, int irq)
 {
- struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[irq >> 3];
+ struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[!!(irq & 8)];
 uint8_t mask = 1 << (irq & 7);
 ASSERT(has_vpic(d));
@@ -466,7 +466,7 @@ void vpic_irq_positive_edge(struct domain *d, int irq)
 void vpic_irq_negative_edge(struct domain *d, int irq)
 {
- struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[irq >> 3];
+ struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[!!(irq & 8)];
 uint8_t mask = 1 << (irq & 7);
 ASSERT(has_vpic(d));
-- 
2.39.5
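Review bot: The new index expression `!!(port & 0x80)` in vpic_intercept_pic_io has no comment explaining why it is a mask rather than the shorter `port >> 7`, so a later cleanup could restore the shift and silently drop the bound. A one-line comment above the assignment would record the intent, e.g. `/* Mask, don't shift: the index stays in {0,1} for any guest-supplied port, also under speculation. */`. The same applies to the `!!(irq & 8)` initialisers in vpic_irq_positive_edge and vpic_irq_negative_edge. All three function bodies extend beyond their hunks, so any existing comments elsewhere in them are not visible here.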
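Review bot: In vpic_irq_positive_edge, and identically in vpic_irq_negative_edge, an out-of-range `irq` now aliases onto one of the two valid PICs instead of indexing past the array, so a caller passing a bad value would act on the wrong controller rather than fault. The only check visible in either hunk is `ASSERT(has_vpic(d))`; if a range assertion on `irq` exists it lies outside the hunk, and ASSERT-style checks are typically compiled out of release builds. The expected range should be documented at the function head so the masking is not mistaken for validation, e.g. `/* irq must be in [0, 15]: bit 3 selects the PIC, bits 0-2 the pin. */`.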