author | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-08-09 03:48:48 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-08-09 03:48:48 -0500 |
commit | 95234a2661f2a81bb0892fb685ecc27b7ba855ee (patch) | |
tree | 118e678736cadc203162208f96f259ba378db3e9 | |
parent | c274f6a4eead224a1e0c846be19ad0e2c19c69c0 (diff) | |
Linux v4.17.13
-rw-r--r-- | kernel.spec | 8 | ||||
-rw-r--r-- | sources | 2 | ||||
-rw-r--r-- | xsa274-linux-4_17.patch | 127 |
3 files changed, 5 insertions, 132 deletions
diff --git a/kernel.spec b/kernel.spec index 1361ad2b3..981a6581b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 12 +%define stable_update 13 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -671,9 +671,6 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch # rhbz 1597333 # Patch526: xhci-Fix-perceived-dead-host-due-to-runtime-suspend-.patch -# CVE-2018-14678 rhbz 1608559 1608560 -Patch530: xsa274-linux-4_17.patch - # END OF PATCH DEFINITIONS %endif @@ -1923,6 +1920,9 @@ fi # # %changelog +* Wed Aug 08 2018 Justin M. Forbes <jforbes@redhat.com> - 4.17.13-200 +- Linux v4.17.13 + * Fri Aug 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.12-200 - Linux v4.17.12 - Fixes CVE-2018-14734 (rhbz 1611005 1611007) @@ -1,2 +1,2 @@ SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db -SHA512 (patch-4.17.12.xz) = 516270daaa65a0f40bf6202909fc1950a8c723b77d5a54089a72eb664c3708ece050c938230cdd3b1b3e281d73c1c5e909def5fe1e0c8ddecbf9fbd43713a3aa +SHA512 (patch-4.17.13.xz) = 8f77239c6c0393aa6e854f98d0ef0832e0a3e936251805ca1fcde2b5d24e0b086582f68e3f494a4a287b404573c26a867170958d53f3c1bf4c46c4c5697188b2 diff --git a/xsa274-linux-4_17.patch b/xsa274-linux-4_17.patch deleted file mode 100644 index 7a9bbf768..000000000 --- a/xsa274-linux-4_17.patch +++ /dev/null 
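Review bot: The new `%changelog` entry in kernel.spec records only `- Linux v4.17.13`, yet the same commit drops `Patch530: xsa274-linux-4_17.patch`, the carried fix annotated `# CVE-2018-14678 rhbz 1608559 1608560`. Nothing on the new side states where that fix now comes from. Presumably the 4.17.13 stable patch already contains it (the dropped patch is Cc'd to stable), but this page does not show that, so it should be confirmed against the stable changelog before the carried copy goes away. Once confirmed, I would record the disposition next to the version line, in the style of the 4.17.12 entry below it, for example `- Drop xsa274-linux-4_17.patch, now upstream (CVE-2018-14678 rhbz 1608559 1608560)`, so the CVE stays traceable from the package changelog.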
@@ -1,127 +0,0 @@ -From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001 -From: Andy Lutomirski <luto@kernel.org> -Date: Sun, 22 Jul 2018 11:05:09 -0700 -Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit - -error_entry and error_exit communicate the user vs kernel status of -the frame using %ebx. This is unnecessary -- the information is in -regs->cs. Just use regs->cs. - -This makes error_entry simpler and makes error_exit more robust. - -It also fixes a nasty bug. Before all the Spectre nonsense, The -xen_failsafe_callback entry point returned like this: - - ALLOC_PT_GPREGS_ON_STACK - SAVE_C_REGS - SAVE_EXTRA_REGS - ENCODE_FRAME_POINTER - jmp error_exit - -And it did not go through error_entry. This was bogus: RBX -contained garbage, and error_exit expected a flag in RBX. -Fortunately, it generally contained *nonzero* garbage, so the -correct code path was used. As part of the Spectre fixes, code was -added to clear RBX to mitigate certain speculation attacks. Now, -depending on kernel configuration, RBX got zeroed and, when running -some Wine workloads, the kernel crashes. This was introduced by: - - commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for - exceptions/interrupts, to reduce speculation attack surface") - -With this patch applied, RBX is no longer needed as a flag, and the -problem goes away. - -I suspect that malicious userspace could use this bug to crash the -kernel even without the offending patch applied, though. - -[Historical note: I wrote this patch as a cleanup before I was aware - of the bug it fixed.] - -[Note to stable maintainers: this should probably get applied to all - kernels. If you're nervous about that, a more conservative fix to - add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should - also fix the problem.] 
- -Cc: Brian Gerst <brgerst@gmail.com> -Cc: Borislav Petkov <bp@alien8.de> -Cc: Dominik Brodowski <linux@dominikbrodowski.net> -Cc: Ingo Molnar <mingo@redhat.com> -Cc: "H. Peter Anvin" <hpa@zytor.com> -Cc: Thomas Gleixner <tglx@linutronix.de> -Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> -Cc: Juergen Gross <jgross@suse.com> -Cc: xen-devel@lists.xenproject.org -Cc: x86@kernel.org -Cc: stable@vger.kernel.org -Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") -Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@runbox.com> -Signed-off-by: Andy Lutomirski <luto@kernel.org> ---- - arch/x86/entry/entry_64.S | 18 ++++-------------- - 1 file changed, 4 insertions(+), 14 deletions(-) - -diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S -index 73a522d53b53..8ae7ffda8f98 100644 ---- a/arch/x86/entry/entry_64.S -+++ b/arch/x86/entry/entry_64.S -@@ -981,7 +981,7 @@ ENTRY(\sym) - - call \do_sym - -- jmp error_exit /* %ebx: no swapgs flag */ -+ jmp error_exit - .endif - END(\sym) - .endm -@@ -1222,7 +1222,6 @@ END(paranoid_exit) - - /* - * Save all registers in pt_regs, and switch GS if needed. -- * Return: EBX=0: came from user mode; EBX=1: otherwise - */ - ENTRY(error_entry) - UNWIND_HINT_FUNC -@@ -1269,7 +1268,6 @@ ENTRY(error_entry) - * for these here too. - */ - .Lerror_kernelspace: -- incl %ebx - leaq native_irq_return_iret(%rip), %rcx - cmpq %rcx, RIP+8(%rsp) - je .Lerror_bad_iret -@@ -1303,28 +1301,20 @@ ENTRY(error_entry) - - /* - * Pretend that the exception came from user mode: set up pt_regs -- * as if we faulted immediately after IRET and clear EBX so that -- * error_exit knows that we will be returning to user mode. -+ * as if we faulted immediately after IRET. 
- */ - mov %rsp, %rdi - call fixup_bad_iret - mov %rax, %rsp -- decl %ebx - jmp .Lerror_entry_from_usermode_after_swapgs - END(error_entry) - -- --/* -- * On entry, EBX is a "return to kernel mode" flag: -- * 1: already in kernel mode, don't need SWAPGS -- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode -- */ - ENTRY(error_exit) - UNWIND_HINT_REGS - DISABLE_INTERRUPTS(CLBR_ANY) - TRACE_IRQS_OFF -- testl %ebx, %ebx -- jnz retint_kernel -+ testb $3, CS(%rsp) -+ jz retint_kernel - jmp retint_user - END(error_exit) - --- -2.18.0 - |