authorJustin M. Forbes <jforbes@fedoraproject.org>2018-08-09 03:48:48 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2018-08-09 03:48:48 -0500
commit95234a2661f2a81bb0892fb685ecc27b7ba855ee (patch)
tree118e678736cadc203162208f96f259ba378db3e9
parentc274f6a4eead224a1e0c846be19ad0e2c19c69c0 (diff)
Linux v4.17.13
-rw-r--r--kernel.spec8
-rw-r--r--sources2
-rw-r--r--xsa274-linux-4_17.patch127
3 files changed, 5 insertions, 132 deletions
diff --git a/kernel.spec b/kernel.spec
index 1361ad2b3..981a6581b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 12
+%define stable_update 13
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -671,9 +671,6 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
# rhbz 1597333
# Patch526: xhci-Fix-perceived-dead-host-due-to-runtime-suspend-.patch
-# CVE-2018-14678 rhbz 1608559 1608560
-Patch530: xsa274-linux-4_17.patch
-
# END OF PATCH DEFINITIONS
%endif
@@ -1923,6 +1920,9 @@ fi
#
#
%changelog
+* Wed Aug 08 2018 Justin M. Forbes <jforbes@redhat.com> - 4.17.13-200
+- Linux v4.17.13
+
* Fri Aug 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.12-200
- Linux v4.17.12
- Fixes CVE-2018-14734 (rhbz 1611005 1611007)
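Review bot: The new 4.17.13-200 changelog entry says only `- Linux v4.17.13`, yet this same commit drops `Patch530: xsa274-linux-4_17.patch` (CVE-2018-14678) from the patch list and deletes the patch file. Presumably the fix is now carried by the 4.17.13 stable update, but nothing on the page records that. Someone auditing the package for this CVE cannot tell from the changelog whether the fix is still present or was lost in the rebase. After confirming that the upstream change ("x86/entry/64: Remove %ebx handling from error_entry/exit") is in patch-4.17.13, I would add a line such as `- Drop xsa274-linux-4_17.patch, CVE-2018-14678 fix is in 4.17.13 (rhbz 1608559 1608560)`, matching the `Fixes CVE-...` style of the 4.17.12 entry.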
diff --git a/sources b/sources
index 1103e9631..5602f649d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
-SHA512 (patch-4.17.12.xz) = 516270daaa65a0f40bf6202909fc1950a8c723b77d5a54089a72eb664c3708ece050c938230cdd3b1b3e281d73c1c5e909def5fe1e0c8ddecbf9fbd43713a3aa
+SHA512 (patch-4.17.13.xz) = 8f77239c6c0393aa6e854f98d0ef0832e0a3e936251805ca1fcde2b5d24e0b086582f68e3f494a4a287b404573c26a867170958d53f3c1bf4c46c4c5697188b2
diff --git a/xsa274-linux-4_17.patch b/xsa274-linux-4_17.patch
deleted file mode 100644
index 7a9bbf768..000000000
--- a/xsa274-linux-4_17.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Sun, 22 Jul 2018 11:05:09 -0700
-Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit
-
-error_entry and error_exit communicate the user vs kernel status of
-the frame using %ebx. This is unnecessary -- the information is in
-regs->cs. Just use regs->cs.
-
-This makes error_entry simpler and makes error_exit more robust.
-
-It also fixes a nasty bug. Before all the Spectre nonsense, The
-xen_failsafe_callback entry point returned like this:
-
- ALLOC_PT_GPREGS_ON_STACK
- SAVE_C_REGS
- SAVE_EXTRA_REGS
- ENCODE_FRAME_POINTER
- jmp error_exit
-
-And it did not go through error_entry. This was bogus: RBX
-contained garbage, and error_exit expected a flag in RBX.
-Fortunately, it generally contained *nonzero* garbage, so the
-correct code path was used. As part of the Spectre fixes, code was
-added to clear RBX to mitigate certain speculation attacks. Now,
-depending on kernel configuration, RBX got zeroed and, when running
-some Wine workloads, the kernel crashes. This was introduced by:
-
- commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
- exceptions/interrupts, to reduce speculation attack surface")
-
-With this patch applied, RBX is no longer needed as a flag, and the
-problem goes away.
-
-I suspect that malicious userspace could use this bug to crash the
-kernel even without the offending patch applied, though.
-
-[Historical note: I wrote this patch as a cleanup before I was aware
- of the bug it fixed.]
-
-[Note to stable maintainers: this should probably get applied to all
- kernels. If you're nervous about that, a more conservative fix to
- add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
- also fix the problem.]
-
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dominik Brodowski <linux@dominikbrodowski.net>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Cc: Juergen Gross <jgross@suse.com>
-Cc: xen-devel@lists.xenproject.org
-Cc: x86@kernel.org
-Cc: stable@vger.kernel.org
-Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
-Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@runbox.com>
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
----
- arch/x86/entry/entry_64.S | 18 ++++--------------
- 1 file changed, 4 insertions(+), 14 deletions(-)
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index 73a522d53b53..8ae7ffda8f98 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -981,7 +981,7 @@ ENTRY(\sym)
-
- call \do_sym
-
-- jmp error_exit /* %ebx: no swapgs flag */
-+ jmp error_exit
- .endif
- END(\sym)
- .endm
-@@ -1222,7 +1222,6 @@ END(paranoid_exit)
-
- /*
- * Save all registers in pt_regs, and switch GS if needed.
-- * Return: EBX=0: came from user mode; EBX=1: otherwise
- */
- ENTRY(error_entry)
- UNWIND_HINT_FUNC
-@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
- * for these here too.
- */
- .Lerror_kernelspace:
-- incl %ebx
- leaq native_irq_return_iret(%rip), %rcx
- cmpq %rcx, RIP+8(%rsp)
- je .Lerror_bad_iret
-@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
-
- /*
- * Pretend that the exception came from user mode: set up pt_regs
-- * as if we faulted immediately after IRET and clear EBX so that
-- * error_exit knows that we will be returning to user mode.
-+ * as if we faulted immediately after IRET.
- */
- mov %rsp, %rdi
- call fixup_bad_iret
- mov %rax, %rsp
-- decl %ebx
- jmp .Lerror_entry_from_usermode_after_swapgs
- END(error_entry)
-
--
--/*
-- * On entry, EBX is a "return to kernel mode" flag:
-- * 1: already in kernel mode, don't need SWAPGS
-- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
-- */
- ENTRY(error_exit)
- UNWIND_HINT_REGS
- DISABLE_INTERRUPTS(CLBR_ANY)
- TRACE_IRQS_OFF
-- testl %ebx, %ebx
-- jnz retint_kernel
-+ testb $3, CS(%rsp)
-+ jz retint_kernel
- jmp retint_user
- END(error_exit)
-
---
-2.18.0
-