author | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-08-09 13:00:45 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2018-08-09 13:00:45 +0200 |
commit | 6f81a82b86e3cb05890f44be79b5f73c3b27e019 (patch) | |
tree | 7ba5f44cba6410bcaa48f80e56edc8ec37a06a7a | |
parent | 3660de93b9ae4909d546342786db31d3f8721f41 (diff) | |
parent | 95234a2661f2a81bb0892fb685ecc27b7ba855ee (diff) | |
Merge remote-tracking branch 'origin/f28' into f28-user-thl-vanilla-fedora
-rw-r--r-- | kernel.spec | 6 | ||||
-rw-r--r-- | xsa274-linux-4_17.patch | 127 |
2 files changed, 3 insertions, 130 deletions
diff --git a/kernel.spec b/kernel.spec
index b94222418..46034fd08 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -688,9 +688,6 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
 # rhbz 1597333
 # Patch526: xhci-Fix-perceived-dead-host-due-to-runtime-suspend-.patch
-# CVE-2018-14678 rhbz 1608559 1608560
-Patch530: xsa274-linux-4_17.patch
-
 # END OF PATCH DEFINITIONS
 %endif
@@ -1943,6 +1940,9 @@ fi
 #
 # %changelog
+* Wed Aug 08 2018 Justin M. Forbes <jforbes@redhat.com> - 4.17.13-200
+- Linux v4.17.13
+
 * Fri Aug 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.12-200
 - Linux v4.17.12
 - Fixes CVE-2018-14734 (rhbz 1611005 1611007)
diff --git a/xsa274-linux-4_17.patch b/xsa274-linux-4_17.patch
deleted file mode 100644
index 7a9bbf768..000000000
--- a/xsa274-linux-4_17.patch
+++ /dev/null
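Review bot: The new changelog entry for 4.17.13-200 records only `- Linux v4.17.13`, while the first hunk of the same file drops `Patch530: xsa274-linux-4_17.patch` together with its `# CVE-2018-14678 rhbz 1608559 1608560` marker without saying why. The preceding entry ties its rebase to the CVE it closes (`- Fixes CVE-2018-14734 (rhbz 1611005 1611007)`), and the same convention should apply here; otherwise a reader of the spec cannot tell from the history whether the fix now comes from the v4.17.13 base or was simply lost in the rebase. Presumably the upstream change is contained in v4.17.13; if so, add a line such as `- Fixes CVE-2018-14678 (rhbz 1608559 1608560), drops xsa274-linux-4_17.patch` under the 4.17.13-200 entry. The deleted patch file in the second section is a pure removal and needs no separate review.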
@@ -1,127 +0,0 @@
-From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Sun, 22 Jul 2018 11:05:09 -0700
-Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit
-
-error_entry and error_exit communicate the user vs kernel status of
-the frame using %ebx. This is unnecessary -- the information is in
-regs->cs. Just use regs->cs.
-
-This makes error_entry simpler and makes error_exit more robust.
-
-It also fixes a nasty bug. Before all the Spectre nonsense, The
-xen_failsafe_callback entry point returned like this:
-
- ALLOC_PT_GPREGS_ON_STACK
- SAVE_C_REGS
- SAVE_EXTRA_REGS
- ENCODE_FRAME_POINTER
- jmp error_exit
-
-And it did not go through error_entry. This was bogus: RBX
-contained garbage, and error_exit expected a flag in RBX.
-Fortunately, it generally contained *nonzero* garbage, so the
-correct code path was used. As part of the Spectre fixes, code was
-added to clear RBX to mitigate certain speculation attacks. Now,
-depending on kernel configuration, RBX got zeroed and, when running
-some Wine workloads, the kernel crashes. This was introduced by:
-
- commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
- exceptions/interrupts, to reduce speculation attack surface")
-
-With this patch applied, RBX is no longer needed as a flag, and the
-problem goes away.
-
-I suspect that malicious userspace could use this bug to crash the
-kernel even without the offending patch applied, though.
-
-[Historical note: I wrote this patch as a cleanup before I was aware
- of the bug it fixed.]
-
-[Note to stable maintainers: this should probably get applied to all
- kernels. If you're nervous about that, a more conservative fix to
- add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
- also fix the problem.]
-
-Cc: Brian Gerst <brgerst@gmail.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: Dominik Brodowski <linux@dominikbrodowski.net>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
-Cc: Juergen Gross <jgross@suse.com>
-Cc: xen-devel@lists.xenproject.org
-Cc: x86@kernel.org
-Cc: stable@vger.kernel.org
-Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
-Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@runbox.com>
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
----
- arch/x86/entry/entry_64.S | 18 ++++--------------
- 1 file changed, 4 insertions(+), 14 deletions(-)
-
-diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
-index 73a522d53b53..8ae7ffda8f98 100644
---- a/arch/x86/entry/entry_64.S
-+++ b/arch/x86/entry/entry_64.S
-@@ -981,7 +981,7 @@ ENTRY(\sym)
-
- call \do_sym
-
-- jmp error_exit /* %ebx: no swapgs flag */
-+ jmp error_exit
- .endif
- END(\sym)
- .endm
-@@ -1222,7 +1222,6 @@ END(paranoid_exit)
-
- /*
- * Save all registers in pt_regs, and switch GS if needed.
-- * Return: EBX=0: came from user mode; EBX=1: otherwise
- */
- ENTRY(error_entry)
- UNWIND_HINT_FUNC
-@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
- * for these here too.
- */
- .Lerror_kernelspace:
-- incl %ebx
- leaq native_irq_return_iret(%rip), %rcx
- cmpq %rcx, RIP+8(%rsp)
- je .Lerror_bad_iret
-@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
-
- /*
- * Pretend that the exception came from user mode: set up pt_regs
-- * as if we faulted immediately after IRET and clear EBX so that
-- * error_exit knows that we will be returning to user mode.
-+ * as if we faulted immediately after IRET.
- */
- mov %rsp, %rdi
- call fixup_bad_iret
- mov %rax, %rsp
-- decl %ebx
- jmp .Lerror_entry_from_usermode_after_swapgs
- END(error_entry)
-
--
--/*
-- * On entry, EBX is a "return to kernel mode" flag:
-- * 1: already in kernel mode, don't need SWAPGS
-- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
-- */
- ENTRY(error_exit)
- UNWIND_HINT_REGS
- DISABLE_INTERRUPTS(CLBR_ANY)
- TRACE_IRQS_OFF
-- testl %ebx, %ebx
-- jnz retint_kernel
-+ testb $3, CS(%rsp)
-+ jz retint_kernel
- jmp retint_user
- END(error_exit)
-
----
-2.18.0
-
|