authorJustin M. Forbes <jforbes@fedoraproject.org>2018-07-30 09:13:33 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2018-07-30 09:13:33 -0500
commit27910d55bed8c9576863acfefb6964062487d0a8 (patch)
treed5f68f499306e3ede838bcf387a6a59872a0e49c
parent0d298e70b508f90883846cfc82f2918d1a561c0f (diff)
Fix CVE-2018-14678 (rhbz 1608559 1608560)
-rw-r--r--kernel.spec4
-rw-r--r--xsa274-linux-4_17.patch127
2 files changed, 131 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 2649f382d..106174750 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -674,6 +674,9 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
# rhbz 1602971
Patch529: ext4-fix-false-negative-and-false-positives.patch
+# CVE-2018-14678 rhbz 1608559 1608560
+Patch530: xsa274-linux-4_17.patch
+
# END OF PATCH DEFINITIONS
%endif
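Review bot: The new `Patch530:` line only declares the patch; whether it is actually applied depends on the %prep section, which lies outside this hunk, so if this spec does not auto-apply every declared patch the apply step is still missing and the CVE fix would be a no-op. The comment above the declaration could also record the origin of the fix, since the added patch file's own header carries it: `# CVE-2018-14678 (XSA-274) rhbz 1608559 1608560 - x86/entry/64: Remove %ebx handling from error_entry/exit`. Recording the upstream subject makes it straightforward to drop Patch530 once a 4.17.y stable release that already contains the change is picked up. The same id is also useful for anyone auditing which kernel builds carry the fix.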
@@ -1926,6 +1929,7 @@ fi
* Mon Jul 30 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.11-200
- Linux v4.17.11
- Turn off kernel-headers for the split
+- Fix CVE-2018-14678 (rhbz 1608559 1608560)
* Wed Jul 25 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.10-200
- Linux v4.17.10
diff --git a/xsa274-linux-4_17.patch b/xsa274-linux-4_17.patch
new file mode 100644
index 000000000..7a9bbf768
--- /dev/null
+++ b/xsa274-linux-4_17.patch
@@ -0,0 +1,127 @@
+From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit
+
+error_entry and error_exit communicate the user vs kernel status of
+the frame using %ebx. This is unnecessary -- the information is in
+regs->cs. Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug. Before all the Spectre nonsense, The
+xen_failsafe_callback entry point returned like this:
+
+ ALLOC_PT_GPREGS_ON_STACK
+ SAVE_C_REGS
+ SAVE_EXTRA_REGS
+ ENCODE_FRAME_POINTER
+ jmp error_exit
+
+And it did not go through error_entry. This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used. As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks. Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes. This was introduced by:
+
+ commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
+ exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[Historical note: I wrote this patch as a cleanup before I was aware
+ of the bug it fixed.]
+
+[Note to stable maintainers: this should probably get applied to all
+ kernels. If you're nervous about that, a more conservative fix to
+ add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+ also fix the problem.]
+
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: x86@kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@runbox.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+---
+ arch/x86/entry/entry_64.S | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index 73a522d53b53..8ae7ffda8f98 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -981,7 +981,7 @@ ENTRY(\sym)
+
+ call \do_sym
+
+- jmp error_exit /* %ebx: no swapgs flag */
++ jmp error_exit
+ .endif
+ END(\sym)
+ .endm
+@@ -1222,7 +1222,6 @@ END(paranoid_exit)
+
+ /*
+ * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+ */
+ ENTRY(error_entry)
+ UNWIND_HINT_FUNC
+@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
+ * for these here too.
+ */
+ .Lerror_kernelspace:
+- incl %ebx
+ leaq native_irq_return_iret(%rip), %rcx
+ cmpq %rcx, RIP+8(%rsp)
+ je .Lerror_bad_iret
+@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
+
+ /*
+ * Pretend that the exception came from user mode: set up pt_regs
+- * as if we faulted immediately after IRET and clear EBX so that
+- * error_exit knows that we will be returning to user mode.
++ * as if we faulted immediately after IRET.
+ */
+ mov %rsp, %rdi
+ call fixup_bad_iret
+ mov %rax, %rsp
+- decl %ebx
+ jmp .Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- * 1: already in kernel mode, don't need SWAPGS
+- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+ UNWIND_HINT_REGS
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+- testl %ebx, %ebx
+- jnz retint_kernel
++ testb $3, CS(%rsp)
++ jz retint_kernel
+ jmp retint_user
+ END(error_exit)
+
+--
+2.18.0
+