author | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-07-30 09:13:33 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-07-30 09:13:33 -0500 |
commit | 27910d55bed8c9576863acfefb6964062487d0a8 (patch) | |
tree | d5f68f499306e3ede838bcf387a6a59872a0e49c | |
parent | 0d298e70b508f90883846cfc82f2918d1a561c0f (diff) | |
download | kernel-27910d55bed8c9576863acfefb6964062487d0a8.tar.gz kernel-27910d55bed8c9576863acfefb6964062487d0a8.tar.xz kernel-27910d55bed8c9576863acfefb6964062487d0a8.zip |
Fix CVE-2018-14678 (rhbz 1608559 1608560)
-rw-r--r-- | kernel.spec | 4 | ||||
-rw-r--r-- | xsa274-linux-4_17.patch | 127 |
2 files changed, 131 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 2649f382d..106174750 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -674,6 +674,9 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
 # rhbz 1602971
 Patch529: ext4-fix-false-negative-and-false-positives.patch
+# CVE-2018-14678 rhbz 1608559 1608560
+Patch530: xsa274-linux-4_17.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1926,6 +1929,7 @@ fi
 * Mon Jul 30 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.11-200
 - Linux v4.17.11
 - Turn off kernel-headers for the split
+- Fix CVE-2018-14678 (rhbz 1608559 1608560)
 * Wed Jul 25 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.10-200
 - Linux v4.17.10
diff --git a/xsa274-linux-4_17.patch b/xsa274-linux-4_17.patch
new file mode 100644
index 000000000..7a9bbf768
--- /dev/null
+++ b/xsa274-linux-4_17.patch
@@ -0,0 +1,127 @@
+From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit
+
+error_entry and error_exit communicate the user vs kernel status of
+the frame using %ebx. This is unnecessary -- the information is in
+regs->cs. Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug. Before all the Spectre nonsense, The
+xen_failsafe_callback entry point returned like this:
+
+ ALLOC_PT_GPREGS_ON_STACK
+ SAVE_C_REGS
+ SAVE_EXTRA_REGS
+ ENCODE_FRAME_POINTER
+ jmp error_exit
+
+And it did not go through error_entry. This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used. As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks. Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes. This was introduced by:
+
+ commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
+ exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[Historical note: I wrote this patch as a cleanup before I was aware
+ of the bug it fixed.]
+
+[Note to stable maintainers: this should probably get applied to all
+ kernels. If you're nervous about that, a more conservative fix to
+ add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+ also fix the problem.]
+
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: x86@kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@runbox.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+---
+ arch/x86/entry/entry_64.S | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index 73a522d53b53..8ae7ffda8f98 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -981,7 +981,7 @@ ENTRY(\sym)
+ 
+ call \do_sym
+ 
+- jmp error_exit /* %ebx: no swapgs flag */
++ jmp error_exit
+ .endif
+ END(\sym)
+ .endm
+@@ -1222,7 +1222,6 @@ END(paranoid_exit)
+ 
+ /*
+ * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+ */
+ ENTRY(error_entry)
+ UNWIND_HINT_FUNC
+@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
+ * for these here too.
+ */
+ .Lerror_kernelspace:
+- incl %ebx
+ leaq native_irq_return_iret(%rip), %rcx
+ cmpq %rcx, RIP+8(%rsp)
+ je .Lerror_bad_iret
+@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
+ 
+ /*
+ * Pretend that the exception came from user mode: set up pt_regs
+- * as if we faulted immediately after IRET and clear EBX so that
+- * error_exit knows that we will be returning to user mode.
++ * as if we faulted immediately after IRET.
+ */
+ mov %rsp, %rdi
+ call fixup_bad_iret
+ mov %rax, %rsp
+- decl %ebx
+ jmp .Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+ 
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- * 1: already in kernel mode, don't need SWAPGS
+- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+ UNWIND_HINT_REGS
+ DISABLE_INTERRUPTS(CLBR_ANY)
+ TRACE_IRQS_OFF
+- testl %ebx, %ebx
+- jnz retint_kernel
++ testb $3, CS(%rsp)
++ jz retint_kernel
+ jmp retint_user
+ END(error_exit)
+ 
+-- 
+2.18.0
+ |
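Review bot: The new test in error_exit, `testb $3, CS(%rsp)` followed by `jz retint_kernel`, is left without any comment once the hunk deletes the block comment that explained the old EBX flag, so a reader now has to know on their own that the low two bits of the saved CS (the selector RPL) are what separate a kernel-mode frame from a user-mode one and that only the user path needs the SWAPGS and return-to-usermode preparation. A one-line comment on the new test would carry that over, for example `/* CS(%rsp) & 3 == 0: frame is kernel mode, no SWAPGS needed */`. The `.Lerror_kernelspace:` hunk has the same gap: `incl %ebx` is dropped and the "Return: EBX=0 ... EBX=1" line is removed from the error_entry header, but nothing states the new contract that callers must read regs->cs rather than expect a flag register, which is exactly what xen_failsafe_callback got wrong per the description; a sentence to that effect in the error_entry header comment would prevent a repeat. Since this is a vendored upstream patch, the wording belongs upstream or in the spec's comment for Patch530 rather than in a local edit of the file.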