From c1394147772e5e57a53889b9a1e3a03c05fdbab7 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Mon, 16 May 2016 10:23:44 -0400
Subject: Linux v4.6

---
 kernel.spec | 11 +++++++----
 sources | 6 ++----
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/kernel.spec b/kernel.spec
index 3310bb8ee..934753126 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -6,7 +6,7 @@ Summary: The Linux kernel
 # For a stable, released kernel, released_kernel should be 1. For rawhide
 # and/or a kernel built from an rc or git snapshot, released_kernel should
 # be 0.
-%global released_kernel 0
+%global released_kernel 1
 
 # Sign modules on x86. Make sure the config files match this setting if more
 # architectures are added.
@@ -48,7 +48,7 @@ Summary: The Linux kernel
 # base_sublevel is the kernel version we're starting with and patching
 # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base,
 # which yields a base_sublevel of 0.
-%define base_sublevel 5
+%define base_sublevel 6
 
 ## If this is a released kernel ##
 %if 0%{?released_kernel}
@@ -67,9 +67,9 @@ Summary: The Linux kernel
 # The next upstream release sublevel (base_sublevel+1)
 %define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
 # The rc snapshot level
-%define rcrev 7
+%define rcrev 0
 # The git snapshot level
-%define gitrev 3
+%define gitrev 0
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -2144,6 +2144,9 @@ fi
 #
 #
 %changelog
+* Mon May 16 2016 Josh Boyer - 4.6.0-1
+- Linux v4.6
+
 * Fri May 13 2016 Josh Boyer - 4.6.0-0.rc7.git3.1
 - Linux v4.6-rc7-116-ga2ccb68b1e6a
 
diff --git a/sources b/sources
index 029c11672..34226deb0 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,2 @@
-a60d48eee08ec0536d5efb17ca819aef linux-4.5.tar.xz
-6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz
-2089df8a0f142e2a1cdcaca0f133e47d patch-4.6-rc7.xz
-bf56da06679952234c9a2f31d2d259c8 patch-4.6-rc7-git3.xz
+d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz
+fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz
-- cgit
From 6c1de60a560a0f0b51e027541afd5ef12e6d392d Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Mon, 16 May 2016 10:26:31 -0400
Subject: CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410)

---
 KVM-MTRR-remove-MSR-0x2f8.patch | 49 +++++++++++++++++++++++++++++++++++++++++
 kernel.spec | 4 ++++
 2 files changed, 53 insertions(+)
 create mode 100644 KVM-MTRR-remove-MSR-0x2f8.patch

diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch
new file mode 100644
index 000000000..8066b2e8f
--- /dev/null
+++ b/KVM-MTRR-remove-MSR-0x2f8.patch
@@ -0,0 +1,49 @@
+From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?=
+Date: Mon, 16 May 2016 09:45:35 -0400
+Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
+was introduced by 9ba075a664df ("KVM: MTRR support").
+
+0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
+size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
+which made access to index 124 out of bounds. The surrounding code only
+WARNs in this situation, thus the guest gained a limited read/write
+access to struct kvm_arch_vcpu.
+
+0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
+MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
+was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
+not implemented in KVM, therefore 0x2f8 could never do anything useful
+and getting rid of it is safe.
+
+This fixes CVE-2016-TBD.
+
+Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
+Cc: stable@vger.kernel.org
+Reported-by: David Matlack
+Signed-off-by: Radim Krčmář
+---
+ arch/x86/kvm/mtrr.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
+index 3f8c732117ec..c146f3c262c3 100644
+--- a/arch/x86/kvm/mtrr.c
++++ b/arch/x86/kvm/mtrr.c
+@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
+ case MSR_MTRRdefType:
+ case MSR_IA32_CR_PAT:
+ return true;
+- case 0x2f8:
+- return true;
+ }
+ return false;
+ }
+--
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index 934753126..00e375fb9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -619,6 +619,9 @@ Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
 Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
 Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
 
+#CVE-2016-3713 rhbz 1332139 1336410
+Patch717: KVM-MTRR-remove-MSR-0x2f8.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2146,6 +2149,7 @@ fi
 %changelog
 * Mon May 16 2016 Josh Boyer - 4.6.0-1
 - Linux v4.6
+- CVE-2016-3713 kvm: out-of-bounds access in set_var_mtrr_msr (rhbz 1332139 1336410)
 
 * Fri May 13 2016 Josh Boyer - 4.6.0-0.rc7.git3.1
 - Linux v4.6-rc7-116-ga2ccb68b1e6a
-- cgit
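Review bot: Nothing in this hunk shows Patch717 being applied, only defined, and the application site lies outside the hunk; if this spec still applies patches one by one after `# END OF PATCH DEFINITIONS` rather than iterating `%{patches}`, the definition alone leaves the CVE-2016-3713 fix out of the built kernel with no build error, so the applied-patch path is worth confirming before 4.6.0-1 ships with the changelog entry in the second hunk. The vendored patch body still reads `This fixes CVE-2016-TBD.`, so the `#CVE-2016-3713 rhbz 1332139 1336410` comment added here is the only line tying the assigned id to the file; keep that comment and leave the vendored patch text untouched. Placing the definition directly before the `# END OF PATCH DEFINITIONS` marker matches the surrounding Patch714-716 entries.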