Linux v4.17.13
parent
c274f6a4ee
commit
95234a2661
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 12
|
||||
%define stable_update 13
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -671,9 +671,6 @@ Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
|
|||
# rhbz 1597333
|
||||
# Patch526: xhci-Fix-perceived-dead-host-due-to-runtime-suspend-.patch
|
||||
|
||||
# CVE-2018-14678 rhbz 1608559 1608560
|
||||
Patch530: xsa274-linux-4_17.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1923,6 +1920,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Aug 08 2018 Justin M. Forbes <jforbes@redhat.com> - 4.17.13-200
|
||||
- Linux v4.17.13
|
||||
|
||||
* Fri Aug 03 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.12-200
|
||||
- Linux v4.17.12
|
||||
- Fixes CVE-2018-14734 (rhbz 1611005 1611007)
|
||||
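Review bot: The new `%changelog` entry for 4.17.13-200 records only `- Linux v4.17.13`, although the `@ -671,9 +671,6 @` hunk of this file removes `Patch530: xsa274-linux-4_17.patch` together with its `# CVE-2018-14678 rhbz 1608559 1608560` comment. The previous entry records CVE status (`- Fixes CVE-2018-14734 (rhbz 1611005 1611007)`), so someone auditing the package for CVE-2018-14678 cannot tell from the changelog whether that fix is still shipped. Presumably the patch is dropped because the stable update now carries it, but nothing on this page shows that. Confirm that patch-4.17.13 contains the error_entry/error_exit change, then add a line such as `- Drop xsa274-linux-4_17.patch (CVE-2018-14678 rhbz 1608559 1608560), included in the stable update`.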
|
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
|
||||
SHA512 (patch-4.17.12.xz) = 516270daaa65a0f40bf6202909fc1950a8c723b77d5a54089a72eb664c3708ece050c938230cdd3b1b3e281d73c1c5e909def5fe1e0c8ddecbf9fbd43713a3aa
|
||||
SHA512 (patch-4.17.13.xz) = 8f77239c6c0393aa6e854f98d0ef0832e0a3e936251805ca1fcde2b5d24e0b086582f68e3f494a4a287b404573c26a867170958d53f3c1bf4c46c4c5697188b2
|
||||
|
|
|
@ -1,127 +0,0 @@
|
|||
From 8df635007e0737887522eebee886155602b8809b Mon Sep 17 00:00:00 2001
|
||||
From: Andy Lutomirski <luto@kernel.org>
|
||||
Date: Sun, 22 Jul 2018 11:05:09 -0700
|
||||
Subject: [PATCH] x86/entry/64: Remove %ebx handling from error_entry/exit
|
||||
|
||||
error_entry and error_exit communicate the user vs kernel status of
|
||||
the frame using %ebx. This is unnecessary -- the information is in
|
||||
regs->cs. Just use regs->cs.
|
||||
|
||||
This makes error_entry simpler and makes error_exit more robust.
|
||||
|
||||
It also fixes a nasty bug. Before all the Spectre nonsense, The
|
||||
xen_failsafe_callback entry point returned like this:
|
||||
|
||||
ALLOC_PT_GPREGS_ON_STACK
|
||||
SAVE_C_REGS
|
||||
SAVE_EXTRA_REGS
|
||||
ENCODE_FRAME_POINTER
|
||||
jmp error_exit
|
||||
|
||||
And it did not go through error_entry. This was bogus: RBX
|
||||
contained garbage, and error_exit expected a flag in RBX.
|
||||
Fortunately, it generally contained *nonzero* garbage, so the
|
||||
correct code path was used. As part of the Spectre fixes, code was
|
||||
added to clear RBX to mitigate certain speculation attacks. Now,
|
||||
depending on kernel configuration, RBX got zeroed and, when running
|
||||
some Wine workloads, the kernel crashes. This was introduced by:
|
||||
|
||||
commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for
|
||||
exceptions/interrupts, to reduce speculation attack surface")
|
||||
|
||||
With this patch applied, RBX is no longer needed as a flag, and the
|
||||
problem goes away.
|
||||
|
||||
I suspect that malicious userspace could use this bug to crash the
|
||||
kernel even without the offending patch applied, though.
|
||||
|
||||
[Historical note: I wrote this patch as a cleanup before I was aware
|
||||
of the bug it fixed.]
|
||||
|
||||
[Note to stable maintainers: this should probably get applied to all
|
||||
kernels. If you're nervous about that, a more conservative fix to
|
||||
add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
|
||||
also fix the problem.]
|
||||
|
||||
Cc: Brian Gerst <brgerst@gmail.com>
|
||||
Cc: Borislav Petkov <bp@alien8.de>
|
||||
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
|
||||
Cc: Ingo Molnar <mingo@redhat.com>
|
||||
Cc: "H. Peter Anvin" <hpa@zytor.com>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
|
||||
Cc: Juergen Gross <jgross@suse.com>
|
||||
Cc: xen-devel@lists.xenproject.org
|
||||
Cc: x86@kernel.org
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
|
||||
Reported-and-tested-by: "M. Vefa Bicakci" <m.v.b@runbox.com>
|
||||
Signed-off-by: Andy Lutomirski <luto@kernel.org>
|
||||
---
|
||||
arch/x86/entry/entry_64.S | 18 ++++--------------
|
||||
1 file changed, 4 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
|
||||
index 73a522d53b53..8ae7ffda8f98 100644
|
||||
--- a/arch/x86/entry/entry_64.S
|
||||
+++ b/arch/x86/entry/entry_64.S
|
||||
@@ -981,7 +981,7 @@ ENTRY(\sym)
|
||||
|
||||
call \do_sym
|
||||
|
||||
- jmp error_exit /* %ebx: no swapgs flag */
|
||||
+ jmp error_exit
|
||||
.endif
|
||||
END(\sym)
|
||||
.endm
|
||||
@@ -1222,7 +1222,6 @@ END(paranoid_exit)
|
||||
|
||||
/*
|
||||
* Save all registers in pt_regs, and switch GS if needed.
|
||||
- * Return: EBX=0: came from user mode; EBX=1: otherwise
|
||||
*/
|
||||
ENTRY(error_entry)
|
||||
UNWIND_HINT_FUNC
|
||||
@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
|
||||
* for these here too.
|
||||
*/
|
||||
.Lerror_kernelspace:
|
||||
- incl %ebx
|
||||
leaq native_irq_return_iret(%rip), %rcx
|
||||
cmpq %rcx, RIP+8(%rsp)
|
||||
je .Lerror_bad_iret
|
||||
@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
|
||||
|
||||
/*
|
||||
* Pretend that the exception came from user mode: set up pt_regs
|
||||
- * as if we faulted immediately after IRET and clear EBX so that
|
||||
- * error_exit knows that we will be returning to user mode.
|
||||
+ * as if we faulted immediately after IRET.
|
||||
*/
|
||||
mov %rsp, %rdi
|
||||
call fixup_bad_iret
|
||||
mov %rax, %rsp
|
||||
- decl %ebx
|
||||
jmp .Lerror_entry_from_usermode_after_swapgs
|
||||
END(error_entry)
|
||||
|
||||
-
|
||||
-/*
|
||||
- * On entry, EBX is a "return to kernel mode" flag:
|
||||
- * 1: already in kernel mode, don't need SWAPGS
|
||||
- * 0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
|
||||
- */
|
||||
ENTRY(error_exit)
|
||||
UNWIND_HINT_REGS
|
||||
DISABLE_INTERRUPTS(CLBR_ANY)
|
||||
TRACE_IRQS_OFF
|
||||
- testl %ebx, %ebx
|
||||
- jnz retint_kernel
|
||||
+ testb $3, CS(%rsp)
|
||||
+ jz retint_kernel
|
||||
jmp retint_user
|
||||
END(error_exit)
|
||||
|
||||
--
|
||||
2.18.0
|
||||
|