Fix CVE-2018-3639 (rhbz 1566890 1580713)

KVM-vmx-update-sec-exec-controls-for-UMIP-iff-emulating-UMIP.patch

@@ -1,84 +0,0 @@
-From f96625ad37248a2fb2616f39ee8dff3ebcab3247 Mon Sep 17 00:00:00 2001
-From: Sean Christopherson <sean.j.christopherson@intel.com>
-Date: Mon, 30 Apr 2018 10:01:06 -0700
-Subject: [PATCH] KVM: vmx: update sec exec controls for UMIP iff emulating
- UMIP
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Update SECONDARY_EXEC_DESC for UMIP emulation if and only UMIP
-is actually being emulated.  Skipping the VMCS update eliminates
-unnecessary VMREAD/VMWRITE when UMIP is supported in hardware,
-and on platforms that don't have SECONDARY_VM_EXEC_CONTROL.  The
-latter case resolves a bug where KVM would fill the kernel log
-with warnings due to failed VMWRITEs on older platforms.
-
-Fixes: 0367f205a3b7 ("KVM: vmx: add support for emulating UMIP")
-Cc: stable@vger.kernel.org #4.16
-Reported-by: Paolo Zeppegno <pzeppegno@gmail.com>
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Suggested-by: Radim Krčmář <rkrcmar@redhat.com>
-Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
-Signed-off-by: Jeremy Cline <jeremy@jcline.org>
----
- arch/x86/kvm/vmx.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 657c93409042..4861811438ff 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -1314,6 +1314,12 @@ static inline bool cpu_has_vmx_vmfunc(void)
- 		SECONDARY_EXEC_ENABLE_VMFUNC;
- }
- 
-+static bool vmx_umip_emulated(void)
-+{
-+	return vmcs_config.cpu_based_2nd_exec_ctrl &
-+		SECONDARY_EXEC_DESC;
-+}
-+
- static inline bool report_flexpriority(void)
- {
- 	return flexpriority_enabled;
-@@ -4494,14 +4500,16 @@ static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
- 		(to_vmx(vcpu)->rmode.vm86_active ?
- 		 KVM_RMODE_VM_CR4_ALWAYS_ON : KVM_PMODE_VM_CR4_ALWAYS_ON);
- 
--	if ((cr4 & X86_CR4_UMIP) && !boot_cpu_has(X86_FEATURE_UMIP)) {
--		vmcs_set_bits(SECONDARY_VM_EXEC_CONTROL,
--			      SECONDARY_EXEC_DESC);
--		hw_cr4 &= ~X86_CR4_UMIP;
--	} else if (!is_guest_mode(vcpu) ||
--	           !nested_cpu_has2(get_vmcs12(vcpu), SECONDARY_EXEC_DESC))
--		vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL,
-+	if (!boot_cpu_has(X86_FEATURE_UMIP) && vmx_umip_emulated()) {
-+		if (cr4 & X86_CR4_UMIP) {
-+			vmcs_set_bits(SECONDARY_VM_EXEC_CONTROL,
- 				SECONDARY_EXEC_DESC);
-+			hw_cr4 &= ~X86_CR4_UMIP;
-+		} else if (!is_guest_mode(vcpu) ||
-+			!nested_cpu_has2(get_vmcs12(vcpu), SECONDARY_EXEC_DESC))
-+			vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL,
-+					SECONDARY_EXEC_DESC);
-+	}
- 
- 	if (cr4 & X86_CR4_VMXE) {
- 		/*
-@@ -9243,12 +9251,6 @@ static bool vmx_xsaves_supported(void)
- 		SECONDARY_EXEC_XSAVES;
- }
- 
--static bool vmx_umip_emulated(void)
--{
--	return vmcs_config.cpu_based_2nd_exec_ctrl &
--		SECONDARY_EXEC_DESC;
--}
--
- static void vmx_recover_nmi_blocking(struct vcpu_vmx *vmx)
- {
- 	u32 exit_intr_info;
--- 
-2.17.0
-

kernel.spec

@@ -42,7 +42,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 100
+%global baserelease 101
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -657,8 +657,8 @@ Patch510: 0001-xfs-enhance-dinode-verifier.patch
 # CVE-2018-10323 rhbz 1571627 1571630
 Patch511: 0001-xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
 
-# rhbz 1566258
-Patch512: KVM-vmx-update-sec-exec-controls-for-UMIP-iff-emulating-UMIP.patch
+# CVE-2018-3639 rhbz 1566890 1580713
+Patch512: queue-4.16.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -1933,6 +1933,9 @@ fi
 #
 #
 %changelog
+* Mon May 21 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.16.10-101
+- Fix CVE-2018-3639 (rhbz 1566890 1580713)
+
 * Mon May 21 2018 Jeremy Cline <jcline@redhat.com> - 4.16.10-100
 - Linux v4.16.10