diff --git a/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
new file mode 100644
index 0000000..389f6f5
--- /dev/null
+++ b/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
@@ -0,0 +1,52 @@
+From f5a29669048a0a889348839c8707f7f10b0bec48 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Wed, 9 May 2018 09:06:29 +0100
+Subject: [PATCH] i386: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Daniel P. Berrangé
+Bugzilla: 1574075
+RH-Acked-by: Eduardo Habkost
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Miroslav Rezanina
+
+New microcode introduces the "Speculative Store Bypass Disable"
+CPUID feature bit. This needs to be exposed to guest OS to allow
+them to protect against CVE-2018-3639.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 08b43f5..539c202 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -173,7 +173,7 @@ static const char *cpuid_7_0_edx_feature_name[] = {
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, "spec-ctrl", "stibp",
+- NULL, "arch-facilities", NULL, NULL,
++ NULL, "arch-facilities", NULL, "ssbd",
+ };
+
+ static const char *cpuid_80000008_ebx_feature_name[] = {
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index a8a640a..da84443 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -590,6 +590,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
+ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Indirect Branch - Restrict Speculation */
++#define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
+
+ #define CPUID_8000_0008_EBX_IBPB (1U << 12) /* Indirect Branch Prediction Barrier */
+
+--
+1.8.3.1
+
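Review bot: Nothing in the inner cpu.c/cpu.h hunks turns the new bit on for a guest: `"ssbd"` is only added as a name in the last slot of `cpuid_7_0_edx_feature_name[]`, `CPUID_7_0_EDX_SPEC_CTRL_SSBD` is defined but not referenced in the visible lines, and no CPU model definition is touched. Installing this build by itself therefore presumably leaves guests unprotected until the flag is requested in the guest CPU configuration and the host microcode and kernel report the bit, which the patch description should state, since the CVE tag in the subject reads like a complete fix. The name table is positional and its initializer starts outside the hunk, so a trailing comment on the changed row, e.g. `/* bits 28-31; "ssbd" must stay at index 31 to match (1U << 31) */`, would keep the table and the macro from silently drifting apart. The AMD table `cpuid_80000008_ebx_feature_name[]` appears only as context and is unchanged, so AMD hosts look uncovered by this patch and may need the separate `virt-ssbd` bit.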
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 9513bd7..5ef35b6 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 156%{?dist}.1
+Release: 156%{?dist}.2
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
@@ -3869,6 +3869,8 @@ Patch1905: kvm-io-skip-updates-to-client-if-websocket-output-buffer.patch
 Patch1906: kvm-vga-add-ram_addr_t-cast.patch
 # For bz#1567913 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
 Patch1907: kvm-vga-fix-region-calculation.patch
+# For bz#1574075 - EMBARGOED CVE-2018-3639 qemu-kvm: Kernel: omega-4 [rhel-7.5.z]
+Patch1908: kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
 BuildRequires: zlib-devel
@@ -5954,6 +5956,7 @@ tar -xf %{SOURCE21}
 %patch1905 -p1
 %patch1906 -p1
 %patch1907 -p1
+%patch1908 -p1
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -6399,6 +6402,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 %changelog
+* Fri May 11 2018 Miroslav Rezanina - 1.5.3-156.el7_5.2
+- kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch [bz#1574075]
+- Resolves: bz#1574075
+ (EMBARGOED CVE-2018-3639 qemu-kvm: Kernel: omega-4 [rhel-7.5.z])
+
 * Mon Apr 16 2018 Miroslav Rezanina - 1.5.3-156.el7_5.1
 - kvm-vga-add-ram_addr_t-cast.patch [bz#1567913]
 - kvm-vga-fix-region-calculation.patch [bz#1567913]