Add patch for RH1566890

2019-04-17 05:34:59 +01:00 · 2019-04-17 05:34:59 +01:00 · 19a00b350c
commit 19a00b350c
parent f3e7cf77df
2 changed files with 75 additions and 8 deletions
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@ -946,7 +946,7 @@ Provides: java-src%{?1} = %{epoch}:%{version}-%{release}

 Name:    java-%{javaver}-%{origin}
 Version: %{newjavaver}.%{buildver}
-Release: 8%{?dist}
+Release: 9%{?dist}
 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
 # and this change was brought into RHEL-4. java-1.5.0-ibm packages
 # also included the epoch in their virtual provides. This created a
@ -1019,13 +1019,6 @@ Patch2:    rh1648644-java_access_bridge_privileged_security.patch
 # Not currently suitable to go upstream as it disables curves
 # for all providers unconditionally
 Patch525: rh1022017-reduce_ssl_curves.patch
-Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
-Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
-# System NSS via SunEC Provider
-Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
-# PR3695: Allow use of system crypto policy to be disabled by the user
-Patch6: pr3695-toggle_system_crypto_policy.patch

 #############################################
 #
@ -1045,6 +1038,15 @@ Patch6: pr3695-toggle_system_crypto_policy.patch
 Patch8:    jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
 # 8210425, RHBZ#1632174: [x86] sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
 Patch9:    jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
+Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
+Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+# System NSS via SunEC Provider
+Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+# RH1566890: CVE-2018-3639
+Patch6:    rh1566890-CVE_2018_3639-speculative_store_bypass.patch
+# PR3695: Allow use of system crypto policy to be disabled by the user
+Patch7: pr3695-toggle_system_crypto_policy.patch

 #############################################
 #
@ -1314,6 +1316,7 @@ pushd %{top_level_dir_name}
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
@ -1872,6 +1875,9 @@ require "copy_jdk_configs.lua"


 %changelog
+* Thu Mar 21 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.2.7-9
+- Add patch for RH1566890
+
 * Wed Mar 20 2019 Peter Robinson <pbrobinson@fedoraproject.org> 1:11.0.2.7-8
 - Drop chkconfig dep, 1.7 shipped in f24

--- a/rh1566890-CVE_2018_3639-speculative_store_bypass.patch
+++ b/rh1566890-CVE_2018_3639-speculative_store_bypass.patch
@ -0,0 +1,61 @@
+diff --git openjdk/src/hotspot/os/linux/os_linux.cpp openjdk/src/hotspot/os/linux/os_linux.cpp
+--- openjdk/src/hotspot/os/linux/os_linux.cpp
+++ openjdk/src/hotspot/os/linux/os_linux.cpp
+@@ -107,6 +107,8 @@
+ # include <inttypes.h>
+ # include <sys/ioctl.h>
+ 
+#include <sys/prctl.h>
+
+ #ifndef _GNU_SOURCE
+   #define _GNU_SOURCE
+   #include <sched.h>
+@@ -4984,6 +4986,48 @@
+ extern void report_error(char* file_name, int line_no, char* title,
+                          char* format, ...);
+ 
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL    52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL    53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS          0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED          0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL                 (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE                (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE               (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE         (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC        (1UL << 4)
+#endif
+
+static void set_speculation() __attribute__((constructor));
+static void set_speculation() {
+  if ( prctl(PR_SET_SPECULATION_CTRL,
+             PR_SPEC_STORE_BYPASS,
+             PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+    return;
+  }
+  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+}
+
+ // this is called _before_ most of the global arguments have been parsed
+ void os::init(void) {
+   char dummy;   // used to get a guess on initial stack address