Add patch for RH1566890

This commit is contained in:
Andrew Hughes 2019-04-17 05:34:59 +01:00
parent f3e7cf77df
commit 19a00b350c
2 changed files with 75 additions and 8 deletions

View File

@ -946,7 +946,7 @@ Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
Name: java-%{javaver}-%{origin} Name: java-%{javaver}-%{origin}
Version: %{newjavaver}.%{buildver} Version: %{newjavaver}.%{buildver}
Release: 8%{?dist} Release: 9%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages # and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a # also included the epoch in their virtual provides. This created a
@ -1019,13 +1019,6 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch
# Not currently suitable to go upstream as it disables curves # Not currently suitable to go upstream as it disables curves
# for all providers unconditionally # for all providers unconditionally
Patch525: rh1022017-reduce_ssl_curves.patch Patch525: rh1022017-reduce_ssl_curves.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# System NSS via SunEC Provider
Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
# PR3695: Allow use of system crypto policy to be disabled by the user
Patch6: pr3695-toggle_system_crypto_policy.patch
############################################# #############################################
# #
@ -1045,6 +1038,15 @@ Patch6: pr3695-toggle_system_crypto_policy.patch
Patch8: jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch Patch8: jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
# 8210425, RHBZ#1632174: [x86] sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization # 8210425, RHBZ#1632174: [x86] sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
Patch9: jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch Patch9: jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# System NSS via SunEC Provider
Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
# RH1566890: CVE-2018-3639
Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
# PR3695: Allow use of system crypto policy to be disabled by the user
Patch7: pr3695-toggle_system_crypto_policy.patch
############################################# #############################################
# #
@ -1314,6 +1316,7 @@ pushd %{top_level_dir_name}
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
@ -1872,6 +1875,9 @@ require "copy_jdk_configs.lua"
%changelog %changelog
* Thu Mar 21 2019 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.2.7-9
- Add patch for RH1566890
* Wed Mar 20 2019 Peter Robinson <pbrobinson@fedoraproject.org> 1:11.0.2.7-8 * Wed Mar 20 2019 Peter Robinson <pbrobinson@fedoraproject.org> 1:11.0.2.7-8
- Drop chkconfig dep, 1.7 shipped in f24 - Drop chkconfig dep, 1.7 shipped in f24

View File

@ -0,0 +1,61 @@
diff --git openjdk/src/hotspot/os/linux/os_linux.cpp openjdk/src/hotspot/os/linux/os_linux.cpp
--- openjdk/src/hotspot/os/linux/os_linux.cpp
+++ openjdk/src/hotspot/os/linux/os_linux.cpp
@@ -107,6 +107,8 @@
# include <inttypes.h>
# include <sys/ioctl.h>
+#include <sys/prctl.h>
+
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#include <sched.h>
@@ -4984,6 +4986,48 @@
extern void report_error(char* file_name, int line_no, char* title,
char* format, ...);
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() __attribute__((constructor));
+static void set_speculation() {
+ if ( prctl(PR_SET_SPECULATION_CTRL,
+ PR_SPEC_STORE_BYPASS,
+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ return;
+ }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+}
+
// this is called _before_ most of the global arguments have been parsed
void os::init(void) {
char dummy; // used to get a guess on initial stack address