Linux v4.3-11742-gf6d07df

KVM-svm-unconditionally-intercept-DB.patch

@@ -1,80 +0,0 @@
-From 48bb9bb210c6c2f185d891e3e7a401d849409f84 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 10 Nov 2015 13:22:53 +0100
-Subject: [PATCH 2/2] KVM: svm: unconditionally intercept #DB
-
-This is needed to avoid the possibility that the guest triggers
-an infinite stream of #DB exceptions (CVE-2015-8104).
-
-VMX is not affected: because it does not save DR6 in the VMCS,
-it already intercepts #DB unconditionally.
-
-Reported-by: Jan Beulich <jbeulich@suse.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- arch/x86/kvm/svm.c | 14 +++-----------
- 1 file changed, 3 insertions(+), 11 deletions(-)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 7203b3cc71b5..184e50b3c35a 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1111,6 +1111,7 @@ static void init_vmcb(struct vcpu_svm *svm)
- 	set_exception_intercept(svm, UD_VECTOR);
- 	set_exception_intercept(svm, MC_VECTOR);
- 	set_exception_intercept(svm, AC_VECTOR);
-+	set_exception_intercept(svm, DB_VECTOR);
- 
- 	set_intercept(svm, INTERCEPT_INTR);
- 	set_intercept(svm, INTERCEPT_NMI);
-@@ -1645,20 +1646,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
- 	mark_dirty(svm->vmcb, VMCB_SEG);
- }
- 
--static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
-+static void update_bp_intercept(struct kvm_vcpu *vcpu)
- {
- 	struct vcpu_svm *svm = to_svm(vcpu);
- 
--	clr_exception_intercept(svm, DB_VECTOR);
- 	clr_exception_intercept(svm, BP_VECTOR);
- 
--	if (svm->nmi_singlestep)
--		set_exception_intercept(svm, DB_VECTOR);
--
- 	if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
--		if (vcpu->guest_debug &
--		    (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
--			set_exception_intercept(svm, DB_VECTOR);
- 		if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
- 			set_exception_intercept(svm, BP_VECTOR);
- 	} else
-@@ -1764,7 +1758,6 @@ static int db_interception(struct vcpu_svm *svm)
- 		if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
- 			svm->vmcb->save.rflags &=
- 				~(X86_EFLAGS_TF | X86_EFLAGS_RF);
--		update_db_bp_intercept(&svm->vcpu);
- 	}
- 
- 	if (svm->vcpu.guest_debug &
-@@ -3753,7 +3746,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
- 	 */
- 	svm->nmi_singlestep = true;
- 	svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
--	update_db_bp_intercept(vcpu);
- }
- 
- static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
-@@ -4379,7 +4371,7 @@ static struct kvm_x86_ops svm_x86_ops = {
- 	.vcpu_load = svm_vcpu_load,
- 	.vcpu_put = svm_vcpu_put,
- 
--	.update_db_bp_intercept = update_db_bp_intercept,
-+	.update_db_bp_intercept = update_bp_intercept,
- 	.get_msr = svm_get_msr,
- 	.set_msr = svm_set_msr,
- 	.get_segment_base = svm_get_segment_base,
--- 
-2.4.3
-

KVM-x86-work-around-infinite-loop-in-microcode-when-.patch

@@ -1,92 +0,0 @@
-From adceca1789584fe567828afb7246bd35a8549e94 Mon Sep 17 00:00:00 2001
-From: Eric Northup <digitaleric@google.com>
-Date: Tue, 10 Nov 2015 13:22:52 +0100
-Subject: [PATCH 1/2] KVM: x86: work around infinite loop in microcode when #AC
- is delivered
-
-It was found that a guest can DoS a host by triggering an infinite
-stream of "alignment check" (#AC) exceptions.  This causes the
-microcode to enter an infinite loop where the core never receives
-another interrupt.  The host kernel panics pretty quickly due to the
-effects (CVE-2015-5307).
-
-Signed-off-by: Eric Northup <digitaleric@google.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- arch/x86/include/uapi/asm/svm.h | 1 +
- arch/x86/kvm/svm.c              | 8 ++++++++
- arch/x86/kvm/vmx.c              | 5 ++++-
- 3 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/uapi/asm/svm.h b/arch/x86/include/uapi/asm/svm.h
-index b5d7640abc5d..8a4add8e4639 100644
---- a/arch/x86/include/uapi/asm/svm.h
-+++ b/arch/x86/include/uapi/asm/svm.h
-@@ -100,6 +100,7 @@
- 	{ SVM_EXIT_EXCP_BASE + UD_VECTOR,       "UD excp" }, \
- 	{ SVM_EXIT_EXCP_BASE + PF_VECTOR,       "PF excp" }, \
- 	{ SVM_EXIT_EXCP_BASE + NM_VECTOR,       "NM excp" }, \
-+	{ SVM_EXIT_EXCP_BASE + AC_VECTOR,       "AC excp" }, \
- 	{ SVM_EXIT_EXCP_BASE + MC_VECTOR,       "MC excp" }, \
- 	{ SVM_EXIT_INTR,        "interrupt" }, \
- 	{ SVM_EXIT_NMI,         "nmi" }, \
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index f2c8e4917688..7203b3cc71b5 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1110,6 +1110,7 @@ static void init_vmcb(struct vcpu_svm *svm)
- 	set_exception_intercept(svm, PF_VECTOR);
- 	set_exception_intercept(svm, UD_VECTOR);
- 	set_exception_intercept(svm, MC_VECTOR);
-+	set_exception_intercept(svm, AC_VECTOR);
- 
- 	set_intercept(svm, INTERCEPT_INTR);
- 	set_intercept(svm, INTERCEPT_NMI);
-@@ -1798,6 +1799,12 @@ static int ud_interception(struct vcpu_svm *svm)
- 	return 1;
- }
- 
-+static int ac_interception(struct vcpu_svm *svm)
-+{
-+	kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
-+	return 1;
-+}
-+
- static void svm_fpu_activate(struct kvm_vcpu *vcpu)
- {
- 	struct vcpu_svm *svm = to_svm(vcpu);
-@@ -3362,6 +3369,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = {
- 	[SVM_EXIT_EXCP_BASE + PF_VECTOR]	= pf_interception,
- 	[SVM_EXIT_EXCP_BASE + NM_VECTOR]	= nm_interception,
- 	[SVM_EXIT_EXCP_BASE + MC_VECTOR]	= mc_interception,
-+	[SVM_EXIT_EXCP_BASE + AC_VECTOR]	= ac_interception,
- 	[SVM_EXIT_INTR]				= intr_interception,
- 	[SVM_EXIT_NMI]				= nmi_interception,
- 	[SVM_EXIT_SMI]				= nop_on_interception,
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 5eb56ed77c1f..106aa940d3c0 100644
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -1631,7 +1631,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu)
- 	u32 eb;
- 
- 	eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
--	     (1u << NM_VECTOR) | (1u << DB_VECTOR);
-+	     (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
- 	if ((vcpu->guest_debug &
- 	     (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
- 	    (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
-@@ -5266,6 +5266,9 @@ static int handle_exception(struct kvm_vcpu *vcpu)
- 		return handle_rmode_exception(vcpu, ex_no, error_code);
- 
- 	switch (ex_no) {
-+	case AC_VECTOR:
-+		kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
-+		return 1;
- 	case DB_VECTOR:
- 		dr6 = vmcs_readl(EXIT_QUALIFICATION);
- 		if (!(vcpu->guest_debug &
--- 
-2.4.3
-

X.509-Fix-the-time-validation-ver-3.patch

@@ -1,85 +0,0 @@
-From 7db4b65eb11683e19ecb607501fa96a8cfac835f Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Thu, 12 Nov 2015 11:38:40 +0000
-Subject: [PATCH] X.509: Fix the time validation [ver #3]
-
-This fixes CVE-2015-5327.  It affects kernels from 4.3-rc1 onwards.
-
-Fix the X.509 time validation to use month number-1 when looking up the
-number of days in that month.  Also put the month number validation before
-doing the lookup so as not to risk overrunning the array.
-
-This can be tested by doing the following:
-
-cat <<EOF | openssl x509 -outform DER | keyctl padd asymmetric "" @s
------BEGIN CERTIFICATE-----
-MIIDbjCCAlagAwIBAgIJAN/lUld+VR4hMA0GCSqGSIb3DQEBCwUAMCkxETAPBgNV
-BAoMCGxvY2FsLWNhMRQwEgYDVQQDDAtzaWduaW5nIGtleTAeFw0xNTA5MDEyMTMw
-MThaFw0xNjA4MzEyMTMwMThaMCkxETAPBgNVBAoMCGxvY2FsLWNhMRQwEgYDVQQD
-DAtzaWduaW5nIGtleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrn
-crcMfMeG67nagX4+m02Xk9rkmsMKI5XTUxbikROe7GSUVJ27sPVPZp4mgzoWlvhh
-jfK8CC/qhEhwep8Pgg4EJZyWOjhZb7R97ckGvLIoUC6IO3FC2ZnR7WtmWDgo2Jcj
-VlXwJdHhKU1VZwulh81O61N8IBKqz2r/kDhIWiicUCUkI/Do/RMRfKAoDBcSh86m
-gOeIAGfq62vbiZhVsX5dOE8Oo2TK5weAvwUIOR7OuGBl5AqwFlPnXQolewiHzKry
-THg9e44HfzG4Mi6wUvcJxVaQT1h5SrKD779Z5+8+wf1JLaooetcEUArvWyuxCU59
-qxA4lsTjBwl4cmEki+cCAwEAAaOBmDCBlTAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
-AwIHgDAdBgNVHQ4EFgQUyND/eKUis7ep/hXMJ8iZMdUhI+IwWQYDVR0jBFIwUIAU
-yND/eKUis7ep/hXMJ8iZMdUhI+KhLaQrMCkxETAPBgNVBAoMCGxvY2FsLWNhMRQw
-EgYDVQQDDAtzaWduaW5nIGtleYIJAN/lUld+VR4hMA0GCSqGSIb3DQEBCwUAA4IB
-AQAMqm1N1yD5pimUELLhT5eO2lRdGUfTozljRxc7e2QT3RLk2TtGhg65JFFN6eml
-XS58AEPVcAsSLDlR6WpOpOLB2giM0+fV/eYFHHmh22yqTJl4YgkdUwyzPdCHNOZL
-hmSKeY9xliHb6PNrNWWtZwhYYvRaO2DX4GXOMR0Oa2O4vaYu6/qGlZOZv3U6qZLY
-wwHEJSrqeBDyMuwN+eANHpoSpiBzD77S4e+7hUDJnql4j6xzJ65+nWJ89fCrQypR
-4sN5R3aGeIh3QAQUIKpHilwek0CtEaYERgc5m+jGyKSc1rezJW62hWRTaitOc+d5
-G5hh+9YpnYcxQHEKnZ7rFNKJ
------END CERTIFICATE-----
-EOF
-
-If the patch works, the above should emit a key ID from the new key being
-accepted; without the patch, it will give a bad message error.
-
-Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
-Tested-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Acked-by: David Woodhouse <David.Woodhouse@intel.com>
----
- crypto/asymmetric_keys/x509_cert_parser.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
-index 3000ea3b6687..021d39c0ba75 100644
---- a/crypto/asymmetric_keys/x509_cert_parser.c
-+++ b/crypto/asymmetric_keys/x509_cert_parser.c
-@@ -531,7 +531,11 @@ int x509_decode_time(time64_t *_t,  size_t hdrlen,
- 	if (*p != 'Z')
- 		goto unsupported_time;
- 
--	mon_len = month_lengths[mon];
-+	if (year < 1970 ||
-+	    mon < 1 || mon > 12)
-+		goto invalid_time;
-+
-+	mon_len = month_lengths[mon - 1];
- 	if (mon == 2) {
- 		if (year % 4 == 0) {
- 			mon_len = 29;
-@@ -543,14 +547,12 @@ int x509_decode_time(time64_t *_t,  size_t hdrlen,
- 		}
- 	}
- 
--	if (year < 1970 ||
--	    mon < 1 || mon > 12 ||
--	    day < 1 || day > mon_len ||
-+	if (day < 1 || day > mon_len ||
- 	    hour > 23 ||
- 	    min > 59 ||
- 	    sec > 59)
- 		goto invalid_time;
--	
-+
- 	*_t = mktime64(year, mon, day, hour, min, sec);
- 	return 0;
- 
--- 
-2.4.3
-

gitrev

@@ -1 +1 @@
-5d50ac70fe98518dbf620bfba8184254663125eb
+f6d07dfcb15aad199d7351d3122eabd506968daf

kernel.spec

@@ -67,7 +67,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 8
+%define gitrev 9
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -588,21 +588,12 @@ Patch510: 0001-iwlwifi-Add-new-PCI-IDs-for-the-8260-series.patch
 #CVE-2015-7990 rhbz 1276437 1276438
 Patch511: RDS-fix-race-condition-when-sending-a-message-on-unb.patch
 
-#CVE-2015-5307 rhbz 1277172 1279688
-Patch550: KVM-x86-work-around-infinite-loop-in-microcode-when-.patch
-
-#CVE-2015-8104 rhbz 1278496 1279691
-Patch551: KVM-svm-unconditionally-intercept-DB.patch
-
 #rhbz 1269300
 Patch552: megaraid_sas-Do-not-use-PAGE_SIZE-for-max_sectors.patch
 
 #rhbz 1275490
 Patch553: ideapad-laptop-Add-Lenovo-Yoga-900-to-no_hw_rfkill-d.patch
 
-#CVE-2015-5327
-Patch554: X.509-Fix-the-time-validation-ver-3.patch
-
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2046,6 +2037,9 @@ fi
 #
 # 
 %changelog
+* Fri Nov 13 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc0.git9.1
+- Linux v4.3-11742-gf6d07df
+
 * Thu Nov 12 2015 Laura Abbott <labbott@redhat.com> - 4.4.0-0.rc0.git8.1
 - Linux v4.3-11626-g5d50ac7
 - Set CONFIG_SECTION_MISMATCH_WARN_ONLY since powerpc has mismatches

sources

@@ -1,3 +1,3 @@
 58b35794eee3b6d52ce7be39357801e7  linux-4.3.tar.xz
 7c516c9528b9f9aac0136944b0200b7e  perf-man-4.3.tar.gz
-7969fc8a820c526832269b78dbef685b  patch-4.3-git8.xz
+c7b1044c5b496e671c45b29558ed6b84  patch-4.3-git9.xz