sys-kernel/coreos-*: fix CVE-2018-14678

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.60-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel
 
 DESCRIPTION="CoreOS Linux kernel"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.17.12-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel
 
 DESCRIPTION="CoreOS Linux kernel"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14.60-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel savedconfig
 
 DESCRIPTION="CoreOS Linux kernel modules"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.17.12-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel savedconfig
 
 DESCRIPTION="CoreOS Linux kernel modules"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.14.60-r1.ebuild

@@ -37,4 +37,5 @@ UNIPATCH_LIST="
 	${PATCH_DIR}/z0004-xen-netfront-Fix-mismatched-rtnl_unlock.patch \
 	${PATCH_DIR}/z0005-xen-netfront-Update-features-after-registering-netde.patch \
 	${PATCH_DIR}/z0006-ext4-fix-false-negatives-and-false-positives-in-ext4.patch \
+	${PATCH_DIR}/z0007-x86-entry-64-Remove-ebx-handling-from-error_entry-ex.patch \
 "

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.17.12-r1.ebuild

@@ -39,4 +39,5 @@ UNIPATCH_LIST="
 	${PATCH_DIR}/z0002-Add-arm64-coreos-verity-hash.patch \
 	${PATCH_DIR}/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch \
 	${PATCH_DIR}/z0004-4.17.x-won-t-boot-due-to-x86-boot-compressed-64-Hand.patch \
+	${PATCH_DIR}/z0005-x86-entry-64-Remove-ebx-handling-from-error_entry-ex.patch \
 "

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
 From 741a20d2c9ab8fe50df1fbb1d3fd95b22f77065b Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 1/6] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 1/7] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0002-Add-arm64-coreos-verity-hash.patch

@@ -1,7 +1,7 @@
 From 0e0d8f76240259b590047c39768ddbfe1695d313 Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 2/6] Add arm64 coreos verity hash
+Subject: [PATCH 2/7] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch

@@ -1,7 +1,7 @@
 From d14e8b24ed70176794ab95521cc62f5cb14175de Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Thu, 8 Feb 2018 21:23:12 -0500
-Subject: [PATCH 3/6] tools/objtool/Makefile: Don't fail on fallthrough with
+Subject: [PATCH 3/7] tools/objtool/Makefile: Don't fail on fallthrough with
  new GCCs
 
 ---

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0004-xen-netfront-Fix-mismatched-rtnl_unlock.patch

@@ -1,7 +1,7 @@
 From b65e40359a4d927c704ad7170dd7b6e77d3aaaa4 Mon Sep 17 00:00:00 2001
 From: Ross Lagerwall <ross.lagerwall@citrix.com>
 Date: Thu, 21 Jun 2018 14:00:20 +0100
-Subject: [PATCH 4/6] xen-netfront: Fix mismatched rtnl_unlock
+Subject: [PATCH 4/7] xen-netfront: Fix mismatched rtnl_unlock
 
 Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open")
 Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0005-xen-netfront-Update-features-after-registering-netde.patch

@@ -1,7 +1,7 @@
 From db8a5080561668bdd8cc989c8c02e2dddb42e7b8 Mon Sep 17 00:00:00 2001
 From: Ross Lagerwall <ross.lagerwall@citrix.com>
 Date: Thu, 21 Jun 2018 14:00:21 +0100
-Subject: [PATCH 5/6] xen-netfront: Update features after registering netdev
+Subject: [PATCH 5/7] xen-netfront: Update features after registering netdev
 
 Update the features after calling register_netdev() otherwise the
 device features are not set up correctly and it not possible to change

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0006-ext4-fix-false-negatives-and-false-positives-in-ext4.patch

@@ -1,7 +1,7 @@
 From 9768a3646f317194d886fd7369d265f3907ddb73 Mon Sep 17 00:00:00 2001
 From: Theodore Ts'o <tytso@mit.edu>
 Date: Sun, 8 Jul 2018 19:35:02 -0400
-Subject: [PATCH 6/6] ext4: fix false negatives *and* false positives in
+Subject: [PATCH 6/7] ext4: fix false negatives *and* false positives in
  ext4_check_descriptors()
 
 commit 44de022c4382541cebdd6de4465d1f4f465ff1dd upstream.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.14/z0007-x86-entry-64-Remove-ebx-handling-from-error_entry-ex.patch

@@ -0,0 +1,133 @@
+From 127c328736c4a8a91faf7845e99e7bbfdd248cf2 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: [PATCH 7/7] x86/entry/64: Remove %ebx handling from error_entry/exit
+
+error_entry and error_exit communicate the user vs. kernel status of
+the frame using %ebx.  This is unnecessary -- the information is in
+regs->cs.  Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug.  Before all the Spectre nonsense, the
+xen_failsafe_callback entry point returned like this:
+
+        ALLOC_PT_GPREGS_ON_STACK
+        SAVE_C_REGS
+        SAVE_EXTRA_REGS
+        ENCODE_FRAME_POINTER
+        jmp     error_exit
+
+And it did not go through error_entry.  This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used.  As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks.  Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes.  This was introduced by:
+
+    commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[ Historical note: I wrote this patch as a cleanup before I was aware
+  of the bug it fixed. ]
+
+[ Note to stable maintainers: this should probably get applied to all
+  kernels.  If you're nervous about that, a more conservative fix to
+  add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+  also fix the problem. ]
+
+Reported-and-tested-by: M. Vefa Bicakci <m.v.b@runbox.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: xen-devel@lists.xenproject.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/entry/entry_64.S | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index f7bfa701219b..0fae7096ae23 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -933,7 +933,7 @@ ENTRY(\sym)
+ 
+ 	call	\do_sym
+ 
+-	jmp	error_exit			/* %ebx: no swapgs flag */
++	jmp	error_exit
+ 	.endif
+ END(\sym)
+ .endm
+@@ -1166,7 +1166,6 @@ END(paranoid_exit)
+ 
+ /*
+  * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+  */
+ ENTRY(error_entry)
+ 	UNWIND_HINT_FUNC
+@@ -1213,7 +1212,6 @@ ENTRY(error_entry)
+ 	 * for these here too.
+ 	 */
+ .Lerror_kernelspace:
+-	incl	%ebx
+ 	leaq	native_irq_return_iret(%rip), %rcx
+ 	cmpq	%rcx, RIP+8(%rsp)
+ 	je	.Lerror_bad_iret
+@@ -1247,28 +1245,20 @@ ENTRY(error_entry)
+ 
+ 	/*
+ 	 * Pretend that the exception came from user mode: set up pt_regs
+-	 * as if we faulted immediately after IRET and clear EBX so that
+-	 * error_exit knows that we will be returning to user mode.
++	 * as if we faulted immediately after IRET.
+ 	 */
+ 	mov	%rsp, %rdi
+ 	call	fixup_bad_iret
+ 	mov	%rax, %rsp
+-	decl	%ebx
+ 	jmp	.Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+ 
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- *   1: already in kernel mode, don't need SWAPGS
+- *   0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+ 	UNWIND_HINT_REGS
+ 	DISABLE_INTERRUPTS(CLBR_ANY)
+ 	TRACE_IRQS_OFF
+-	testl	%ebx, %ebx
+-	jnz	retint_kernel
++	testb	$3, CS(%rsp)
++	jz	retint_kernel
+ 	jmp	retint_user
+ END(error_exit)
+ 
+-- 
+2.17.1
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0001-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
 From 1565054e3925885a5a727c59145485eb928b65c8 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 1/4] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 1/5] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0002-Add-arm64-coreos-verity-hash.patch

@@ -1,7 +1,7 @@
 From d1a996e00fc7b58bfffc3cfcd807c9dde2949634 Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 2/4] Add arm64 coreos verity hash
+Subject: [PATCH 2/5] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0003-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch

@@ -1,7 +1,7 @@
 From 178edc68fcd926a894972ea889b5265428fdc5ac Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Thu, 8 Feb 2018 21:23:12 -0500
-Subject: [PATCH 3/4] tools/objtool/Makefile: Don't fail on fallthrough with
+Subject: [PATCH 3/5] tools/objtool/Makefile: Don't fail on fallthrough with
  new GCCs
 
 ---

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0004-4.17.x-won-t-boot-due-to-x86-boot-compressed-64-Hand.patch

@@ -1,7 +1,7 @@
 From 61ceb2881ae20ce661b4cc28cf7369bfccae9086 Mon Sep 17 00:00:00 2001
 From: "Kirill A. Shutemov" <kirill@shutemov.name>
 Date: Wed, 4 Jul 2018 18:08:57 +0300
-Subject: [PATCH 4/4] 4.17.x won't boot due to "x86/boot/compressed/64: Handle
+Subject: [PATCH 4/5] 4.17.x won't boot due to "x86/boot/compressed/64: Handle
  5-level paging boot if kernel is above 4G"
 
 On Tue, Jul 03, 2018 at 05:21:50PM +0300, Kirill A. Shutemov wrote:

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.17/z0005-x86-entry-64-Remove-ebx-handling-from-error_entry-ex.patch

@@ -0,0 +1,133 @@
+From c9017bec96f9cdd3c9434b44e0d28da2c8573b47 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Sun, 22 Jul 2018 11:05:09 -0700
+Subject: [PATCH 5/5] x86/entry/64: Remove %ebx handling from error_entry/exit
+
+error_entry and error_exit communicate the user vs. kernel status of
+the frame using %ebx.  This is unnecessary -- the information is in
+regs->cs.  Just use regs->cs.
+
+This makes error_entry simpler and makes error_exit more robust.
+
+It also fixes a nasty bug.  Before all the Spectre nonsense, the
+xen_failsafe_callback entry point returned like this:
+
+        ALLOC_PT_GPREGS_ON_STACK
+        SAVE_C_REGS
+        SAVE_EXTRA_REGS
+        ENCODE_FRAME_POINTER
+        jmp     error_exit
+
+And it did not go through error_entry.  This was bogus: RBX
+contained garbage, and error_exit expected a flag in RBX.
+
+Fortunately, it generally contained *nonzero* garbage, so the
+correct code path was used.  As part of the Spectre fixes, code was
+added to clear RBX to mitigate certain speculation attacks.  Now,
+depending on kernel configuration, RBX got zeroed and, when running
+some Wine workloads, the kernel crashes.  This was introduced by:
+
+    commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+
+With this patch applied, RBX is no longer needed as a flag, and the
+problem goes away.
+
+I suspect that malicious userspace could use this bug to crash the
+kernel even without the offending patch applied, though.
+
+[ Historical note: I wrote this patch as a cleanup before I was aware
+  of the bug it fixed. ]
+
+[ Note to stable maintainers: this should probably get applied to all
+  kernels.  If you're nervous about that, a more conservative fix to
+  add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should
+  also fix the problem. ]
+
+Reported-and-tested-by: M. Vefa Bicakci <m.v.b@runbox.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: xen-devel@lists.xenproject.org
+Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface")
+Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/entry/entry_64.S | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
+index 3166b9674429..b9699e63ceda 100644
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -981,7 +981,7 @@ ENTRY(\sym)
+ 
+ 	call	\do_sym
+ 
+-	jmp	error_exit			/* %ebx: no swapgs flag */
++	jmp	error_exit
+ 	.endif
+ END(\sym)
+ .endm
+@@ -1222,7 +1222,6 @@ END(paranoid_exit)
+ 
+ /*
+  * Save all registers in pt_regs, and switch GS if needed.
+- * Return: EBX=0: came from user mode; EBX=1: otherwise
+  */
+ ENTRY(error_entry)
+ 	UNWIND_HINT_FUNC
+@@ -1269,7 +1268,6 @@ ENTRY(error_entry)
+ 	 * for these here too.
+ 	 */
+ .Lerror_kernelspace:
+-	incl	%ebx
+ 	leaq	native_irq_return_iret(%rip), %rcx
+ 	cmpq	%rcx, RIP+8(%rsp)
+ 	je	.Lerror_bad_iret
+@@ -1303,28 +1301,20 @@ ENTRY(error_entry)
+ 
+ 	/*
+ 	 * Pretend that the exception came from user mode: set up pt_regs
+-	 * as if we faulted immediately after IRET and clear EBX so that
+-	 * error_exit knows that we will be returning to user mode.
++	 * as if we faulted immediately after IRET.
+ 	 */
+ 	mov	%rsp, %rdi
+ 	call	fixup_bad_iret
+ 	mov	%rax, %rsp
+-	decl	%ebx
+ 	jmp	.Lerror_entry_from_usermode_after_swapgs
+ END(error_entry)
+ 
+-
+-/*
+- * On entry, EBX is a "return to kernel mode" flag:
+- *   1: already in kernel mode, don't need SWAPGS
+- *   0: user gsbase is loaded, we need SWAPGS and standard preparation for return to usermode
+- */
+ ENTRY(error_exit)
+ 	UNWIND_HINT_REGS
+ 	DISABLE_INTERRUPTS(CLBR_ANY)
+ 	TRACE_IRQS_OFF
+-	testl	%ebx, %ebx
+-	jnz	retint_kernel
++	testb	$3, CS(%rsp)
++	jz	retint_kernel
+ 	jmp	retint_user
+ END(error_exit)
+ 
+-- 
+2.17.1
+