Ubuntu
linux package

~apw/ubuntu/+source/linux/+git/pti:pti/artful-retpoline-intelv1--pull

  1. Git
  2. lp:~apw/ubuntu/+source/linux/+git/pti
  3. pti/artful-retpoline-intelv1--pull
Last commit made on 2018-02-04
Get this branch:
git clone -b pti/artful-retpoline-intelv1--pull https://git.launchpad.net/~apw/ubuntu/+source/linux/+git/pti
Only Andy Whitcroft can upload to this branch. If you are Andy Whitcroft please log in for upload directions.

Branch merges

Branch information

Name:
pti/artful-retpoline-intelv1--pull
Repository:
lp:~apw/ubuntu/+source/linux/+git/pti

Recent commits

c50da22... by Josh Poimboeuf

x86/unwind: Fix dereference of untrusted pointer

Tetsuo Handa and Fengguang Wu reported a panic in the unwinder:

  BUG: unable to handle kernel NULL pointer dereference at 000001f2
  IP: update_stack_state+0xd4/0x340
  *pde = 00000000

  Oops: 0000 [#1] PREEMPT SMP
  CPU: 0 PID: 18728 Comm: 01-cpu-hotplug Not tainted 4.13.0-rc4-00170-gb09be67 #592
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
  task: bb0b53c0 task.stack: bb3ac000
  EIP: update_stack_state+0xd4/0x340
  EFLAGS: 00010002 CPU: 0
  EAX: 0000a570 EBX: bb3adccb ECX: 0000f401 EDX: 0000a570
  ESI: 00000001 EDI: 000001ba EBP: bb3adc6b ESP: bb3adc3f
   DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
  CR0: 80050033 CR2: 000001f2 CR3: 0b3a7000 CR4: 00140690
  DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
  DR6: fffe0ff0 DR7: 00000400
  Call Trace:
   ? unwind_next_frame+0xea/0x400
   ? __unwind_start+0xf5/0x180
   ? __save_stack_trace+0x81/0x160
   ? save_stack_trace+0x20/0x30
   ? __lock_acquire+0xfa5/0x12f0
   ? lock_acquire+0x1c2/0x230
   ? tick_periodic+0x3a/0xf0
   ? _raw_spin_lock+0x42/0x50
   ? tick_periodic+0x3a/0xf0
   ? tick_periodic+0x3a/0xf0
   ? debug_smp_processor_id+0x12/0x20
   ? tick_handle_periodic+0x23/0xc0
   ? local_apic_timer_interrupt+0x63/0x70
   ? smp_trace_apic_timer_interrupt+0x235/0x6a0
   ? trace_apic_timer_interrupt+0x37/0x3c
   ? strrchr+0x23/0x50
  Code: 0f 95 c1 89 c7 89 45 e4 0f b6 c1 89 c6 89 45 dc 8b 04 85 98 cb 74 bc 88 4d e3 89 45 f0 83 c0 01 84 c9 89 04 b5 98 cb 74 bc 74 3b <8b> 47 38 8b 57 34 c6 43 1d 01 25 00 00 02 00 83 e2 03 09 d0 83
  EIP: update_stack_state+0xd4/0x340 SS:ESP: 0068:bb3adc3f
  CR2: 00000000000001f2
  ---[ end trace 0d147fd4aba8ff50 ]---
  Kernel panic - not syncing: Fatal exception in interrupt

On x86-32, after decoding a frame pointer to get a regs address,
regs_size() dereferences the regs pointer when it checks regs->cs to see
if the regs are user mode. This is dangerous because it's possible that
what looks like a decoded frame pointer is actually a corrupt value, and
we don't want the unwinder to make things worse.

Instead of calling regs_size() on an unsafe pointer, just assume they're
kernel regs to start with. Later, once it's safe to access the regs, we
can do the user mode check and corresponding safety check for the
remaining two regs.

Reported-and-tested-by: Tetsuo Handa <email address hidden>
Reported-and-tested-by: Fengguang Wu <email address hidden>
Signed-off-by: Josh Poimboeuf <email address hidden>
Cc: Byungchul Park <email address hidden>
Cc: LKP <lkp@01.org>
Cc: Linus Torvalds <email address hidden>
Cc: Peter Zijlstra <email address hidden>
Cc: Thomas Gleixner <email address hidden>
Fixes: 5ed8d8bb38c5 ("x86/unwind: Move common code into update_stack_state()")
Link: http://lkml.kernel.org/r/<email address hidden>
Signed-off-by: Ingo Molnar <email address hidden>

(cherry picked from commit 62dd86ac01f9fb6386d7f8c6b389c3ea4582a50a)
BugLink: http://bugs.launchpad.net/bugs/1747263
Signed-off-by: Andy Whitcroft <email address hidden>

0c1679f... by Andy Whitcroft

UBUNTU: SAUCE: claim mitigation via observable speculation barrier

CVE-2017-5753 (Spectre v1 Intel)

Signed-off-by: Andy Whitcroft <email address hidden>

18170e3... by Martin Schwidefsky <email address hidden>

s390/spinlock: add osb memory barrier

CVE-2017-5753 (Spectre v1 Intel)

Signed-off-by: Martin Schwidefsky <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

540ea91... by Andy Whitcroft

powerpc: add osb barrier

CVE-2017-5753 (Spectre v1 Intel)

Signed-off-by: Andy Whitcroft <email address hidden>

3ee43cb... by Elena Reshetova <email address hidden>

userns: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the pos value in function m_start()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
map->extent, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

68b1d65... by Elena Reshetova <email address hidden>

udf: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the eahd->appAttrLocation value in function
udf_add_extendedattr() seems to be controllable by
userspace and later on conditionally (upon bound check)
used in following memmove, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

9abafe1... by Elena Reshetova <email address hidden>

net: mpls: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the index value in function mpls_route_input_rcu()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
platform_label, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

303e4e1... by Elena Reshetova <email address hidden>

fs: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the fd value in function __fcheck_files()
seems to be controllable by userspace and later on
conditionally (upon bound check) used to resolve
fdt->fd, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

2a05491... by Elena Reshetova <email address hidden>

ipv6: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the offset value in function raw6_getfrag()
seems to be controllable by userspace and later on
conditionally (upon bound check) used in the
following memcpy, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

6e14d74... by Elena Reshetova <email address hidden>

ipv4: prevent speculative execution

CVE-2017-5753 (Spectre v1 Intel)

Since the offset value in function raw_getfrag()
seems to be controllable by userspace and later on
conditionally (upon bound check) used in the following
memcpy, insert an observable speculation
barrier before its usage. This should prevent
observable speculation on that branch and avoid
kernel memory leak.

Signed-off-by: Elena Reshetova <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>