diff options
Diffstat (limited to 'external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch')
-rw-r--r-- | external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch new file mode 100644 index 00000000..b39e8662 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch @@ -0,0 +1,116 @@ +From c811c618c114c4a6493ede602bdca22d33c1972a Mon Sep 17 00:00:00 2001 +From: Jiri Denemark <jdenemar@redhat.com> +Date: Tue, 9 Apr 2019 12:35:52 +0200 +Subject: [PATCH 04/11] cpu_map: Define md-clear CPUID bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + +The bit is set when microcode provides the mechanism to invoke a flush +of various exploitable CPU buffers by invoking the VERW instruction. + +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Jiri Denemark <jdenemar@redhat.com> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> +(cherry picked from commit 538d873571d7a682852dc1d70e5f4478f4d64e85) + +Conflicts: + src/cpu_map/x86_features.xml + - missing pconfig feature + + tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml + tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml + - test data missing downstream + + tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml + tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml + - intel-pt feature is missing + - stibp feature is missing + +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> + +Upstream-Status: Backport + +CVE: CVE-2018-12126 +CVE: CVE-2018-12127 +CVE: CVE-2018-12130 +CVE: CVE-2019-11091 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/cpu_map/x86_features.xml | 3 +++ + tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 2 +- + tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 1 + + tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml | 1 + + tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml | 1 + + 5 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/cpu_map/x86_features.xml b/src/cpu_map/x86_features.xml +index 109c653..c8ae540 100644 +--- a/src/cpu_map/x86_features.xml ++++ b/src/cpu_map/x86_features.xml +@@ -290,6 +290,9 @@ + <feature name='avx512-4fmaps'> + <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/> + </feature> ++ <feature name='md-clear'> <!-- md_clear --> ++ <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/> ++ </feature> + <feature name='spec-ctrl'> + <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/> + </feature> +diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml +index 0deca9f..74763a4 100644 +--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml ++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml +@@ -2,7 +2,7 @@ + <cpudata arch='x86'> + <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/> + <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> +- <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/> ++ <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000400'/> + <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/> + </cpudata> +diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml +index 993db80..29c1fdb 100644 +--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml ++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml +@@ -19,6 +19,7 @@ + <feature policy='require' name='osxsave'/> + <feature policy='require' name='tsc_adjust'/> + <feature policy='require' name='clflushopt'/> ++ <feature policy='require' name='md-clear'/> + <feature policy='require' name='ssbd'/> + <feature policy='require' name='xsaves'/> + <feature policy='require' name='pdpe1gb'/> +diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml +index 074a39b..2003ca9 100644 +--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml ++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml +@@ -20,6 +20,7 @@ + <feature name='osxsave'/> + <feature name='tsc_adjust'/> + <feature name='clflushopt'/> ++ <feature name='md-clear'/> + <feature name='ssbd'/> + <feature name='xsaves'/> + <feature name='pdpe1gb'/> +diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml +index 1984bd4..d6529c5 100644 +--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml ++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml +@@ -5,6 +5,7 @@ + <feature policy='require' name='hypervisor'/> + <feature policy='require' name='tsc_adjust'/> + <feature policy='require' name='clflushopt'/> ++ <feature policy='require' name='md-clear'/> + <feature policy='require' name='ssbd'/> + <feature policy='require' name='pdpe1gb'/> + </cpu> +-- +2.7.4 + |