@@ -83,87 +83,97 @@ Subject: [PATCH 2/3] Added PAX_RANDKSTACK

 Signed-off-by: Him Kalyan Bordoloi<bordoloih@vmware.com>

 ---

- arch/x86/entry/entry_64.S    | 17 +++++++++++++++--

- arch/x86/kernel/process_64.c | 17 +++++++++++++++++

+ arch/x86/entry/entry_64.S    | 37 +++++++++++++++++++++++++++++++++++++

+ arch/x86/kernel/process_64.c | 15 +++++++++++++++

  security/Kconfig             | 16 ++++++++++++++++

- 3 files changed, 48 insertions(+), 2 deletions(-)

+ 3 files changed, 68 insertions(+)

 diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S

-index 8ae7ffd..9c1daeb 100644

+index 8ae7ffd..f7c721d 100644

 --- a/arch/x86/entry/entry_64.S

 +++ b/arch/x86/entry/entry_64.S

-@@ -53,6 +53,14 @@ ENTRY(native_usergs_sysret64)

+@@ -53,6 +53,15 @@ ENTRY(native_usergs_sysret64)

  END(native_usergs_sysret64)

  #endif /* CONFIG_PARAVIRT */

-+.macro pax_rand_kstack

 +#ifdef CONFIG_PAX_RANDKSTACK

++.macro PAX_RAND_KSTACK

++	movq	%rsp, %rdi

 +	call	pax_randomize_kstack

 +	movq    %rsp, %rdi

 +	movq    %rax, %rsp

-+#endif

 +.endm

++#endif

 +

  .macro TRACE_IRQS_FLAGS flags:req

  #ifdef CONFIG_TRACE_IRQFLAGS

  	btl	$9, \flags		/* interrupts off? */

-@@ -233,9 +241,20 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)

+@@ -233,9 +242,28 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)

  	TRACE_IRQS_OFF

  	/* IRQs are off. */

--	movq	%rax, %rdi

--	movq	%rsp, %rsi

 +

 +	/*

 +	 * do_syscall_64 expects syscall-nr (pt_regs->orig_ax) as the first

 +	 * argument (%rdi) and pointer to pt_regs as the second argument (%rsi).

 +	 */

++#ifdef CONFIG_PAX_RANDKSTACK

 +	pushq	%rax

++	movq	%rsp, %rdi

 +	call	pax_randomize_kstack

 +	popq	%rdi

 +	movq    %rsp, %rsi

 +	movq    %rax, %rsp

 +

 +	pushq	%rsi

++#else

+ 	movq	%rax, %rdi

+ 	movq	%rsp, %rsi

++#endif

  	call	do_syscall_64		/* returns with IRQs disabled */

++#ifdef CONFIG_PAX_RANDKSTACK

 +	popq	%rsp

++#endif

  	TRACE_IRQS_IRETQ		/* we're about to change IF */

-@@ -401,8 +420,11 @@ ENTRY(ret_from_fork)

+@@ -401,8 +429,17 @@ ENTRY(ret_from_fork)

  2:

  	UNWIND_HINT_REGS

--	movq	%rsp, %rdi

-+	pax_rand_kstack

++#ifdef CONFIG_PAX_RANDKSTACK

++	PAX_RAND_KSTACK

 +	pushq	%rdi

++#else

+ 	movq	%rsp, %rdi

++#endif

  	call	syscall_return_slowpath	/* returns with IRQs disabled */

++#ifdef CONFIG_PAX_RANDKSTACK

 +	popq	%rsp

++#endif

 +

  	TRACE_IRQS_ON			/* user mode is traced as IRQS on */

  	jmp	swapgs_restore_regs_and_return_to_usermode

 diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c

-index 0091a73..a73aab3 100644

+index 0091a73..31b697c 100644

 --- a/arch/x86/kernel/process_64.c

 +++ b/arch/x86/kernel/process_64.c

-@@ -61,6 +61,23 @@

+@@ -61,6 +61,21 @@

  __visible DEFINE_PER_CPU(unsigned long, rsp_scratch);

 +#ifdef CONFIG_PAX_RANDKSTACK

-+unsigned long pax_randomize_kstack(void)

++unsigned long pax_randomize_kstack(struct pt_regs *regs)

 +{

-+        struct task_struct *task = current;

-+        unsigned long time;

-+        unsigned long sp1;

-+

++	unsigned long time;

++	unsigned long sp1;

 +

-+        if (!randomize_va_space)

-+                return (unsigned long)task_pt_regs(task);

++	if (!randomize_va_space)

++		return (unsigned long)regs;

 +

-+        time = rdtsc() & 0xFUL;

-+        sp1 = (unsigned long)task_pt_regs(task) - (time << 4);

++	time = rdtsc() & 0xFUL;

++	sp1 = (unsigned long)regs - (time << 4);

 +	return sp1;

 +}

 +#endif

@@ -198,3 +208,5 @@ index 564e975..7ef4ec8 100644

  endif

  source security/keys/Kconfig

+-- 

+2.7.4

@@ -34,7 +34,7 @@ Subject: [PATCH 3/3] Added rap_plugin

  arch/x86/crypto/twofish-x86_64-asm_64-3way.S       |   2 +-

  arch/x86/crypto/twofish-x86_64-asm_64.S            |   4 +-

  arch/x86/entry/Makefile                            |   2 +

- arch/x86/entry/common.c                            |  61 +++

+ arch/x86/entry/common.c                            |  51 ++

  arch/x86/events/amd/iommu.h                        |   2 +-

  arch/x86/include/asm/e820/api.h                    |   2 +-

  arch/x86/include/asm/fixmap.h                      |   2 +-

@@ -104,7 +104,7 @@ Subject: [PATCH 3/3] Added rap_plugin

  kernel/sched/core.c                                |   4 +-

  kernel/sched/deadline.c                            |   4 +-

  kernel/sched/rt.c                                  |   4 +-

- kernel/sched/sched.h                               |   8 +-

+ kernel/sched/sched.h                               |   9 +-

  mm/filemap.c                                       |   6 +-

  mm/readahead.c                                     |   2 +-

  net/bridge/br_private.h                            |   3 +-

@@ -117,7 +117,7 @@ Subject: [PATCH 3/3] Added rap_plugin

  scripts/gcc-plugins/rap_plugin/rap_plugin.c        | 534 ++++++++++++++++++++

  scripts/gcc-plugins/rap_plugin/sip.c               |  96 ++++

  security/Kconfig                                   |  18 +

- 113 files changed, 2506 insertions(+), 750 deletions(-)

+ 113 files changed, 2496 insertions(+), 751 deletions(-)

  create mode 100644 scripts/gcc-plugins/rap_plugin/Makefile

  create mode 100644 scripts/gcc-plugins/rap_plugin/rap.h

  create mode 100644 scripts/gcc-plugins/rap_plugin/rap_fptr_pass.c

@@ -125,7 +125,6 @@ Subject: [PATCH 3/3] Added rap_plugin

  create mode 100644 scripts/gcc-plugins/rap_plugin/rap_plugin.c

  create mode 100644 scripts/gcc-plugins/rap_plugin/sip.c

-

 diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S

 index d27a506..25fbe8f 100644

 --- a/arch/x86/crypto/aesni-intel_asm.S

@@ -1094,39 +1093,28 @@ index 06fc70c..03f4755 100644

 +CFLAGS_REMOVE_syscall_32.o = $(RAP_PLUGIN_ABS_CFLAGS)

 +CFLAGS_REMOVE_syscall_64.o = $(RAP_PLUGIN_ABS_CFLAGS)

 diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c

-index 3b2490b..589aae7 100644

+index 3b2490b..0806da8 100644

 --- a/arch/x86/entry/common.c

 +++ b/arch/x86/entry/common.c

-@@ -286,8 +286,28 @@ __visible void do_syscall_64(unsigned long nr, struct pt_regs *regs)

- 	 */

+@@ -287,7 +287,17 @@ __visible void do_syscall_64(unsigned long nr, struct pt_regs *regs)

  	nr &= __SYSCALL_MASK;

  	if (likely(nr < NR_syscalls)) {

+ 		nr = array_index_nospec(nr, NR_syscalls);

 +#ifdef CONFIG_PAX_RAP

-+		asm volatile("movq %[param1],%%rdi\n\t"

-+			"movq %[param2],%%rsi\n\t"

-+			"movq %[param3],%%rdx\n\t"

-+			"movq %[param4],%%rcx\n\t"

-+			"movq %[param5],%%r8\n\t"

-+			"movq %[param6],%%r9\n\t"

++		asm volatile("movq %[param],%%rdi\n\t"

 +			"call *%P[syscall]\n\t"

 +			"mov %%rax,%[result]\n\t"

 +			: [result] "=m" (regs->ax)

 +			: [syscall] "m" (sys_call_table[nr]),

-+			[param1] "m" (regs->di),

-+			[param2] "m" (regs->si),

-+			[param3] "m" (regs->dx),

-+			[param4] "m" (regs->r10),

-+			[param5] "m" (regs->r8),

-+			[param6] "m" (regs->r9)

-+			: "ax", "di", "si", "dx", "cx", "r8", "r9", "r10", "r11", "memory");

++			[param] "m" (regs)

++			: "ax", "di", "memory");

 +#else

- 		nr = array_index_nospec(nr, NR_syscalls);

  		regs->ax = sys_call_table[nr](regs);

 +#endif

  	}

  	syscall_return_slowpath(regs);

-@@ -331,10 +351,51 @@ static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs)

+@@ -331,10 +341,51 @@ static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs)

  		 * the high bits are zero.  Make sure we zero-extend all

  		 * of the args.

  		 */

@@ -5527,7 +5515,7 @@ index c7742dc..39668dc 100644

  	unsigned char		idle_balance;

-@@ -1088,7 +1092,7 @@ init_numa_balancing(unsigned long clone_flags, struct task_struct *p)

+@@ -1088,7 +1091,7 @@ init_numa_balancing(unsigned long clone_flags, struct task_struct *p)

  static inline void

  queue_balance_callback(struct rq *rq,

@@ -5536,7 +5524,7 @@ index c7742dc..39668dc 100644

  		       void (*func)(struct rq *rq))

  {

  	lockdep_assert_held(&rq->lock);

-@@ -1096,7 +1100,7 @@ queue_balance_callback(struct rq *rq,

+@@ -1096,7 +1099,7 @@ queue_balance_callback(struct rq *rq,

  	if (unlikely(head->next))

  		return;

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.18.9

-Release:        2%{?kat_build:.%kat_build}%{?dist}

+Release:        3%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -233,6 +233,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Tue Oct 30 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.18.9-3

+-   Fix PAX randkstack and RAP plugin patches to avoid boot panic.

 *   Mon Oct 22 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.18.9-2

 -   Use updated steal time accounting patch.

 *   Tue Sep 25 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.18.9-1

@@ -262,7 +264,7 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 -   Version update

 *   Wed Oct 11 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-3

 -   Add patch "KVM: Don't accept obviously wrong gsi values via

-    KVM_IRQFD" to fix CVE-2017-1000252.

+-   KVM_IRQFD" to fix CVE-2017-1000252.

 *   Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.53-2

 -   Build hang (at make oldconfig) fix.

 *   Thu Oct 05 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-1

@@ -285,7 +287,7 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 *   Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2

 -   Fix CVE-2017-7542

 -   [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid

-    panic on modprobe tcrypt

+-   panic on modprobe tcrypt

 *   Mon Aug 07 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-1

 -   Version update

 *   Fri Aug 04 2017 Bo Gan <ganb@vmware.com> 4.9.38-6

@@ -313,7 +315,7 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 -   Fix CVE-2017-1000364 ("stack clash") and CVE-2017-9605

 *   Thu Jun 8 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.31-1

 -   Fix CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076

-    CVE-2017-9077 and CVE-2017-9242

+-   CVE-2017-9077 and CVE-2017-9242

 -   [feature] IPV6 netfilter NAT table support

 *   Fri May 26 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.30-1

 -   Fix CVE-2017-7487 and CVE-2017-9059

@@ -340,11 +342,11 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 -   .config: disable XEN guest (needs rap_plugin verification)

 *   Wed Feb 22 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.9-2

 -   rap_plugin improvement: throw error on function type casting

-    function signatures were cleaned up using this feature.

+-   function signatures were cleaned up using this feature.

 -   Added RAP_ENTRY for asm functions.

 *   Thu Feb 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.9-1

 -   Update to linux-4.9.9 to fix CVE-2016-10153, CVE-2017-5546,

-    CVE-2017-5547, CVE-2017-5548 and CVE-2017-5576.

+-   CVE-2017-5547, CVE-2017-5548 and CVE-2017-5576.

 -   Added aufs support.

 -   Added PAX_RANDKSTACK feature.

 -   Extra func signatures cleanup to fix 1809717 and 1809722.

@@ -358,7 +360,7 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 *   Mon Dec 12 2016 Alexey Makhalov <amakhalov@vmware.com> 4.9.0-1

 -   Update to linux-4.9.0

 -   Add paravirt stolen time accounting feature (from linux-esx),

-    but disable it by default (no-vmw-sta cmdline parameter)

+-   but disable it by default (no-vmw-sta cmdline parameter)

 -   Use vmware_io_delay() to keep "void fn(void)" signature

 *   Wed Nov 30 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-2

 -   Expand `uname -r` with release number

@@ -369,4 +371,4 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 -   .config: add netfilter_xt_match_{cgroup,ipvs} support

 -   .config: disable /dev/mem

 *   Mon Oct 17 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-1

-    Initial commit.

+-   Initial commit.