@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.4.144

+Version:	4.4.145

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=604bb959a569c7c94d18aa405dce3a6549c54179

+%define sha1 linux=453ad80ed24996f0b7700d84bf48d38eb0e53cc1

 BuildArch:	noarch

 # From SPECS/linux and used by linux-esx only

 # It provides f*xattrat syscalls

@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.145-1

+-   Update to version 4.4.145

 *   Thu Jul 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.144-1

 -   Update to version 4.4.144

 *   Mon Jul 16 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.140-1

new file mode 100644

@@ -0,0 +1,87 @@

+From 7e39d8ccbb0889c03ce6dc0dee0e63d78f37d0a9 Mon Sep 17 00:00:00 2001

+From: Kees Cook <keescook@chromium.org>

+Date: Fri, 20 Apr 2018 14:55:31 -0700

+Subject: [PATCH] fork: unconditionally clear stack on fork

+

+commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

+

+One of the classes of kernel stack content leaks[1] is exposing the

+contents of prior heap or stack contents when a new process stack is

+allocated.  Normally, those stacks are not zeroed, and the old contents

+remain in place.  In the face of stack content exposure flaws, those

+contents can leak to userspace.

+

+Fixing this will make the kernel no longer vulnerable to these flaws, as

+the stack will be wiped each time a stack is assigned to a new process.

+There's not a meaningful change in runtime performance; it almost looks

+like it provides a benefit.

+

+Performing back-to-back kernel builds before:

+	Run times: 157.86 157.09 158.90 160.94 160.80

+	Mean: 159.12

+	Std Dev: 1.54

+

+and after:

+	Run times: 159.31 157.34 156.71 158.15 160.81

+	Mean: 158.46

+	Std Dev: 1.46

+

+Instead of making this a build or runtime config, Andy Lutomirski

+recommended this just be enabled by default.

+

+[1] A noisy search for many kinds of stack content leaks can be seen here:

+https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

+

+I did some more with perf and cycle counts on running 100,000 execs of

+/bin/true.

+

+before:

+Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841

+Mean:  221015379122.60

+Std Dev: 4662486552.47

+

+after:

+Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348

+Mean:  217745009865.40

+Std Dev: 5935559279.99

+

+It continues to look like it's faster, though the deviation is rather

+wide, but I'm not sure what I could do that would be less noisy.  I'm

+open to ideas!

+

+Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast

+Signed-off-by: Kees Cook <keescook@chromium.org>

+Acked-by: Michal Hocko <mhocko@suse.com>

+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>

+Cc: Andy Lutomirski <luto@kernel.org>

+Cc: Laura Abbott <labbott@redhat.com>

+Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>

+Cc: Mel Gorman <mgorman@techsingularity.net>

+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+[ Srivatsa: Backported to 4.4.y ]

+Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

+---

+ include/linux/thread_info.h | 6 +-----

+ 1 file changed, 1 insertion(+), 5 deletions(-)

+

+diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h

+index ff307b5..646891f 100644

+--- a/include/linux/thread_info.h

+@@ -55,11 +55,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);

+ 

+ #ifdef __KERNEL__

+ 

+-#ifdef CONFIG_DEBUG_STACK_USAGE

+-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)

+-#else

+-# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK)

+-#endif

++#define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)

+ 

+ /*

+  * flag set/clear/test wrappers

+-- 

+2.7.4

+

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.144

+Version:       4.4.145

 Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=604bb959a569c7c94d18aa405dce3a6549c54179

+%define sha1 linux=453ad80ed24996f0b7700d84bf48d38eb0e53cc1

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -78,6 +78,8 @@ Patch65: 0154-udf-prevent-speculative-execution.patch

 Patch66: 0155-userns-prevent-speculative-execution.patch

 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

+Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

+

 BuildRequires: bc

 BuildRequires: kbd

@@ -173,6 +175,7 @@ The Linux package contains the Linux kernel doc files

 %patch66 -p1

 %patch67 -p1

+%patch70 -p1

 %build

 # patch vmw_balloon driver

@@ -261,6 +264,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.145-1

+-   Update to version 4.4.145 and clear stack on fork.

 *   Thu Jul 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.144-1

 -   Update to version 4.4.144 and fix CVE-2018-10322

 *   Mon Jul 16 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.140-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.144

+Version:    	4.4.145

 Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=604bb959a569c7c94d18aa405dce3a6549c54179

+%define sha1 linux=453ad80ed24996f0b7700d84bf48d38eb0e53cc1

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -78,6 +78,8 @@ Patch65: 0154-udf-prevent-speculative-execution.patch

 Patch66: 0155-userns-prevent-speculative-execution.patch

 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

+Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

+

 %if 0%{?kat_build:1}

 Patch1000:	%{kat_build}.patch

@@ -205,6 +207,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch66 -p1

 %patch67 -p1

+%patch70 -p1

 %if 0%{?kat_build:1}

 %patch1000 -p1

@@ -361,6 +364,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Mon Jul 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.145-1

+-   Update to version 4.4.145 and clear stack on fork.

 *   Thu Jul 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.144-1

 -   Update to version 4.4.144 and fix CVE-2018-10322

 *   Mon Jul 16 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.140-1