deleted file mode 100644

@@ -1,87 +0,0 @@

-From 7e39d8ccbb0889c03ce6dc0dee0e63d78f37d0a9 Mon Sep 17 00:00:00 2001

-From: Kees Cook <keescook@chromium.org>

-Date: Fri, 20 Apr 2018 14:55:31 -0700

-Subject: [PATCH] fork: unconditionally clear stack on fork

-

-commit e01e80634ecdde1dd113ac43b3adad21b47f3957 upstream.

-

-One of the classes of kernel stack content leaks[1] is exposing the

-contents of prior heap or stack contents when a new process stack is

-allocated.  Normally, those stacks are not zeroed, and the old contents

-remain in place.  In the face of stack content exposure flaws, those

-contents can leak to userspace.

-

-Fixing this will make the kernel no longer vulnerable to these flaws, as

-the stack will be wiped each time a stack is assigned to a new process.

-There's not a meaningful change in runtime performance; it almost looks

-like it provides a benefit.

-

-Performing back-to-back kernel builds before:

-	Run times: 157.86 157.09 158.90 160.94 160.80

-	Mean: 159.12

-	Std Dev: 1.54

-

-and after:

-	Run times: 159.31 157.34 156.71 158.15 160.81

-	Mean: 158.46

-	Std Dev: 1.46

-

-Instead of making this a build or runtime config, Andy Lutomirski

-recommended this just be enabled by default.

-

-[1] A noisy search for many kinds of stack content leaks can be seen here:

-https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel+stack+leak

-

-I did some more with perf and cycle counts on running 100,000 execs of

-/bin/true.

-

-before:

-Cycles: 218858861551 218853036130 214727610969 227656844122 224980542841

-Mean:  221015379122.60

-Std Dev: 4662486552.47

-

-after:

-Cycles: 213868945060 213119275204 211820169456 224426673259 225489986348

-Mean:  217745009865.40

-Std Dev: 5935559279.99

-

-It continues to look like it's faster, though the deviation is rather

-wide, but I'm not sure what I could do that would be less noisy.  I'm

-open to ideas!

-

-Link: http://lkml.kernel.org/r/20180221021659.GA37073@beast

-Signed-off-by: Kees Cook <keescook@chromium.org>

-Acked-by: Michal Hocko <mhocko@suse.com>

-Reviewed-by: Andrew Morton <akpm@linux-foundation.org>

-Cc: Andy Lutomirski <luto@kernel.org>

-Cc: Laura Abbott <labbott@redhat.com>

-Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>

-Cc: Mel Gorman <mgorman@techsingularity.net>

-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

-[ Srivatsa: Backported to 4.4.y ]

-Signed-off-by: Srivatsa S. Bhat <srivatsa@csail.mit.edu>

- include/linux/thread_info.h | 6 +-----

- 1 file changed, 1 insertion(+), 5 deletions(-)

-

-diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h

-index ff307b5..646891f 100644

-+++ b/include/linux/thread_info.h

-@@ -55,11 +55,7 @@ extern long do_no_restart_syscall(struct restart_block *parm);

- 

- #ifdef __KERNEL__

- 

--#ifdef CONFIG_DEBUG_STACK_USAGE

--# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)

--#else

--# define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK)

--#endif

-+#define THREADINFO_GFP		(GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)

- 

- /*

-  * flag set/clear/test wrappers

-2.7.4

-

@@ -1,6 +1,6 @@

 #

 # Automatically generated file; DO NOT EDIT.

-# Linux/x86 4.4.139 Kernel Configuration

+# Linux/x86 4.4.148 Kernel Configuration

 #

 CONFIG_64BIT=y

 CONFIG_X86_64=y

@@ -37,7 +37,6 @@ CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y

 CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y

 CONFIG_HAVE_INTEL_TXT=y

 CONFIG_X86_64_SMP=y

-CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"

 CONFIG_ARCH_SUPPORTS_UPROBES=y

 CONFIG_FIX_EARLYCON_MEM=y

 CONFIG_PGTABLE_LEVELS=4

@@ -386,6 +385,7 @@ CONFIG_FREEZER=y

 # CONFIG_ZONE_DMA is not set

 CONFIG_SMP=y

 CONFIG_X86_FEATURE_NAMES=y

+CONFIG_X86_FAST_FEATURE_TESTS=y

 CONFIG_X86_X2APIC=y

 # CONFIG_X86_MPPARSE is not set

 CONFIG_RETPOLINE=y

@@ -4208,7 +4208,6 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0

 CONFIG_OPTIMIZE_INLINING=y

 # CONFIG_DEBUG_ENTRY is not set

 # CONFIG_DEBUG_NMI_SELFTEST is not set

-# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set

 # CONFIG_X86_DEBUG_FPU is not set

 # CONFIG_PUNIT_ATOM_DEBUG is not set

@@ -1,6 +1,6 @@

 #

 # Automatically generated file; DO NOT EDIT.

-# Linux/x86 4.4.139 Kernel Configuration

+# Linux/x86 4.4.148 Kernel Configuration

 #

 CONFIG_64BIT=y

 CONFIG_X86_64=y

@@ -36,7 +36,6 @@ CONFIG_AUDIT_ARCH=y

 CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y

 CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y

 CONFIG_X86_64_SMP=y

-CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"

 CONFIG_ARCH_SUPPORTS_UPROBES=y

 CONFIG_FIX_EARLYCON_MEM=y

 CONFIG_PGTABLE_LEVELS=4

@@ -374,6 +373,7 @@ CONFIG_FREEZER=y

 # CONFIG_ZONE_DMA is not set

 CONFIG_SMP=y

 CONFIG_X86_FEATURE_NAMES=y

+CONFIG_X86_FAST_FEATURE_TESTS=y

 CONFIG_X86_X2APIC=y

 CONFIG_X86_MPPARSE=y

 CONFIG_RETPOLINE=y

@@ -2966,7 +2966,6 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=3

 # CONFIG_OPTIMIZE_INLINING is not set

 # CONFIG_DEBUG_ENTRY is not set

 # CONFIG_DEBUG_NMI_SELFTEST is not set

-# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set

 # CONFIG_X86_DEBUG_FPU is not set

 # CONFIG_PUNIT_ATOM_DEBUG is not set

@@ -3001,6 +3000,7 @@ CONFIG_CRYPTO_HASH=y

 CONFIG_CRYPTO_HASH2=y

 CONFIG_CRYPTO_RNG=y

 CONFIG_CRYPTO_RNG2=y

+CONFIG_CRYPTO_RNG_DEFAULT=m

 CONFIG_CRYPTO_PCOMP2=y

 CONFIG_CRYPTO_AKCIPHER2=y

 CONFIG_CRYPTO_AKCIPHER=y

@@ -3028,7 +3028,7 @@ CONFIG_CRYPTO_GLUE_HELPER_X86=m

 # CONFIG_CRYPTO_GCM is not set

 # CONFIG_CRYPTO_CHACHA20POLY1305 is not set

 # CONFIG_CRYPTO_SEQIV is not set

-# CONFIG_CRYPTO_ECHAINIV is not set

+CONFIG_CRYPTO_ECHAINIV=m

 #

 # Block modes

@@ -3130,8 +3130,12 @@ CONFIG_CRYPTO_DEFLATE=m

 # Random Number Generation

 #

 CONFIG_CRYPTO_ANSI_CPRNG=m

-# CONFIG_CRYPTO_DRBG_MENU is not set

-# CONFIG_CRYPTO_JITTERENTROPY is not set

+CONFIG_CRYPTO_DRBG_MENU=m

+CONFIG_CRYPTO_DRBG_HMAC=y

+CONFIG_CRYPTO_DRBG_HASH=y

+CONFIG_CRYPTO_DRBG_CTR=y

+CONFIG_CRYPTO_DRBG=m

+CONFIG_CRYPTO_JITTERENTROPY=m

 CONFIG_CRYPTO_USER_API=y

 CONFIG_CRYPTO_USER_API_HASH=y

 CONFIG_CRYPTO_USER_API_SKCIPHER=y

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.147

+Version:       4.4.148

 Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=0d15c05764b90855d0ce5521dd378cb90ea28745

+%define sha1 linux=bf904804cb2a24b709e4de424cb7e08f2f79dd1b

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -66,9 +66,6 @@ Patch48:        0008-xfs-enhance-dinode-verifier.patch

 # For Spectre

 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

-Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

-

-

 BuildRequires: bc

 BuildRequires: kbd

 BuildRequires: kmod

@@ -151,8 +148,6 @@ The Linux package contains the Linux kernel doc files

 %patch67 -p1

-%patch70 -p1

-

 %build

 # patch vmw_balloon driver

 sed -i 's/module_init/late_initcall/' drivers/misc/vmw_balloon.c

@@ -240,6 +235,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Fri Aug 17 2018 Bo Gan <ganb@vmware.com> 4.4.148-1

+-   Update to version 4.4.148 (l1tf fixes)

 *   Thu Aug 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.147-1

 -   Update to version 4.4.147 to fix CVE-2018-12233.

 *   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.146-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.147

+Version:    	4.4.148

 Release:        1%{?kat_build:.%kat_build}%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=0d15c05764b90855d0ce5521dd378cb90ea28745

+%define sha1 linux=bf904804cb2a24b709e4de424cb7e08f2f79dd1b

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -66,8 +66,6 @@ Patch41:        0008-xfs-enhance-dinode-verifier.patch

 # For Spectre

 Patch67: 0169-x86-syscall-Clear-unused-extra-registers-on-syscall-.patch

-Patch70: 0001-fork-unconditionally-clear-stack-on-fork.patch

-

 %if 0%{?kat_build:1}

 Patch1000:	%{kat_build}.patch

@@ -183,8 +181,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch67 -p1

-%patch70 -p1

-

 %if 0%{?kat_build:1}

 %patch1000 -p1

 %endif

@@ -340,6 +336,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Fri Aug 17 2018 Bo Gan <ganb@vmware.com> 4.4.148-1

+-   Update to version 4.4.148 (l1tf fixes)

 *   Thu Aug 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.147-1

 -   Update to version 4.4.147 to fix CVE-2018-12233.

 *   Tue Aug 07 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.146-1