diff -Nru qemu-2.10+dfsg/debian/changelog qemu-2.10+dfsg/debian/changelog --- qemu-2.10+dfsg/debian/changelog 2018-05-17 14:00:30.000000000 +0000 +++ qemu-2.10+dfsg/debian/changelog 2018-05-23 11:59:37.000000000 +0000 @@ -1,3 +1,15 @@ +qemu (1:2.10+dfsg-0ubuntu3.8) artful-security; urgency=medium + + * SECURITY UPDATE: Speculative Store Bypass + - debian/patches/CVE-2018-3639-2.patch: define the AMD 'virt-ssbd' + CPUID feature bit in target/i386/cpu.c. + - debian/patches/CVE-2018-3639-3.patch: define the Virt SSBD MSR and + handling of it in target/i386/cpu.h, target/i386/kvm.c, + target/i386/machine.c. + - CVE-2018-3639 + + -- Marc Deslauriers Wed, 23 May 2018 07:59:37 -0400 + qemu (1:2.10+dfsg-0ubuntu3.7) artful-security; urgency=medium * SECURITY UPDATE: Speculative Store Bypass diff -Nru qemu-2.10+dfsg/debian/patches/CVE-2018-3639-2.patch qemu-2.10+dfsg/debian/patches/CVE-2018-3639-2.patch --- qemu-2.10+dfsg/debian/patches/CVE-2018-3639-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.10+dfsg/debian/patches/CVE-2018-3639-2.patch 2018-05-23 11:59:26.000000000 +0000 @@ -0,0 +1,32 @@ +From 6cf7cfef30a220709a13b987fc9aca0bd3d63110 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Wed, 16 May 2018 21:37:31 -0400 +Subject: [PATCH v3 2/5] i386: define the AMD 'virt-ssbd' CPUID feature bit + (CVE-2018-3639) + +AMD Zen expose the Intel equivalant to Speculative Store Bypass Disable +via the 0x80000008_EBX[25] CPUID feature bit. + +This needs to be exposed to guest OS to allow them to protect +against CVE-2018-3639. + +Signed-off-by: Konrad Rzeszutek Wilk +--- +v2: Wrong bit position. +--- + target/i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: qemu-2.10+dfsg/target/i386/cpu.c +=================================================================== +--- qemu-2.10+dfsg.orig/target/i386/cpu.c 2018-05-18 14:18:05.354980847 -0400 ++++ qemu-2.10+dfsg/target/i386/cpu.c 2018-05-18 14:18:05.350980844 -0400 +@@ -488,7 +488,7 @@ static FeatureWordInfo feature_word_info + "ibpb", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, "virt-ssbd", NULL, NULL, + NULL, NULL, NULL, NULL, + }, + .cpuid_eax = 0x80000008, diff -Nru qemu-2.10+dfsg/debian/patches/CVE-2018-3639-3.patch qemu-2.10+dfsg/debian/patches/CVE-2018-3639-3.patch --- qemu-2.10+dfsg/debian/patches/CVE-2018-3639-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.10+dfsg/debian/patches/CVE-2018-3639-3.patch 2018-05-23 11:59:32.000000000 +0000 @@ -0,0 +1,140 @@ +Backport of: + +From 80efc2c39c6b30aa077771903e87f8636af90605 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Wed, 16 May 2018 22:27:11 -0400 +Subject: [PATCH v3 3/5] i386: Define the Virt SSBD MSR and handling of it + (CVE-2018-3639) + +"Some AMD processors only support a non-architectural means of enabling +speculative store bypass disable (SSBD). To allow a simplified view of +this to a guest, an architectural definition has been created through a new +CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a +hypervisor can virtualize the existence of this definition and provide an +architectural method for using SSBD to a guest. + +Add the new CPUID feature, the new MSR and update the existing SSBD +support to use this MSR when present." (from x86/speculation: Add virtualized +speculative store bypass disable support in Linux). + +Signed-off-by: Konrad Rzeszutek Wilk +--- + target/i386/cpu.h | 2 ++ + target/i386/kvm.c | 16 ++++++++++++++-- + target/i386/machine.c | 20 ++++++++++++++++++++ + 3 files changed, 36 insertions(+), 2 deletions(-) + +Index: qemu-2.10+dfsg/target/i386/cpu.h +=================================================================== +--- qemu-2.10+dfsg.orig/target/i386/cpu.h 2018-05-18 14:18:08.690983200 -0400 ++++ qemu-2.10+dfsg/target/i386/cpu.h 2018-05-18 14:18:08.686983198 -0400 +@@ -336,6 +336,7 @@ + #define MSR_IA32_FEATURE_CONTROL 0x0000003a + #define MSR_TSC_ADJUST 0x0000003b + #define MSR_IA32_SPEC_CTRL 0x48 ++#define MSR_VIRT_SSBD 0xc001011f + #define MSR_IA32_TSCDEADLINE 0x6e0 + + #define FEATURE_CONTROL_LOCKED (1<<0) +@@ -1089,6 +1090,7 @@ typedef struct CPUX86State { + uint32_t pkru; + + uint64_t spec_ctrl; ++ uint64_t virt_ssbd; + + /* End of state preserved by INIT (dummy marker). */ + struct {} end_init_save; +Index: qemu-2.10+dfsg/target/i386/kvm.c +=================================================================== +--- qemu-2.10+dfsg.orig/target/i386/kvm.c 2018-05-18 14:18:08.690983200 -0400 ++++ qemu-2.10+dfsg/target/i386/kvm.c 2018-05-18 14:20:49.659111727 -0400 +@@ -91,6 +91,7 @@ static bool has_msr_hv_synic; + static bool has_msr_hv_stimer; + static bool has_msr_xss; + static bool has_msr_spec_ctrl; ++static bool has_msr_virt_ssbd; + + static bool has_msr_architectural_pmu; + static uint32_t num_architectural_pmu_counters; +@@ -1102,6 +1102,10 @@ static int kvm_get_supported_msrs(KVMSta + has_msr_spec_ctrl = true; + continue; + } ++ if (kvm_msr_list->indices[i] == MSR_VIRT_SSBD) { ++ has_msr_virt_ssbd = true; ++ continue; ++ } + if (kvm_msr_list->indices[i] == MSR_IA32_TSCDEADLINE) { + has_msr_tsc_deadline = true; + continue; +@@ -1630,6 +1634,10 @@ static int kvm_put_msrs(X86CPU *cpu, int + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl); + } ++ if (has_msr_virt_ssbd) { ++ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, env->virt_ssbd); ++ } ++ + #ifdef TARGET_X86_64 + if (lm_capable_kernel) { + kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar); +@@ -2007,8 +2015,9 @@ static int kvm_get_msrs(X86CPU *cpu) + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0); + } +- +- ++ if (has_msr_virt_ssbd) { ++ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, 0); ++ } + if (!env->tsc_valid) { + kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0); + env->tsc_valid = !runstate_is_running(); +@@ -2359,6 +2368,9 @@ static int kvm_get_msrs(X86CPU *cpu) + case MSR_IA32_SPEC_CTRL: + env->spec_ctrl = msrs[i].data; + break; ++ case MSR_VIRT_SSBD: ++ env->virt_ssbd = msrs[i].data; ++ break; + } + } + +Index: qemu-2.10+dfsg/target/i386/machine.c +=================================================================== +--- qemu-2.10+dfsg.orig/target/i386/machine.c 2018-05-18 14:18:08.690983200 -0400 ++++ qemu-2.10+dfsg/target/i386/machine.c 2018-05-18 14:18:08.686983198 -0400 +@@ -837,6 +837,25 @@ static const VMStateDescription vmstate_ + } + }; + ++static bool virt_ssbd_needed(void *opaque) ++{ ++ X86CPU *cpu = opaque; ++ CPUX86State *env = &cpu->env; ++ ++ return env->virt_ssbd != 0; ++} ++ ++static const VMStateDescription vmstate_msr_virt_ssbd = { ++ .name = "cpu/virt_ssbd", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .needed = virt_ssbd_needed, ++ .fields = (VMStateField[]){ ++ VMSTATE_UINT64(env.virt_ssbd, X86CPU), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ + VMStateDescription vmstate_x86_cpu = { + .name = "cpu", + .version_id = 12, +@@ -957,6 +976,7 @@ VMStateDescription vmstate_x86_cpu = { + #endif + &vmstate_spec_ctrl, + &vmstate_mcg_ext_ctl, ++ &vmstate_msr_virt_ssbd, + NULL + } + }; diff -Nru qemu-2.10+dfsg/debian/patches/series qemu-2.10+dfsg/debian/patches/series --- qemu-2.10+dfsg/debian/patches/series 2018-05-17 14:00:24.000000000 +0000 +++ qemu-2.10+dfsg/debian/patches/series 2018-05-23 11:59:37.000000000 +0000 @@ -42,3 +42,5 @@ vhost_fix_1.patch vhost_fix_2.patch CVE-2018-3639.patch +CVE-2018-3639-2.patch +CVE-2018-3639-3.patch