diff -Nru qemu-2.5+dfsg/debian/changelog qemu-2.5+dfsg/debian/changelog --- qemu-2.5+dfsg/debian/changelog 2017-09-20 11:25:44.000000000 +0000 +++ qemu-2.5+dfsg/debian/changelog 2018-02-01 18:27:41.000000000 +0000 @@ -1,3 +1,26 @@ +qemu (1:2.5+dfsg-5ubuntu10.20) xenial-security; urgency=medium + + * SECURITY UPDATE: Add support for Spectre mitigations (LP: #1744882) + - debian/patches/CVE-2017-5715-1.patch: Lengthen X86CPUDefinition:: + model_id in target-i386/cpu.c. + - debian/patches/CVE-2017-5715-2.patch: Add support for SPEC_CTRL MSR + in target-i386/cpu.h, target-i386/kvm.c, target-i386/machine.c. + - debian/patches/CVE-2017-5715-3pre1.patch: add FEAT_7_0_ECX and + FEAT_7_0_EDX in target-i386/cpu.c, target-i386/cpu.h. + - debian/patches/CVE-2017-5715-3.patch: Add spec-ctrl CPUID bit in + target-i386/cpu.c, target-i386/cpu.h. + - debian/patches/CVE-2017-5715-4.patch: Add FEAT_8000_0008_EBX CPUID + feature word in target-i386/cpu.c, target-i386/cpu.h. + - debian/patches/CVE-2017-5715-5.patch: Add new -IBRS versions of Intel + CPU models in target-i386/cpu.c. + - debian/patches/CVE-2017-5715-s390x-1.patch: add linux-header content + for bpbc in linux-headers/asm-s390/kvm.h, linux-headers/linux/kvm.h. + - debian/patches/CVE-2017-5715-s390x-2.patch: handle bpb feature in + target-s390x/cpu.c, target-s390x/cpu.h, target-s390x/kvm.c. + - CVE-2017-5715 + + -- Marc Deslauriers Thu, 01 Feb 2018 13:27:34 -0500 + qemu (1:2.5+dfsg-5ubuntu10.16) xenial-security; urgency=medium * SECURITY REGRESSION: regression in in USB xHCI emulation (LP: #1718222) diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2017-5715-1.patch qemu-2.5+dfsg/debian/patches/CVE-2017-5715-1.patch --- qemu-2.5+dfsg/debian/patches/CVE-2017-5715-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ qemu-2.5+dfsg/debian/patches/CVE-2017-5715-1.patch 2018-01-23 16:41:14.000000000 +0000 
@@ -0,0 +1,44 @@
+Backport of:
+
+From 807e9869b8c4119b81df902625af818519e01759 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Tue, 9 Jan 2018 13:45:13 -0200
+Subject: [PATCH] i386: Change X86CPUDefinition::model_id to const char*
+
+It is valid to have a 48-character model ID on CPUID, however the
+definition of X86CPUDefinition::model_id is char[48], which can
+make the compiler drop the null terminator from the string.
+
+If a CPU model happens to have 48 bytes on model_id, "-cpu help"
+will print garbage and the object_property_set_str() call at
+x86_cpu_load_def() will read data outside the model_id array.
+
+We could increase the array size to 49, but this would mean the
+compiler would not issue a warning if a 49-char string is used by
+mistake for model_id.
+
+To make things simpler, simply change model_id to be const char*,
+and validate the string length using an assert() on
+x86_register_cpudef_type().
+
+Reported-by: "Dr. David Alan Gilbert"
+Signed-off-by: Eduardo Habkost
+Message-Id: <20180109154519.25634-2-ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost
+---
+ target/i386/cpu.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+Index: qemu-2.5+dfsg/target-i386/cpu.c
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/cpu.c 2018-01-23 08:11:00.589206587 -0500
++++ qemu-2.5+dfsg/target-i386/cpu.c 2018-01-23 08:11:39.517240875 -0500
+@@ -657,7 +657,7 @@ struct X86CPUDefinition {
+ int model;
+ int stepping;
+ FeatureWordArray features;
+- char model_id[48];
++ char model_id[49];
+ };
+
+ static X86CPUDefinition builtin_x86_defs[] = {
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2017-5715-2.patch qemu-2.5+dfsg/debian/patches/CVE-2017-5715-2.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2017-5715-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2017-5715-2.patch 2018-01-23 13:19:34.000000000 +0000
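Review bot: The backport replaces `char model_id[48]` with `char model_id[49]`, which is exactly the alternative the quoted commit message argues against: a 49-character initializer would again silently lose its terminator (C permits a string initializer that exactly fills a char array), and nothing in this hunk adds the length check upstream put in x86_register_cpudef_type(). The limit is not theoretical here, since one of the -IBRS model_id strings added later in this same update is exactly 48 characters long. If x86_register_cpudef_type() exists in this tree, add the upstream guard there, `assert(strlen(def->model_id) < sizeof(def->model_id));`, or at least annotate the field: `char model_id[49]; /* 48 chars max (CPUID brand string) plus NUL; not compiler-enforced */`. The struct and the registration function are outside this hunk.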
@@ -0,0 +1,136 @@
+Backport of:
+
+From a33a2cfe2f771b360b3422f6cdf566a560860bfc Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Tue, 9 Jan 2018 13:45:14 -0200
+Subject: [PATCH] i386: Add support for SPEC_CTRL MSR
+
+Signed-off-by: Eduardo Habkost
+Message-Id: <20180109154519.25634-3-ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost
+---
++ target/i386/cpu.h | 3 +++
+ target/i386/kvm.c | 14 ++++++++++++++
+ target/i386/machine.c | 20 ++++++++++++++++++++
+ 3 files changed, 37 insertions(+)
+
+Index: qemu-2.5+dfsg/target-i386/cpu.h
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/cpu.h 2018-01-23 08:13:32.637325154 -0500
++++ qemu-2.5+dfsg/target-i386/cpu.h 2018-01-23 08:13:32.637325154 -0500
+@@ -316,6 +316,7 @@
+ #define MSR_IA32_APICBASE_BASE (0xfffffU<<12)
+ #define MSR_IA32_FEATURE_CONTROL 0x0000003a
+ #define MSR_TSC_ADJUST 0x0000003b
++#define MSR_IA32_SPEC_CTRL 0x48
+ #define MSR_IA32_TSCDEADLINE 0x6e0
+
+ #define MSR_P6_PERFCTR0 0xc1
+@@ -905,6 +906,8 @@ typedef struct CPUX86State {
+ uint64_t pat;
+ uint32_t smbase;
+
++ uint64_t spec_ctrl;
++
+ /* End of state preserved by INIT (dummy marker. */
+ struct {} end_init_save;
+
+Index: qemu-2.5+dfsg/target-i386/kvm.c
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/kvm.c 2018-01-23 08:13:32.637325154 -0500
++++ qemu-2.5+dfsg/target-i386/kvm.c 2018-01-23 08:13:32.637325154 -0500
+@@ -88,6 +88,7 @@ static bool has_msr_hv_vpindex;
+ static bool has_msr_hv_runtime;
+ static bool has_msr_mtrr;
+ static bool has_msr_xss;
++static bool has_msr_spec_ctrl;
+
+ static bool has_msr_architectural_pmu;
+ static uint32_t num_architectural_pmu_counters;
+@@ -920,6 +921,10 @@ static int kvm_get_supported_msrs(KVMSta
+ has_msr_tsc_adjust = true;
+ continue;
+ }
++ if (kvm_msr_list->indices[i] == MSR_IA32_SPEC_CTRL) {
++ has_msr_spec_ctrl = true;
++ continue;
++ }
+ if (kvm_msr_list->indices[i] == MSR_IA32_TSCDEADLINE) {
+ has_msr_tsc_deadline = true;
+ continue;
+@@ -1433,6 +1438,9 @@ static int kvm_put_msrs(X86CPU *cpu, int
+ if (has_msr_xss) {
+ kvm_msr_entry_set(&msrs[n++], MSR_IA32_XSS, env->xss);
+ }
++ if (has_msr_spec_ctrl) {
++ kvm_msr_entry_set(&msrs[n++], MSR_IA32_SPEC_CTRL, env->spec_ctrl);
++ }
+ #ifdef TARGET_X86_64
+ if (lm_capable_kernel) {
+ kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
+@@ -1441,6 +1448,7 @@ static int kvm_put_msrs(X86CPU *cpu, int
+ kvm_msr_entry_set(&msrs[n++], MSR_LSTAR, env->lstar);
+ }
+ #endif
++
+ /*
+ * The following MSRs have side effects on the guest or are too heavy
+ * for normal writeback. Limit them to reset or full state updates.
+@@ -1817,6 +1825,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ if (has_msr_xss) {
+ msrs[n++].index = MSR_IA32_XSS;
+ }
++ if (has_msr_spec_ctrl) {
++ msrs[n++].index = MSR_IA32_SPEC_CTRL;
++ }
+
+
+ if (!env->tsc_valid) {
+@@ -2084,6 +2095,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ env->mtrr_var[MSR_MTRRphysIndex(index)].base = msrs[i].data;
+ }
+ break;
++ case MSR_IA32_SPEC_CTRL:
++ env->spec_ctrl = msrs[i].data;
++ break;
+ }
+ }
+
+Index: qemu-2.5+dfsg/target-i386/machine.c
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/machine.c 2018-01-23 08:13:32.637325154 -0500
++++ qemu-2.5+dfsg/target-i386/machine.c 2018-01-23 08:14:00.865343019 -0500
+@@ -775,6 +775,25 @@ static const VMStateDescription vmstate_
+ }
+ };
+
++static bool spec_ctrl_needed(void *opaque)
++{
++ X86CPU *cpu = opaque;
++ CPUX86State *env = &cpu->env;
++
++ return env->spec_ctrl != 0;
++}
++
++static const VMStateDescription vmstate_spec_ctrl = {
++ .name = "cpu/spec_ctrl",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .needed = spec_ctrl_needed,
++ .fields = (VMStateField[]){
++ VMSTATE_UINT64(env.spec_ctrl, X86CPU),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
+ VMStateDescription vmstate_x86_cpu = {
+ .name = "cpu",
+ .version_id = 12,
+@@ -895,6 +914,7 @@ VMStateDescription vmstate_x86_cpu = {
+ &vmstate_msr_hyperv_runtime,
+ &vmstate_avx512,
+ &vmstate_xss,
++ &vmstate_spec_ctrl,
+ NULL
+ }
+ };
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2017-5715-3.patch qemu-2.5+dfsg/debian/patches/CVE-2017-5715-3.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2017-5715-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2017-5715-3.patch 2018-01-23 13:38:59.000000000 +0000
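Review bot: The kvm.c hunk at `@@ -1441,6 +1448,7 @@` adds nothing but a blank line after `#endif` in kvm_put_msrs; it is noise in a security backport and should be dropped so the patch stays a clean subset of upstream a33a2cfe. The new `msrs[n++]` entries in kvm_put_msrs and kvm_get_msrs each grow the MSR list by one; the array those functions index is declared outside the hunk, so if it is still a fixed-size on-stack array in this tree (rather than the later kvm_msr_buf), confirm there is headroom, e.g. with `assert(n < ARRAY_SIZE(msrs));` before the new entry. The migration subsection is only emitted while `env->spec_ctrl != 0` (spec_ctrl_needed), which presumably keeps streams to an unpatched destination loadable until a guest actually programs the MSR; that is worth stating above spec_ctrl_needed, `/* Omit the subsection while the MSR is 0 so older destinations still accept the stream. */`. All of kvm_get_supported_msrs, kvm_put_msrs and kvm_get_msrs start and end outside these hunks.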
@@ -0,0 +1,42 @@
+Backport of:
+
+From a2381f0934432ef2cd47a335348ba8839632164c Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Tue, 9 Jan 2018 13:45:15 -0200
+Subject: [PATCH] i386: Add spec-ctrl CPUID bit
+
+Add the feature name and a CPUID_7_0_EDX_SPEC_CTRL macro.
+
+Signed-off-by: Eduardo Habkost
+Message-Id: <20180109154519.25634-4-ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost
+---
+ target/i386/cpu.c | 2 +-
+ target/i386/cpu.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+Index: qemu-2.5+dfsg/target-i386/cpu.c
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/cpu.c 2018-01-23 08:37:26.925477474 -0500
++++ qemu-2.5+dfsg/target-i386/cpu.c 2018-01-23 08:38:13.949660831 -0500
+@@ -274,7 +274,7 @@ static const char *cpuid_7_0_edx_feature
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++ NULL, NULL, "spec-ctrl", NULL, NULL, NULL, NULL, NULL,
+ };
+
+ static const char *cpuid_apm_edx_feature_name[] = {
+Index: qemu-2.5+dfsg/target-i386/cpu.h
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/cpu.h 2018-01-23 08:37:26.925477474 -0500
++++ qemu-2.5+dfsg/target-i386/cpu.h 2018-01-23 08:38:45.069776604 -0500
+@@ -587,6 +587,7 @@ typedef uint32_t FeatureWordArray[FEATUR
+ #define CPUID_7_0_EBX_AVX512PF (1U << 26) /* AVX-512 Prefetch */
+ #define CPUID_7_0_EBX_AVX512ER (1U << 27) /* AVX-512 Exponential and Reciprocal */
+ #define CPUID_7_0_EBX_AVX512CD (1U << 28) /* AVX-512 Conflict Detection */
++#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
+
+ #define CPUID_XSAVE_XSAVEOPT (1U << 0)
+ #define CPUID_XSAVE_XSAVEC (1U << 1)
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2017-5715-3pre1.patch qemu-2.5+dfsg/debian/patches/CVE-2017-5715-3pre1.patch
---
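Review bot: `CPUID_7_0_EDX_SPEC_CTRL` is dropped into the middle of the `CPUID_7_0_EBX_*` group in cpu.h and its comment does not say what the bit gates, so a reader of cpu.h alone cannot tell that it advertises the IA32_SPEC_CTRL MSR (IBRS) that the other patches in this update wire up. Suggest moving it below the EBX block with a blank line and writing `#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control: IA32_SPEC_CTRL MSR (IBRS) */`. The `"spec-ctrl"` name is placed at the bit-26 slot of `cpuid_7_0_edx_feature_name` (third entry of the last row of eight), which agrees with the macro. Both tables are complete within the hunk.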
qemu-2.5+dfsg/debian/patches/CVE-2017-5715-3pre1.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2017-5715-3pre1.patch 2018-01-26 18:57:34.000000000 +0000
@@ -0,0 +1,82 @@
+Description: add FEAT_7_0_ECX and FEAT_7_0_EDX for backporting reasons
+Author: Marc Deslaurers
+
+Index: qemu-2.5+dfsg/target-i386/cpu.c
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/cpu.c 2018-01-26 13:56:38.968031594 -0500
++++ qemu-2.5+dfsg/target-i386/cpu.c 2018-01-26 13:57:31.064095105 -0500
+@@ -263,6 +263,20 @@ static const char *cpuid_7_0_ebx_feature
+ "clwb", NULL, "avx512pf", "avx512er", "avx512cd", NULL, NULL, NULL,
+ };
+
++static const char *cpuid_7_0_ecx_feature_name[] = {
++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++};
++
++static const char *cpuid_7_0_edx_feature_name[] = {
++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++};
++
+ static const char *cpuid_apm_edx_feature_name[] = {
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+@@ -352,6 +366,8 @@ static const char *cpuid_6_feature_name[
+ CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2,
+ CPUID_7_0_EBX_ERMS, CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM,
+ CPUID_7_0_EBX_RDSEED */
++#define TCG_7_0_ECX_FEATURES 0
++#define TCG_7_0_EDX_FEATURES 0
+ #define TCG_APM_FEATURES 0
+ #define TCG_6_EAX_FEATURES CPUID_6_EAX_ARAT
+
+@@ -402,6 +418,20 @@ static FeatureWordInfo feature_word_info
+ .cpuid_eax = 0x8000000A, .cpuid_reg = R_EDX,
+ .tcg_features = TCG_SVM_FEATURES,
+ },
++ [FEAT_7_0_ECX] = {
++ .feat_names = cpuid_7_0_ecx_feature_name,
++ .cpuid_eax = 7,
++ .cpuid_needs_ecx = true, .cpuid_ecx = 0,
++ .cpuid_reg = R_ECX,
++ .tcg_features = TCG_7_0_ECX_FEATURES,
++ },
++ [FEAT_7_0_EDX] = {
++ .feat_names = cpuid_7_0_edx_feature_name,
++ .cpuid_eax = 7,
++ .cpuid_needs_ecx = true, .cpuid_ecx = 0,
++ .cpuid_reg = R_EDX,
++ .tcg_features = TCG_7_0_EDX_FEATURES,
++ },
+ [FEAT_7_0_EBX] = {
+ .feat_names = cpuid_7_0_ebx_feature_name,
+ .cpuid_eax = 7,
+@@ -2390,8 +2420,8 @@ void cpu_x86_cpuid(CPUX86State *env, uin
+ if (count == 0) {
+ *eax = 0; /* Maximum ECX value for sub-leaves */
+ *ebx = env->features[FEAT_7_0_EBX]; /* Feature flags */
+- *ecx = 0; /* Reserved */
+- *edx = 0; /* Reserved */
++ *ecx = env->features[FEAT_7_0_ECX]; /* Feature flags */
++ *edx = env->features[FEAT_7_0_EDX]; /* Feature flags */
+ } else {
+ *eax = 0;
+ *ebx = 0;
+Index: qemu-2.5+dfsg/target-i386/cpu.h
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/cpu.h 2018-01-26 13:56:38.968031594 -0500
++++ qemu-2.5+dfsg/target-i386/cpu.h 2018-01-26 13:56:38.968031594 -0500
+@@ -415,6 +415,8 @@ typedef enum FeatureWord {
+ FEAT_1_EDX, /* CPUID[1].EDX */
+ FEAT_1_ECX, /* CPUID[1].ECX */
+ FEAT_7_0_EBX, /* CPUID[EAX=7,ECX=0].EBX */
++ FEAT_7_0_ECX, /* CPUID[EAX=7,ECX=0].ECX */
++ FEAT_7_0_EDX, /* CPUID[EAX=7,ECX=0].EDX */
+ FEAT_8000_0001_EDX, /* CPUID[8000_0001].EDX */
+ FEAT_8000_0001_ECX, /* CPUID[8000_0001].ECX */
+ FEAT_8000_0007_EDX, /* CPUID[8000_0007].EDX */
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2017-5715-4.patch qemu-2.5+dfsg/debian/patches/CVE-2017-5715-4.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2017-5715-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2017-5715-4.patch 2018-01-26 18:58:45.000000000 +0000
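Review bot: The DEP-3 header of this hand-written shim is too thin to maintain: `Author: Marc Deslaurers` misspells the name used in the changelog signature (`Marc Deslauriers`), and there is no `Origin:` or `Forwarded:` line naming the upstream plumbing it reconstructs, so whoever rebases next cannot tell whether it can be dropped in favour of upstream's FEAT_7_0_ECX/FEAT_7_0_EDX support. Suggest `Author: Marc Deslauriers` plus `Origin: backport, partial reconstruction of upstream FEAT_7_0_ECX/FEAT_7_0_EDX feature-word plumbing` (name the upstream commit if it is known). On the code side, `FEAT_7_0_ECX` and `FEAT_7_0_EDX` are inserted in the middle of `enum FeatureWord`, which renumbers every later word; that is harmless only if nothing in this tree persists or migrates a FeatureWord index numerically, which I cannot confirm from the hunk. cpu_x86_cpuid() starts and ends outside the hunk.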
@@ -0,0 +1,85 @@
+Backport of:
+
+From 1b3420e1c4d523c49866cca4e7544753201cd43d Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Tue, 9 Jan 2018 13:45:16 -0200
+Subject: [PATCH] i386: Add FEAT_8000_0008_EBX CPUID feature word
+
+Add the new feature word and the "ibpb" feature flag.
+
+Based on a patch by Paolo Bonzini.
+
+Signed-off-by: Eduardo Habkost
+Message-Id: <20180109154519.25634-5-ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost
+---
+ target/i386/cpu.c | 19 ++++++++++++++++++-
+ target/i386/cpu.h | 3 +++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+Index: qemu-2.5+dfsg/target-i386/cpu.c
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/cpu.c 2018-01-26 13:58:43.108182602 -0500
++++ qemu-2.5+dfsg/target-i386/cpu.c 2018-01-26 13:58:43.108182602 -0500
+@@ -288,6 +288,17 @@ static const char *cpuid_apm_edx_feature
+ NULL, NULL, NULL, NULL,
+ };
+
++static const char *cpuid_8000_0008_ebx_feature_name[] =
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ "ibpb", NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++};
++
+ static const char *cpuid_xsave_feature_name[] = {
+ "xsaveopt", "xsavec", "xgetbv1", "xsaves",
+ NULL, NULL, NULL, NULL,
+@@ -446,6 +457,13 @@ static FeatureWordInfo feature_word_info
+ .tcg_features = TCG_APM_FEATURES,
+ .unmigratable_flags = CPUID_APM_INVTSC,
+ },
++ [FEAT_8000_0008_EBX] = {
++ .feat_names = cpuid_8000_0008_ebx_feature_name,
++ .cpuid_eax = 0x80000008,
++ .cpuid_reg = R_EBX,
++ .tcg_features = 0,
++ .unmigratable_flags = 0,
++ },
+ [FEAT_XSAVE] = {
+ .feat_names = cpuid_xsave_feature_name,
+ .cpuid_eax = 0xd,
+@@ -2585,7 +2603,7 @@ void cpu_x86_cpuid(CPUX86State *env, uin
+ *eax = 0x00000020; /* 32 bits physical */
+ }
+ }
+- *ebx = 0;
++ *ebx = env->features[FEAT_8000_0008_EBX];
+ *ecx = 0;
+ *edx = 0;
+ if (cs->nr_cores * cs->nr_threads > 1) {
+Index: qemu-2.5+dfsg/target-i386/cpu.h
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/cpu.h 2018-01-26 13:58:43.108182602 -0500
++++ qemu-2.5+dfsg/target-i386/cpu.h 2018-01-26 13:58:43.108182602 -0500
+@@ -420,6 +420,7 @@ typedef enum FeatureWord {
+ FEAT_8000_0001_EDX, /* CPUID[8000_0001].EDX */
+ FEAT_8000_0001_ECX, /* CPUID[8000_0001].ECX */
+ FEAT_8000_0007_EDX, /* CPUID[8000_0007].EDX */
++ FEAT_8000_0008_EBX, /* CPUID[8000_0008].EBX */
+ FEAT_C000_0001_EDX, /* CPUID[C000_0001].EDX */
+ FEAT_KVM, /* CPUID[4000_0001].EAX (KVM_CPUID_FEATURES) */
+ FEAT_SVM, /* CPUID[8000_000A].EDX */
+@@ -589,6 +590,8 @@ typedef uint32_t FeatureWordArray[FEATUR
+ #define CPUID_7_0_EBX_AVX512CD (1U << 28) /* AVX-512 Conflict Detection */
+ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
+
++#define CPUID_8000_0008_EBX_IBPB (1U << 12) /* Indirect Branch Prediction Barrier */
++
+ #define CPUID_XSAVE_XSAVEOPT (1U << 0)
+ #define CPUID_XSAVE_XSAVEC (1U << 1)
+ #define CPUID_XSAVE_XGETBV1 (1U << 2)
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2017-5715-5.patch qemu-2.5+dfsg/debian/patches/CVE-2017-5715-5.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2017-5715-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2017-5715-5.patch 2018-01-26 18:58:49.000000000 +0000
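Review bot: The `[FEAT_8000_0008_EBX]` entry hard-codes `.tcg_features = 0` and a redundant `.unmigratable_flags = 0`, while every neighbouring word uses a named macro (`TCG_APM_FEATURES` here, and `TCG_7_0_ECX_FEATURES`/`TCG_7_0_EDX_FEATURES` introduced by the 3pre1 patch in this same update); for consistency define `#define TCG_8000_0008_EBX_FEATURES 0` next to those, use it as `.tcg_features = TCG_8000_0008_EBX_FEATURES,` and drop the `.unmigratable_flags` line, which designated initialization already zeroes. The `"ibpb"` name sits at index 12 of `cpuid_8000_0008_ebx_feature_name`, which agrees with `CPUID_8000_0008_EBX_IBPB (1U << 12)`. None of the -IBRS models added later in this update set that bit, so `ibpb` is presumably only reachable as an explicit `-cpu ...,+ibpb` flag; a short comment on the define saying it is exposed by name only would save the next reader a search. feature_word_info[] and cpu_x86_cpuid() both start and end outside the hunks.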
@@ -0,0 +1,367 @@
+Backport of:
+
+From ac96c41354b7e4c70b756342d9b686e31ab87458 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Tue, 9 Jan 2018 13:45:17 -0200
+Subject: [PATCH] i386: Add new -IBRS versions of Intel CPU models
+
+The new MSR IA32_SPEC_CTRL MSR was introduced by a recent Intel
+microcode updated and can be used by OSes to mitigate
+CVE-2017-5715. Unfortunately we can't change the existing CPU
+models without breaking existing setups, so users need to
+explicitly update their VM configuration to use the new *-IBRS
+CPU model if they want to expose IBRS to guests.
+
+The new CPU models are simple copies of the existing CPU models,
+with just CPUID_7_0_EDX_SPEC_CTRL added and model_id updated.
+
+Cc: Jiri Denemark
+Signed-off-by: Eduardo Habkost
+Message-Id: <20180109154519.25634-6-ehabkost@redhat.com>
+Signed-off-by: Eduardo Habkost
+---
+ target/i386/cpu.c | 379 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 378 insertions(+), 1 deletion(-)
+
+Index: qemu-2.5+dfsg/target-i386/cpu.c
+===================================================================
+--- qemu-2.5+dfsg.orig/target-i386/cpu.c 2018-01-26 13:58:47.104187445 -0500
++++ qemu-2.5+dfsg/target-i386/cpu.c 2018-01-26 13:58:47.104187445 -0500
+@@ -1014,6 +1014,31 @@ static X86CPUDefinition builtin_x86_defs
+ .model_id = "Intel Core i7 9xx (Nehalem Class Core i7)",
+ },
+ {
++ .name = "Nehalem-IBRS",
++ .level = 11,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 26,
++ .stepping = 3,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_POPCNT | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_SSE3,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core i7 9xx (Nehalem Core i7, IBRS update)",
++ },
++ {
+ .name = "Westmere",
+ .level = 11,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1040,6 +1065,34 @@ static X86CPUDefinition builtin_x86_defs
+ .model_id = "Westmere E56xx/L56xx/X56xx (Nehalem-C)",
+ },
+ {
++ .name = "Westmere-IBRS",
++ .level = 11,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 44,
++ .stepping = 1,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AES | CPUID_EXT_POPCNT | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_6_EAX] =
++ CPUID_6_EAX_ARAT,
++ .xlevel = 0x80000008,
++ .model_id = "Westmere E56xx/L56xx/X56xx (IBRS update)",
++ },
++ {
+ .name = "SandyBridge",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1071,6 +1124,39 @@ static X86CPUDefinition builtin_x86_defs
+ .model_id = "Intel Xeon E312xx (Sandy Bridge)",
+ },
+ {
++ .name = "SandyBridge-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 42,
++ .stepping = 1,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
++ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
++ CPUID_EXT_SSE3,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .features[FEAT_6_EAX] =
++ CPUID_6_EAX_ARAT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Xeon E312xx (Sandy Bridge, IBRS update)",
++ },
++ {
+ .name = "IvyBridge",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1105,6 +1191,42 @@ static X86CPUDefinition builtin_x86_defs
+ .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)",
+ },
+ {
++ .name = "IvyBridge-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 58,
++ .stepping = 9,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
++ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
++ CPUID_EXT_SSE3 | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_ERMS,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .features[FEAT_6_EAX] =
++ CPUID_6_EAX_ARAT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS)",
++ },
++ {
+ .name = "Haswell-noTSX",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1139,7 +1261,46 @@ static X86CPUDefinition builtin_x86_defs
+ CPUID_6_EAX_ARAT,
+ .xlevel = 0x80000008,
+ .model_id = "Intel Core Processor (Haswell, no TSX)",
+- }, {
++ },
++ {
++ .name = "Haswell-noTSX-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 60,
++ .stepping = 1,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .features[FEAT_6_EAX] =
++ CPUID_6_EAX_ARAT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Haswell, no TSX, IBRS)",
++ },
++ {
+ .name = "Haswell",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1177,6 +1338,45 @@ static X86CPUDefinition builtin_x86_defs
+ .model_id = "Intel Core Processor (Haswell)",
+ },
+ {
++ .name = "Haswell-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 60,
++ .stepping = 1,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++ CPUID_7_0_EBX_RTM,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .features[FEAT_6_EAX] =
++ CPUID_6_EAX_ARAT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Haswell, IBRS)",
++ },
++ {
+ .name = "Broadwell-noTSX",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1215,6 +1415,46 @@ static X86CPUDefinition builtin_x86_defs
+ .model_id = "Intel Core Processor (Broadwell, no TSX)",
+ },
+ {
++ .name = "Broadwell-noTSX-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 61,
++ .stepping = 2,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++ CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
++ CPUID_7_0_EBX_SMAP,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .features[FEAT_6_EAX] =
++ CPUID_6_EAX_ARAT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Broadwell, no TSX, IBRS)",
++ },
++ {
+ .name = "Broadwell",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1253,6 +1493,46 @@ static X86CPUDefinition builtin_x86_defs
+ .model_id = "Intel Core Processor (Broadwell)",
+ },
+ {
++ .name = "Broadwell-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 61,
++ .stepping = 2,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
++ CPUID_7_0_EBX_SMAP,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .features[FEAT_6_EAX] =
++ CPUID_6_EAX_ARAT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Broadwell, IBRS)",
++ },
++ {
+ .name = "Opteron_G1",
+ .level = 5,
+ .vendor = CPUID_VENDOR_AMD,
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2017-5715-s390x-1.patch qemu-2.5+dfsg/debian/patches/CVE-2017-5715-s390x-1.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2017-5715-s390x-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2017-5715-s390x-1.patch 2018-01-30 15:22:46.000000000 +0000
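Review bot: The model_id strings are inconsistent across the new entries, Nehalem, Westmere and SandyBridge ending in `IBRS update)` while IvyBridge, Haswell and Broadwell end in `IBRS)`, and the Nehalem one, `"Intel Core i7 9xx (Nehalem Core i7, IBRS update)"`, is exactly 48 characters, the most the widened `model_id[49]` can hold with its terminator. Because model_id is guest-visible via CPUID, it presumably has to match upstream byte for byte for cross-version migration, so if these are upstream's strings keep them but put a marker on the first one: `/* model_id must stay <= 48 chars; the compiler will not warn if it overflows */`. The retained diffstat `378 insertions(+), 1 deletion(-)` is upstream's and overstates this backport, which adds eight models and roughly 280 lines; trimming it avoids misleading the next rebase. Every hunk is inside builtin_x86_defs[], which starts and ends outside the patch.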
@@ -0,0 +1,47 @@
+From 2b5da606042dd21890e044e9749b43952315856d Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger
+Date: Wed, 17 Jan 2018 13:47:14 +0100
+Subject: [PATCH v3 1/3] header sync
+
+add linux-header content for bpbc
+
+Signed-off-by: Christian Borntraeger
+---
+ linux-headers/asm-s390/kvm.h | 4 ++++
+ linux-headers/linux/kvm.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+Index: qemu-2.5+dfsg/linux-headers/asm-s390/kvm.h
+===================================================================
+--- qemu-2.5+dfsg.orig/linux-headers/asm-s390/kvm.h
++++ qemu-2.5+dfsg/linux-headers/asm-s390/kvm.h
+@@ -151,6 +151,7 @@ struct kvm_guest_debug_arch {
+ #define KVM_SYNC_ARCH0 (1UL << 4)
+ #define KVM_SYNC_PFAULT (1UL << 5)
+ #define KVM_SYNC_VRS (1UL << 6)
++#define KVM_SYNC_BPBC (1UL << 10)
+ /* definition of registers in kvm_run */
+ struct kvm_sync_regs {
+ __u64 prefix; /* prefix register */
+@@ -168,6 +169,9 @@ struct kvm_sync_regs {
+ __u64 vrs[32][2]; /* vector registers */
+ __u8 reserved[512]; /* for future vector expansion */
+ __u32 fpc; /* only valid with vector registers */
++ __u8 bpbc : 1; /* bp mode */
++ __u8 reserved2 : 7;
++ __u8 padding1[51]; /* riccb needs to be 64byte aligned */
+ };
+
+ #define KVM_REG_S390_TODPR (KVM_REG_S390 | KVM_REG_SIZE_U32 | 0x1)
+Index: qemu-2.5+dfsg/linux-headers/linux/kvm.h
+===================================================================
+--- qemu-2.5+dfsg.orig/linux-headers/linux/kvm.h
++++ qemu-2.5+dfsg/linux-headers/linux/kvm.h
+@@ -831,6 +831,7 @@ struct kvm_ppc_smmu_info {
+ #define KVM_CAP_GUEST_DEBUG_HW_WPS 120
+ #define KVM_CAP_SPLIT_IRQCHIP 121
+ #define KVM_CAP_IOEVENTFD_ANY_LENGTH 122
++#define KVM_CAP_S390_BPB 152
+
+ #ifdef KVM_CAP_IRQ_ROUTING
+
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2017-5715-s390x-2.patch qemu-2.5+dfsg/debian/patches/CVE-2017-5715-s390x-2.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2017-5715-s390x-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ 
qemu-2.5+dfsg/debian/patches/CVE-2017-5715-s390x-2.patch 2018-01-30 15:23:03.000000000 +0000 
@@ -0,0 +1,71 @@
+From 068c92ebd09ce505ba1785da706e557f1294156a Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger
+Date: Fri, 12 Jan 2018 17:34:47 +0100
+Subject: [PATCH v3 2/3] s390x/kvm: Handle bpb feature
+
+We need to handle the bpb control on reset. Normally
+stfle.82 is transparent (and the normal guest part works without
+hypervisor activity), but we need to handle it on reset
+to properly allow an admin to use nobp=0 after reboot.
+As we have no CPU model we do not migrate the state. This is
+ok as the guest kernel will update the flags really quick when
+the feature is in use.
+
+Signed-off-by: Christian Borntraeger
+---
+ target-s390x/cpu.c | 1 +
+ target-s390x/cpu.h | 1 +
+ target-s390x/kvm.c | 9 +++++++++
+ 3 files changed, 11 insertions(+)
+
+Index: qemu-2.5+dfsg/target-s390x/cpu.c
+===================================================================
+--- qemu-2.5+dfsg.orig/target-s390x/cpu.c 2018-01-30 10:23:00.161551819 -0500
++++ qemu-2.5+dfsg/target-s390x/cpu.c 2018-01-30 10:23:00.145551800 -0500
+@@ -95,6 +95,7 @@ static void s390_cpu_reset(CPUState *s)
+ CPUS390XState *env = &cpu->env;
+
+ env->pfault_token = -1UL;
++ env->bpbc = false;
+ scc->parent_reset(s);
+ cpu->env.sigp_order = 0;
+ s390_cpu_set_state(CPU_STATE_STOPPED, cpu);
+Index: qemu-2.5+dfsg/target-s390x/cpu.h
+===================================================================
+--- qemu-2.5+dfsg.orig/target-s390x/cpu.h 2018-01-30 10:23:00.161551819 -0500
++++ qemu-2.5+dfsg/target-s390x/cpu.h 2018-01-30 10:23:00.145551800 -0500
+@@ -90,6 +90,7 @@ typedef struct CPUS390XState {
+
+ uint32_t fpc; /* floating-point control register */
+ uint32_t cc_op;
++ bool bpbc; /* branch prediction blocking */
+
+ float_status fpu_status; /* passed to softfloat lib */
+
+Index: qemu-2.5+dfsg/target-s390x/kvm.c
+===================================================================
+--- qemu-2.5+dfsg.orig/target-s390x/kvm.c 2018-01-30 10:23:00.161551819 -0500
++++ qemu-2.5+dfsg/target-s390x/kvm.c 
2018-01-30 10:23:00.145551800 -0500
+@@ -420,6 +420,11 @@ int kvm_arch_put_registers(CPUState *cs,
+ }
+ }
+
++ if (can_sync_regs(cs, KVM_SYNC_BPBC)) {
++ cs->kvm_run->s.regs.bpbc = env->bpbc;
++ cs->kvm_run->kvm_dirty_regs |= KVM_SYNC_BPBC;
++ }
++
+ /* Finally the prefix */
+ if (can_sync_regs(cs, KVM_SYNC_PREFIX)) {
+ cs->kvm_run->s.regs.prefix = env->psa;
+@@ -517,6 +522,10 @@ int kvm_arch_get_registers(CPUState *cs)
+ kvm_get_one_reg(cs, KVM_REG_S390_PP, &env->pp);
+ }
+
++ if (can_sync_regs(cs, KVM_SYNC_BPBC)) {
++ env->bpbc = cs->kvm_run->s.regs.bpbc;
++ }
++
+ /* pfault parameters */
+ if (can_sync_regs(cs, KVM_SYNC_PFAULT)) {
+ env->pfault_token = cs->kvm_run->s.regs.pft;
diff -Nru qemu-2.5+dfsg/debian/patches/series qemu-2.5+dfsg/debian/patches/series
--- qemu-2.5+dfsg/debian/patches/series 2017-09-20 11:24:53.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/series 2018-01-30 15:22:58.000000000 +0000
@@ -208,3 +208,12 @@
 CVE-2017-11434.patch
 CVE-2017-12809.patch
 CVE-2017-9375-regression.patch
+CVE-2017-5715-1.patch
+CVE-2017-5715-2.patch
+CVE-2017-5715-3pre1.patch
+CVE-2017-5715-3.patch
+
+CVE-2017-5715-4.patch
+CVE-2017-5715-5.patch
+CVE-2017-5715-s390x-1.patch
+CVE-2017-5715-s390x-2.patch
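Review bot: The new `bool bpbc` field added to CPUS390XState in the cpu.h hunk carries no migration state (the patch touches only cpu.c, cpu.h and kvm.c, and its message says the value is deliberately not migrated), so on a destination host kvm_arch_put_registers pushes the reset value `false` into `kvm_run->s.regs.bpbc` until the guest kernel rewrites it; that is an accepted window, but the field comment should record it so nobody later assumes the flag survives migration, e.g. `bool bpbc; /* branch prediction blocking; intentionally not migrated, guest re-sets it */`. The put/get hunks touch the register only when `can_sync_regs(cs, KVM_SYNC_BPBC)` holds, which keeps older kernels unaffected, and s390_cpu_reset clears `env->bpbc` before `scc->parent_reset(s)`, matching the stated intent of restoring the default on reboot. Both kvm_arch_put_registers and kvm_arch_get_registers begin and end outside their hunks, so the placement of the new blocks relative to the rest of the sync sequence cannot be checked here.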
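Review bot: The series hunk inserts an empty line between `CVE-2017-5715-3.patch` and `CVE-2017-5715-4.patch`; quilt skips blank lines, so the patch order is unaffected, but the rest of the visible list has no such gap and it reads as an accidental leftover. Drop the empty `+` line so the new CVE-2017-5715 entries form one contiguous group.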