From c0096a08f97d9a51a9527f51c74d54df76c4ca4d Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 18 Sep 2019 21:33:40 +0200 Subject: [PATCH] [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902) --- debian/changelog | 1 + ...ix-up-botched-merge-of-spectrev1-fix.patch | 44 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 46 insertions(+) create mode 100644 debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch diff --git a/debian/changelog b/debian/changelog index f76431682..5dde8228e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,7 @@ linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * vhost: make sure log_num < in_num (CVE-2019-14835) + * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902) -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200 diff --git a/debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch b/debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch new file mode 100644 index 000000000..b9daadb14 --- /dev/null +++ b/debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch 
@@ -0,0 +1,44 @@
+From: Greg Kroah-Hartman
+Date: Wed, 4 Sep 2019 12:27:18 +0200
+Subject: x86/ptrace: fix up botched merge of spectrev1 fix
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=69f692bb7e684592aaba779299bc576626d414b4
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15902
+
+I incorrectly merged commit 31a2fbb390fe ("x86/ptrace: Fix possible
+spectre-v1 in ptrace_get_debugreg()") when backporting it, as was
+graciously pointed out at
+https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
+
+Resolve the upstream difference with the stable kernel merge to properly
+protect things.
+
+Reported-by: Brad Spengler
+Cc: Dianzhang Chen
+Cc: Thomas Gleixner
+Cc:
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/ptrace.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
+index 8d20fb09722c..7f377f8792aa 100644
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -651,11 +651,10 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
+ {
+ struct thread_struct *thread = &tsk->thread;
+ unsigned long val = 0;
+- int index = n;
+
+ if (n < HBP_NUM) {
++ int index = array_index_nospec(n, HBP_NUM);
+ struct perf_event *bp = thread->ptrace_bps[index];
+- index = array_index_nospec(index, HBP_NUM);
+
+ if (bp)
+ val = bp->hw.info.address;
+--
+2.23.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 7137208d9..2108173e4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
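Review bot: Nothing in the patched `ptrace_get_debugreg()` records that `array_index_nospec()` has to run before `thread->ptrace_bps[index]` is read, and that ordering is precisely what the earlier backport got wrong. A one-line comment above the new declaration would make the constraint visible to the next person resolving a merge here, for example `/* Clamp n before it indexes ptrace_bps[]; the load must use the sanitised value. */`. Separately, `n` is a signed `int` and the visible guard `if (n < HBP_NUM)` has no lower bound; the callers are not part of this hunk, so it is worth confirming that they never pass a negative register number. The function body continues past the end of the embedded hunk.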
@@ -165,6 +165,7 @@ bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch bugfix/all/vhost-make-sure-log_num-in_num.patch +bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch