[main] Update kernel to 5.15.18.1; Address several kernel CVES (#2104)

* Address CVES CVE-2010-0309 CVE-2018-1000026 CVE-2018-16880 CVE-2019-3016 CVE-2019-3819 CVE-2019-3887 CVE-2020-25672 CVE-2021-3564 CVE-2021-45095 CVE-2021-45469 CVE-2021-45480 * bump release * correct nopatch justification * swap patches to nopatches * update kernel to 5.15.18.1 * update rt config version * kernel-rt sig * handle manifest divergence * cm1 --> cm2 * remove redundant patch (upstreamed between 15.2 and 15.18) * condense changelog entries * finish removing 0002-add-linux-syscall...patch * finish removing 0002-add-linux...patch * fix config diff * combine changelog entries
2022-02-14 09:34:50 -08:00 · 2022-02-14 09:34:50 -08:00 · b82585af98
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.15.2.1
-Release:        5%{?dist}
+Version:        5.15.18.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %exclude /module_info.ld

 %changelog
+* Mon Feb 07 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.18.1-1
+- Update source to 5.15.18.1
+
 * Thu Feb 03 2022 Henry Li <lihl@microsoft.com> - 5.15.2.1-5
 - Bump release number to match kernel release

--- a/SPECS/hyperv-daemons/0002-add-linux-syscall-license-info.patch
+++ b/SPECS/hyperv-daemons/0002-add-linux-syscall-license-info.patch
@ -1,22 +0,0 @@
-From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001
-From: Rachel <rachelmenge@microsoft.com>
-Date: Tue, 9 Nov 2021 12:21:01 -0500
-Subject: [PATCH] Add license info
-
---
- include/uapi/misc/d3dkmthk.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h
-index e752fd5c87d0..bf4fc7228bac 100644
--- a/include/uapi/misc/d3dkmthk.h
-+++ b/include/uapi/misc/d3dkmthk.h
-@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
- 
- /*
-  * Copyright (c) 2019, Microsoft Corporation.
-- 
-2.17.1
-
--- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
+++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
@ -7,6 +7,6 @@
  "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1",
  "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
  "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-  "kernel-5.15.2.1.tar.gz": "4af6adf37dee2281d56abd55195dd71a975e658eabb884b26c79e40338cdfca6"
+  "kernel-5.15.18.1.tar.gz": "58d148df0da4e9c095b8cd1cefac5669c04af700c7c5fa6bc3cc2a97b60a17c3"
 }
 }
--- a/SPECS/hyperv-daemons/hyperv-daemons.spec
+++ b/SPECS/hyperv-daemons/hyperv-daemons.spec
@ -8,7 +8,7 @@
 %global udev_prefix 70
 Summary:        Hyper-V daemons suite
 Name:           hyperv-daemons
-Version:        5.15.2.1
+Version:        5.15.18.1
 Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
@ -27,7 +27,6 @@ Source102:      hypervvss.rules
 # HYPERV FCOPY DAEMON
 Source201:      hypervfcopyd.service
 Source202:      hypervfcopy.rules
-Patch0:         0002-add-linux-syscall-license-info.patch
 BuildRequires:  gcc
 Requires:       hypervfcopyd = %{version}-%{release}
 Requires:       hypervkvpd = %{version}-%{release}
@ -105,7 +104,6 @@ Contains tools and scripts useful for Hyper-V guests.

 %prep
 %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
-%patch0 -p1

 %build
 pushd tools/hv
@ -221,6 +219,9 @@ fi
 %{_sbindir}/lsvmbus

 %changelog
+* Mon Feb 07 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.18.1-1
+- Update source to 5.15.18.1
+
 * Thu Jan 06 2022 Rachel Menge <rachelmenge@microsoft.com> - 5.15.2.1-1
 - Update source to 5.15.2.1

--- a/SPECS/kernel-headers/0002-add-linux-syscall-license-info.patch
+++ b/SPECS/kernel-headers/0002-add-linux-syscall-license-info.patch
@ -1,22 +0,0 @@
-From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001
-From: Rachel <rachelmenge@microsoft.com>
-Date: Tue, 9 Nov 2021 12:21:01 -0500
-Subject: [PATCH] Add license info
-
---
- include/uapi/misc/d3dkmthk.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h
-index e752fd5c87d0..bf4fc7228bac 100644
--- a/include/uapi/misc/d3dkmthk.h
-+++ b/include/uapi/misc/d3dkmthk.h
-@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
- 
- /*
-  * Copyright (c) 2019, Microsoft Corporation.
-- 
-2.17.1
-
--- a/SPECS/kernel-headers/kernel-headers.signatures.json
+++ b/SPECS/kernel-headers/kernel-headers.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
-  "kernel-5.15.2.1.tar.gz": "4af6adf37dee2281d56abd55195dd71a975e658eabb884b26c79e40338cdfca6"
+  "kernel-5.15.18.1.tar.gz": "58d148df0da4e9c095b8cd1cefac5669c04af700c7c5fa6bc3cc2a97b60a17c3"
 }
 }
--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@ -1,7 +1,7 @@
 Summary:        Linux API header files
 Name:           kernel-headers
-Version:        5.15.2.1
-Release:        5%{?dist}
+Version:        5.15.18.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -9,7 +9,6 @@ Group:          System Environment/Kernel
 URL:            https://github.com/microsoft/CBL-Mariner-Linux-Kernel
 #Source0:       https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/%%{version}.tar.gz
 Source0:        kernel-%{version}.tar.gz
-Patch0:         0002-add-linux-syscall-license-info.patch
 # Historical name shipped by other distros
 Provides:       glibc-kernheaders = %{version}-%{release}
 BuildArch:      noarch
@ -19,7 +18,6 @@ The Linux API Headers expose the kernel's API for use by Glibc.

 %prep
 %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
-%patch0 -p1

 %build
 make mrproper
@ -39,6 +37,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 %{_includedir}/*

 %changelog
+* Mon Feb 07 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.18.1-1
+- Update source to 5.15.18.1
+
 * Thu Feb 03 2022 Henry Li <lihl@microsoft.com> - 5.15.2.1-5
 - Bump release number to match kernel release

--- a/SPECS/kernel-hyperv/0002-add-linux-syscall-license-info.patch
+++ b/SPECS/kernel-hyperv/0002-add-linux-syscall-license-info.patch
@ -1,22 +0,0 @@
-From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001
-From: Rachel <rachelmenge@microsoft.com>
-Date: Tue, 9 Nov 2021 12:21:01 -0500
-Subject: [PATCH] Add license info
-
---
- include/uapi/misc/d3dkmthk.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h
-index e752fd5c87d0..bf4fc7228bac 100644
--- a/include/uapi/misc/d3dkmthk.h
-+++ b/include/uapi/misc/d3dkmthk.h
-@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
- 
- /*
-  * Copyright (c) 2019, Microsoft Corporation.
-- 
-2.17.1
-
--- a/SPECS/kernel-hyperv/config
+++ b/SPECS/kernel-hyperv/config
@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.2.1 Kernel Configuration
+# Linux/x86_64 5.15.18.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@ -5721,7 +5721,6 @@ CONFIG_MXM_WMI=m
 # CONFIG_SENSORS_HDAPS is not set
 # CONFIG_THINKPAD_ACPI is not set
 # CONFIG_THINKPAD_LMI is not set
-CONFIG_X86_PLATFORM_DRIVERS_INTEL=y
 # CONFIG_INTEL_ATOMISP2_PM is not set
 # CONFIG_INTEL_SAR_INT1092 is not set
 # CONFIG_INTEL_PMC_CORE is not set
@ -6544,6 +6543,7 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_PMSG is not set
 # CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
+# CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
 # CONFIG_UFS_FS is not set
 # CONFIG_EROFS_FS is not set
--- a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json
+++ b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json
@ -1,8 +1,8 @@
 {
 "Signatures": {
  "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-  "config": "6768df3a43545b994fc42ca1ad565a03f2c7b0601c3dccb3df3b70e46d360181",
-  "kernel-5.15.2.1.tar.gz": "4af6adf37dee2281d56abd55195dd71a975e658eabb884b26c79e40338cdfca6",
+  "config": "a0de6ad29cbff6e3de101a53f13e6823d3692f409eb963958de7f4561861fb8d",
+  "kernel-5.15.18.1.tar.gz": "58d148df0da4e9c095b8cd1cefac5669c04af700c7c5fa6bc3cc2a97b60a17c3",
  "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
 }
 }
--- a/SPECS/kernel-hyperv/kernel-hyperv.spec
+++ b/SPECS/kernel-hyperv/kernel-hyperv.spec
@ -3,8 +3,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Linux Kernel optimized for Hyper-V
 Name:           kernel-hyperv
-Version:        5.15.2.1
-Release:        5%{?dist}
+Version:        5.15.18.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -15,7 +15,6 @@ Source0:        kernel-%{version}.tar.gz
 Source1:        config
 Source2:        sha512hmac-openssl.sh
 Source3:        cbl-mariner-ca-20211013.pem
-Patch0:         0002-add-linux-syscall-license-info.patch
 BuildRequires:  audit-devel
 BuildRequires:  bash
 BuildRequires:  bc
@ -85,7 +84,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %prep
 %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
-%patch0 -p1

 %build
 make mrproper
@ -256,6 +254,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_includedir}/perf/perf_dlfilter.h

 %changelog
+* Mon Feb 07 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.18.1-1
+- Update source to 5.15.18.1
+
 * Thu Feb 03 2022 Henry Li <lihl@microsoft.com> - 5.15.2.1-5
 - Enable CONFIG_X86_SGX and CONFIG_X86_SGX_KVM

--- a/SPECS/kernel-rt/0002-add-linux-syscall-license-info.patch
+++ b/SPECS/kernel-rt/0002-add-linux-syscall-license-info.patch
@ -1,22 +0,0 @@
-From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001
-From: Rachel <rachelmenge@microsoft.com>
-Date: Tue, 9 Nov 2021 12:21:01 -0500
-Subject: [PATCH] Add license info
-
---
- include/uapi/misc/d3dkmthk.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h
-index e752fd5c87d0..bf4fc7228bac 100644
--- a/include/uapi/misc/d3dkmthk.h
-+++ b/include/uapi/misc/d3dkmthk.h
-@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
- 
- /*
-  * Copyright (c) 2019, Microsoft Corporation.
-- 
-2.17.1
-
--- a/SPECS/kernel-rt/config
+++ b/SPECS/kernel-rt/config
@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.2.1 Kernel Configuration
+# Linux/x86_64 5.15.18.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@ -5729,7 +5729,6 @@ CONFIG_MXM_WMI=m
 # CONFIG_SENSORS_HDAPS is not set
 # CONFIG_THINKPAD_ACPI is not set
 # CONFIG_THINKPAD_LMI is not set
-CONFIG_X86_PLATFORM_DRIVERS_INTEL=y
 # CONFIG_INTEL_ATOMISP2_PM is not set
 # CONFIG_INTEL_SAR_INT1092 is not set
 # CONFIG_INTEL_PMC_CORE is not set
@ -6547,6 +6546,7 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_PMSG is not set
 # CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
+# CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
 # CONFIG_UFS_FS is not set
 # CONFIG_EROFS_FS is not set
--- a/SPECS/kernel-rt/kernel-rt.signatures.json
+++ b/SPECS/kernel-rt/kernel-rt.signatures.json
@ -1,8 +1,8 @@
 {
 "Signatures": {
  "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-  "config": "f9a1999f5f2bcf9a5fd37f1c1fbf417900e87dbad3690ae041fbf8faa19019ee",
-  "kernel-5.15.2.1.tar.gz": "4af6adf37dee2281d56abd55195dd71a975e658eabb884b26c79e40338cdfca6",
+  "config": "986612ea8d9fb9e1874147485b973a60688804fba93435ea63ea23bf754eadc2",
+  "kernel-5.15.18.1.tar.gz": "58d148df0da4e9c095b8cd1cefac5669c04af700c7c5fa6bc3cc2a97b60a17c3",
  "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
 }
 }
--- a/SPECS/kernel-rt/kernel-rt.spec
+++ b/SPECS/kernel-rt/kernel-rt.spec
@ -1,10 +1,10 @@
 %global security_hardening none
 %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
-%define uname_r %{version}-rt20-%{release}
+%define uname_r %{version}-rt28-%{release}
 Summary:        Realtime Linux Kernel
 Name:           kernel-rt
-Version:        5.15.2.1
-Release:        4%{?dist}
+Version:        5.15.18.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -15,8 +15,7 @@ Source0:        kernel-%{version}.tar.gz
 Source1:        config
 Source2:        sha512hmac-openssl.sh
 Source3:        cbl-mariner-ca-20211013.pem
-Patch1:         0002-add-linux-syscall-license-info.patch
-Patch2:         0003-realtime20.patch
+Patch0:         patch-5.15.18-rt28.patch
 # Kernel CVEs are addressed by moving to a newer version of the stable kernel.
 # Since kernel CVEs are filed against the upstream kernel version and not the
 # stable kernel version, our automated tooling will still flag the CVE as not
@ -131,8 +130,7 @@ manipulation of eBPF programs and maps.

 %prep
 %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
-%patch1 -p1
-%patch2 -p1
+%patch0 -p1

 %build
 make mrproper
@ -346,6 +344,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool

 %changelog
+* Mon Feb 07 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.18.1-1
+- Update source to 5.15.18.1
+
 * Thu Feb 03 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.2.1-4
 - Bump release number to match kernel release

--- a/SPECS/kernel-rt/patch-5.15.18-rt28.patch
+++ b/SPECS/kernel-rt/patch-5.15.18-rt28.patch
--- a/SPECS/kernel/0002-add-linux-syscall-license-info.patch
+++ b/SPECS/kernel/0002-add-linux-syscall-license-info.patch
@ -1,22 +0,0 @@
-From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001
-From: Rachel <rachelmenge@microsoft.com>
-Date: Tue, 9 Nov 2021 12:21:01 -0500
-Subject: [PATCH] Add license info
-
---
- include/uapi/misc/d3dkmthk.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h
-index e752fd5c87d0..bf4fc7228bac 100644
--- a/include/uapi/misc/d3dkmthk.h
-+++ b/include/uapi/misc/d3dkmthk.h
-@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
- 
- /*
-  * Copyright (c) 2019, Microsoft Corporation.
-- 
-2.17.1
-
--- a/SPECS/kernel/CVE-2010-0309.nopatch
+++ b/SPECS/kernel/CVE-2010-0309.nopatch
@ -0,0 +1,3 @@
+CVE-2010-0309 - already patched in 5.15.2.1 stable kernel
+Upstream: ee73f656a604d5aa9df86a97102e4e462dd79924
+Stable: ee73f656a604d5aa9df86a97102e4e462dd79924
--- a/SPECS/kernel/CVE-2018-1000026.nopatch
+++ b/SPECS/kernel/CVE-2018-1000026.nopatch
@ -0,0 +1,6 @@
+CVE-2018-1000026 - already patched in 5.15.18.1 stable kernel
+Upstream: 2b16f048729bf35e6c28a40cbfad07239f9dcd90
+Stable:  2b16f048729bf35e6c28a40cbfad07239f9dcd9
+
+Upstream: 8914a595110a6eca69a5e275b323f5d09e18f4f9
+Stable:   8914a595110a6eca69a5e275b323f5d09e18f4f9
--- a/SPECS/kernel/CVE-2018-16880.nopatch
+++ b/SPECS/kernel/CVE-2018-16880.nopatch
@ -0,0 +1,3 @@
+CVE-2018-16880 - already patched in 5.15.18.1 stable kernel
+Upstream: b46a0bf78ad7b150ef5910da83859f7f5a514ffd
+Stable: b46a0bf78ad7b150ef5910da83859f7f5a514ffd
--- a/SPECS/kernel/CVE-2019-3016.nopatch
+++ b/SPECS/kernel/CVE-2019-3016.nopatch
@ -0,0 +1,15 @@
+CVE-2019-3016 - already patched in 5.15.18.1 stable kernel
+Upstream: 1eff70a9abd46f175defafd29bc17ad456f398a7
+Stable: 1eff70a9abd46f175defafd29bc17ad456f398a7
+
+Upstream: 8c6de56a42e0c657955e12b882a81ef07d1d073e
+Stable:  8c6de56a42e0c657955e12b882a81ef07d1d073e
+
+Upstream: 917248144db5d7320655dbb41d3af0b8a0f3d589
+Stable: 917248144db5d7320655dbb41d3af0b8a0f3d589
+
+Upstream: a6bd811f1209fe1c64c9f6fd578101d6436c6b6e
+Stable: a6bd811f1209fe1c64c9f6fd578101d6436c6b6e
+
+Upstream: b043138246a41064527cf019a3d51d9f015e9796
+Stable:  b043138246a41064527cf019a3d51d9f015e9796
--- a/SPECS/kernel/CVE-2019-3819.nopatch
+++ b/SPECS/kernel/CVE-2019-3819.nopatch
@ -0,0 +1,3 @@
+CVE-2019-3819 - already patched in 5.15.18.1 stable kernel
+Upstream: 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
+Stable: 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
--- a/SPECS/kernel/CVE-2019-3887.nopatch
+++ b/SPECS/kernel/CVE-2019-3887.nopatch
@ -0,0 +1,6 @@
+CVE-2019-3887 - already patched in 5.15.2.1 stable kernel
+Upstream: acff78477b9b4f26ecdf65733a4ed77fe837e9dc
+Stable:  acff78477b9b4f26ecdf65733a4ed77fe837e9dc
+
+Upstream: c73f4c998e1fd4249b9edfa39e23f4fda2b9b041
+Stable:  c73f4c998e1fd4249b9edfa39e23f4fda2b9b041
--- a/SPECS/kernel/CVE-2020-25672.nopatch
+++ b/SPECS/kernel/CVE-2020-25672.nopatch
@ -0,0 +1,3 @@
+CVE-2020-25672 - already patched in 5.15.18.1 stable kernel
+Upstream: d7737d4257459ca8921ff911c88937be1a11ea9d
+Stable: d7737d4257459ca8921ff911c88937be1a11ea9d
--- a/SPECS/kernel/CVE-2021-3564.nopatch
+++ b/SPECS/kernel/CVE-2021-3564.nopatch
@ -0,0 +1,3 @@
+CVE-2021-3564 - already patched in 5.15.18.1 stable kernel
+Upstream: bcd0f93353326954817a4f9fa55ec57fb38acbb0
+Stable: 6a137caec23aeb9e036cdfd8a46dd8a366460e5d
--- a/SPECS/kernel/CVE-2021-45095.nopatch
+++ b/SPECS/kernel/CVE-2021-45095.nopatch
@ -0,0 +1,3 @@
+CVE-2021-45095 - already patched in 5.15.18.1 stable kernel
+Upstream: bcd0f93353326954817a4f9fa55ec57fb38acbb0 
+Stable:  9ca97a693aa8b86e8424f0047198ea3ab997d50f
--- a/SPECS/kernel/CVE-2021-45469.nopatch
+++ b/SPECS/kernel/CVE-2021-45469.nopatch
@ -0,0 +1,3 @@
+CVE-2021-45469 - already patched in 5.15.18.1 stable kernel
+Upstream: 5598b24efaf4892741c798b425d543e4bed357a1 
+Stable:  a8a9d753edd7f71e6a2edaa580d8182530b68791
--- a/SPECS/kernel/CVE-2021-45480.nopatch
+++ b/SPECS/kernel/CVE-2021-45480.nopatch
@ -0,0 +1,3 @@
+CVE-2021-45480 - already patched in 5.15.18.1 stable kernel
+Upstream: 5f9562ebe710c307adc5f666bf1a2162ee7977c0
+Stable:  68014890e4382ff9192e1357be39b7d0455665fa
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config
@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.2.1 Kernel Configuration
+# Linux/x86_64 5.15.18.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@ -5741,7 +5741,6 @@ CONFIG_MXM_WMI=m
 # CONFIG_SENSORS_HDAPS is not set
 # CONFIG_THINKPAD_ACPI is not set
 # CONFIG_THINKPAD_LMI is not set
-CONFIG_X86_PLATFORM_DRIVERS_INTEL=y
 # CONFIG_INTEL_ATOMISP2_PM is not set
 # CONFIG_INTEL_SAR_INT1092 is not set
 # CONFIG_INTEL_PMC_CORE is not set
@ -6564,6 +6563,7 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_PMSG is not set
 # CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
+# CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
 # CONFIG_UFS_FS is not set
 # CONFIG_EROFS_FS is not set
--- a/SPECS/kernel/config_aarch64
+++ b/SPECS/kernel/config_aarch64
@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.15.2.1 Kernel Configuration
+# Linux/arm64 5.15.18.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
@ -8775,6 +8775,7 @@ CONFIG_PSTORE_COMPRESS_DEFAULT="deflate"
 # CONFIG_PSTORE_PMSG is not set
 # CONFIG_PSTORE_FTRACE is not set
 # CONFIG_PSTORE_RAM is not set
+# CONFIG_PSTORE_BLK is not set
 # CONFIG_SYSV_FS is not set
 # CONFIG_UFS_FS is not set
 # CONFIG_EROFS_FS is not set
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
@ -1,9 +1,9 @@
 {
 "Signatures": {
  "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-  "config": "a4ed225b39b3d81d9d07e6a876e4fc9a806fa10e19562420274e22e0634cf4f5",
-  "config_aarch64": "e6b0d9e723c02a65663a98aa2ea6cee9f7c1d66fab2cc8fad54c71aceb16a1ff",
-  "kernel-5.15.2.1.tar.gz": "4af6adf37dee2281d56abd55195dd71a975e658eabb884b26c79e40338cdfca6",
+  "config": "9e15a76c5c92d9608220f7cd6de41460b411bfcce03a68ba53885011e365fef3",
+  "config_aarch64": "585f4ce6d8fb621003134e3283987281a0f7a745f78d21f33e56d0f7361cd27f",
+  "kernel-5.15.18.1.tar.gz": "58d148df0da4e9c095b8cd1cefac5669c04af700c7c5fa6bc3cc2a97b60a17c3",
  "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
 }
 }
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@ -6,8 +6,8 @@
 %endif
 Summary:        Linux Kernel
 Name:           kernel
-Version:        5.15.2.1
-Release:        5%{?dist}
+Version:        5.15.18.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -19,7 +19,6 @@ Source1:        config
 Source2:        config_aarch64
 Source3:        sha512hmac-openssl.sh
 Source4:        cbl-mariner-ca-20211013.pem
-Patch0:         0002-add-linux-syscall-license-info.patch
 # Kernel CVEs are addressed by moving to a newer version of the stable kernel.
 # Since kernel CVEs are filed against the upstream kernel version and not the
 # stable kernel version, our automated tooling will still flag the CVE as not
@ -27,6 +26,17 @@ Patch0:         0002-add-linux-syscall-license-info.patch
 # To indicate a kernel CVE is fixed to our automated tooling, add nopatch files
 # but do not apply them as a real patch. Each nopatch file should contain
 # information on why the CVE nopatch was applied.
+Patch1001:      CVE-2020-25672.nopatch
+Patch1002:      CVE-2018-16880.nopatch
+Patch1003:      CVE-2018-1000026.nopatch
+Patch1004:      CVE-2019-3016.nopatch
+Patch1005:      CVE-2019-3819.nopatch
+Patch1006:      CVE-2019-3887.nopatch
+Patch1007:      CVE-2010-0309.nopatch
+Patch1008:      CVE-2021-3564.nopatch
+Patch1009:      CVE-2021-45469.nopatch
+Patch1010:      CVE-2021-45480.nopatch
+Patch1011:      CVE-2021-45095.nopatch
 BuildRequires:  audit-devel
 BuildRequires:  bash
 BuildRequires:  bc
@ -133,7 +143,6 @@ manipulation of eBPF programs and maps.

 %prep
 %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version}
-%patch0 -p1

 %build
 make mrproper
@ -375,6 +384,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool

 %changelog
+* Mon Feb 07 2022 Cameron Baird <cameronbaird@microsoft.com> - 5.15.18.1-1
+- Update source to 5.15.18.1
+- Address CVE-2010-0309, CVE-2018-1000026, CVE-2018-16880, CVE-2019-3016,
+  CVE-2019-3819, CVE-2019-3887, CVE-2020-25672, CVE-2021-3564, CVE-2021-45095, 
+  CVE-2021-45469, CVE-2021-45480
+
 * Thu Feb 03 2022 Henry Li <lihl@microsoft.com> - 5.15.2.1-5
 - Enable CONFIG_X86_SGX and CONFIG_X86_SGX_KVM

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -6760,8 +6760,8 @@
        "type": "other",
        "other": {
          "name": "hyperv-daemons",
-          "version": "5.15.2.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.2.1.tar.gz"
+          "version": "5.15.18.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.18.1.tar.gz"
        }
      }
    },
@ -8551,8 +8551,8 @@
        "type": "other",
        "other": {
          "name": "kernel",
-          "version": "5.15.2.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.2.1.tar.gz"
+          "version": "5.15.18.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.18.1.tar.gz"
        }
      }
    },
@ -8561,8 +8561,8 @@
        "type": "other",
        "other": {
          "name": "kernel-headers",
-          "version": "5.15.2.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.2.1.tar.gz"
+          "version": "5.15.18.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.18.1.tar.gz"
        }
      }
    },
@ -8571,8 +8571,8 @@
        "type": "other",
        "other": {
          "name": "kernel-hyperv",
-          "version": "5.15.2.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.2.1.tar.gz"
+          "version": "5.15.18.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.18.1.tar.gz"
        }
      }
    },
@ -8581,8 +8581,8 @@
        "type": "other",
        "other": {
          "name": "kernel-rt",
-          "version": "5.15.2.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.2.1.tar.gz"
+          "version": "5.15.18.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.18.1.tar.gz"
        }
      }
    },
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -1,5 +1,5 @@
 filesystem-1.1-8.cm2.aarch64.rpm
-kernel-headers-5.15.2.1-5.cm2.noarch.rpm
+kernel-headers-5.15.18.1-1.cm2.noarch.rpm
 glibc-2.34-2.cm2.aarch64.rpm
 glibc-devel-2.34-2.cm2.aarch64.rpm
 glibc-i18n-2.34-2.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -1,5 +1,5 @@
 filesystem-1.1-8.cm2.x86_64.rpm
-kernel-headers-5.15.2.1-5.cm2.noarch.rpm
+kernel-headers-5.15.18.1-1.cm2.noarch.rpm
 glibc-2.34-2.cm2.x86_64.rpm
 glibc-devel-2.34-2.cm2.x86_64.rpm
 glibc-i18n-2.34-2.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -131,7 +131,7 @@ intltool-0.51.0-7.cm2.noarch.rpm
 itstool-2.0.6-4.cm2.noarch.rpm
 kbd-2.2.0-1.cm2.aarch64.rpm
 kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm
-kernel-headers-5.15.2.1-5.cm2.noarch.rpm
+kernel-headers-5.15.18.1-1.cm2.noarch.rpm
 kmod-29-1.cm2.aarch64.rpm
 kmod-debuginfo-29-1.cm2.aarch64.rpm
 kmod-devel-29-1.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -131,7 +131,7 @@ intltool-0.51.0-7.cm2.noarch.rpm
 itstool-2.0.6-4.cm2.noarch.rpm
 kbd-2.2.0-1.cm2.x86_64.rpm
 kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm
-kernel-headers-5.15.2.1-5.cm2.noarch.rpm
+kernel-headers-5.15.18.1-1.cm2.noarch.rpm
 kmod-29-1.cm2.x86_64.rpm
 kmod-debuginfo-29-1.cm2.x86_64.rpm
 kmod-devel-29-1.cm2.x86_64.rpm
--- a/toolkit/scripts/toolchain/container/0002-add-linux-syscall-license-info.patch
+++ b/toolkit/scripts/toolchain/container/0002-add-linux-syscall-license-info.patch
@ -1,22 +0,0 @@
-From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001
-From: Rachel <rachelmenge@microsoft.com>
-Date: Tue, 9 Nov 2021 12:21:01 -0500
-Subject: [PATCH] Add license info
-
---
- include/uapi/misc/d3dkmthk.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h
-index e752fd5c87d0..bf4fc7228bac 100644
--- a/include/uapi/misc/d3dkmthk.h
-+++ b/include/uapi/misc/d3dkmthk.h
-@@ -1,4 +1,4 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
- 
- /*
-  * Copyright (c) 2019, Microsoft Corporation.
-- 
-2.17.1
-
--- a/toolkit/scripts/toolchain/container/Dockerfile
+++ b/toolkit/scripts/toolchain/container/Dockerfile
@ -48,7 +48,6 @@ COPY [ "./toolchain-sha256sums", \
       "./toolchain-local-wget-list", \
       "./rpm-define-RPM-LD-FLAGS.patch", \
       "./linker-script-readonly-keyword-support.patch", \
-       "./0002-add-linux-syscall-license-info.patch", \
       "$LFS/tools/" ]

 # Download source, then create lfs user and group.
@ -58,7 +57,7 @@ COPY [ "./toolchain-sha256sums", \
 WORKDIR $LFS/sources
 RUN wget -nv --no-clobber --timeout=30 --no-check-certificate --continue --input-file=$LFS/tools/toolchain-local-wget-list --directory-prefix=$LFS/sources; exit 0
 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0
-RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.2.1.tar.gz -O kernel-5.15.2.1.tar.gz --directory-prefix=$LFS/sources; exit 0
+RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.15.18.1.tar.gz -O kernel-5.15.18.1.tar.gz --directory-prefix=$LFS/sources; exit 0
 USER root
 RUN sha256sum -c $LFS/tools/toolchain-sha256sums && \
    groupadd lfs && \
--- a/toolkit/scripts/toolchain/container/toolchain-sha256sums
+++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums
@ -26,7 +26,7 @@ fd4829912cddd12f84181c3451cc752be224643e87fac497b69edddadc49b4f2  gmp-6.2.1.tar.
 5c10da312460aec721984d5d83246d24520ec438dd48d7ab5a05dbc0d6d6823c  grep-3.7.tar.xz
 3a48a9d6c97750bfbd535feeb5be0111db6406ddb7bb79fc680809cda6d828a5  groff-1.22.3.tar.gz
 9b9a95d68fdcb936849a4d6fada8bf8686cddf58b9b26c9c4289ed0c92a77907  gzip-1.11.tar.xz
-4af6adf37dee2281d56abd55195dd71a975e658eabb884b26c79e40338cdfca6  kernel-5.15.2.1.tar.gz
+58d148df0da4e9c095b8cd1cefac5669c04af700c7c5fa6bc3cc2a97b60a17c3  kernel-5.15.18.1.tar.gz
 b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176  libarchive-3.4.2.tar.gz
 b630b7c484271b3ba867680d6a14b10a86cfa67247a14631b14c06731d5a458b  libcap-2.26.tar.xz
 0d72e12e4f2afff67fd7b9df0a24d7ba42b5a7c9211ac5b3dcccc5cd8b286f2b  libpipeline-1.5.0.tar.gz
--- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
@ -67,16 +67,14 @@ set -e
 #
 cd /sources

-echo Linux-5.15.2.1 API Headers
-tar xf kernel-5.15.2.1.tar.gz
-cp /tools/0002-add-linux-syscall-license-info.patch CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.2.1/
-pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.2.1
-patch -p1 -i 0002-add-linux-syscall-license-info.patch
+echo Linux-5.15.18.1 API Headers
+tar xf kernel-5.15.18.1.tar.gz
+pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.18.1
 make mrproper
 make headers
 cp -rv usr/include/* /usr/include
 popd
-rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.2.1
+rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.18.1
 touch /logs/status_kernel_headers_complete

 echo 6.8. Man-pages-5.02
--- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
@ -114,16 +114,14 @@ rm -rf gcc-11.2.0

 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete

-echo Linux-5.15.2.1 API Headers
-tar xf kernel-5.15.2.1.tar.gz
-cp /tools/0002-add-linux-syscall-license-info.patch CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.2.1/
-pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.2.1
-patch -p1 -i 0002-add-linux-syscall-license-info.patch
+echo Linux-5.15.18.1 API Headers
+tar xf kernel-5.15.18.1.tar.gz
+pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.18.1
 make mrproper
 make headers
 cp -rv usr/include/* /tools/include
 popd
-rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.2.1
+rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.15.18.1

 touch $LFS/logs/temptoolchain/status_kernel_headers_complete