diff --git a/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
new file mode 100644
index 0000000..389f6f5
--- /dev/null
+++ b/SOURCES/kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
@@ -0,0 +1,52 @@
+From f5a29669048a0a889348839c8707f7f10b0bec48 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 9 May 2018 09:06:29 +0100
+Subject: [PATCH] i386: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Daniel P. Berrangé <berrange@redhat.com>
+Bugzilla: 1574075
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+New microcode introduces the "Speculative Store Bypass Disable"
+CPUID feature bit. This needs to be exposed to guest OS to allow
+them to protect against CVE-2018-3639.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 08b43f5..539c202 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -173,7 +173,7 @@ static const char *cpuid_7_0_edx_feature_name[] = {
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, "spec-ctrl", "stibp",
+-    NULL, "arch-facilities", NULL, NULL,
++    NULL, "arch-facilities", NULL, "ssbd",
+ };
+ 
+ static const char *cpuid_80000008_ebx_feature_name[] = {
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index a8a640a..da84443 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -590,6 +590,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
+ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+ #define CPUID_7_0_EDX_SPEC_CTRL     (1U << 26) /* Indirect Branch - Restrict Speculation */
++#define CPUID_7_0_EDX_SPEC_CTRL_SSBD  (1U << 31) /* Speculative Store Bypass Disable */
+ 
+ #define CPUID_8000_0008_EBX_IBPB    (1U << 12) /* Indirect Branch Prediction Barrier */
+ 
+-- 
+1.8.3.1
+
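Review bot: Nothing in the two embedded hunks turns the new bit on: `"ssbd"` is only given a name at index 31 of `cpuid_7_0_edx_feature_name[]`, and `CPUID_7_0_EDX_SPEC_CTRL_SSBD` is defined but not referenced in the visible lines, so a guest will presumably see it only when its CPU configuration requests it and the host microcode and kernel report it. The commit message says the bit "needs to be exposed" without stating that, which makes it easy to read the package update as a complete mitigation for CVE-2018-3639. I would add a sentence to the description, for example `Guests get the bit only when 'ssbd' is enabled in their CPU definition and the host supports it; running guests need a full restart to see it.` The `cpuid_80000008_ebx_feature_name[]` table appears only as context, so any vendor-specific SSBD bits outside leaf 7 are not covered by this patch. Both the array and the define block start outside the hunks, so CPU model changes elsewhere in the file cannot be ruled out from here.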
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 9513bd7..5ef35b6 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version}                                      \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 156%{?dist}.1
+Release: 156%{?dist}.2
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
@@ -3869,6 +3869,8 @@ Patch1905: kvm-io-skip-updates-to-client-if-websocket-output-buffer.patch
 Patch1906: kvm-vga-add-ram_addr_t-cast.patch
 # For bz#1567913 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
 Patch1907: kvm-vga-fix-region-calculation.patch
+# For bz#1574075 - EMBARGOED CVE-2018-3639 qemu-kvm: Kernel: omega-4 [rhel-7.5.z]
+Patch1908: kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
 
 
 BuildRequires: zlib-devel
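Review bot: The comment added above `Patch1908` still carries the pre-disclosure tracker wording, `EMBARGOED` and the codename `omega-4`, and does not say what the patch is for. Once shipped, that line is the only in-spec explanation of the patch, so it should describe the change, for example `# For bz#1574075 - CVE-2018-3639 qemu-kvm: expose the 'ssbd' CPUID feature bit to guests [rhel-7.5.z]`. The same wording is repeated in the `%changelog` entry added in the last hunk.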
@@ -5954,6 +5956,7 @@ tar -xf %{SOURCE21}
 %patch1905 -p1
 %patch1906 -p1
 %patch1907 -p1
+%patch1908 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -6399,6 +6402,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 
 %changelog
+* Fri May 11 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7_5.2
+- kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch [bz#1574075]
+- Resolves: bz#1574075
+  (EMBARGOED CVE-2018-3639 qemu-kvm: Kernel: omega-4 [rhel-7.5.z])
+
 * Mon Apr 16 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7_5.1
 - kvm-vga-add-ram_addr_t-cast.patch [bz#1567913]
 - kvm-vga-fix-region-calculation.patch [bz#1567913]