189344 – CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs

Bug 189344 - CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs

Summary: CVE-2006-1056 FPU Information leak on i386/x86-64 on AMD CPUs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 2.1
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	2.1
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Don Howard
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:	impact=important,source=vendorsec,rep...
Depends On:
Blocks:	143573
TreeView+	depends on / blocked

Reported:	2006-04-19 12:05 UTC by Marcel Holtmann
Modified:	2007-11-30 22:06 UTC (History)
CC List:	1 user (show)
Fixed In Version:	RHSA-2006-0579
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-07-13 11:46:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2006:0579	0	normal	SHIPPED_LIVE	Important: kernel security update	2006-07-13 04:00:00 UTC

Description Marcel Holtmann 2006-04-19 12:05:38 UTC

An information leak has been reported that affects the Linux kernel running on
certain AMD processors (CVE-2006-1056). This issue is due to the behavior of
FXSAVE and FXRSTOR instructions on AMD processors is different from the behavior
on Intel processors. The difference is documented in "AMD64 Architecture
Programmer's Manual Volume 5: 64-Bit Media and x87 Floating-Point Instructions
Rev 3.06". This difference was not widely known and therefore Linux kernels
assumed these instructions would have same behavior as on Intel processors.

Under specific conditions this may allow a local user to observe the x87
exception pointers of another process. Although this is a minor information
leak, if the floating point unit is being used for a cryptographic algorithm
this could potentially leak some or all of key data.

According to AMD, this will affect processors with "AuthenticAMD" in the CPUID
vendor string. This includes the 7th generation (Family=06h) and 8th generation
(Family=0Fh) of AMD processors.

This issue has been rated as having important security severity and it affects
all Red Hat Enterprise Linux 2.1, 3, and 4 versions running on AMD processors of
the 7th and 8th generation.

Comment 1 Marcel Holtmann 2006-04-19 23:11:22 UTC

Response from AMD:

http://marc.theaimsgroup.com/?l=linux-kernel&m=114548768214478&w=2

Comment 2 Marcel Holtmann 2006-04-29 20:42:28 UTC

The patch introduced a bug in FP exception handling:

http://marc.theaimsgroup.com/?l=linux-kernel&m=114633448824132&w=2

Comment 3 Don Howard 2006-05-01 18:53:06 UTC

It doesn't look like this applies to pensacola (or rhel3/4) - the exception
status test we adopted internally was done in c, rather than assembly (and is
more readable than the upstream patch, imho):


-		"bt $7,%[fsw] ; jc 1f ; fnclex\n1:",
+		"bt $7,%[fsw] ; jnc 1f ; fnclex\n1:",


pensacola:
               if (tsk->thread.i387.fxsave.swd & (1<<7))
                        asm volatile("fnclex");

Comment 7 Mike Gahagan 2006-07-12 18:21:00 UTC

verifying via code inspection as there doesn't appear to be a reproducer. Change
noted in comment 3 is in arch/i386/kernel/i387.c (line 75)

Comment 9 Red Hat Bugzilla 2006-07-13 11:46:21 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0579.html

Note You need to log in before you can comment on or make changes to this bug.