An information leak has been reported that affects the Linux kernel running on certain AMD processors (CVE-2006-1056). This issue arises because the behavior of the FXSAVE and FXRSTOR instructions on AMD processors is different from the behavior on Intel processors. The difference is documented in "AMD64 Architecture Programmer's Manual Volume 5: 64-Bit Media and x87 Floating-Point Instructions Rev 3.06". This difference was not widely known and therefore Linux kernels assumed these instructions would have the same behavior as on Intel processors.

Under specific conditions this may allow a local user to observe the x87 exception pointers of another process. Although this is a minor information leak, if the floating point unit is being used for a cryptographic algorithm this could potentially leak some or all of the key data.

According to AMD, this will affect processors with "AuthenticAMD" in the CPUID vendor string. This includes the 7th generation (Family=06h) and 8th generation (Family=0Fh) of AMD processors. This issue has been rated as having important security severity and it affects all Red Hat Enterprise Linux 2.1, 3, and 4 versions running on AMD processors of the 7th and 8th generation.
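Added example, not part of the original report or of any Red Hat or AMD code: a C check that decides from CPUID values whether a processor falls in the set named above (vendor string "AuthenticAMD", family 06h or 0Fh). The function names and the sample register values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CPUID leaf 0 returns the vendor string in EBX, EDX, ECX (4 bytes each, low byte first). */
static void vendor_string(uint32_t ebx, uint32_t edx, uint32_t ecx, char out[13])
{
    uint32_t regs[3] = { ebx, edx, ecx };
    for (int i = 0; i < 12; i++)
        out[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xFF);
    out[12] = '\0';
}

/* Display family from the CPUID leaf 1 EAX signature: base family is bits 11:8;
 * the extended family (bits 27:20) is added only when the base family is 0Fh. */
static unsigned cpu_family(uint32_t sig)
{
    unsigned base = (sig >> 8) & 0xF;
    return base == 0xF ? base + ((sig >> 20) & 0xFF) : base;
}

/* 1 if the CPU is in the set the report names (AuthenticAMD, family 06h or 0Fh).
 * 0 means "not in that list", not a statement that the CPU is unaffected. */
static int in_report_scope(const char *vendor, uint32_t sig)
{
    unsigned fam = cpu_family(sig);
    return strcmp(vendor, "AuthenticAMD") == 0 && (fam == 0x06 || fam == 0x0F);
}

int main(void)
{
    /* Constructed sample register values, not captured from real hardware. */
    struct { uint32_t ebx, edx, ecx, sig; } cpus[] = {
        { 0x68747541, 0x69746E65, 0x444D4163, 0x00000F4A }, /* AMD, family 0Fh */
        { 0x68747541, 0x69746E65, 0x444D4163, 0x000006A0 }, /* AMD, family 06h */
        { 0x68747541, 0x69746E65, 0x444D4163, 0x00100F22 }, /* AMD, family 10h */
        { 0x756E6547, 0x49656E69, 0x6C65746E, 0x00000F41 }, /* Intel, family 0Fh */
    };
    for (size_t i = 0; i < sizeof cpus / sizeof cpus[0]; i++) {
        char v[13];
        vendor_string(cpus[i].ebx, cpus[i].edx, cpus[i].ecx, v);
        printf("%s family %02Xh: %s\n", v, cpu_family(cpus[i].sig),
               in_report_scope(v, cpus[i].sig) ? "in scope" : "not listed");
    }
    return 0;
}
```

On a Linux host the same two inputs are visible as the `vendor_id` and `cpu family` fields of `/proc/cpuinfo`.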
Response from AMD: http://marc.theaimsgroup.com/?l=linux-kernel&m=114548768214478&w=2
The patch introduced a bug in FP exception handling: http://marc.theaimsgroup.com/?l=linux-kernel&m=114633448824132&w=2
It doesn't look like this applies to pensacola (or rhel3/4) - the exception status test we adopted internally was done in c, rather than assembly (and is more readable than the upstream patch, imho): - "bt $7,%[fsw] ; jc 1f ; fnclex\n1:", + "bt $7,%[fsw] ; jnc 1f ; fnclex\n1:", pensacola: if (tsk->thread.i387.fxsave.swd & (1<<7)) asm volatile("fnclex");
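Review bot: On the `+` line the whole condition rests on the polarity of `jnc`, and nothing says what bit 7 of `fsw` is. A one-line comment stating that it is the exception summary (ES) flag of the x87 status word, and that `fnclex` must run only when it is set, would make a repeat of the `jc`/`jnc` inversion easier to catch in review. The C form quoted after the diff, `if (tsk->thread.i387.fxsave.swd & (1<<7))`, expresses the same test without a branch label; a named constant in place of `(1<<7)` would document it in the same way.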
Verifying via code inspection as there doesn't appear to be a reproducer. Change noted in comment 3 is in arch/i386/kernel/i387.c (line 75).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0579.html