Bug 190083 - [PATCH] i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)
[PATCH] i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)
Status: CLOSED DUPLICATE of bug 200034
Product: Fedora Legacy
Classification: Retired
Component: kernel (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://www.kernel.org/git/?p=linux/ke...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-04-27 08:59 EDT by James Kosin
Modified: 2007-04-18 13:42 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-07-24 18:23:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch for CVE-2006-1056 (3.29 KB, patch)
2006-04-27 08:59 EDT, James Kosin
no flags Details | Diff

  None (edit)
Description James Kosin 2006-04-27 08:59:08 EDT
[PATCH] i386/x86-64: Fix x87 information leak between processes

AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
when an exception is pending. This means the value leak through
context switches and allow processes to observe some x87 instruction
state of other processes.

This was actually documented by AMD, but nobody recognized it as
being different from Intel before.

The fix first adds an optimization: instead of unconditionally
calling FNCLEX after each FXSAVE test if ES is pending and skip
it when not needed. Then do a dummy x87 load to clear FOP/FIP/FDP.
This means other processes always will only see a constant value
defined by the kernel.

Then it does a ffree st(7) ; fild
This is executed unconditionally on FXSAVE capable systems, but has
been benchmarked on Intel systems to be reasonably fast.

I also had to move unlazy_fpu for 64bit to make sure the code
always executes with the data segment of the new process to prevent
leaking the old one.

Patch for both i386/x86-64.

The problem was discovered originally by Jan Beulich. Richard
Brunner provided the basic code for the workarounds with contributions
from Jan.

This is CVE-2006-1056

Signed-off-by: Andi Kleen

arch/i386/kernel/i387.c
arch/x86_64/kernel/process.c
include/asm-x86_64/i387.h
Comment 1 James Kosin 2006-04-27 08:59:08 EDT
Created attachment 128306 [details]
Patch for CVE-2006-1056
Comment 2 Marc Deslauriers 2006-07-24 18:23:18 EDT

*** This bug has been marked as a duplicate of 200034 ***

Note You need to log in before you can comment on or make changes to this bug.