Attachment 84693 Details for Bug 130028 – amd-fxsave-24

[patch] amd-fxsave-24

amd-fxsave-24 (text/plain), 3.46 KB, created by Sune Kloppenborg Jeppesen (RETIRED) on 2006-04-15 00:55:00 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sune Kloppenborg Jeppesen (RETIRED)

Created: 2006-04-15 00:55:00 UTC

Size: 3.46 KB

patch

obsolete

>i386/x86-64: Fix x87 information leak between processes
>
>AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
>when an exception is pending.  This means the value leak through
>context switches and allow processes to observe some x87 instruction 
>state of other processes.
>
>This was actually documented by AMD, but nobody recognized it as
>being different from Intel before.
>
>The fix first adds an optimization: instead of unconditionally 
>calling FNCLEX after each FXSAVE test if ES is pending and skip
>it when not needed. Then do a dummy x87 load to clear FOP/FIP/FDP.
>This means other processes always will only see a constant value
>defined by the kernel.
>
>Then it does a ffree st(7) ; fild <l1 address> 
>This is executed unconditionally on FXSAVE capable systems, but has 
>been benchmarked on Intel systems to be reasonably fast. 
>
>I also had to move unlazy_fpu for 64bit to make sure the code
>always executes with the data segment of the new process to prevent
>leaking the old one.
>
>Patch for both i386/x86-64.
>
>The problem was discovered originally by Jan Beulich. Richard
>Brunner provided the basic code for the workarounds with contributions
>from Jan. 
>
>This is CVE-2006-1056
>
>Signed-off-by: Andi Kleen <ak@suse.de>
>
>Index: linux-2.4.32-work/arch/i386/kernel/i387.c
>===================================================================
>--- linux-2.4.32-work.orig/arch/i386/kernel/i387.c
>+++ linux-2.4.32-work/arch/i386/kernel/i387.c
>@@ -11,6 +11,7 @@
> #include <linux/config.h>
> #include <linux/sched.h>
> #include <linux/init.h>
>+#include <linux/kernel_stat.h>
> #include <asm/processor.h>
> #include <asm/i387.h>
> #include <asm/math_emu.h>
>@@ -70,8 +71,12 @@ void init_fpu(void)
> static inline void __save_init_fpu( struct task_struct *tsk )
> {
> 	if ( cpu_has_fxsr ) {
>-		asm volatile( "fxsave %0 ; fnclex"
>+		asm volatile( "fxsave %0"
> 			      : "=m" (tsk->thread.i387.fxsave) );
>+		if (tsk->thread.i387.fxsave.swd & (1<<7))
>+			asm volatile("fnclex");
>+		/* AMD CPUs leak F?P. Clear it here */
>+		asm volatile("ffree %%st(7) ; fildl %0" :: "m" (kstat.context_swtch));
> 	} else {
> 		asm volatile( "fnsave %0 ; fwait"
> 			      : "=m" (tsk->thread.i387.fsave) );
>Index: linux-2.4.32-work/include/asm-x86_64/i387.h
>===================================================================
>--- linux-2.4.32-work.orig/include/asm-x86_64/i387.h
>+++ linux-2.4.32-work/include/asm-x86_64/i387.h
>@@ -125,8 +125,12 @@ static inline void kernel_fpu_begin(void
> 
> static inline void save_init_fpu( struct task_struct *tsk )
> {
>-	asm volatile( "fxsave %0 ; fnclex"
>+	asm volatile( "fxsave %0"
> 		      : "=m" (tsk->thread.i387.fxsave));
>+	if (tsk->thread.i387.fxsave.swd & (1<<7))
>+		asm volatile("fnclex");
>+	/* AMD CPUs leak F?P through FXSAVE. Clear it here */
>+	asm volatile("ffree %st(7) ; fildl %gs:0");
> 	tsk->flags &= ~PF_USEDFPU;
> 	stts();
> }
>Index: linux-2.4.32-work/arch/x86_64/kernel/process.c
>===================================================================
>--- linux-2.4.32-work.orig/arch/x86_64/kernel/process.c
>+++ linux-2.4.32-work/arch/x86_64/kernel/process.c
>@@ -564,8 +564,6 @@ struct task_struct *__switch_to(struct t
> 				 *next = &next_p->thread;
> 	struct tss_struct *tss = init_tss + smp_processor_id();
> 
>-	unlazy_fpu(prev_p);
>-
> 	/*
> 	 * Reload rsp0, LDT and the page table pointer:
> 	 */
>@@ -583,6 +581,11 @@ struct task_struct *__switch_to(struct t
> 		loadsegment(ds, next->ds);
> 
> 	/* 
>+  	 * Must be after DS reload for AMD workaround.
>+	 */
>+	unlazy_fpu(prev_p);
>+
>+	/* 
> 	 * Switch FS and GS.
> 	 */
> 	{

Actions: View | Diff

Attachments on bug 130028: 84692 | 84693 | 84938