[kernel] r6627 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series
Dann Frazier
dannf at costa.debian.org
Sat May 20 05:44:18 UTC 2006
Author: dannf
Date: Sat May 20 05:44:12 2006
New Revision: 6627
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/217_amd64-fp-reg-leak.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
Log:
* 217_amd64-fp-reg-leak.diff
[SECURITY][amd64] Fix an information leak that allows a process to see
a portion of the floating point state of other processes, possibly exposing
sensitive information.
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sat May 20 05:44:12 2006
@@ -39,8 +39,12 @@
[SECURITY] Fix remote DoS vulnerability that allows IP fragmented
COOKIE_ECHO and HEARTBEAT SCTP control chunks to cause a kernel panic
See CVE-2006-2272
+ * 217_amd64-fp-reg-leak.diff
+ [SECURITY][amd64] Fix an information leak that allows a process to see
+ a portion of the floating point state of other processes, possibly exposing
+ sensitive information.
- -- dann frazier <dannf at debian.org> Sat, 20 May 2006 00:28:53 -0500
+ -- dann frazier <dannf at debian.org> Sat, 20 May 2006 00:41:41 -0500
kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high
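Review bot: the new changelog entry for 217_amd64-fp-reg-leak.diff does not cite the CVE, while the preceding SCTP entry in the same hunk does ("See CVE-2006-2272"). The added patch's own description identifies this issue as CVE-2006-1056, so add a matching "See CVE-2006-1056" line to the entry so the security tracker and anyone auditing the stable update can tie 2.4.27-10sarge3 to the advisory.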
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/217_amd64-fp-reg-leak.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/217_amd64-fp-reg-leak.diff Sat May 20 05:44:12 2006
@@ -0,0 +1,107 @@
+diff-tree d296e6191afbfc63077da02a1386bcd73bd4c1e0 (from 0dba0f6b382bf360a1974fd78538273478dfc784)
+Author: Andi Kleen <ak at suse.de>
+Date: Wed Apr 19 10:22:07 2006 +0200
+
+ [PATCH] i386/x86-64: Fix x87 information leak between processes
+
+ AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
+ when an exception is pending. This means the value leak through
+ context switches and allow processes to observe some x87 instruction
+ state of other processes.
+
+ This was actually documented by AMD, but nobody recognized it as
+ being different from Intel before.
+
+ The fix first adds an optimization: instead of unconditionally
+ calling FNCLEX after each FXSAVE test if ES is pending and skip
+ it when not needed. Then do a dummy x87 load to clear FOP/FIP/FDP.
+ This means other processes always will only see a constant value
+ defined by the kernel.
+
+ Then it does a ffree st(7) ; fild <l1 address>
+ This is executed unconditionally on FXSAVE capable systems, but has
+ been benchmarked on Intel systems to be reasonably fast.
+
+ I also had to move unlazy_fpu for 64bit to make sure the code
+ always executes with the data segment of the new process to prevent
+ leaking the old one.
+
+ Patch for both i386/x86-64.
+
+ The problem was discovered originally by Jan Beulich. Richard
+ Brunner provided the basic code for the workarounds with contributions
+ from Jan.
+
+ This is CVE-2006-1056
+
+ Signed-off-by: Andi Kleen <ak at suse.de>
+
+diff --git a/arch/i386/kernel/i387.c b/arch/i386/kernel/i387.c
+index b6945c7..3e80fba 100644
+--- a/arch/i386/kernel/i387.c
++++ b/arch/i386/kernel/i387.c
+@@ -11,6 +11,7 @@
+ #include <linux/config.h>
+ #include <linux/sched.h>
+ #include <linux/init.h>
++#include <linux/kernel_stat.h>
+ #include <asm/processor.h>
+ #include <asm/i387.h>
+ #include <asm/math_emu.h>
+@@ -70,8 +71,12 @@ void init_fpu(void)
+ static inline void __save_init_fpu( struct task_struct *tsk )
+ {
+ if ( cpu_has_fxsr ) {
+- asm volatile( "fxsave %0 ; fnclex"
++ asm volatile( "fxsave %0"
+ : "=m" (tsk->thread.i387.fxsave) );
++ if (tsk->thread.i387.fxsave.swd & (1<<7))
++ asm volatile("fnclex");
++ /* AMD CPUs leak F?P. Clear it here */
++ asm volatile("ffree %%st(7) ; fildl %0" :: "m" (kstat.context_swtch));
+ } else {
+ asm volatile( "fnsave %0 ; fwait"
+ : "=m" (tsk->thread.i387.fsave) );
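Review bot: the bare `(1<<7)` in `if (tsk->thread.i387.fxsave.swd & (1<<7))` is the ES (error summary) bit of the x87 status word, and that bit being clear is the only thing that makes skipping `fnclex` safe; give it a named constant or at least a comment, because a magic bit number hides the invariant the optimization depends on. In the same hunk, `/* AMD CPUs leak F?P. Clear it here */` should spell out FOP/FIP/FDP as the description does, and the comment should say why `ffree %%st(7)` precedes `fildl %0`: it empties one register so the push cannot trigger a stack fault, and the live register contents are disposable because `fxsave` has just captured them. The `#include <linux/kernel_stat.h>` added above exists only to provide `kstat.context_swtch` as the load address; a one-word note there would save the next reader a search.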
+diff --git a/arch/x86_64/kernel/process.c b/arch/x86_64/kernel/process.c
+index a8df6c9..09924f0 100644
+--- a/arch/x86_64/kernel/process.c
++++ b/arch/x86_64/kernel/process.c
+@@ -564,8 +564,6 @@ struct task_struct *__switch_to(struct t
+ *next = &next_p->thread;
+ struct tss_struct *tss = init_tss + smp_processor_id();
+
+- unlazy_fpu(prev_p);
+-
+ /*
+ * Reload rsp0, LDT and the page table pointer:
+ */
+@@ -583,6 +581,11 @@ struct task_struct *__switch_to(struct t
+ loadsegment(ds, next->ds);
+
+ /*
++ * Must be after DS reload for AMD workaround.
++ */
++ unlazy_fpu(prev_p);
++
++ /*
+ * Switch FS and GS.
+ */
+ {
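Review bot: the moved `unlazy_fpu(prev_p)` now sits between `loadsegment(ds, next->ds)` and the "Switch FS and GS" block, but the new comment `Must be after DS reload for AMD workaround` does not say what breaks if it moves. Expand it to state the constraint from the description: the dummy `fildl` in `save_init_fpu` must execute with the new process's data segment loaded, otherwise the old process's segment ends up in the saved x87 state and the leak this patch fixes comes back. A later reorder of `__switch_to` would reintroduce the bug silently, so the comment is the only guard. Also confirm that nothing between the old call site (before "Reload rsp0, LDT and the page table pointer") and the new one touches FPU or SSE state, since `prev_p`'s registers now stay live in the hardware across that stretch.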
+diff --git a/include/asm-x86_64/i387.h b/include/asm-x86_64/i387.h
+index a17ce96..5178962 100644
+--- a/include/asm-x86_64/i387.h
++++ b/include/asm-x86_64/i387.h
+@@ -125,8 +125,12 @@ static inline void kernel_fpu_begin(void
+
+ static inline void save_init_fpu( struct task_struct *tsk )
+ {
+- asm volatile( "fxsave %0 ; fnclex"
++ asm volatile( "fxsave %0"
+ : "=m" (tsk->thread.i387.fxsave));
++ if (tsk->thread.i387.fxsave.swd & (1<<7))
++ asm volatile("fnclex");
++ /* AMD CPUs leak F?P through FXSAVE. Clear it here */
++ asm volatile("ffree %st(7) ; fildl %gs:0");
+ tsk->flags &= ~PF_USEDFPU;
+ stts();
+ }
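Review bot: `asm volatile("ffree %st(7) ; fildl %gs:0");` uses a single `%` before `st(7)` where the i386 version uses `%%st(7)`. That is correct only because this asm statement has no operands; if anyone later adds an operand (for example to load from a named variable as the i386 side does with `kstat.context_swtch`), the assembler will reject or misparse `%st`. Add a comment noting the basic-asm form, or rewrite it with an operand now so both arches use the same shape. Separately, `%gs:0` is an unexplained fixed address: document what lives at offset 0 of the kernel's `%gs` segment and why it is always mapped during `__switch_to`, since a bad load here would fault on every context switch. The `F?P` shorthand in the comment should be written out as FOP/FIP/FDP here as well.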
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3 (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3 Sat May 20 05:44:12 2006
@@ -8,3 +8,4 @@
+ 214_mcast-ip-route-null-deref.diff
+ 215_sctp-fragment-recurse.diff
+ 216_sctp-fragmented-receive-fix.diff
++ 217_amd64-fp-reg-leak.diff