[kernel] r6627 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sat May 20 05:44:18 UTC 2006


Author: dannf
Date: Sat May 20 05:44:12 2006
New Revision: 6627

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/217_amd64-fp-reg-leak.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3

Log:
* 217_amd64-fp-reg-leak.diff
  [SECURITY][amd64] Fix an information leak that allows a process to see
  a portion of the floating point state of other processes, possibly exposing
  sensitive information.

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Sat May 20 05:44:12 2006
@@ -39,8 +39,12 @@
     [SECURITY] Fix remote DoS vulnerability that allows IP fragmented
     COOKIE_ECHO and HEARTBEAT SCTP control chunks to cause a kernel panic
     See CVE-2006-2272
+  * 217_amd64-fp-reg-leak.diff
+    [SECURITY][amd64] Fix an information leak that allows a process to see
+    a portion of the floating point state of other processes, possibly exposing
+    sensitive information.
 
- -- dann frazier <dannf at debian.org>  Sat, 20 May 2006 00:28:53 -0500
+ -- dann frazier <dannf at debian.org>  Sat, 20 May 2006 00:41:41 -0500
 
 kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/217_amd64-fp-reg-leak.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/217_amd64-fp-reg-leak.diff	Sat May 20 05:44:12 2006
@@ -0,0 +1,107 @@
+diff-tree d296e6191afbfc63077da02a1386bcd73bd4c1e0 (from 0dba0f6b382bf360a1974fd78538273478dfc784)
+Author: Andi Kleen <ak at suse.de>
+Date:   Wed Apr 19 10:22:07 2006 +0200
+
+    [PATCH] i386/x86-64: Fix x87 information leak between processes
+    
+    AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
+    when an exception is pending.  This means the value leak through
+    context switches and allow processes to observe some x87 instruction
+    state of other processes.
+    
+    This was actually documented by AMD, but nobody recognized it as
+    being different from Intel before.
+    
+    The fix first adds an optimization: instead of unconditionally
+    calling FNCLEX after each FXSAVE test if ES is pending and skip
+    it when not needed. Then do a dummy x87 load to clear FOP/FIP/FDP.
+    This means other processes always will only see a constant value
+    defined by the kernel.
+    
+    Then it does a ffree st(7) ; fild <l1 address>
+    This is executed unconditionally on FXSAVE capable systems, but has
+    been benchmarked on Intel systems to be reasonably fast.
+    
+    I also had to move unlazy_fpu for 64bit to make sure the code
+    always executes with the data segment of the new process to prevent
+    leaking the old one.
+    
+    Patch for both i386/x86-64.
+    
+    The problem was discovered originally by Jan Beulich. Richard
+    Brunner provided the basic code for the workarounds with contributions
+    from Jan.
+    
+    This is CVE-2006-1056
+    
+    Signed-off-by: Andi Kleen <ak at suse.de>
+
+diff --git a/arch/i386/kernel/i387.c b/arch/i386/kernel/i387.c
+index b6945c7..3e80fba 100644
+--- a/arch/i386/kernel/i387.c
++++ b/arch/i386/kernel/i387.c
+@@ -11,6 +11,7 @@
+ #include <linux/config.h>
+ #include <linux/sched.h>
+ #include <linux/init.h>
++#include <linux/kernel_stat.h>
+ #include <asm/processor.h>
+ #include <asm/i387.h>
+ #include <asm/math_emu.h>
+@@ -70,8 +71,12 @@ void init_fpu(void)
+ static inline void __save_init_fpu( struct task_struct *tsk )
+ {
+ 	if ( cpu_has_fxsr ) {
+-		asm volatile( "fxsave %0 ; fnclex"
++		asm volatile( "fxsave %0"
+ 			      : "=m" (tsk->thread.i387.fxsave) );
++		if (tsk->thread.i387.fxsave.swd & (1<<7))
++			asm volatile("fnclex");
++		/* AMD CPUs leak F?P. Clear it here */
++		asm volatile("ffree %%st(7) ; fildl %0" :: "m" (kstat.context_swtch));
+ 	} else {
+ 		asm volatile( "fnsave %0 ; fwait"
+ 			      : "=m" (tsk->thread.i387.fsave) );
+diff --git a/arch/x86_64/kernel/process.c b/arch/x86_64/kernel/process.c
+index a8df6c9..09924f0 100644
+--- a/arch/x86_64/kernel/process.c
++++ b/arch/x86_64/kernel/process.c
+@@ -564,8 +564,6 @@ struct task_struct *__switch_to(struct t
+ 				 *next = &next_p->thread;
+ 	struct tss_struct *tss = init_tss + smp_processor_id();
+ 
+-	unlazy_fpu(prev_p);
+-
+ 	/*
+ 	 * Reload rsp0, LDT and the page table pointer:
+ 	 */
+@@ -583,6 +581,11 @@ struct task_struct *__switch_to(struct t
+ 		loadsegment(ds, next->ds);
+ 
+ 	/* 
++  	 * Must be after DS reload for AMD workaround.
++	 */
++	unlazy_fpu(prev_p);
++
++	/* 
+ 	 * Switch FS and GS.
+ 	 */
+ 	{ 
+diff --git a/include/asm-x86_64/i387.h b/include/asm-x86_64/i387.h
+index a17ce96..5178962 100644
+--- a/include/asm-x86_64/i387.h
++++ b/include/asm-x86_64/i387.h
+@@ -125,8 +125,12 @@ static inline void kernel_fpu_begin(void
+ 
+ static inline void save_init_fpu( struct task_struct *tsk )
+ {
+-	asm volatile( "fxsave %0 ; fnclex"
++	asm volatile( "fxsave %0"
+ 		      : "=m" (tsk->thread.i387.fxsave));
++	if (tsk->thread.i387.fxsave.swd & (1<<7))
++		asm volatile("fnclex");
++	/* AMD CPUs leak F?P through FXSAVE. Clear it here */
++	asm volatile("ffree %st(7) ; fildl %gs:0");
+ 	tsk->flags &= ~PF_USEDFPU;
+ 	stts();
+ }
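Review bot: The dummy x87 load added to the x86_64 `save_init_fpu` reads a bare `%gs:0` with no comment saying what lives there or why it is a mapped kernel address in every context this inline is reached from (including `kernel_fpu_begin`, whose body starts above the hunk), whereas the i386 twin reads a named kernel object, `kstat.context_swtch`; a comment such as `/* dummy load to overwrite FOP/FIP/FDP with kernel constants; %gs:0 is assumed to be the per-CPU kernel data area here -- confirm */`, or simply using the same `"m"(kstat.context_swtch)` operand on both architectures, would make the assumption checkable. The ES test `tsk->thread.i387.fxsave.swd & (1<<7)` is a magic bit on both sides and deserves `/* ES (exception summary) set: only then is FNCLEX needed */`. The `__switch_to` comment "Must be after DS reload for AMD workaround" does not say what is being protected; per the patch header the concern is that the saved state would otherwise carry the previous process's data-segment value, and since the dummy load uses a `%gs` override the DS dependency is not visible from the code, so the comment should state it explicitly (`__switch_to` itself begins and ends outside this hunk). The patch header identifies this as CVE-2006-1056, but the Debian changelog entry added in this commit does not cite it, unlike the neighbouring CVE-2006-2272 entry.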

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	Sat May 20 05:44:12 2006
@@ -8,3 +8,4 @@
 + 214_mcast-ip-route-null-deref.diff
 + 215_sctp-fragment-recurse.diff
 + 216_sctp-fragmented-receive-fix.diff
++ 217_amd64-fp-reg-leak.diff


