what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FreeBSD-SA-06-14.fpu.txt

FreeBSD-SA-06-14.fpu.txt
Posted Apr 26, 2006
Site freebsd.org

FreeBSD Security Advisory FreeBSD-SA-06:14.fpu - FPU information disclosure: On affected processors, a local attacker can monitor the execution path of a process which uses floating-point operations. This may allow an attacker to steal cryptographic keys or other sensitive information.

tags | local, info disclosure
systems | freebsd
SHA-256 | 7a90ad481bb181822f4882bcd4d2e967f8919ef69c8cce7ee8b546a06c7dd4b9

FreeBSD-SA-06-14.fpu.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:14.fpu Security Advisory
The FreeBSD Project

Topic: FPU information disclosure

Category: core
Module: sys
Announced: 2006-04-19
Credits: Jan Beulich
Affects: All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected: 2006-04-19 07:00:35 UTC (RELENG_6, 6.1-STABLE)
2006-04-19 07:00:50 UTC (RELENG_6_1, 6.1-RELEASE)
2006-04-19 07:01:12 UTC (RELENG_6_0, 6.0-RELEASE-p7)
2006-04-19 07:01:30 UTC (RELENG_5, 5.5-STABLE)
2006-04-19 07:01:53 UTC (RELENG_5_4, 5.4-RELEASE-p14)
2006-04-19 07:02:23 UTC (RELENG_5_3, 5.3-RELEASE-p29)
2006-04-19 07:02:43 UTC (RELENG_4, 4.11-STABLE)
2006-04-19 07:03:01 UTC (RELENG_4_11, 4.11-RELEASE-p17)
2006-04-19 07:03:14 UTC (RELENG_4_10, 4.10-RELEASE-p23)
CVE Name: CVE-2006-1056

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The floating-point unit (FPU) of i386 and amd64 processors is derived from
the original 8087 floating-point co-processor. As a result, the FPU
contains the same debugging registers FOP, FIP, and FDP which store the
opcode, instruction address, and data address of the instruction most
recently executed by the FPU.

On processors implementing the "SSE" instruction set, a new pair of
instructions fxsave/fxrstor replaces the earlier fsave/frstor pair used
for saving and restoring the FPU state. These new instructions also
save and restore the contents of the additional registers used by SSE
instructions.

II. Problem Description

On "7th generation" and "8th generation" processors manufactured by AMD,
including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64
FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do
not save and restore the FOP, FIP, and FDP registers unless the exception
summary bit (ES) in the x87 status word is set to 1, indicating that an
unmasked x87 exception has occurred.

This behaviour is consistent with documentation provided by AMD, but is
different from processors from other vendors, which save and restore the
FOP, FIP, and FDP registers regardless of the value of the ES bit. As a
result of this discrepancy remaining unnoticed until now, the FreeBSD
kernel does not restore the contents of the FOP, FIP, and FDP registers
between context switches.

III. Impact

On affected processors, a local attacker can monitor the execution path
of a process which uses floating-point operations. This may allow an
attacker to steal cryptographic keys or other sensitive information.

IV. Workaround

No workaround is available, but systems which do not use AMD Athlon, Duron,
Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron
processors are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch.asc

[FreeBSD 5.x and 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/sys/i386/isa/npx.c 1.80.2.4
RELENG_4_11
src/UPDATING 1.73.2.91.2.18
src/sys/conf/newvers.sh 1.44.2.39.2.21
src/sys/i386/isa/npx.c 1.80.2.3.14.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.24
src/sys/conf/newvers.sh 1.44.2.34.2.25
src/sys/i386/isa/npx.c 1.80.2.3.12.1
RELENG_5
src/sys/amd64/amd64/fpu.c 1.154.2.2
src/sys/i386/isa/npx.c 1.152.2.4
RELENG_5_4
src/UPDATING 1.342.2.24.2.23
src/sys/conf/newvers.sh 1.62.2.18.2.19
src/sys/amd64/amd64/fpu.c 1.154.2.1.2.1
src/sys/i386/isa/npx.c 1.152.2.3.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.32
src/sys/conf/newvers.sh 1.62.2.15.2.34
src/sys/amd64/amd64/fpu.c 1.154.4.1
src/sys/i386/isa/npx.c 1.152.4.1
RELENG_6
src/sys/amd64/amd64/fpu.c 1.157.2.1
src/sys/i386/isa/npx.c 1.162.2.2
RELENG_6_1
src/UPDATING 1.416.2.22.2.1
src/sys/conf/newvers.sh 1.69.2.11.2.1
src/sys/amd64/amd64/fpu.c 1.157.6.1
src/sys/i386/isa/npx.c 1.162.2.1.2.1
RELENG_6_0
src/UPDATING 1.416.2.3.2.12
src/sys/conf/newvers.sh 1.69.2.8.2.8
src/sys/amd64/amd64/fpu.c 1.157.4.1
src/sys/i386/isa/npx.c 1.162.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:14.fpu.asc

VIII. Acknowledgements

The FreeBSD Security Team would like to thank AMD, and Richard Brunner
specifically, for responding promptly to this issue and providing an
extensive response analyzing the problem.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEReGUFdaIBMps37IRAnmUAJ4lsl3bpH6duA5u/wssIa01o98BlwCgleWn
a1vJCiLwkkfqHtmBDKxaQ+A=
=4yls
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close