From security-advisories@freebsd.org Wed Apr 19 11:09:37 2006 From: FreeBSD Security Advisories To: Bugtraq Date: Wed, 19 Apr 2006 07:11:27 GMT Subject: FreeBSD Security Advisory FreeBSD-SA-06:14.fpu -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:14.fpu Security Advisory The FreeBSD Project Topic: FPU information disclosure Category: core Module: sys Announced: 2006-04-19 Credits: Jan Beulich Affects: All FreeBSD/i386 and FreeBSD/amd64 releases. Corrected: 2006-04-19 07:00:35 UTC (RELENG_6, 6.1-STABLE) 2006-04-19 07:00:50 UTC (RELENG_6_1, 6.1-RELEASE) 2006-04-19 07:01:12 UTC (RELENG_6_0, 6.0-RELEASE-p7) 2006-04-19 07:01:30 UTC (RELENG_5, 5.5-STABLE) 2006-04-19 07:01:53 UTC (RELENG_5_4, 5.4-RELEASE-p14) 2006-04-19 07:02:23 UTC (RELENG_5_3, 5.3-RELEASE-p29) 2006-04-19 07:02:43 UTC (RELENG_4, 4.11-STABLE) 2006-04-19 07:03:01 UTC (RELENG_4_11, 4.11-RELEASE-p17) 2006-04-19 07:03:14 UTC (RELENG_4_10, 4.10-RELEASE-p23) CVE Name: CVE-2006-1056 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The floating-point unit (FPU) of i386 and amd64 processors is derived from the original 8087 floating-point co-processor. As a result, the FPU contains the same debugging registers FOP, FIP, and FDP which store the opcode, instruction address, and data address of the instruction most recently executed by the FPU. On processors implementing the "SSE" instruction set, a new pair of instructions fxsave/fxrstor replaces the earlier fsave/frstor pair used for saving and restoring the FPU state. These new instructions also save and restore the contents of the additional registers used by SSE instructions. II. Problem Description On "7th generation" and "8th generation" processors manufactured by AMD, including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do not save and restore the FOP, FIP, and FDP registers unless the exception summary bit (ES) in the x87 status word is set to 1, indicating that an unmasked x87 exception has occurred. This behaviour is consistent with documentation provided by AMD, but is different from processors from other vendors, which save and restore the FOP, FIP, and FDP registers regardless of the value of the ES bit. As a result of this discrepancy remaining unnoticed until now, the FreeBSD kernel does not restore the contents of the FOP, FIP, and FDP registers between context switches. III. Impact On affected processors, a local attacker can monitor the execution path of a process which uses floating-point operations. This may allow an attacker to steal cryptographic keys or other sensitive information. IV. Workaround No workaround is available, but systems which do not use AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron processors are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, 5.4, and 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch.asc [FreeBSD 5.x and 6.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/sys/i386/isa/npx.c 1.80.2.4 RELENG_4_11 src/UPDATING 1.73.2.91.2.18 src/sys/conf/newvers.sh 1.44.2.39.2.21 src/sys/i386/isa/npx.c 1.80.2.3.14.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.24 src/sys/conf/newvers.sh 1.44.2.34.2.25 src/sys/i386/isa/npx.c 1.80.2.3.12.1 RELENG_5 src/sys/amd64/amd64/fpu.c 1.154.2.2 src/sys/i386/isa/npx.c 1.152.2.4 RELENG_5_4 src/UPDATING 1.342.2.24.2.23 src/sys/conf/newvers.sh 1.62.2.18.2.19 src/sys/amd64/amd64/fpu.c 1.154.2.1.2.1 src/sys/i386/isa/npx.c 1.152.2.3.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.32 src/sys/conf/newvers.sh 1.62.2.15.2.34 src/sys/amd64/amd64/fpu.c 1.154.4.1 src/sys/i386/isa/npx.c 1.152.4.1 RELENG_6 src/sys/amd64/amd64/fpu.c 1.157.2.1 src/sys/i386/isa/npx.c 1.162.2.2 RELENG_6_1 src/UPDATING 1.416.2.22.2.1 src/sys/conf/newvers.sh 1.69.2.11.2.1 src/sys/amd64/amd64/fpu.c 1.157.6.1 src/sys/i386/isa/npx.c 1.162.2.1.2.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.12 src/sys/conf/newvers.sh 1.69.2.8.2.8 src/sys/amd64/amd64/fpu.c 1.157.4.1 src/sys/i386/isa/npx.c 1.162.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:14.fpu.asc VIII. Acknowledgements The FreeBSD Security Team would like to thank AMD, and Richard Brunner specifically, for responding promptly to this issue and providing an extensive response analyzing the problem. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (FreeBSD) iD8DBQFEReGUFdaIBMps37IRAnmUAJ4lsl3bpH6duA5u/wssIa01o98BlwCgleWn a1vJCiLwkkfqHtmBDKxaQ+A= =4yls -----END PGP SIGNATURE-----