Date: Sat, 20 May 2006 01:26:53 +0300
From: Rostislav Krasny <rosti.bsd@gmail.com>
To: Colin Percival <cperciva@freebsd.org>, David Xu <davidxu@freebsd.org>
Cc: Igor Sysoev <is@rambler-co.ru>, freebsd-current@freebsd.org
Subject: [PATCH] FreeBSD-SA-06:14.fpu
Message-ID: <20060520012653.41cf7366.rosti.bsd@gmail.com>
In-Reply-To: <20060519210105.d4418b6f.rosti.bsd@gmail.com>
References: <20060430142408.fcd60069.rosti.bsd@gmail.com> <200605191705.07309.davidxu@freebsd.org> <20060519123406.3cdf83e1.rosti.bsd@gmail.com> <200605191739.41048.davidxu@freebsd.org> <20060519204125.05d23337.rosti.bsd@gmail.com> <20060519210105.d4418b6f.rosti.bsd@gmail.com>
Ok, here is the patch, attached to this email.

I tested it on my i386 6.1-STABLE with GENERIC and with a custom MYKERNEL. MYKERNEL doesn't have "options CPU_FXSAVE_LEAK" and it is also attached to this email. I changed FXSAVE_LEAK to CPU_FXSAVE_LEAK for consistency with other CPU_* options. I don't have any amd64 machine, so I didn't test this patch on that architecture. Could somebody with amd64 test it?

By the way, the following command could be used to check how the kernel has been compiled, regarding the CPU_FXSAVE_LEAK option:

    objdump -x /boot/kernel/kernel | grep fpu_clean_state

--Multipart=_Sat__20_May_2006_01_26_53_+0300_/HzafvSPueaQf3V8 Content-Type: text/plain; name="fpu.diff" Content-Disposition: attachment; filename="fpu.diff" Content-Transfer-Encoding: 7bit
diff -ru src/sys.orig/amd64/amd64/fpu.c src/sys/amd64/amd64/fpu.c --- src/sys.orig/amd64/amd64/fpu.c Sun Apr 23 00:16:39 2006 +++ src/sys/amd64/amd64/fpu.c Fri May 19 21:25:45 2006 @@ -33,6 +33,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD: src/sys/amd64/amd64/fpu.c,v 1.157.2.1 2006/04/19 07:00:35 cperciva Exp $"); +#include "opt_cpu.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/bus.h> @@ -96,7 +98,9 @@ typedef u_char bool_t; +#ifdef CPU_FXSAVE_LEAK static void fpu_clean_state(void); +#endif int hw_float = 1; SYSCTL_INT(_hw,HW_FLOATINGPT, floatingpoint, @@ -409,7 +413,9 @@ PCPU_SET(fpcurthread, curthread); pcb = PCPU_GET(curpcb); +#ifdef CPU_FXSAVE_LEAK fpu_clean_state(); +#endif if ((pcb->pcb_flags & PCB_FPUINITDONE) == 0) { /* @@ -478,7 +484,9 @@ s = intr_disable(); if (td == PCPU_GET(fpcurthread)) { +#ifdef CPU_FXSAVE_LEAK fpu_clean_state(); +#endif fxrstor(addr); intr_restore(s); } else { 
@@ -488,6 +496,7 @@ curthread->td_pcb->pcb_flags |= PCB_FPUINITDONE; } +#ifdef CPU_FXSAVE_LEAK /* * On AuthenticAMD processors, the fxrstor instruction does not restore * the x87's stored last instruction pointer, last data pointer, and last @@ -518,6 +527,7 @@ */ __asm __volatile("ffree %%st(7); fld %0" : : "m" (dummy_variable)); } +#endif /* CPU_FXSAVE_LEAK */ /* * This really sucks. We want the acpi version only, but it requires diff -ru src/sys.orig/amd64/conf/GENERIC src/sys/amd64/conf/GENERIC --- src/sys.orig/amd64/conf/GENERIC Mon May 1 11:47:20 2006 +++ src/sys/amd64/conf/GENERIC Fri May 19 21:59:19 2006 @@ -22,6 +22,8 @@ cpu HAMMER ident GENERIC +options CPU_FXSAVE_LEAK # FreeBSD-SA-06:14.fpu fix for AMD + # To statically compile in device wiring instead of /boot/device.hints #hints "GENERIC.hints" # Default places to look for devices. diff -ru src/sys.orig/amd64/conf/NOTES src/sys/amd64/conf/NOTES --- src/sys.orig/amd64/conf/NOTES Mon May 1 11:47:20 2006 +++ src/sys/amd64/conf/NOTES Fri May 19 22:04:44 2006 @@ -57,6 +57,12 @@ # Options for CPU features. # +# CPU_FXSAVE_LEAK enables security workaround of FPU registers leak by FXSAVE +# and FXRSTOR instructions of "7th generation" and "8th generation" processors +# manufactured by AMD. For more information read a FreeBSD-SA-06:14.fpu +# security advisory. +options CPU_FXSAVE_LEAK + # # PERFMON causes the driver for Pentium/Pentium Pro performance counters # to be compiled. See perfmon(4) for more information. diff -ru src/sys.orig/conf/options.amd64 src/sys/conf/options.amd64 --- src/sys.orig/conf/options.amd64 Thu Jun 30 02:23:16 2005 +++ src/sys/conf/options.amd64 Fri May 19 21:03:35 2006 
@@ -49,6 +49,7 @@ # EOF # ------------------------------- HAMMER opt_cpu.h +CPU_FXSAVE_LEAK opt_cpu.h PPC_PROBE_CHIPSET opt_ppc.h PPC_DEBUG opt_ppc.h PSM_HOOKRESUME opt_psm.h diff -ru src/sys.orig/conf/options.i386 src/sys/conf/options.i386 --- src/sys.orig/conf/options.i386 Sat Jul 2 23:06:42 2005 +++ src/sys/conf/options.i386 Fri May 19 20:46:27 2006 @@ -52,6 +52,7 @@ CPU_ELAN_XTAL opt_cpu.h CPU_ENABLE_LONGRUN opt_cpu.h CPU_FASTER_5X86_FPU opt_cpu.h +CPU_FXSAVE_LEAK opt_cpu.h CPU_GEODE opt_cpu.h CPU_I486_ON_386 opt_cpu.h CPU_IORT opt_cpu.h diff -ru src/sys.orig/i386/conf/GENERIC src/sys/i386/conf/GENERIC --- src/sys.orig/i386/conf/GENERIC Mon May 1 11:48:01 2006 +++ src/sys/i386/conf/GENERIC Fri May 19 21:58:25 2006 @@ -24,6 +24,8 @@ cpu I686_CPU ident GENERIC +options CPU_FXSAVE_LEAK # FreeBSD-SA-06:14.fpu fix for AMD + # To statically compile in device wiring instead of /boot/device.hints #hints "GENERIC.hints" # Default places to look for devices. diff -ru src/sys.orig/i386/conf/NOTES src/sys/i386/conf/NOTES --- src/sys.orig/i386/conf/NOTES Thu May 11 15:41:40 2006 +++ src/sys/i386/conf/NOTES Fri May 19 22:23:11 2006 @@ -118,6 +118,11 @@ # # CPU_FASTER_5X86_FPU enables faster FPU exception handler. # +# CPU_FXSAVE_LEAK enables security workaround of FPU registers leak by FXSAVE +# and FXRSTOR instructions of "7th generation" and "8th generation" processors +# manufactured by AMD. For more information read a FreeBSD-SA-06:14.fpu +# security advisory. +# # CPU_GEODE is for the SC1100 Geode embedded processor. This option # is necessary because the i8254 timecounter is toast. # @@ -192,6 +197,7 @@ options CPU_ELAN_XTAL=32768000 options CPU_ENABLE_LONGRUN options CPU_FASTER_5X86_FPU +options CPU_FXSAVE_LEAK options CPU_GEODE options CPU_I486_ON_386 options CPU_IORT diff -ru src/sys.orig/i386/isa/npx.c src/sys/i386/isa/npx.c --- src/sys.orig/i386/isa/npx.c Mon May 1 11:48:01 2006 +++ src/sys/i386/isa/npx.c Fri May 19 21:18:23 2006 
@@ -142,7 +142,7 @@ typedef u_char bool_t; -#ifdef CPU_ENABLE_SSE +#if defined(CPU_ENABLE_SSE) && defined(CPU_FXSAVE_LEAK) static void fpu_clean_state(void); #endif @@ -956,7 +956,7 @@ fnsave(addr); } -#ifdef CPU_ENABLE_SSE +#if defined(CPU_ENABLE_SSE) && defined(CPU_FXSAVE_LEAK) /* * On AuthenticAMD processors, the fxrstor instruction does not restore * the x87's stored last instruction pointer, last data pointer, and last @@ -987,7 +987,7 @@ */ __asm __volatile("ffree %%st(7); fld %0" : : "m" (dummy_variable)); } -#endif /* CPU_ENABLE_SSE */ +#endif /* CPU_ENABLE_SSE && CPU_FXSAVE_LEAK */ static void fpurstor(addr) 
@@ -996,7 +996,9 @@ #ifdef CPU_ENABLE_SSE if (cpu_fxsr) { +#ifdef CPU_FXSAVE_LEAK fpu_clean_state(); +#endif fxrstor(addr); } else #endif
--Multipart=_Sat__20_May_2006_01_26_53_+0300_/HzafvSPueaQf3V8 Content-Type: text/plain; name="MYKERNEL" Content-Disposition: attachment; filename="MYKERNEL" Content-Transfer-Encoding: 7bit

machine i386
cpu I686_CPU
ident MYKERNEL

#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols

options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options PQ_CACHESIZE=256 # L2 cache size in Kb
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.

device apic # I/O APIC

# Bus support.
device pci

# Floppy drives
device fdc

# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse

device vga # VGA video card driver

# syscons is the default console driver, resembling an SCO console
device sc

device agp # support several AGP chipsets

# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer

# Serial (COM) ports
device sio # 8250, 16[45]50 based serial ports

# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer

# Sound
device sound # Generic sound driver
device snd_ich # Intel ICH PCI embedded audio in a chipset

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device pty # Pseudo-ttys (telnet etc)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter

# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device ugen # Generic
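
Review bot: In src/sys/amd64/amd64/fpu.c, hunk @@ -409,7 +413,9 @@ (and the same pattern in @@ -478,7 +484,9 @@), the fpu_clean_state() call that used to be unconditional is now compiled only under CPU_FXSAVE_LEAK, so an amd64 kernel built from any config that lacks "options CPU_FXSAVE_LEAK" silently loses the FreeBSD-SA-06:14.fpu workaround. The patch adds the option to GENERIC and NOTES only, and a custom config that was protected before the change is unprotected after it. Consider keeping the workaround as the default and letting an option remove it, or at least announce the new requirement to people who maintain their own kernel configs.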
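
Review bot: The comment added to src/sys/amd64/conf/NOTES in hunk @@ -57,6 +57,12 @@ does not say when the option can safely be left out, which matters now that the workaround can be compiled away. The fpu.c comment ties the problem to AuthenticAMD processors, so the NOTES text should state that any kernel which may run on an affected AMD CPU needs the option and that it should be omitted only for kernels that will never run on one. Wording nit in the same comment: "read a FreeBSD-SA-06:14.fpu security advisory" should be "see the FreeBSD-SA-06:14.fpu security advisory".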
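
Review bot: The CPU_FXSAVE_LEAK description added to src/sys/i386/conf/NOTES in hunk @@ -118,6 +118,11 @@ omits that on i386 the option has no effect unless CPU_ENABLE_SSE is also set. npx.c builds the function under "#if defined(CPU_ENABLE_SSE) && defined(CPU_FXSAVE_LEAK)" and the call in fpurstor() sits inside "#ifdef CPU_ENABLE_SSE". Add a sentence to the NOTES comment stating that dependency, so a reader does not assume the option alone enables the workaround.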
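
Review bot: src/sys/i386/isa/npx.c, hunk @@ -142,7 +142,7 @@, starts testing defined(CPU_FXSAVE_LEAK), but unlike the amd64 fpu.c change this patch adds no #include "opt_cpu.h" to the file. Please confirm that npx.c already includes that header above this line. If it does not, the test is always false, fpu_clean_state() is never built, and the kernel compiles cleanly without the workaround even when the option is set.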