Date: Sat, 20 May 2006 01:26:53 +0300 From: Rostislav Krasny <rosti.bsd@gmail.com> To: Colin Percival <cperciva@freebsd.org>, David Xu <davidxu@freebsd.org> Cc: Igor Sysoev <is@rambler-co.ru>, freebsd-current@freebsd.org Subject: [PATCH] FreeBSD-SA-06:14.fpu Message-ID: <20060520012653.41cf7366.rosti.bsd@gmail.com> In-Reply-To: <20060519210105.d4418b6f.rosti.bsd@gmail.com> References: <20060430142408.fcd60069.rosti.bsd@gmail.com> <200605191705.07309.davidxu@freebsd.org> <20060519123406.3cdf83e1.rosti.bsd@gmail.com> <200605191739.41048.davidxu@freebsd.org> <20060519204125.05d23337.rosti.bsd@gmail.com> <20060519210105.d4418b6f.rosti.bsd@gmail.com>
This is a multi-part message in MIME format.
--Multipart=_Sat__20_May_2006_01_26_53_+0300_/HzafvSPueaQf3V8
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
OK, here is the patch, attached to this email. I tested it on my i386
6.1-STABLE with GENERIC and with a custom MYKERNEL. MYKERNEL doesn't have
"options CPU_FXSAVE_LEAK"; it is also attached to this email. I changed
FXSAVE_LEAK to CPU_FXSAVE_LEAK for consistency with the other CPU_* options.
I don't have an amd64 machine, so I didn't test this patch on that
architecture. Could somebody with amd64 test it?
By the way, the following command can be used to check whether the kernel
was compiled with the CPU_FXSAVE_LEAK option:
objdump -x /boot/kernel/kernel | grep fpu_clean_state
--Multipart=_Sat__20_May_2006_01_26_53_+0300_/HzafvSPueaQf3V8
Content-Type: text/plain;
name="fpu.diff"
Content-Disposition: attachment;
filename="fpu.diff"
Content-Transfer-Encoding: 7bit
diff -ru src/sys.orig/amd64/amd64/fpu.c src/sys/amd64/amd64/fpu.c
--- src/sys.orig/amd64/amd64/fpu.c Sun Apr 23 00:16:39 2006
+++ src/sys/amd64/amd64/fpu.c Fri May 19 21:25:45 2006
@@ -33,6 +33,8 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/sys/amd64/amd64/fpu.c,v 1.157.2.1 2006/04/19 07:00:35 cperciva Exp $");
+#include "opt_cpu.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/bus.h>
@@ -96,7 +98,9 @@
typedef u_char bool_t;
+#ifdef CPU_FXSAVE_LEAK
static void fpu_clean_state(void);
+#endif
int hw_float = 1;
SYSCTL_INT(_hw,HW_FLOATINGPT, floatingpoint,
@@ -409,7 +413,9 @@
PCPU_SET(fpcurthread, curthread);
pcb = PCPU_GET(curpcb);
+#ifdef CPU_FXSAVE_LEAK
fpu_clean_state();
+#endif
if ((pcb->pcb_flags & PCB_FPUINITDONE) == 0) {
/*
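Review bot: Guarding the `fpu_clean_state()` call with `#ifdef CPU_FXSAVE_LEAK` turns the FreeBSD-SA-06:14.fpu workaround from always-on into opt-in, so a custom kernel config that is not updated with the new option loses the mitigation with no build-time warning. The same applies to the guarded call before `fxrstor(addr)` in the next hunk and to the one in `fpurstor()` in i386/isa/npx.c. If the aim is to spare unaffected CPUs the cost, a default-on arrangement (an option that disables the workaround, or a run-time CPU vendor check) would fail safe instead. At minimum, a comment at each guard such as `/* Without CPU_FXSAVE_LEAK the x87 last instruction/data pointers are not scrubbed before fxrstor; see FreeBSD-SA-06:14.fpu */` would make the trade-off visible. The enclosing function starts and ends outside this hunk.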
@@ -478,7 +484,9 @@
s = intr_disable();
if (td == PCPU_GET(fpcurthread)) {
+#ifdef CPU_FXSAVE_LEAK
fpu_clean_state();
+#endif
fxrstor(addr);
intr_restore(s);
} else {
@@ -488,6 +496,7 @@
curthread->td_pcb->pcb_flags |= PCB_FPUINITDONE;
}
+#ifdef CPU_FXSAVE_LEAK
/*
* On AuthenticAMD processors, the fxrstor instruction does not restore
* the x87's stored last instruction pointer, last data pointer, and last
@@ -518,6 +527,7 @@
*/
__asm __volatile("ffree %%st(7); fld %0" : : "m" (dummy_variable));
}
+#endif /* CPU_FXSAVE_LEAK */
/*
* This really sucks. We want the acpi version only, but it requires
diff -ru src/sys.orig/amd64/conf/GENERIC src/sys/amd64/conf/GENERIC
--- src/sys.orig/amd64/conf/GENERIC Mon May 1 11:47:20 2006
+++ src/sys/amd64/conf/GENERIC Fri May 19 21:59:19 2006
@@ -22,6 +22,8 @@
cpu HAMMER
ident GENERIC
+options CPU_FXSAVE_LEAK # FreeBSD-SA-06:14.fpu fix for AMD
+
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
diff -ru src/sys.orig/amd64/conf/NOTES src/sys/amd64/conf/NOTES
--- src/sys.orig/amd64/conf/NOTES Mon May 1 11:47:20 2006
+++ src/sys/amd64/conf/NOTES Fri May 19 22:04:44 2006
@@ -57,6 +57,12 @@
# Options for CPU features.
#
+# CPU_FXSAVE_LEAK enables security workaround of FPU registers leak by FXSAVE
+# and FXRSTOR instructions of "7th generation" and "8th generation" processors
+# manufactured by AMD. For more information read a FreeBSD-SA-06:14.fpu
+# security advisory.
+options CPU_FXSAVE_LEAK
+
#
# PERFMON causes the driver for Pentium/Pentium Pro performance counters
# to be compiled. See perfmon(4) for more information.
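Review bot: The new NOTES text says what CPU_FXSAVE_LEAK enables but not what happens when it is left out, which is the case a reader trimming a custom config needs to know. I would add one line to the comment, for example `# Kernels built without this option are not protected against FreeBSD-SA-06:14.fpu on those processors.` The i386 NOTES hunk carries the same wording and would benefit from the same addition.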
diff -ru src/sys.orig/conf/options.amd64 src/sys/conf/options.amd64
--- src/sys.orig/conf/options.amd64 Thu Jun 30 02:23:16 2005
+++ src/sys/conf/options.amd64 Fri May 19 21:03:35 2006
@@ -49,6 +49,7 @@
# EOF
# -------------------------------
HAMMER opt_cpu.h
+CPU_FXSAVE_LEAK opt_cpu.h
PPC_PROBE_CHIPSET opt_ppc.h
PPC_DEBUG opt_ppc.h
PSM_HOOKRESUME opt_psm.h
diff -ru src/sys.orig/conf/options.i386 src/sys/conf/options.i386
--- src/sys.orig/conf/options.i386 Sat Jul 2 23:06:42 2005
+++ src/sys/conf/options.i386 Fri May 19 20:46:27 2006
@@ -52,6 +52,7 @@
CPU_ELAN_XTAL opt_cpu.h
CPU_ENABLE_LONGRUN opt_cpu.h
CPU_FASTER_5X86_FPU opt_cpu.h
+CPU_FXSAVE_LEAK opt_cpu.h
CPU_GEODE opt_cpu.h
CPU_I486_ON_386 opt_cpu.h
CPU_IORT opt_cpu.h
diff -ru src/sys.orig/i386/conf/GENERIC src/sys/i386/conf/GENERIC
--- src/sys.orig/i386/conf/GENERIC Mon May 1 11:48:01 2006
+++ src/sys/i386/conf/GENERIC Fri May 19 21:58:25 2006
@@ -24,6 +24,8 @@
cpu I686_CPU
ident GENERIC
+options CPU_FXSAVE_LEAK # FreeBSD-SA-06:14.fpu fix for AMD
+
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
diff -ru src/sys.orig/i386/conf/NOTES src/sys/i386/conf/NOTES
--- src/sys.orig/i386/conf/NOTES Thu May 11 15:41:40 2006
+++ src/sys/i386/conf/NOTES Fri May 19 22:23:11 2006
@@ -118,6 +118,11 @@
#
# CPU_FASTER_5X86_FPU enables faster FPU exception handler.
#
+# CPU_FXSAVE_LEAK enables security workaround of FPU registers leak by FXSAVE
+# and FXRSTOR instructions of "7th generation" and "8th generation" processors
+# manufactured by AMD. For more information read a FreeBSD-SA-06:14.fpu
+# security advisory.
+#
# CPU_GEODE is for the SC1100 Geode embedded processor. This option
# is necessary because the i8254 timecounter is toast.
#
@@ -192,6 +197,7 @@
options CPU_ELAN_XTAL=32768000
options CPU_ENABLE_LONGRUN
options CPU_FASTER_5X86_FPU
+options CPU_FXSAVE_LEAK
options CPU_GEODE
options CPU_I486_ON_386
options CPU_IORT
diff -ru src/sys.orig/i386/isa/npx.c src/sys/i386/isa/npx.c
--- src/sys.orig/i386/isa/npx.c Mon May 1 11:48:01 2006
+++ src/sys/i386/isa/npx.c Fri May 19 21:18:23 2006
@@ -142,7 +142,7 @@
typedef u_char bool_t;
-#ifdef CPU_ENABLE_SSE
+#if defined(CPU_ENABLE_SSE) && defined(CPU_FXSAVE_LEAK)
static void fpu_clean_state(void);
#endif
@@ -956,7 +956,7 @@
fnsave(addr);
}
-#ifdef CPU_ENABLE_SSE
+#if defined(CPU_ENABLE_SSE) && defined(CPU_FXSAVE_LEAK)
/*
* On AuthenticAMD processors, the fxrstor instruction does not restore
* the x87's stored last instruction pointer, last data pointer, and last
@@ -987,7 +987,7 @@
*/
__asm __volatile("ffree %%st(7); fld %0" : : "m" (dummy_variable));
}
-#endif /* CPU_ENABLE_SSE */
+#endif /* CPU_ENABLE_SSE && CPU_FXSAVE_LEAK */
static void
fpurstor(addr)
@@ -996,7 +996,9 @@
#ifdef CPU_ENABLE_SSE
if (cpu_fxsr) {
+#ifdef CPU_FXSAVE_LEAK
fpu_clean_state();
+#endif
fxrstor(addr);
} else
#endif
--Multipart=_Sat__20_May_2006_01_26_53_+0300_/HzafvSPueaQf3V8
Content-Type: text/plain;
name="MYKERNEL"
Content-Disposition: attachment;
filename="MYKERNEL"
Content-Transfer-Encoding: 7bit
# MYKERNEL: custom i386 kernel configuration the author used to test the patch.
# NOTE(review): this file has no "options CPU_FXSAVE_LEAK" line, so with the
# patch applied a kernel built from it is compiled without the
# fpu_clean_state() workaround for FreeBSD-SA-06:14.fpu.
machine i386
cpu I686_CPU
ident MYKERNEL
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options PQ_CACHESIZE=256 # L2 cache size in Kb
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
device apic # I/O APIC
# Bus support.
device pci
# Floppy drives
device fdc
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID # Static device numbering
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
# syscons is the default console driver, resembling an SCO console
device sc
device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# Serial (COM) ports
device sio # 8250, 16[45]50 based serial ports
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
# Sound
device sound # Generic sound driver
device snd_ich # Intel ICH PCI embedded audio in a chipset
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device pty # Pseudo-ttys (telnet etc)
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device ugen # Generic
--Multipart=_Sat__20_May_2006_01_26_53_+0300_/HzafvSPueaQf3V8--
