Date: Tue, 11 Jan 2022 19:38:52 +0000 (UTC) From: FreeBSD Errata Notices <errata-notices@freebsd.org> To: FreeBSD Errata Notices <errata-notices@freebsd.org> Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-22:02.xsave Message-ID: <20220111193852.3BBF21D8DD@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-22:02.xsave Errata Notice The FreeBSD Project Topic: Incorrect XSAVE state size Category: core Module: kernel Announced: 2022-01-11 Affects: All supported versions of FreeBSD. Corrected: 2021-12-12 02:49:50 UTC (stable/13, 13.0-STABLE) 2022-01-11 18:14:58 UTC (releng/13.0, 13.0-RELEASE-p6) 2021-12-12 02:49:50 UTC (stable/12, 12.3-STABLE) 2022-01-11 18:19:21 UTC (releng/12.3, 12.3-RELEASE-p1) 2022-01-11 18:33:11 UTC (releng/12.2, 12.2-RELEASE-p12) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background Contemporary x86 CPUs support the XSAVE instruction, "Save Processor Extended tates." Some but not all CPUs support the so-called init optimization for XSAVE. The optimization means that the CPU may not write all of the state on XSAVE, and indicates that it did not in xstate_bv. Whether or not this happens depends on "complex internal microarchitectural conditions." On signal delivery, the OS provides the saved context interrupted by the signal to the signal handler. The context includes all CPU state available to userspace, including FPU registers (XSAVE area). Also, upon return from the signal handler, the saved context is restored, which allows the handler to modify the main program flow. When the init optimization kicks in, the OS tries to hide the effects of the init state optimization from the signal handler by filling in parts of the XSAVE area. The CPU reports sizes of some of the XSAVE state regions, but two of them are fixed and must be hard-coded by the kernel. II. Problem Description The hard-coded size for state region 1 (SSE/XMM) was incorrect, effectively filling the xmm8 through xmm15 registers with arbitrary values on signal return when the init optimization occurred. III. Impact On amd64 and i386 systems, application memory may become corrupted, leading to incorrect behaviour. Other platforms are not affected. IV. Workaround Use of XSAVEOPT may be disabled by adding the following line to loader.conf: hw.cpu_stdext_disable=0x1 V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for an errata update" 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-22:02/xsave.patch # fetch https://security.FreeBSD.org/patches/EN-22:02/xsave.patch.asc # gpg --verify xsave.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ 1d6ebddb62bc stable/13-n248578 releng/13.0/ f2caded7f590 releng/13.0-n244769 stable/12/ r371242 releng/12.3/ r371483 releng/12.2/ r371488 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://reviews.freebsd.org/D33390> <URL:https://github.com/golang/go/issues/46272> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:02.xsave.asc> -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd2CUACgkQ05eS9J6n 5cKE+w//bOsl0ry/Vx4OaIFzX52Blp6iu5nYoSwFu9wipTq5d07xL+UhXT3bbnRN yzxJz4KLkBlBaorwN0OX9N3/bjErOq10QMzzcX2jQnvixgIhV9oxqZoOoMcehfVp 9L2yo1JNhXkn0ysKU2ysxpi1F/9t9xATcqxxC1PuSbl1N143qTnmRB5EWDi9Ygan sjFgBhcTmfz3gATxwKP0hz25KaXO+/0WwZzYHCnGYncPnfh12OgKCkMDi6H2v54R 7+Rl0JtbycK257UIACki/s1FgbiIXkQuPLILD3YBn1kuXFPDhlIBKeK4NLu0G5DQ 6vqYHKrP5RssGsXdROVpjTe4eO1VkKQAkMI9NHCo6SOStbHcOqiB0bdz0TuGYyQN uhI5we2tqDb6uhZBi0az4c+yKp58d+2dF8DizRKGelDjDNby/1L09XAiybnR8liN YcHPV/v0Sx/QPjX9sfutMkhtpw28OdPeqoAQyzW9+VSeTC4z61CDmFi9qrN7Vpne KIvLbgaBYFMSsN4oeG5CfZzlemLNkk8R+5JKmPCxoewX9r7jj2gr9yMqXcmQhjyR 46z0Xp9JL0ovYzvfA9g0nV9tPxmRsAuOL2k7C4nPI38kXbCUlOuCjcNc7EP/gdfi e7sNXtXwzRDWgO4ipHfLeqzmAnxXy42vFpD2Be5RjbsqXdcH+6I= =ejFK -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20220111193852.3BBF21D8DD>