SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   OS (UNIX)  >   FreeBSD Kernel Vendors:   FreeBSD
FreeBSD Floating Point Unit Kernel Implementation Error May Let Local Users Obtain Sensitive Information
SecurityTracker Alert ID:  1015966
SecurityTracker URL:  http://securitytracker.com/id/1015966
CVE Reference:   CVE-2006-1056   (Links to External Site)
Date:  Apr 19 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.10, 4.11, 5.3, 5.4, 5.5, 6.0, 6.1
Description:   A vulnerability was reported in FreeBSD when running on AMD processors. A local user may be able to obtain sensitive information.

On "7th generation" and "8th generation" processors manufactured by AMD, the fxsave and fxrstor instructions do not save and restore the FOP, FIP, and FDP registers unless the exception summary bit (ES) in the x87 status word is set (whereas other processors store this information regardless of the ES bit).

As a result, the FreeBSD kernel does not restore the contents of the FOP, FIP, and FDP registers between context switches. This may allow a local user to monitor the execution path of a process that uses floating-point operations to obtain potentially sensitive information.

Systems that do not use AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron processors are not affected.

The vendor credits Jan Beulich with reporting this vulnerability.

Impact:   A local user can monitor the execution path of a process that uses floating-point operations, which may allow the user to obtain cryptographic keys or other potentially sensitive information.
Solution:   The vendor has issued a fix and has provided the following solution information [quoted]:

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch.asc

[FreeBSD 5.x and 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

The FreeBSD advisory is available at:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:14.fpu.asc

Vendor URL:  www.freebsd.org/ (Links to External Site)
Cause:   Access control error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 8 2006 (NetBSD Issues Fix) FreeBSD Floating Point Unit Kernel Implementation Error May Let Local Users Obtain Sensitive Information
NetBSD has issued a fix.
Jul 13 2006 (Red Hat Issues Fix) FreeBSD Floating Point Unit Kernel Implementation Error May Let Local Users Obtain Sensitive Information
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, which is affected by this AMD-based floating point vulnerability.
Aug 11 2006 (Red Hat Issues Fix) FreeBSD Floating Point Unit Kernel Implementation Error May Let Local Users Obtain Sensitive Information
Red Hat has released a fix for Red Hat Enterprise Linux 4, which is affected by this AMD-based floating point vulnerability.



 Source Message Contents

Subject:  FreeBSD Security Advisory FreeBSD-SA-06:14.fpu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:14.fpu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          FPU information disclosure

Category:       core
Module:         sys
Announced:      2006-04-19
Credits:        Jan Beulich
Affects:        All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected:      2006-04-19 07:00:35 UTC (RELENG_6, 6.1-STABLE)
                2006-04-19 07:00:50 UTC (RELENG_6_1, 6.1-RELEASE)
                2006-04-19 07:01:12 UTC (RELENG_6_0, 6.0-RELEASE-p7)
                2006-04-19 07:01:30 UTC (RELENG_5, 5.5-STABLE)
                2006-04-19 07:01:53 UTC (RELENG_5_4, 5.4-RELEASE-p14)
                2006-04-19 07:02:23 UTC (RELENG_5_3, 5.3-RELEASE-p29)
                2006-04-19 07:02:43 UTC (RELENG_4, 4.11-STABLE)
                2006-04-19 07:03:01 UTC (RELENG_4_11, 4.11-RELEASE-p17)
                2006-04-19 07:03:14 UTC (RELENG_4_10, 4.10-RELEASE-p23)
CVE Name:       CVE-2006-1056

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The floating-point unit (FPU) of i386 and amd64 processors is derived from
the original 8087 floating-point co-processor.  As a result, the FPU
contains the same debugging registers FOP, FIP, and FDP which store the
opcode, instruction address, and data address of the instruction most
recently executed by the FPU.

On processors implementing the "SSE" instruction set, a new pair of
instructions fxsave/fxrstor replaces the earlier fsave/frstor pair used
for saving and restoring the FPU state.  These new instructions also
save and restore the contents of the additional registers used by SSE
instructions.

II.  Problem Description

On "7th generation" and "8th generation" processors manufactured by AMD,
including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64
FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do
not save and restore the FOP, FIP, and FDP registers unless the exception
summary bit (ES) in the x87 status word is set to 1, indicating that an
unmasked x87 exception has occurred.

This behaviour is consistent with documentation provided by AMD, but is
different from processors from other vendors, which save and restore the
FOP, FIP, and FDP registers regardless of the value of the ES bit.  As a
result of this discrepancy remaining unnoticed until now, the FreeBSD
kernel does not restore the contents of the FOP, FIP, and FDP registers
between context switches.

III. Impact

On affected processors, a local attacker can monitor the execution path
of a process which uses floating-point operations.  This may allow an
attacker to steal cryptographic keys or other sensitive information.

IV.  Workaround

No workaround is available, but systems which do not use AMD Athlon, Duron,
Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron
processors are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch.asc

[FreeBSD 5.x and 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/i386/isa/npx.c                                         1.80.2.4
RELENG_4_11
  src/UPDATING                                             1.73.2.91.2.18
  src/sys/conf/newvers.sh                                  1.44.2.39.2.21
  src/sys/i386/isa/npx.c                                    1.80.2.3.14.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.24
  src/sys/conf/newvers.sh                                  1.44.2.34.2.25
  src/sys/i386/isa/npx.c                                    1.80.2.3.12.1
RELENG_5
  src/sys/amd64/amd64/fpu.c                                     1.154.2.2
  src/sys/i386/isa/npx.c                                        1.152.2.4
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.23
  src/sys/conf/newvers.sh                                  1.62.2.18.2.19
  src/sys/amd64/amd64/fpu.c                                 1.154.2.1.2.1
  src/sys/i386/isa/npx.c                                    1.152.2.3.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.32
  src/sys/conf/newvers.sh                                  1.62.2.15.2.34
  src/sys/amd64/amd64/fpu.c                                     1.154.4.1
  src/sys/i386/isa/npx.c                                        1.152.4.1
RELENG_6
  src/sys/amd64/amd64/fpu.c                                     1.157.2.1
  src/sys/i386/isa/npx.c                                        1.162.2.2
RELENG_6_1
  src/UPDATING                                             1.416.2.22.2.1
  src/sys/conf/newvers.sh                                   1.69.2.11.2.1
  src/sys/amd64/amd64/fpu.c                                     1.157.6.1
  src/sys/i386/isa/npx.c                                    1.162.2.1.2.1
RELENG_6_0
  src/UPDATING                                             1.416.2.3.2.12
  src/sys/conf/newvers.sh                                    1.69.2.8.2.8
  src/sys/amd64/amd64/fpu.c                                     1.157.4.1
  src/sys/i386/isa/npx.c                                        1.162.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:14.fpu.asc

VIII. Acknowledgements

The FreeBSD Security Team would like to thank AMD, and Richard Brunner
specifically, for responding promptly to this issue and providing an
extensive response analyzing the problem.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEReGUFdaIBMps37IRAnmUAJ4lsl3bpH6duA5u/wssIa01o98BlwCgleWn
a1vJCiLwkkfqHtmBDKxaQ+A=
=4yls
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC