-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2006.0272 -- [FreeBSD]
                        FPU information disclosure
                               20 April 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kernel
Publisher:         FreeBSD
Operating System:  FreeBSD 4.10, 4.11, 5.3, 5.4, 6.0
Platform:          AMD Athlon
                   Duron
                   Athlon MP
                   Athlon XP
                   Athlon64
                   Athlon64 FX
                   Opteron
                   Turion
                   Sempron
Impact:            Access Confidential Data
Access:            Existing Account
CVE Names:         CVE-2006-1056

Original Bulletin: 
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:14.fpu.asc

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:14.fpu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          FPU information disclosure

Category:       core
Module:         sys
Announced:      2006-04-19
Credits:        Jan Beulich
Affects:        All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected:      2006-04-19 07:00:35 UTC (RELENG_6, 6.1-STABLE)
                2006-04-19 07:00:50 UTC (RELENG_6_1, 6.1-RELEASE)
                2006-04-19 07:01:12 UTC (RELENG_6_0, 6.0-RELEASE-p7)
                2006-04-19 07:01:30 UTC (RELENG_5, 5.5-STABLE)
                2006-04-19 07:01:53 UTC (RELENG_5_4, 5.4-RELEASE-p14)
                2006-04-19 07:02:23 UTC (RELENG_5_3, 5.3-RELEASE-p29)
                2006-04-19 07:02:43 UTC (RELENG_4, 4.11-STABLE)
                2006-04-19 07:03:01 UTC (RELENG_4_11, 4.11-RELEASE-p17)
                2006-04-19 07:03:14 UTC (RELENG_4_10, 4.10-RELEASE-p23)
CVE Name:       CVE-2006-1056

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The floating-point unit (FPU) of i386 and amd64 processors is derived from
the original 8087 floating-point co-processor.  As a result, the FPU
contains the same debugging registers FOP, FIP, and FDP which store the
opcode, instruction address, and data address of the instruction most
recently executed by the FPU.

On processors implementing the "SSE" instruction set, a new pair of
instructions fxsave/fxrstor replaces the earlier fsave/frstor pair used
for saving and restoring the FPU state.  These new instructions also
save and restore the contents of the additional registers used by SSE
instructions.

II.  Problem Description

On "7th generation" and "8th generation" processors manufactured by AMD,
including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64
FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do
not save and restore the FOP, FIP, and FDP registers unless the exception
summary bit (ES) in the x87 status word is set to 1, indicating that an
unmasked x87 exception has occurred.

This behaviour is consistent with documentation provided by AMD, but is
different from processors from other vendors, which save and restore the
FOP, FIP, and FDP registers regardless of the value of the ES bit.  As a
result of this discrepancy remaining unnoticed until now, the FreeBSD
kernel does not restore the contents of the FOP, FIP, and FDP registers
between context switches.

III. Impact

On affected processors, a local attacker can monitor the execution path
of a process which uses floating-point operations.  This may allow an
attacker to steal cryptographic keys or other sensitive information.

IV.  Workaround

No workaround is available, but systems which do not use AMD Athlon, Duron,
Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron
processors are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu4x.patch.asc

[FreeBSD 5.x and 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:14/fpu.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- - -------------------------------------------------------------------------
RELENG_4
  src/sys/i386/isa/npx.c                                         1.80.2.4
RELENG_4_11
  src/UPDATING                                             1.73.2.91.2.18
  src/sys/conf/newvers.sh                                  1.44.2.39.2.21
  src/sys/i386/isa/npx.c                                    1.80.2.3.14.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.24
  src/sys/conf/newvers.sh                                  1.44.2.34.2.25
  src/sys/i386/isa/npx.c                                    1.80.2.3.12.1
RELENG_5
  src/sys/amd64/amd64/fpu.c                                     1.154.2.2
  src/sys/i386/isa/npx.c                                        1.152.2.4
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.23
  src/sys/conf/newvers.sh                                  1.62.2.18.2.19
  src/sys/amd64/amd64/fpu.c                                 1.154.2.1.2.1
  src/sys/i386/isa/npx.c                                    1.152.2.3.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.32
  src/sys/conf/newvers.sh                                  1.62.2.15.2.34
  src/sys/amd64/amd64/fpu.c                                     1.154.4.1
  src/sys/i386/isa/npx.c                                        1.152.4.1
RELENG_6
  src/sys/amd64/amd64/fpu.c                                     1.157.2.1
  src/sys/i386/isa/npx.c                                        1.162.2.2
RELENG_6_1
  src/UPDATING                                             1.416.2.22.2.1
  src/sys/conf/newvers.sh                                   1.69.2.11.2.1
  src/sys/amd64/amd64/fpu.c                                     1.157.6.1
  src/sys/i386/isa/npx.c                                    1.162.2.1.2.1
RELENG_6_0
  src/UPDATING                                             1.416.2.3.2.12
  src/sys/conf/newvers.sh                                    1.69.2.8.2.8
  src/sys/amd64/amd64/fpu.c                                     1.157.4.1
  src/sys/i386/isa/npx.c                                        1.162.4.1
- - -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:14.fpu.asc

VIII. Acknowledgements

The FreeBSD Security Team would like to thank AMD, and Richard Brunner
specifically, for responding promptly to this issue and providing an
extensive response analyzing the problem.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEReGUFdaIBMps37IRAnmUAJ4lsl3bpH6duA5u/wssIa01o98BlwCgleWn
a1vJCiLwkkfqHtmBDKxaQ+A=
=4yls
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBREbAUCh9+71yA2DNAQJedAP/RZ0YaT3GCLp00udoqyxhl8hMrLHFIkgn
hIrF4pR5Ga/hgrGCDW9iXPy9/1Wy96CKDziltUp6CBsjHKkWVFW80T6p9o4/QpIi
vpEleIpuVisBvcefFNw9cmlfPEYZ7nTskh6dqgSTQAU7stb5mdM67uv7T1A0gJNB
C0I4oCXyrlE=
=vvn6
-----END PGP SIGNATURE-----