[PATCH] SSE related security hole

Initialize the saved FPU/XMM state in the task struct and fall through
to restore_fpu() to make sure that all state is fully initialized.

This means that old SSE/SSE2 information cannot ever leak into newly
created processes.

diff --git a/arch/i386/kernel/i387.c b/arch/i386/kernel/i387.c
index c237c22fef9ba1f3b7b1138ec727e91811c39108..4020e7bf3b8634c773b25f36b4674a83a58e1a6e 100644 (file)
--- a/arch/i386/kernel/i387.c
+++ b/arch/i386/kernel/i387.c
@@ -31,13 +31,21 @@
  * value at reset if we support XMM instructions and then
  * remeber the current task has used the FPU.
  */
-void init_fpu(void)
+void init_fpu(struct task_struct *tsk)
 {
-       __asm__("fninit");
-       if ( cpu_has_xmm )
-               load_mxcsr(0x1f80);
-               
-       current->used_math = 1;
+       if (cpu_has_fxsr) {
+               memset(&tsk->thread.i387.fxsave, 0, sizeof(struct i387_fxsave_struct));
+               tsk->thread.i387.fxsave.cwd = 0x37f;
+               if (cpu_has_xmm)
+                       tsk->thread.i387.fxsave.mxcsr = 0x1f80;
+       } else {
+               memset(&tsk->thread.i387.fsave, 0, sizeof(struct i387_fsave_struct));
+               tsk->thread.i387.fsave.cwd = 0xffff037f;
+               tsk->thread.i387.fsave.swd = 0xffff0000;
+               tsk->thread.i387.fsave.twd = 0xffffffff;
+               tsk->thread.i387.fsave.fos = 0xffff0000;
+       }
+       tsk->used_math = 1;
 }
 
 /*

diff --git a/arch/i386/kernel/traps.c b/arch/i386/kernel/traps.c
index ad8aa377c1ef94e5094a4aa0d41cb2295f2ee713..f473ac6f6c7ff83f485ed1dc17c6037848b445e9 100644 (file)
--- a/arch/i386/kernel/traps.c
+++ b/arch/i386/kernel/traps.c
@@ -757,13 +757,12 @@ asmlinkage void do_spurious_interrupt_bug(struct pt_regs * regs,
  */
 asmlinkage void math_state_restore(struct pt_regs regs)
 {
+       struct task_struct *tsk = current;
        clts();         /* Allow maths ops (or we recurse) */
 
-       if (current->used_math) {
-               restore_fpu(current);
-       } else {
-               init_fpu();
-       }
+       if (!tsk->used_math)
+               init_fpu(tsk);
+       restore_fpu(tsk);
        set_thread_flag(TIF_USEDFPU);   /* So we fnsave on switch_to() */
 }
 

diff --git a/include/asm-i386/i387.h b/include/asm-i386/i387.h
index b8b60c2744e98ea8eb4e2f153b26d1f49a4bd69f..1efeb37910ce8caf9bb6f58b9be76f3bbee75ddb 100644 (file)
--- a/include/asm-i386/i387.h
+++ b/include/asm-i386/i387.h
@@ -17,7 +17,7 @@
 #include <asm/sigcontext.h>
 #include <asm/user.h>
 
-extern void init_fpu(void);
+extern void init_fpu(struct task_struct *);
 /*
  * FPU lazy state save handling...
  */