FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- FPU information disclosure

Affected systems
6.0 < FreeBSD < 6.0_7
5.4 < FreeBSD < 5.4_14
5.3 < FreeBSD < 5.3_29
5 < FreeBSD < 5.3
4.11 < FreeBSD < 4.11_17
4.10 < FreeBSD < 4.10_23
FreeBSD < 4.10

Details

VuXML ID 1fa4c9f1-cfca-11da-a672-000e0c2e438a
Discovery 2006-04-19
Entry 2006-04-19
Modified 2006-06-09

Problem Description

On "7th generation" and "8th generation" processors manufactured by AMD, including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do not save and restore the FOP, FIP, and FDP registers unless the exception summary bit (ES) in the x87 status word is set to 1, indicating that an unmasked x87 exception has occurred.

This behaviour is consistent with documentation provided by AMD, but is different from processors from other vendors, which save and restore the FOP, FIP, and FDP registers regardless of the value of the ES bit. As a result of this discrepancy remaining unnoticed until now, the FreeBSD kernel does not restore the contents of the FOP, FIP, and FDP registers between context switches.

Impact

On affected processors, a local attacker can monitor the execution path of a process which uses floating-point operations. This may allow an attacker to steal cryptographic keys or other sensitive information.

Workaround

No workaround is available, but systems which do not use AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron processors are not vulnerable.

References

CVE Name CVE-2006-1056
FreeBSD Advisory SA-06:14.fpu