ChangeLog-2.6.16.9

commit 9d395d1961a0eeb9e8b1ef2854f3ca8f0b985266
Author: Greg Kroah-Hartman <[email protected]>
Date: Tue Apr 18 23:10:14 2006 -0700

Linux 2.6.16.9

commit 7466f9e72dac13452d871a3fb72fc7bd9c93c864
Author: Andi Kleen <[email protected]>
Date: Wed Apr 19 07:17:31 2006 +0200

[PATCH] i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)

AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
when an exception is pending.  This means the value leak through context
switches and allow processes to observe some x87 instruction state of
other processes.

This was actually documented by AMD, but nobody recognized it as being
different from Intel before.

The fix first adds an optimization: instead of unconditionally calling
FNCLEX after each FXSAVE test if ES is pending and skip it when not
needed. Then do a x87 load from a kernel variable to clear FOP/FIP/FDP.

This means other processes always will only see a constant value defined
by the kernel in their FP state.

I took some pain to make sure to chose a variable that's already in L1
during context switch to make the overhead of this low.

Also alternative() is used to patch away the new code on CPUs who don't
need it.

Patch for both i386/x86-64.

The problem was discovered originally by Jan Beulich. Richard Brunner
provided the basic code for the workarounds, with contribution from Jan.

This is CVE-2006-1056

Cc: [email protected]
Cc: [email protected]
Signed-off-by: Andi Kleen <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>