147 lines
5.5 KiB
Text
147 lines
5.5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-18:07.lazyfpu Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Lazy FPU State Restore Information Disclosure
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2018-06-21
|
|
Credits: Julian Stecklina from Amazon Germany
|
|
Thomas Prescher from Cyberus Technology GmbH
|
|
Zdenek Sojka from SYSGO AG
|
|
Colin Percival
|
|
Affects: All supported version of FreeBSD.
|
|
Corrected: 2018-06-14 18:50:49 UTC (stable/11, 11.2-PRERELEASE)
|
|
2018-06-15 13:21:37 UTC (releng/11.2, 11.2-RC3)
|
|
2018-06-21 05:17:13 UTC (releng/11.1, 11.1-RELEASE-p11)
|
|
CVE Name: CVE-2018-3665
|
|
|
|
Special Note: This advisory only addresses this issue for FreeBSD 11.x on
|
|
i386 and amd64. We expect to update this advisory to include
|
|
10.x in the near future.
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
Modern CPUs have a floating point unit (FPU) which needs to maintain state
|
|
per thread. One technique is to only save and to only restore the FPU state
|
|
for a thread when a thread attempts to utilize the FPU. This technique is
|
|
called Lazy FPU state restore.
|
|
|
|
II. Problem Description
|
|
|
|
A subset of Intel processors can allow a local thread to infer data from
|
|
another thread through a speculative execution side channel when Lazy FPU
|
|
state restore is used.
|
|
|
|
III. Impact
|
|
|
|
Any local thread can potentially read FPU state information from other
|
|
threads running on the host. This could include cryptographic keys when the
|
|
AES-NI CPU feature is present.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but non-Intel branded CPUs are not believed
|
|
to be vulnerable.
|
|
|
|
V. Solution
|
|
|
|
The patch changes from Lazy FPU state restore to Eager FPU state restore.
|
|
This new technique is the recommended practice from Intel and in some cases
|
|
can actually increase performance, depending on workload.
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Afterward, reboot the system.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterward, reboot the system.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.1]
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch.asc
|
|
# gpg --verify lazyfpu-11.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r335169
|
|
releng/11.2/ r335196
|
|
releng/11.1/ r335465
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlsrN1hfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cJTLA/+Kt7QLkNCVudaiE+d+VMuC2f1aGhqoyd+36xL9rNsn2ShZhIo+gq1dhXn
|
|
2lJiOYCPN5cJkasj1YdP2bSIv25nTcFMp0rKOww0A1scOnzi66LAD+DXmGVUhmaA
|
|
MPyrnuL7rbuPq9ls9FGAO2XURwB9IrGYtqPuVWmNyn+HyKBYcGCkL5+UEnHeUCg8
|
|
oopJudZgrGBVMFCsqG6K/b+3uc397Hyq0PZzpyWFfkaxrbTwVMMwgWyTxIYaPVs7
|
|
2g7WK2JWjJNk0IWQGot9qpKYDRyxc9PPFX/0blwOLe1Wwrt5nEF+9av89HQJ6PXF
|
|
+Ws5w8Gnhi9wWuK19ew1j0nvP+f0zw09r4GuEzhZXADAz733HNK5dtsS/dMJi2wa
|
|
9fQ0s1joT3JFDvWZKUQS2mNuhpvBfYoI0d0OEJT2H2eycFYe4B+VNhB2V1e9wLn6
|
|
9X4+Vbc2LEOF09klQQFMYNMEyQzLtfq2gHIoD37sCw9mMrYKWjgy3NhY5AKrfGHG
|
|
OcBsvnaXCW/x9/kV9Pfoel/psrmjcQdp4QEKAZbRNwvJG5sGhtsQXTp0Nk+BCuVy
|
|
G0NNB9306dLfk0OTZ02SiOUjVagXObyo+LgWTBO6FryDlHVkopsYNkB5oRx9fLrm
|
|
68r7OXidl0ndGqnh87meMVH1/Fu/rr09Jd4osIzS+Gc0Dt7NOEQ=
|
|
=8fnI
|
|
-----END PGP SIGNATURE-----
|