• Suresh Siddha's avatar
    x64, fpu: fix possible FPU leakage in error conditions · 6ffac1e9
    Suresh Siddha authored
    On Thu, Jul 24, 2008 at 03:43:44PM -0700, Linus Torvalds wrote:
    > So how about this patch as a starting point? This is the RightThing(tm) to
    > do regardless, and if it then makes it easier to do some other cleanups,
    > we should do it first. What do you think?
    
    restore_fpu_checking() calls init_fpu() in error conditions.
    
    While this is wrong(as our main intention is to clear the fpu state of
    the thread), this was benign before commit 92d140e2 ("x86: fix taking
    DNA during 64bit sigreturn").
    
    Post commit 92d140e2, live FPU registers may not belong to this
    process at this error scenario.
    
    In the error condition for restore_fpu_checking() (especially during the
    64bit signal return), we are doing init_fpu(), which saves the live FPU
    register state (possibly belonging to some other process context) into
    the thread struct (through unlazy_fpu() in init_fpu()). This is wrong
    and can leak the FPU data.
    
    For the signal handler restore error condition in restore_i387(), clear
    the fpu state present in the thread struct(before ultimately sending a
    SIGSEGV for badframe).
    
    For the paranoid error condition check in math_state_restore(), send a
    SIGSEGV, if we fail to restore the state.
    Signed-off-by: default avatarSuresh Siddha <suresh.b.siddha@intel.com>
    Cc: <stable@kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
    6ffac1e9
i387.h 7.78 KB