| Summary: |
VUL-0: CVE-2021-47226: kernel: x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer |
| Product: |
[Novell Products] SUSE Security Incidents
|
Reporter: |
SMASH SMASH <smash_bz> |
| Component: |
Incidents | Assignee: |
Security Team bot <security-team> |
| Status: |
RESOLVED
FIXED
|
QA Contact: |
Security Team bot <security-team> |
| Severity: |
Normal
|
|
|
| Priority: |
P3 - Medium
|
CC: |
camila.matos, gabriele.sonnu, jslaby, mhocko
|
| Version: |
unspecified | |
|
| Target Milestone: |
--- | |
|
| Hardware: |
Other | |
|
| OS: |
Other | |
|
| URL: |
https://smash.suse.de/issue/406852/
|
| Whiteboard: |
CVSSv3.1:SUSE:CVE-2021-47226:4.7:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) |
|
Found By:
|
Security Response Team
|
Services Priority:
|
|
|---|
|
Business Priority:
|
|
Blocker:
|
---
|
|---|
|
Marketing QA Status:
|
---
|
IT Deployment:
|
---
|
|---|
In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer Both Intel and AMD consider it to be architecturally valid for XRSTOR to fail with #PF but nonetheless change the register state. The actual conditions under which this might occur are unclear [1], but it seems plausible that this might be triggered if one sibling thread unmaps a page and invalidates the shared TLB while another sibling thread is executing XRSTOR on the page in question. __fpu__restore_sig() can execute XRSTOR while the hardware registers are preserved on behalf of a different victim task (using the fpu_fpregs_owner_ctx mechanism), and, in theory, XRSTOR could fail but modify the registers. If this happens, then there is a window in which __fpu__restore_sig() could schedule out and the victim task could schedule back in without reloading its own FPU registers. This would result in part of the FPU state that __fpu__restore_sig() was attempting to load leaking into the victim task's user-visible state. Invalidate preserved FPU registers on XRSTOR failure to prevent this situation from corrupting any state. [1] Frequent readers of the errata lists might imagine "complex microarchitectural conditions". References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47226 https://www.cve.org/CVERecord?id=CVE-2021-47226 https://git.kernel.org/stable/c/002665dcba4bbec8c82f0aeb4bd3f44334ed2c14 https://git.kernel.org/stable/c/a7748e021b9fb7739e3cb88449296539de0b6817 https://git.kernel.org/stable/c/d8778e393afa421f1f117471144f8ce6deb6953a https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2021/CVE-2021-47226.mbox