Module Name: src Committed By: riastradh Date: Sat Jun 13 19:00:18 UTC 2020
Modified Files: src/sys/arch/x86/x86: fpu.c Log Message: Zero the fpu registers on fpu_kern_leave. Avoid Spectre-class attacks on any values left in them. To generate a diff of this commit: cvs rdiff -u -r1.62 -r1.63 src/sys/arch/x86/x86/fpu.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/x86/x86/fpu.c
diff -u src/sys/arch/x86/x86/fpu.c:1.62 src/sys/arch/x86/x86/fpu.c:1.63
--- src/sys/arch/x86/x86/fpu.c:1.62 Thu Jun 4 19:53:55 2020
+++ src/sys/arch/x86/x86/fpu.c Sat Jun 13 19:00:18 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: fpu.c,v 1.62 2020/06/04 19:53:55 riastradh Exp $ */
+/* $NetBSD: fpu.c,v 1.63 2020/06/13 19:00:18 riastradh Exp $ */
 /*
 * Copyright (c) 2008, 2019 The NetBSD Foundation, Inc. All
@@ -96,7 +96,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: fpu.c,v 1.62 2020/06/04 19:53:55 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fpu.c,v 1.63 2020/06/13 19:00:18 riastradh Exp $");
 #include "opt_multiprocessor.h"
@@ -378,6 +378,7 @@ fpu_kern_enter(void)
 void
 fpu_kern_leave(void)
 {
+ union savefpu zero_fpu __aligned(64);
 struct cpu_info *ci = curcpu();
 int s;
@@ -385,6 +386,14 @@ fpu_kern_leave(void)
 KASSERT(ci->ci_kfpu_spl != -1);
 /*
+ * Zero the fpu registers; otherwise we might leak secrets
+ * through Spectre-class attacks to userland, even if there are
+ * no bugs in fpu state management.
+ */
+ memset(&zero_fpu, 0, sizeof(zero_fpu));
+ fpu_area_restore(&zero_fpu, x86_xsave_features);
+
+ /*
 * Set CR0_TS again so that the kernel can't accidentally use
 * the FPU.
 */
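Review bot: The all-zero image is declared on the kernel stack in the `@@ -378` hunk (`union savefpu zero_fpu __aligned(64);`) and refilled with `memset` on every call in the `@@ -385` hunk, so each exit from a kernel FPU section pays for a 64-byte-aligned stack object of `sizeof(union savefpu)` and a full store pass. The buffer only ever holds zeros, so `static const union savefpu zero_fpu __aligned(64);` would provide the same restore source without the stack use or the `memset`, assuming `fpu_area_restore` can take a const pointer (its prototype is not visible here). The added comment should also say that the restore must run before CR0_TS is set again, because the restore would trap once TS is set, and a later reordering of these two steps would break the scrub. `fpu_kern_leave` continues past the end of the hunk, so the rest of the exit path was not reviewed.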