Re: SSE related security hole

Andi Kleen (ak@suse.de)
Thu, 18 Apr 2002 13:55:05 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Mike Black: "2.4.17-pre7 oops"
Previous message: Jens Axboe: "Re: 2.5.9: ide: unexpected interrupt 1 12"
In reply to: Alan Cox: "Re: SSE related security hole"

On Thu, Apr 18, 2002 at 12:53:12PM +0100, Alan Cox wrote:
> > > Intel folks are actually saying even back in Pentium MMX days that it isnt
> > > guaranteed that the FP/MMX state are not seperate registers
> >
> > In this case it would be possible to only do the explicit clear
> > when the CPU does support sse1. For mmx only it shouldn't be needed.
> > For sse2 also not.
>
> Do you have a documentation cite for that claim ?

Actually I did some more tests:

test program

main()
{
unsigned int i[4], o[4];

i[0] = 1; i[1] = 2; i[2] = 3; i[3] = 4;
asm("movups %1,%%xmm1 ; fninit ; movups %%xmm1,%0" : "=m" (o) : "m" (i));
printf("%x %x %x %x\n",o[0],o[1],o[2],o[3]);

asm("movups %1,%%xmm1 ; movups %%xmm1,%0" : "=m" (o) : "m" (i));
printf("%x %x %x %x\n",o[0],o[1],o[2],o[3]);
}

Result on a pentium4:

./xmm
bffff68c 8048431 8049640 8049660
bffff68c bffff68c bffff68c 8048431

So fninit seems to change something in XMM1.

and pentium 3:

bffff81c 8048431 8049640 8049660
bffff81c bffff81c bffff81c 8048431

changes something different ?

If even Intel cannot agree on this it is probably safest to do an explicit
zeroing like Andrea's patch does. I retract the origina suggestion.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mike Black: "2.4.17-pre7 oops"
Previous message: Jens Axboe: "Re: 2.5.9: ide: unexpected interrupt 1 12"
In reply to: Alan Cox: "Re: SSE related security hole"