Re: SSE related security hole

H. Peter Anvin (hpa@zytor.com)
18 Apr 2002 14:06:36 -0700


Followup to: <20020418183639.20946.qmail@science.horizon.com>
By author: linux@horizon.com
In newsgroup: linux.dev.kernel
>
> Um, people here seem to be assuming that, in the absence of MMX,
> fninit *doesn't* leak information.
>
> I thought it was well-known to just clear (set to all-ones) the
> tag register and not alter the actual floating-point registers.
>
> Thus, it seems quite feasible to reset the tag word with FLDENV and
> store out the FPU registers, even on an 80387.
>
> Isn't this the same security hole? Shouldn't there be 8 FLDZ instructions
> (or equivalent) in the processor state initialization?
>

Perhaps the right thing to do is to have a description in data of the
desired initialization state and just F[NX]RSTOR it?

-hpa

-- 
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt	<amsp@zytor.com>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/