from todays freebsd advisory: fxrstor on amd cpu does not restore fip,fdp,fop thus leaking other proc's execution history; deraadt@ ok

2 files changed, 20 insertions, 3 deletions

diff --git a/sys/arch/amd64/amd64/fpu.c b/sys/arch/amd64/amd64/fpu.c
index 1958a58f619..5c13d8d7e21 100644
--- a/sys/arch/amd64/amd64/fpu.c
+++ b/sys/arch/amd64/amd64/fpu.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: fpu.c,v 1.9 2005/12/13 00:18:19 jsg Exp $	*/
+/*	$OpenBSD: fpu.c,v 1.10 2006/04/19 15:48:17 mickey Exp $	*/
 /*	$NetBSD: fpu.c,v 1.1 2003/04/26 18:39:28 fvdl Exp $	*/
 
 /*-
@@ -239,8 +239,17 @@ fpudna(struct cpu_info *ci)
 		fldcw(&p->p_addr->u_pcb.pcb_savefpu.fp_fxsave.fx_fcw);
 		ldmxcsr(&p->p_addr->u_pcb.pcb_savefpu.fp_fxsave.fx_mxcsr);
 		p->p_md.md_flags |= MDP_USEDFPU;
-	} else
+	} else {
+		static double	zero = 0.0;
+
+		/*
+		 * amd fpu does not restore fip, fdp, fop on fxrstor
+		 * thus leaking other process's execution history.
+		 */
+		fnclex();
+		__asm __volatile("ffree %%st(7)\n\tfld %0" : : "m" (zero));
 		fxrstor(&p->p_addr->u_pcb.pcb_savefpu);
+	}
 }
 
 
diff --git a/sys/arch/i386/isa/npx.c b/sys/arch/i386/isa/npx.c
index 3fd0102dcbf..27279230a84 100644
--- a/sys/arch/i386/isa/npx.c
+++ b/sys/arch/i386/isa/npx.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: npx.c,v 1.38 2006/03/13 18:42:16 mickey Exp $	*/
+/*	$OpenBSD: npx.c,v 1.39 2006/04/19 15:48:17 mickey Exp $	*/
 /*	$NetBSD: npx.c,v 1.57 1996/05/12 23:12:24 mycroft Exp $	*/
 
 #if 0
@@ -637,6 +637,14 @@ npxdna_xmm(struct cpu_info *ci)
 		fldcw(&p->p_addr->u_pcb.pcb_savefpu.sv_xmm.sv_env.en_cw);
 		p->p_md.md_flags |= MDP_USEDFPU;
 	} else {
+		static double	zero = 0.0;
+
+		/*
+		 * amd fpu does not restore fip, fdp, fop on fxrstor
+		 * thus leaking other process's execution history.
+		 */
+		fnclex();
+		__asm __volatile("ffree %%st(7)\n\tfld %0" : : "m" (zero));
 		fxrstor(&p->p_addr->u_pcb.pcb_savefpu.sv_xmm);
 	}