[PATCH] x86_64: Fix signal FPU leak on i386 and x86-64

Found by Bodo Stroesser. Description from Bodo: >> On i386, if a signal handler is started, the kernel saves the fpu-state of the interrupted routine in the sigcontext on the stack. Calling unlazy_fpu() and setting current->used_math=0, the kernel supplies the signal-handler with a cleared virtual fpu. On sigreturn(), the old fpu-state of the interrupted routine is restored. If a process never used the fpu, it virtually has a cleared fpu. If such a process is interrupted by a signal handler, no fpu-context is saved and sigcontext->fpstate is set to NULL. Assume, that the signal handler uses the fpu. Then, AFAICS, on sigreturn current->used_math will be 1. Since sigcontext->fpstate still is NULL, restore_sigcontext() doesn't call restore_i387(). Thus, no clear_fpu() is done, current->used_math is not reset. Now, the interrupted processes fpu no longer is cleared! << Fix by AK. Just clear the FPU again when this happens. patch for i386 and x86-64. Signed-off-by: Andi Kleen <ak@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] x86_64: Fix signal FPU leak on i386 and x86-64
Found by Bodo Stroesser. Description from Bodo: >> On i386, if a signal handler is started, the kernel saves the fpu-state of the interrupted routine in the sigcontext on the stack. Calling unlazy_fpu() and setting current->used_math=0, the kernel supplies the signal-handler with a cleared virtual fpu. On sigreturn(), the old fpu-state of the interrupted routine is restored. If a process never used the fpu, it virtually has a cleared fpu. If such a process is interrupted by a signal handler, no fpu-context is saved and sigcontext->fpstate is set to NULL. Assume, that the signal handler uses the fpu. Then, AFAICS, on sigreturn current->used_math will be 1. Since sigcontext->fpstate still is NULL, restore_sigcontext() doesn't call restore_i387(). Thus, no clear_fpu() is done, current->used_math is not reset. Now, the interrupted processes fpu no longer is cleared! << Fix by AK. Just clear the FPU again when this happens. patch for i386 and x86-64. Signed-off-by: Andi Kleen <ak@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
a3e64936 · Andi Kleen · Linus Torvalds · 7fb0f979 · a3e64936 · a3e64936
Commit a3e64936 authored Jan 11, 2005 by Andi Kleen Committed by Linus Torvalds Jan 11, 2005
Showing with 18 additions and 0 deletions

arch/i386/kernel/signal.c arch/i386/kernel/signal.c +6 -0

arch/x86_64/ia32/ia32_signal.c arch/x86_64/ia32/ia32_signal.c +6 -0

arch/x86_64/kernel/signal.c arch/x86_64/kernel/signal.c +6 -0

No files found.
--- a/arch/i386/kernel/signal.c
+++ b/arch/i386/kernel/signal.c
@@ -190,6 +190,12 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *peax
 			if (verify_area(VERIFY_READ, buf, sizeof(*buf)))
 				goto badframe;
 			err |= restore_i387(buf);
+		} else {
+			struct task_struct *me = current;
+			if (me->used_math) {
+				clear_fpu(me);
+				me->used_math = 0;
+			}
 		}
 	}

--- a/arch/x86_64/ia32/ia32_signal.c
+++ b/arch/x86_64/ia32/ia32_signal.c
@@ -261,6 +261,12 @@ ia32_restore_sigcontext(struct pt_regs *regs, struct sigcontext_ia32 __user *sc,
 			if (verify_area(VERIFY_READ, buf, sizeof(*buf)))
 				goto badframe;
 			err |= restore_i387_ia32(current, buf, 0);
+		} else {
+			struct task_struct *me = current;
+			if (me->used_math) {
+				clear_fpu(me);
+				me->used_math = 0;
+			}
 		}
 	}

--- a/arch/x86_64/kernel/signal.c
+++ b/arch/x86_64/kernel/signal.c
@@ -125,6 +125,12 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, unsigned
 			if (verify_area(VERIFY_READ, buf, sizeof(*buf)))
 				goto badframe;
 			err |= restore_i387(buf);
+		} else {
+			struct task_struct *me = current;
+			if (me->used_math) {
+				clear_fpu(me);
+				me->used_math = 0;
+			}
 		}
 	}