[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-22:02.xsave

    From FreeBSD Errata Notices@21:1/5 to All on Tue Jan 11 21:00:02 2022
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    =============================================================================
    FreeBSD-EN-22:02.xsave                                         Errata Notice
    The FreeBSD Project

    Topic: Incorrect XSAVE state size

    Category: core
    Module: kernel
    Announced: 2022-01-11
    Affects: All supported versions of FreeBSD.
    Corrected: 2021-12-12 02:49:50 UTC (stable/13, 13.0-STABLE)
               2022-01-11 18:14:58 UTC (releng/13.0, 13.0-RELEASE-p6)
               2021-12-12 02:49:50 UTC (stable/12, 12.3-STABLE)
               2022-01-11 18:19:21 UTC (releng/12.3, 12.3-RELEASE-p1)
               2022-01-11 18:33:11 UTC (releng/12.2, 12.2-RELEASE-p12)

    For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security
    branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    Contemporary x86 CPUs support the XSAVE instruction, "Save Processor Extended States." Some but not all CPUs support the so-called init optimization for XSAVE. The optimization means that the CPU may not write all of the state on XSAVE, and indicates that it did not in xstate_bv. Whether or not this happens depends on "complex internal microarchitectural conditions."

    On signal delivery, the OS provides the saved context interrupted by the signal to the signal handler. The context includes all CPU state available to userspace, including FPU registers (XSAVE area). Also, upon return from the signal handler, the saved context is restored, which allows the handler to modify the main program flow. When the init optimization kicks in, the OS tries to hide the effects of the init state optimization from the signal handler by filling in parts of the XSAVE area.

    The CPU reports sizes of some of the XSAVE state regions, but two of them
    are fixed and must be hard-coded by the kernel.

    II. Problem Description

    The hard-coded size for state region 1 (SSE/XMM) was incorrect, effectively filling the xmm8 through xmm15 registers with arbitrary values on signal
    return when the init optimization occurred.
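The following is an added example, not FreeBSD kernel code: a user-space model of the fixup the Background and Problem Description sections describe. After an XSAVE that used the init optimization, a clear bit i in xstate_bv means component i was not written and its bytes in the save area are stale, so the kernel stores that component's initial value before the area is handed to the signal handler. The offsets follow the x86 legacy XSAVE area layout (XMM0..XMM15 at bytes 160..415, header at byte 512); the region table, the 0xA5 stale fill and the count_stale_xmm helper are assumptions made for this demonstration and are not the kernel's own table or functions, and the x87/MXCSR parts of the area are ignored.

```c
/*
 * Added example, not FreeBSD kernel code: a user-space model of the
 * signal-delivery fixup described in the notice.  A clear bit i in
 * xstate_bv means component i was NOT written by XSAVE, so its bytes
 * in the save area are stale and the init value must be stored there.
 * Offsets follow the legacy XSAVE area layout; the region table is an
 * assumption for this demo, not the kernel's table.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XSAVE_AREA_SIZE   1024  /* legacy area + header is enough for this model */
#define XSAVE_HDR_OFFSET  512   /* xstate_bv occupies the first 8 bytes of the header */
#define XMM_OFFSET        160   /* XMM0..XMM15 live at bytes 160..415 */
#define XMM_REG_SIZE      16
#define XMM_NREGS         16

struct xsave_region {
	uint64_t feature_bit;   /* bit of this component in xstate_bv */
	size_t   offset;        /* byte offset of the component in the save area */
	size_t   size;          /* byte size of the component */
};

/* Region 1 (SSE) sized as in the defect: only half of the XMM registers. */
static const struct xsave_region regions_buggy[] = {
	{ 1u << 1, XMM_OFFSET, 8 * XMM_REG_SIZE },
};

/* Region 1 (SSE) sized correctly: all sixteen 16-byte XMM registers. */
static const struct xsave_region regions_fixed[] = {
	{ 1u << 1, XMM_OFFSET, XMM_NREGS * XMM_REG_SIZE },
};

#define NREGIONS(t) (sizeof(t) / sizeof((t)[0]))

/*
 * Model of the fixup: every component whose bit is clear in xstate_bv
 * gets its init value written into the area (all zero bytes for the XMM
 * registers).  The table's size field decides how many bytes are
 * cleared, which is exactly where the defect lived.
 */
static void
fixup_init_state(uint8_t *area, const struct xsave_region *tab, size_t n)
{
	uint64_t xstate_bv;

	memcpy(&xstate_bv, area + XSAVE_HDR_OFFSET, sizeof(xstate_bv));
	for (size_t i = 0; i < n; i++)
		if ((xstate_bv & tab[i].feature_bit) == 0)
			memset(area + tab[i].offset, 0, tab[i].size);
}

/* True if xmmN in the area holds the SSE init value (all zero bytes). */
static bool
xmm_is_init(const uint8_t *area, int reg)
{
	static const uint8_t zero[XMM_REG_SIZE];

	return memcmp(area + XMM_OFFSET + reg * XMM_REG_SIZE, zero,
	    XMM_REG_SIZE) == 0;
}

/*
 * Construct a save area in which the CPU used the init optimization for
 * the SSE component (bit 1 clear) while the XMM slots still hold stale
 * 0xA5 bytes, run the fixup with the given table, and report how many
 * XMM registers a signal handler would still see with arbitrary contents.
 */
static int
count_stale_xmm(const struct xsave_region *tab, size_t n)
{
	uint8_t area[XSAVE_AREA_SIZE];
	uint64_t xstate_bv = 1u << 0;   /* x87 written, SSE skipped */
	int stale = 0;

	memset(area, 0xA5, sizeof(area));                 /* constructed stale bytes */
	memcpy(area + XSAVE_HDR_OFFSET, &xstate_bv, sizeof(xstate_bv));
	fixup_init_state(area, tab, n);
	for (int reg = 0; reg < XMM_NREGS; reg++)
		if (!xmm_is_init(area, reg))
			stale++;
	return stale;
}

int
main(void)
{
	printf("stale XMM registers with the buggy size table: %d\n",
	    count_stale_xmm(regions_buggy, NREGIONS(regions_buggy)));  /* 8, xmm8..xmm15 */
	printf("stale XMM registers with the fixed size table: %d\n",
	    count_stale_xmm(regions_fixed, NREGIONS(regions_fixed)));  /* 0 */
	return 0;
}
```

With the undersized table only xmm0 through xmm7 are reset and the handler observes eight registers of leftover bytes, matching the symptom in the Problem Description; with the full 256-byte size every XMM register carries its init value. The real kernel reads sizes for components 2 and up from CPUID and hard-codes components 0 and 1, which is why this one constant mattered.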

    III. Impact

    On amd64 and i386 systems, application memory may become corrupted, leading to incorrect behaviour. Other platforms are not affected.

    IV. Workaround

    Use of XSAVEOPT may be disabled by adding the following line to loader.conf:

    hw.cpu_stdext_disable=0x1

    V. Solution

    Upgrade your system to a supported FreeBSD stable or release / security
    branch (releng) dated after the correction date, and reboot.

    Perform one of the following:

    1) To update your system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the amd64, i386, or
    (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install
    # shutdown -r +10min "Rebooting for an errata update"

    2) To update your system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch https://security.FreeBSD.org/patches/EN-22:02/xsave.patch
    # fetch https://security.FreeBSD.org/patches/EN-22:02/xsave.patch.asc
    # gpg --verify xsave.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
    system.
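As an added example that is not part of the notice, the checker below decides whether a kernel version string, as printed by `freebsd-version -k` or `uname -r`, is at or past the corrected patch level given in the Corrected: field above. Only -RELEASE branches are handled; for -STABLE the notice says to compare the commit count or svn revision against its table instead. The parser, the kernel_has_en_22_02 function and its return-code convention are assumptions made for this demonstration.

```c
/*
 * Added example, not part of the errata notice: decide whether a
 * FreeBSD kernel version string is at or past the patch level that
 * contains the EN-22:02 fix.  The parser and return codes are
 * assumptions for the demo.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct corrected_release {
	int major, minor;
	int patch;      /* first patch level that contains the fix */
};

/* Taken from the Corrected: field of FreeBSD-EN-22:02.xsave. */
static const struct corrected_release corrected_releases[] = {
	{ 13, 0, 6 },    /* releng/13.0, 13.0-RELEASE-p6  */
	{ 12, 3, 1 },    /* releng/12.3, 12.3-RELEASE-p1  */
	{ 12, 2, 12 },   /* releng/12.2, 12.2-RELEASE-p12 */
};

/*
 * Parse "MAJOR.MINOR-RELEASE" or "MAJOR.MINOR-RELEASE-pN"; a trailing
 * newline from uname is tolerated.  Returns false for anything else,
 * e.g. "13.0-STABLE" or "14.0-CURRENT".
 */
static bool
parse_release(const char *s, int *major, int *minor, int *patch)
{
	int n = 0;

	*patch = 0;
	/* %n is only stored if the literal "-RELEASE" matched completely */
	if (sscanf(s, "%d.%d-RELEASE%n", major, minor, &n) != 2 || n == 0)
		return false;
	s += n;
	if (*s == '\0' || *s == '\n')
		return true;                     /* plain -RELEASE, i.e. p0 */
	n = 0;
	if (sscanf(s, "-p%d%n", patch, &n) != 1 || n == 0)
		return false;
	return s[n] == '\0' || s[n] == '\n';
}

/*
 *  1 -> a release this notice corrects, at or past the fixed patch level
 *  0 -> a release this notice corrects, still below the fixed patch level
 * -1 -> not a -RELEASE version in the table; compare the commit count or
 *       svn revision manually as the notice describes
 */
static int
kernel_has_en_22_02(const char *version)
{
	int major, minor, patch;

	if (!parse_release(version, &major, &minor, &patch))
		return -1;
	for (size_t i = 0;
	    i < sizeof(corrected_releases) / sizeof(corrected_releases[0]); i++) {
		const struct corrected_release *c = &corrected_releases[i];
		if (c->major == major && c->minor == minor)
			return patch >= c->patch ? 1 : 0;
	}
	return -1;
}

int
main(int argc, char **argv)
{
	/* Constructed sample inputs; pass a real string as argv[1] instead. */
	const char *samples[] = { "13.0-RELEASE-p5", "13.0-RELEASE-p6",
	    "12.2-RELEASE", "12.2-RELEASE-p12", "13.0-STABLE" };

	if (argc > 1) {
		printf("%s: %d\n", argv[1], kernel_has_en_22_02(argv[1]));
		return 0;
	}
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%s: %d\n", samples[i], kernel_has_en_22_02(samples[i]));
	return 0;
}
```

Run it as `./check "$(freebsd-version -k)"` to test the running kernel rather than the installed userland; a result of 0 means the system is still on an affected patch level of a corrected release, and -1 means the string is outside the table and must be checked against the commit count or revision by hand.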

    VI. Correction details

    This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches:

    Branch/path                                      Hash            Revision
    - -------------------------------------------------------------------------
    stable/13/                                       1d6ebddb62bc    stable/13-n248578
    releng/13.0/                                     f2caded7f590    releng/13.0-n244769
    stable/12/                                                       r371242
    releng/12.3/                                                     r371483
    releng/12.2/                                                     r371488
    - -------------------------------------------------------------------------

    For FreeBSD 13 and later:

    Run the following command to see which files were modified by a
    particular commit:

    # git show --stat <commit hash>

    Or visit the following URL, replacing NNNNNN with the hash:

    <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

    To determine the commit count in a working tree (for comparison against
    nNNNNNN in the table above), run:

    # git rev-list --count --first-parent HEAD

    For FreeBSD 12 and earlier:

    Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number:

    # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

    Or visit the following URL, replacing NNNNNN with the revision number:

    <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

    VII. References

    <URL:https://reviews.freebsd.org/D33390>
    <URL:https://github.com/golang/go/issues/46272>

    The latest revision of this advisory is available at
    <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:02.xsave.asc>

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd2CUACgkQ05eS9J6n
    5cKE+w//bOsl0ry/Vx4OaIFzX52Blp6iu5nYoSwFu9wipTq5d07xL+UhXT3bbnRN
    yzxJz4KLkBlBaorwN0OX9N3/bjErOq10QMzzcX2jQnvixgIhV9oxqZoOoMcehfVp
    9L2yo1JNhXkn0ysKU2ysxpi1F/9t9xATcqxxC1PuSbl1N143qTnmRB5EWDi9Ygan
    sjFgBhcTmfz3gATxwKP0hz25KaXO+/0WwZzYHCnGYncPnfh12OgKCkMDi6H2v54R
    7+Rl0JtbycK257UIACki/s1FgbiIXkQuPLILD3YBn1kuXFPDhlIBKeK4NLu0G5DQ
    6vqYHKrP5RssGsXdROVpjTe4eO1VkKQAkMI9NHCo6SOStbHcOqiB0bdz0TuGYyQN
    uhI5we2tqDb6uhZBi0az4c+yKp58d+2dF8DizRKGelDjDNby/1L09XAiybnR8liN
    YcHPV/v0Sx/QPjX9sfutMkhtpw28OdPeqoAQyzW9+VSeTC4z61CDmFi9qrN7Vpne
    KIvLbgaBYFMSsN4oeG5CfZzlemLNkk8R+5JKmPCxoewX9r7jj2gr9yMqXcmQhjyR
    46z0Xp9JL0ovYzvfA9g0nV9tPxmRsAuOL2k7C4nPI38kXbCUlOuCjcNc7EP/gdfi
    e7sNXtXwzRDWgO4ipHfLeqzmAnxXy42vFpD2Be5RjbsqXdcH+6I=
    =ejFK
    -----END PGP SIGNATURE-----
