Lucene search

K
intelIntel Security CenterINTEL:INTEL-SA-00145
HistoryJun 13, 2018 - 12:00 a.m.

Lazy FP State Restore

2018-06-1300:00:00
Intel Security Center
www.intel.com
16

Summary:

System software may utilize the Lazy FP state restore technique to delay the restoring of state until an instruction operating on that state is actually executed by the new process. Systems using Intel® Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel.

Description:

System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value.

· CVSS - 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Affected Products:

Intel® Core-based microprocessors.

Recommendations:

If an XSAVE-enabled feature is disabled, then we recommend either its state component bitmap in the extended control register (XCR0) is set to 0 (e.g. XCR0[bit 2]=0 for AVX, XCR0[bits 7:5]=0 for AVX512) or the corresponding register states of the feature should be cleared prior to being disabled. Also for relevant states (e.g. x87, SSE, AVX, etc.), Intel recommends system software developers utilize Eager FP state restore in lieu of Lazy FP state restore.

Acknowledgements:

Intel would like to thank Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH (<https://www.cyberus-technology.de/&gt;), Alex Zuepke, Rudolf Marek and Zdenek Sojka from SYSGO AG (<http://sysgo.com>), Colin Percival and for reporting this issue and working with us on coordinated disclosure.

Intel would also like to thank employees Kekai Hu, Ke Sun, Henrique Kawakami and Rodrigo Branco for CVE-2018-3665.