-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-22:02.xsave                                          Errata Notice
                                                          The FreeBSD Project

Topic:          Incorrect XSAVE state size

Category:       core
Module:         kernel
Announced:      2022-01-11
Affects:        All supported versions of FreeBSD.
Corrected:      2021-12-12 02:49:50 UTC (stable/13, 13.0-STABLE)
                2022-01-11 18:14:58 UTC (releng/13.0, 13.0-RELEASE-p6)
                2021-12-12 02:49:50 UTC (stable/12, 12.3-STABLE)
                2022-01-11 18:19:21 UTC (releng/12.3, 12.3-RELEASE-p1)
                2022-01-11 18:33:11 UTC (releng/12.2, 12.2-RELEASE-p12)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

Contemporary x86 CPUs support the XSAVE instruction, "Save Processor Extended
tates."  Some but not all CPUs support the so-called init optimization for
XSAVE.  The optimization means that the CPU may not write all of the state on
XSAVE, and indicates that it did not in xstate_bv.  Whether or not this
happens depends on "complex internal microarchitectural conditions."

On signal delivery, the OS provides the saved context interrupted by the
signal to the signal handler.  The context includes all CPU state available to
userspace, including FPU registers (XSAVE area).  Also, upon return from the
signal handler, the saved context is restored, which allows the handler to
modify the main program flow.  When the init optimization kicks in, the OS
tries to hide the effects of the init state optimization from the signal
handler by filling in parts of the XSAVE area.

The CPU reports sizes of some of the XSAVE state regions, but two of them
are fixed and must be hard-coded by the kernel.

II.  Problem Description

The hard-coded size for state region 1 (SSE/XMM) was incorrect, effectively
filling the xmm8 through xmm15 registers with arbitrary values on signal
return when the init optimization occurred.

III. Impact

On amd64 and i386 systems, application memory may become corrupted, leading to
incorrect behaviour.  Other platforms are not affected.

IV.  Workaround

Use of XSAVEOPT may be disabled by adding the following line to loader.conf:

  hw.cpu_stdext_disable=0x1

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-22:02/xsave.patch
# fetch https://security.FreeBSD.org/patches/EN-22:02/xsave.patch.asc
# gpg --verify xsave.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              1d6ebddb62bc    stable/13-n248578
releng/13.0/                            f2caded7f590  releng/13.0-n244769
stable/12/                                                        r371242
releng/12.3/                                                      r371483
releng/12.2/                                                      r371488
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://reviews.freebsd.org/D33390>
<URL:https://github.com/golang/go/issues/46272>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:02.xsave.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd2CUACgkQ05eS9J6n
5cKE+w//bOsl0ry/Vx4OaIFzX52Blp6iu5nYoSwFu9wipTq5d07xL+UhXT3bbnRN
yzxJz4KLkBlBaorwN0OX9N3/bjErOq10QMzzcX2jQnvixgIhV9oxqZoOoMcehfVp
9L2yo1JNhXkn0ysKU2ysxpi1F/9t9xATcqxxC1PuSbl1N143qTnmRB5EWDi9Ygan
sjFgBhcTmfz3gATxwKP0hz25KaXO+/0WwZzYHCnGYncPnfh12OgKCkMDi6H2v54R
7+Rl0JtbycK257UIACki/s1FgbiIXkQuPLILD3YBn1kuXFPDhlIBKeK4NLu0G5DQ
6vqYHKrP5RssGsXdROVpjTe4eO1VkKQAkMI9NHCo6SOStbHcOqiB0bdz0TuGYyQN
uhI5we2tqDb6uhZBi0az4c+yKp58d+2dF8DizRKGelDjDNby/1L09XAiybnR8liN
YcHPV/v0Sx/QPjX9sfutMkhtpw28OdPeqoAQyzW9+VSeTC4z61CDmFi9qrN7Vpne
KIvLbgaBYFMSsN4oeG5CfZzlemLNkk8R+5JKmPCxoewX9r7jj2gr9yMqXcmQhjyR
46z0Xp9JL0ovYzvfA9g0nV9tPxmRsAuOL2k7C4nPI38kXbCUlOuCjcNc7EP/gdfi
e7sNXtXwzRDWgO4ipHfLeqzmAnxXy42vFpD2Be5RjbsqXdcH+6I=
=ejFK
-----END PGP SIGNATURE-----