Security updates to master and release

Matthew Dillon dillon at backplane.com
Wed Jun 13 21:22:45 PDT 2018


An Intel (and possibly AMD) FPU register disclosure exploit has become
public.  DragonFly users should update to the latest -release or master for
the fixes.  Rumors about this bug have been circulating for a month or so
but it got broken wide open when Theo of OpenBSD gave a talk at BSDCan a
few days ago.  Colin Percival of FreeBSD was later able to write-up an
exploit based on Theo's talk, validating Theo's theory.  Today Intel has
apparently lifted their NDA/embargo on the issue, so we should be getting
even more information on it soon.  Basically, though, the bug is related to
delayed FPU state saving and on-demand FPU state loading which several BSDs
still use (Linux stopped using it a while ago for other reasons).

This bug is not as easy to exploit as Meltdown was, but still fairly easy
considering how little time it took Colin to reproduce it.  Actually using
it to steal keys from other processes is a bit more difficult but not
impossible. So its a good idea to update.

-Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dragonflybsd.org/pipermail/users/attachments/20180613/49e65b48/attachment.html>


More information about the Users mailing list