Security researchers have uncovered a new microarchitectural vulnerability in some Intel processors. Called “Lazy FP State Restore,” this vulnerability relies on a side channel to leak potentially privileged data after the processor performs a context switch from an unprivileged process to a privileged kernel function, according to security analysis from Red Hat. Both Intel and Red Hat classify the potential impact of this vulnerability as “moderate.” AMD CPUs are not affected.
As with Spectre and Meltdown, the vulnerability stems from efforts to improve performance. Context switches are microarchitecturally expensive, and the less data that needs to be moved around during such a switch, the better. The leak relies on the fact that the processor can defer saving and restoring of FPU state until a new process actually uses the CPU's floating-point unit after a context switch (hence “lazy”). An attacker can apparently use another process to reveal or infer this lazily-restored data from target processes, although full details of the exploit are not yet available. Since the CPU's floating-point registers are often involved in cryptographic calculations, the ability to read data from them is bad news, according to The Register.
The choice to use lazy FPU save-and-restore is an operating-system-and-software-level one, so microcode updates won't be required to mitigate it, according to a statement provided to The Register by Red Hat. The issue apparently doesn't affect Intel processors uniformly, either—Red Hat says newer Intel CPUs implement instructions that make the potential performance benefits of the lazy FP state restore mostly irrelevant, so the technique isn't used on those chips.
The Linux vendor says that operating systems using the lazy method of FPU restore should be configured to use “eager” FPU restore instead, in which the entire FPU state is swapped on every context switch, although a list of affected CPUs is not yet available. Given that Red Hat says version 7 of its Enterprise Linux OS uses this “eager” technique by default on Sandy Bridge and newer Intel architectures, the issue is likely confined to pre-Sandy Bridge chips.
Red Hat says it will be issuing an update to versions 6 and earlier of its operating system to expose a flag to configure eager FPU restore in the kernel. The company says enabling the parameter will not affect performance on vulnerable systems. The Register says Microsoft also has patches for affected systems in the works. As always, we advise TR readers to enable automatic updates on their systems and use supported versions of their operating system of choice.
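As an added example (not code from the article, Red Hat or Intel), the following read-only shell check classifies a Linux host's FPU restore mode from three things a defender can collect: the kernel command line, the CPU flags line of /proc/cpuinfo and the kernel boot log. It assumes the documented Linux `eagerfpu=` boot parameter (on/off/auto, where auto means eager only when the CPU supports `xsaveopt`) and the kernel's "Using 'eager'/'lazy' FPU context switches" boot message; the precedence order and the `unknown` fallback are this script's own assumptions.

```shell
#!/bin/sh
# Added example: classify whether a Linux host uses eager or lazy FPU state
# restore. Inputs are the kernel command line, the "flags" line from
# /proc/cpuinfo and any "FPU context switches" line from the kernel log.
# Assumption: the eagerfpu= parameter (on/off/auto) and the boot message
# behave as documented for kernels that still offer lazy restore; a kernel
# that has dropped lazy mode prints no message and is reported as unknown.

# fpu_mode CMDLINE CPUFLAGS DMESG_LINE  -> prints eager | lazy | unknown
fpu_mode() {
    cmdline=$1
    cpuflags=$2
    dmesg_text=$3

    # 1. The kernel's own boot message is authoritative when present.
    case $dmesg_text in
        *"Using 'eager' FPU context switches"*) echo eager; return 0 ;;
        *"Using 'lazy' FPU context switches"*)  echo lazy;  return 0 ;;
    esac

    # 2. An explicit boot parameter overrides the hardware-based default.
    case " $cmdline " in
        *" eagerfpu=on "*)  echo eager; return 0 ;;
        *" eagerfpu=off "*) echo lazy;  return 0 ;;
    esac

    # 3. Default (auto): eager only when the CPU advertises xsaveopt, which is
    #    the case Red Hat describes for Sandy Bridge and newer parts.
    case " $cpuflags " in
        *" xsaveopt "*) echo eager; return 0 ;;
    esac

    # No evidence either way: an older CPU on an older kernel may be lazy.
    echo unknown
}

# Live, read-only run on the current host when FPU_CHECK_LIVE=1 is set.
if [ "${FPU_CHECK_LIVE:-0}" = 1 ]; then
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    log=$(dmesg 2>/dev/null | grep -i 'FPU context switches' || true)
    echo "fpu restore mode: $(fpu_mode "$(cat /proc/cmdline)" "$flags" "$log")"
fi
```

Run it with `FPU_CHECK_LIVE=1 sh fpu_check.sh`; treat `unknown` as unverified rather than safe and confirm the mode from the vendor's guidance for that kernel.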
Intel provided TR with the following statement on the vulnerability:
This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.