Intel Announces New Vulnerability: Lazy FP State Restore

Intel AMT Security BranchScope

Today, Intel announced yet another new variant of the Spectre vulnerability – the Lazy FP state restores vulnerability. If the operating system uses the Lazy FP function of the CPU to save and restore the system state during context switching, the attacker can use the CPU’s predictive execution function to obtain the data collected by other processes in the register.

“System software may utilize the Lazy FP state restore technique to delay the restoring of state until an instruction operating on that state is actually executed by the new process. Systems using Intel® Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel.

System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value.”

Intel AMT Security BranchScope

The operating system should use Eager FP instead of Lazy FP. Before the publication of the vulnerability, rumours of Lazy FP‘s flaw have been circulating in the system developer community and are generally believed to be true. So OpenBSD stopped using Lazy FP on June 5, and DragonFlyBSD also fixed the vulnerability on the 13th.

Coincidentally, there were Linux kernel developers who discovered that Lazy FP had performance problems. Therefore, in January 2016, Eager FP had been enabled by default on supported CPUs and had inadvertently repaired the vulnerability.

If your Linux kernel uses 4.6-rc1 and later, no action is required. Otherwise, you need to add eagerfpu=on to the boot kernel parameters, manually turn on and restart the system, or you can wait for the upstream backport patch. Users of other operating systems should make security updates promptly.