Vigil@nce: OpenBSD, denial of service via XMM
October 2009 by Vigil@nce
On an i386 processor, a local attacker can generate an XMM
exception, in order to stop OpenBSD.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 05/10/2009
IMPACTED PRODUCTS
– OpenBSD
DESCRIPTION OF THE VULNERABILITY
Streaming SIMD Extensions are integrated into Intel Pentium III
and later processors. New XMM0 to XMM7 registers are provided,
where floating point operations can be done.
The trap() function of the sys/arch/i386/i386/trap.c file manages
exceptions which can occur on the processor. However, the case
"T_XFTRAP" (SIMD Floating Point fault) is not handled. When it
occurs, the system panics.
On an i386 processor, a local attacker can therefore generate an
XMM exception, in order to stop OpenBSD.
CHARACTERISTICS
Identifiers: BID-36589, VIGILANCE-VUL-9072
http://vigilance.fr/vulnerability/OpenBSD-denial-of-service-via-XMM-9072