CVE-2002-1571

LOW 2.1 / 10.0
Published: December 31, 2002 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

The linux 2.4 kernel before 2.4.19 assumes that the fninit instruction clears all registers, which could lead to an information leak on processors that do not clear all relevant SSE registers.

CVSS Metrics

Base Score
2.1
Severity
LOW
Vector String
AV:L/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Local information-disclosure flaw in Linux 2.4 kernels before 2.4.19 (fixed in 2.4.19). The i386 kernel initialised a task's floating-point state with fninit, an x87 instruction that resets only the x87 control, status and tag state. On SSE-capable processors the XMM registers and MXCSR are left untouched, so whatever a previous task (or the kernel) left in those registers can be read by an unprivileged local process. CVSS 2.1 (Low): local access, no authentication, partial confidentiality impact, no integrity or availability impact.

02 // Vulnerability Mechanism

Step 1: Data left in SSE state: A task (or the kernel itself, for example an SSE-optimised routine) executes SSE code and leaves data such as key material or plaintext in XMM0 through XMM7. When it is switched out the kernel saves a copy of that state, but the physical registers still hold the values.

Step 2: "Clean" state via fninit: A different task later needs a fresh floating-point state, for instance on its first FPU or SSE instruction after creation. The 2.4 kernel before 2.4.19 produces that state by executing fninit and assumes every register is now cleared.

Step 3: Incomplete initialisation: fninit resets only the x87 control, status and tag words and the x87 instruction and data pointers. On SSE-capable processors the XMM registers and MXCSR are outside its scope and keep their previous contents.

Step 4: Read-back: The receiving task, running as an ordinary unprivileged local user, stores the XMM registers to memory (movups, movaps and similar) without having written them first and obtains the residual data belonging to the earlier task or to the kernel.

03 // Deep Technical Analysis

The flaw is a wrong assumption in the kernel's FPU initialisation code, not a memory-safety bug: there is no buffer overflow and no race condition, only a state that was believed to be clean and was not. Before 2.4.19, when a task needed a fresh floating-point state, the i386 kernel executed fninit and treated the result as fully initialised. fninit is an x87 instruction: it resets the FPU control, status and tag words and the instruction and data pointers, so the x87 register stack is marked empty. It is not defined to touch SSE state at all, so on processors with SSE (Pentium III and later, and AMD parts with SSE support) XMM0 through XMM7 and MXCSR keep whatever the previous user of the registers left there. Because the physical registers are shared by every task on the CPU, the task that receives the "initialised" state can simply store those XMM registers to memory and read data that belongs to another task or to the kernel. Correct initialisation on an SSE-capable CPU must reset the full fxsave-format state (x87 and SSE together), for example by restoring a zeroed fxsave image carrying the default control word and MXCSR, or by explicitly zeroing every XMM register. The practical impact is limited: the attacker must already run code on the machine, gets only whatever happened to be in eight 128-bit registers at the moment of the switch, and has no control over which task ran before; that is why the score is 2.1 (Low) with partial confidentiality impact and no integrity or availability impact. The remedy is to run 2.4.19 or later.
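To make the mechanism in the steps and the analysis above concrete, here is an added user-space demonstration (not code from this page or from the Linux 2.4 source) that contrasts what fninit resets with what a restore of a clean fxsave image resets. It assumes an x86 or x86-64 build with GCC or Clang inline assembly; the function names, the 16-byte marker pattern standing in for another task's data, and the zeroed fxsave image are constructed for the example and are not taken from the kernel. On any other architecture the functions return -1.

```c
/* Added demonstration: fninit leaves SSE state intact, a clean fxrstor does not.
 * Build: gcc -O2 -o fninit_leak fninit_leak.c   (x86 / x86-64 only) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#define DEMO_X86 1
/* x87 registers the compiler may hold values in; every asm below clobbers them. */
#define X87_CLOBBERS "st", "st(1)", "st(2)", "st(3)", "st(4)", "st(5)", "st(6)", "st(7)"
/* fxrstor reloads xmm0-7 in 32-bit mode and xmm0-15 in 64-bit mode. */
#if defined(__x86_64__)
#define XMM_CLOBBERS "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7", \
                     "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15"
#else
#define XMM_CLOBBERS "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7"
#endif
#endif

/* Constructed 16-byte marker that plays the role of secret data left in xmm0. */
static void fill_pattern(uint8_t p[16])
{
    for (int i = 0; i < 16; i++)
        p[i] = (uint8_t)(0xA0 + i);
}

/* 1: x87 state IS reset by fninit.  Load a non-default control word, run fninit,
 * read the control word back.  Returns it (0x037f is the x87 default), or -1 on
 * a non-x86 build. */
int x87_cw_after_fninit(void)
{
#ifdef DEMO_X86
    uint16_t cw_before = 0x0c7f;   /* rounding = truncate, precision = 64-bit mantissa */
    uint16_t cw_after = 0;
    __asm__ volatile("fldcw %1\n\t"
                     "fninit\n\t"
                     "fnstcw %0"
                     : "=m"(cw_after)
                     : "m"(cw_before)
                     : X87_CLOBBERS);
    return cw_after;
#else
    return -1;
#endif
}

/* 2: SSE state is NOT reset by fninit.  Returns 1 if the marker is still in xmm0
 * after fninit (the CVE-2002-1571 condition), 0 if it was cleared, -1 on non-x86. */
int pattern_survives_fninit(void)
{
#ifdef DEMO_X86
    uint8_t pattern[16], after[16];
    fill_pattern(pattern);
    __asm__ volatile("movups (%0), %%xmm0\n\t"   /* "previous task" leaves data in xmm0 */
                     "fninit\n\t"                /* the pre-2.4.19 "clean state" step   */
                     "movups %%xmm0, (%1)"       /* "next task" reads xmm0 back         */
                     :
                     : "r"(pattern), "r"(after)
                     : "memory", "xmm0", X87_CLOBBERS);
    return memcmp(pattern, after, 16) == 0;
#else
    return -1;
#endif
}

/* 3: Restoring a zeroed 512-byte fxsave image resets x87 AND SSE state (all XMM
 * registers and MXCSR), which is the kind of initialisation the fix needs.
 * Returns 1 if the marker survived, 0 if it was cleared, -1 on non-x86. */
int pattern_survives_clean_fxrstor(void)
{
#ifdef DEMO_X86
    static uint8_t image[512] __attribute__((aligned(16)));  /* fxrstor needs 16-byte alignment */
    uint8_t pattern[16], after[16];
    fill_pattern(pattern);
    memset(image, 0, sizeof image);          /* abridged tag word 0: all x87 regs empty */
    image[0] = 0x7f; image[1] = 0x03;        /* FCW   = 0x037f, x87 default control word */
    image[24] = 0x80; image[25] = 0x1f;      /* MXCSR = 0x1f80, SSE default, exceptions masked */
    __asm__ volatile("movups (%0), %%xmm0\n\t"
                     "fxrstor (%1)\n\t"          /* load the clean image: xmm0 becomes zero */
                     "movups %%xmm0, (%2)"
                     :
                     : "r"(pattern), "r"(image), "r"(after)
                     : "memory", XMM_CLOBBERS, X87_CLOBBERS);
    return memcmp(pattern, after, 16) == 0;
#else
    return -1;
#endif
}

int main(void)
{
    printf("x87 control word after fninit : 0x%04x (default is 0x037f)\n", x87_cw_after_fninit());
    printf("xmm0 marker survives fninit   : %d\n", pattern_survives_fninit());
    printf("xmm0 marker survives fxrstor  : %d\n", pattern_survives_clean_fxrstor());
    return 0;
}
```

The marker loaded into xmm0 stands in for another task's data: after fninit it is read back intact, which is exactly the state the pre-2.4.19 kernel handed to the next task, while the clean fxrstor path returns zeros. The image offsets (FCW at byte 0, MXCSR at byte 24) follow the architectural 512-byte fxsave layout; MXCSR must be loaded with its reserved bits clear, otherwise fxrstor raises #GP.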

CVE-2002-1571 - LOW Severity (2.1) | Free CVE Database | 4nuxd