Potentially dangerous Pentium bug disc
Vijay Gill
wrath at cs.umbc.edu
Wed Nov 12 16:35:36 UTC 1997
On Wed, 12 Nov 1997, Michael McArthur wrote:
> That's the problem -- it isn't a "bug", just an exploitable
> instruction set that Cyrix, AMD, et al have been faithfully copying.
>
> For that matter, the 486 instruction set is a subset of the
> Pentium instruction set. Does this affect the 486/386 etc..?
Short summary. The illegal instruction F0 0F C7 C8 locks up the
Pentium, only reset or NMI allows the cpu to continue (this is a lock
cmpxchg8 instruction with a reg as destination; in this case AX, but all
other regs work, too; I'm not really sure if NMI cleans it up). It
doesn't halt AMDs, Cyrixes, PPros and PII, nor does it halt any Intel CPU
before Pentium; it's supposed to produce an illegal instruction trap.
It does not halt the pentium, if the offending instruction is the
destination of a mispredicted branch, or if the illegal instruction IDT is
in the L1 cache.
Affected: Multiuser systems facing "wannabe" hackers; all Pentium and
Pentium MMX processors are affected.
Workaround: none, if disabling the L1 cache and loading the illegal
instruction IDT with TR4/TR5 isn't an option for you (massive performance
hit). A boardlevel workaround seems to be possible (LOCK hold for more
than a few microseconds -> raise NMI).
History: Is known to Intel for at least some months (the maintainer of the
Intel secret page found this bug, reported it, and did not publish it).
They did not fix it (thus even the most recent Pentia are affected).
Reproduce:
Unix:
% cat >pentbug.c
unsigned main = 0xC8C70FF0;
^D
% cc pentbug.c -o pentbug
% ./pentbug
(thanks to bernd paysan)
vijay
More information about the NANOG
mailing list