Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 14 Nov 1997 15:41:26 -0500 (EST)
From:      "Jay M. Richmond" <jayrich@room101.sysc.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Pentium bug workaround in NetBSD (was Re: Intel Pentium Bug:              BSDI Releases a patch) (fwd)
Message-ID:  <Pine.BSF.3.96.971114154118.19990D-100000@room101.sysc.com>

next in thread | raw e-mail | index | archive | help
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzQe9IMAAAEEAKVCBVhfVHCyNOsNvCwXbamYDslPoBoUgllJxGWrjYr8+XOS
mAIo6VNyR6E0Q57SICfxAlw8CfrW3jSFZxCalyAr7f4SU/ioF7qOx9AEeRePKbQD
XQYT/eUirjo4h1TzQPWMrlGtnehTJfX4LKLeu8WRsMog/6LMzxBohdeuTAY9AAUR
tCJKYXkgTS4gUmljaG1vbmQgPGpheXJpY2hAc3lzYy5jb20+
=PTZq
-----END PGP PUBLIC KEY BLOCK-----

---------- Forwarded message ----------
Date: Fri, 14 Nov 1997 09:49:27 -0500
From: "Charles M. Hannum" <mycroft@MIT.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Pentium bug workaround in NetBSD (was Re: Intel Pentium Bug:              BSDI Releases a patch)

It occurs to me that there may be another way to solve this -- with a
slightly higher performance penalty.  To put it simply: return to user
mode and let the instruction be executed again.

To make this work, I suggest:

* Create the partially mapped IDT as per the BSDI patch.  Use it.

* Create a second copy of the IDT that it fully mapped.  For each
vector in this second copy, install a routine which first reloads the
IDT pointer to point to the partially mapped IDT and then uses the
normal routine.

* When we get a page fault, check to see if the fault was in the
second IDT, and if so turn off interrupts (with a CLI), load the
pointer to the first IDT, gratuitously fetch the IDT descriptor for
exception 6 to make sure it's in the cache, and return to user mode
(doing an implicit CLI during the IRET).

The theory is that we reexecute the faulting instruction with a
normal-looking IDT, making sure that the descriptor is in the L1
cache, so we don't get the hang.  The only way it would get rotated
out of the cache before the instruction is reexecuted would be if an
interrupt or exception occurs (i.e. some other code is caused to
execute) between when we reload the IDT pointer to the fully mapped
IDT and when the instruction is reexecuted.  To prevent this, we
arrange for any such interrupt or exception to cause the partially
mapped IDT to be loaded again, and thus when the interrupt or
exception completes, the instruction would cause another page fault.

This has a bit more performance impact on debuggers (because trace and
breakpoint traps are handled through this mechanism, with an
additional ~100 cycles on a 486), but it shouldn't have any of the
caveats I previously mentioned.

[I'd implement this right now and try it, but I *really* have to go
sleep now.  Recovering from a cold.  *sigh*]




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.971114154118.19990D-100000>