Date:      Fri, 14 Nov 1997 20:02:37 -0500 (EST)
From:      "Jay M. Richmond" <jayrich@room101.sysc.com>
To:        security-officer@freebsd.org
Cc:        freebsd-security@freebsd.org
Subject:   Software backgrounder (fwd)
Message-ID:  <Pine.BSF.3.96.971114200226.2386B-100000@room101.sysc.com>


---------- Forwarded message ----------
Date: Fri, 14 Nov 1997 16:08:26 -0600
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Software backgrounder

http://support.intel.com/support/processors/pentium/ppiie/softback.htm

   Pentium processor invalid instruction erratum

   Software backgrounder workaround for "Invalid Operand with
   Locked CMPXCHG8B Instruction" erratum.

   The LOCK Prefix

   Some types of programs perform computations that require data accesses
   to have a specific ordering. These types of programs most commonly
   include operating systems, database engines, and applications for
   multiple processors. To ensure the ordering of data accesses, these
   programs use synchronization. Synchronization may be done by either
   software or hardware methods, but most programs use hardware
   synchronization for efficiency. Hardware synchronization usually
   involves reading and updating a memory location, with the hardware
   ensuring that the sequence is done in one operation. Such a combined
   operation is called a locked access. Intel processors support locked
   accesses by an instruction feature called the lock prefix. This
   feature tells the processor that an instruction that updates memory is
   to be processed as a locked access to memory.

   The CMPXCHG8B Instruction

   Beginning with the Pentium® processor, Intel processors have provided
   special hardware support for synchronization using the CMPXCHG8B
   (compare and exchange 8 bytes) instruction. This instruction compares
   a specified memory location with processor registers, and
   conditionally updates the 8-byte memory location. When used with the
   lock prefix, this instruction provides very flexible hardware support
   for synchronization.

   The Erratum

   In Pentium processors, Pentium processors with MMX™ technology,
   Pentium OverDrive® processors, and Pentium OverDrive processors with
   MMX technology there is an erratum that affects the lock prefix on a
   CMPXCHG8B instruction with a register destination. This erratum does
   not affect the Pentium Pro processor, Pentium II processor, or the
   i486™ and earlier processors. The documented use of the CMPXCHG8B
   instruction requires an 8-byte memory destination; attempting to use a
   CMPXCHG8B to update a 4-byte processor register is a program error. A
   computer's operating system typically processes program errors
   through error handling routines. The erratum may cause an unexpected
   system freeze, preventing the program error from being processed by
   the error handling routine.

   The affected form of the instruction is not contained in any operating
   system or other application known to Intel, nor is there any
   reasonable purpose for a software tool to generate it. Hence user
   software should not be affected. However, it is possible for a
   malicious program to use this instruction to cause a system freeze.
   The system freeze will not affect data that a user has already saved
   to disk. When the system is restarted all saved data will still be
   available.

   The Workaround

   Intel has developed a workaround for this erratum that can be
   incorporated by operating systems vendors. The workaround takes
   advantage of the memory management support provided by Intel
   processors. Specifically, it relies upon a page not present fault
   being processed before the program error handling routine. The page
   not present fault also prevents the memory bus lock caused by the lock
   prefix. When an affected instruction is processed and the processor
   attempts to invoke the error handling routine, it is made to encounter
   a page not present fault. While processing the page not present fault
   the program error is dispatched to the error handling routine as
   expected. The operating system then continues normally.
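A user-space model of the IDT placement and the page-fault check that the workaround described above relies on, added here as an illustration (it is not Intel's text or any operating system's code). It assumes the 32-bit IDT format with 8-byte gate descriptors, 4 KiB pages and the architectural vector numbers 6 (#UD, the "program error") and 14 (#PF); the two-page region, the exact placement and the function names are assumptions of this illustration.

```c
#include <stdint.h>

/* Model of the page-not-present workaround for the locked CMPXCHG8B
 * erratum (illustration only, not kernel code).  Assumed layout:
 * 8-byte IDT gates, 4 KiB pages, vector 6 = #UD, vector 14 = #PF. */
#define PAGE_SIZE   4096u
#define GATE_SIZE   8u
#define VEC_UD      6
#define VEC_PF      14

/* Place the IDT inside a two-page region so that gates 0..6 end exactly at
 * the boundary between the pages.  The first page is then left not-present
 * and the second (holding #PF and every higher vector) stays mapped.  When
 * the processor tries to dispatch #UD it reads a not-present page and
 * raises #PF instead of performing the locked cycle that triggers the bug. */
uint32_t f00f_idt_base(uint32_t region)
{
    uint32_t boundary = region + PAGE_SIZE;
    return boundary - (VEC_UD + 1) * GATE_SIZE;
}

/* Layout check: the not-present part must end on a page boundary so that
 * gate 7 onward, including the #PF gate itself, lies on the present page.
 * If #PF's gate were unmapped the synthetic fault would double-fault. */
int f00f_layout_ok(uint32_t idt_base)
{
    uint32_t np_end  = idt_base + (VEC_UD + 1) * GATE_SIZE;
    uint32_t pf_gate = idt_base + VEC_PF * GATE_SIZE;
    return (np_end % PAGE_SIZE) == 0 && pf_gate >= np_end;
}

/* Page-fault handler logic: given the faulting linear address (CR2), decide
 * whether this is the workaround's synthetic fault, i.e. the CPU was reading
 * a gate on the unmapped IDT page.  Returns the vector whose handler the
 * #PF handler must now invoke in software, or -1 for an ordinary page fault.
 * Note that vectors 0..5 share the unmapped page with #UD, so the handler
 * has to forward all seven, not only vector 6. */
int f00f_vector_for_fault(uint32_t idt_base, uint32_t cr2)
{
    uint32_t np_end = idt_base + (VEC_UD + 1) * GATE_SIZE;
    if (cr2 < idt_base || cr2 >= np_end)
        return -1;
    return (int)((cr2 - idt_base) / GATE_SIZE);
}
```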

   If you are an operating system vendor and would like further
   information about the erratum or the workaround, see Contact Info.
   Please identify yourself as an operating system vendor.
