From owner-freebsd-security Fri Nov 14 17:03:31 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA17985 for security-outgoing; Fri, 14 Nov 1997 17:03:31 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from room101.sysc.com (richmojm2.student.rose-hulman.edu [137.112.206.126]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id RAA17974 for ; Fri, 14 Nov 1997 17:03:23 -0800 (PST) (envelope-from jayrich@room101.sysc.com)
Received: (qmail 2395 invoked by uid 1000); 15 Nov 1997 01:02:37 -0000
Date: Fri, 14 Nov 1997 20:02:37 -0500 (EST)
From: "Jay M. Richmond"
To: security-officer@freebsd.org
cc: freebsd-security@freebsd.org
Subject: Software backgrounder (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id RAA17978
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzQe9IMAAAEEAKVCBVhfVHCyNOsNvCwXbamYDslPoBoUgllJxGWrjYr8+XOS
mAIo6VNyR6E0Q57SICfxAlw8CfrW3jSFZxCalyAr7f4SU/ioF7qOx9AEeRePKbQD
XQYT/eUirjo4h1TzQPWMrlGtnehTJfX4LKLeu8WRsMog/6LMzxBohdeuTAY9AAUR
tCJKYXkgTS4gUmljaG1vbmQgPGpheXJpY2hAc3lzYy5jb20+
=PTZq
-----END PGP PUBLIC KEY BLOCK-----

---------- Forwarded message ----------
Date: Fri, 14 Nov 1997 16:08:26 -0600
From: Aleph One
To: BUGTRAQ@NETSPACE.ORG
Subject: Software backgrounder

http://support.intel.com/support/processors/pentium/ppiie/softback.htm

Pentium processor invalid instruction erratum
Software backgrounder

Workaround for "Invalid Operand with Locked CMPXCHG8B Instruction" erratum.

The LOCK Prefix

Some types of programs perform computations that require data accesses to have a specific ordering. These types of programs most commonly include operating systems, database engines, and applications for multiple processors. To ensure the ordering of data accesses, these programs use synchronization. Synchronization may be done by either software or hardware methods, but most programs use hardware synchronization for efficiency. Hardware synchronization usually involves reading and updating a memory location, with the hardware ensuring that the sequence is done in one operation. Such a combined operation is called a locked access.

Intel processors support locked accesses by an instruction feature called the lock prefix. This feature tells the processor that an instruction that updates memory is to be processed as a locked access to memory.

The CMPXCHG8B Instruction

Beginning with the Pentium® processor, Intel processors have provided special hardware support for synchronization using the CMPXCHG8B (compare and exchange 8 bytes) instruction. This instruction compares a specified memory location with processor registers, and conditionally updates the 8-byte memory location. When used with the lock prefix, this instruction provides very flexible hardware support for synchronization.

The Erratum

In Pentium processors, Pentium processors with MMX™ technology, Pentium OverDrive® processors, and Pentium OverDrive processors with MMX technology there is an erratum that affects the lock prefix on a CMPXCHG8B instruction with a register destination. This erratum does not affect the Pentium Pro processor, Pentium II processor, or the i486™ and earlier processors.

The documented use of the CMPXCHG8B instruction requires an 8-byte memory destination; attempting to use a CMPXCHG8B to update a 4-byte processor register is a program error. A computer’s operating system typically processes program errors through error handling routines. The erratum may cause an unexpected system freeze, preventing the program error from being processed by the error handling routine.

The affected form of the instruction is not contained in any operating system or other application known to Intel, nor is there any reasonable purpose for a software tool to generate it. Hence user software should not be affected. However, it is possible for a malicious program to use this instruction to cause a system freeze. The system freeze will not affect data that a user has already saved to disk. When the system is restarted all saved data will still be available.

The Workaround

Intel has developed a workaround for this erratum that can be incorporated by operating systems vendors. The workaround takes advantage of the memory management support provided by Intel processors. Specifically, it relies upon a page not present fault being processed before the program error handling routine. The page not present fault also prevents the memory bus lock caused by the lock prefix.

When an affected instruction is processed and the processor attempts to invoke the error handling routine, it is made to encounter a page not present fault. While processing the page not present fault the program error is dispatched to the error handling routine as expected. The operating system then continues normally.

If you are an operating system vendor and would like further information about the erratum or the workaround, see Contact Info. Please identify yourself as an operating system vendor.
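The backgrounder's distinction between the documented form (an 8-byte memory destination) and the erroneous form (a register destination) is entirely a matter of the instruction's ModRM byte, which is what an auditor checking a binary for the affected form has to decode. The following Python is an added example, not part of Intel's backgrounder or of this list message: it decodes the CMPXCHG8B opcode (0F C7 with reg field 1, per Intel's published opcode map) and its ModRM/SIB/displacement bytes, tells the memory-destination form from the register-destination form, and reports which register-destination occurrences also carry the LOCK prefix. The byte string it scans is constructed here, and the naive linear scan, the function names and the Cmpxchg8b class are this example's own assumptions.

```python
"""Audit an x86 byte stream for CMPXCHG8B and classify each occurrence.

Encoding facts (Intel opcode map): LOCK is the 0xF0 prefix; CMPXCHG8B is
0F C7 /1, i.e. two-byte escape 0x0F, opcode 0xC7, ModRM reg field == 1.
ModRM mod == 3 selects a register destination, which is the undocumented
form the erratum concerns; mod != 3 is the documented m64 form.
"""
from dataclasses import dataclass
from typing import List, Optional

LOCK_PREFIX = 0xF0
TWO_BYTE_ESCAPE = 0x0F
GROUP9_OPCODE = 0xC7          # 0F C7 is opcode group 9
CMPXCHG8B_REG_FIELD = 1       # /1 within group 9 is CMPXCHG8B


@dataclass
class Cmpxchg8b:
    offset: int        # offset of the first byte (LOCK prefix if present)
    length: int        # total instruction length in bytes
    locked: bool       # LOCK prefix present
    destination: str   # "memory" (documented) or "register" (program error)

    @property
    def triggers_erratum(self) -> bool:
        # The erratum needs both the LOCK prefix and a register destination.
        return self.locked and self.destination == "register"


def operand_bytes(code: bytes, i: int) -> int:
    """Length of ModRM + optional SIB + displacement starting at code[i]."""
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod == 3:                    # register operand: ModRM only
        return n
    if rm == 4:                     # SIB byte follows
        n += 1
        base = code[i + 1] & 7
        if mod == 0 and base == 5:  # no base register: disp32 follows SIB
            n += 4
    elif mod == 0 and rm == 5:      # [disp32] with no base register
        n += 4
    if mod == 1:                    # disp8
        n += 1
    elif mod == 2:                  # disp32
        n += 4
    return n


def decode_cmpxchg8b(code: bytes, offset: int) -> Optional[Cmpxchg8b]:
    """Decode a (possibly LOCK-prefixed) CMPXCHG8B at offset, else None."""
    i = offset
    locked = code[i] == LOCK_PREFIX
    if locked:
        i += 1
    if i + 2 >= len(code) or code[i] != TWO_BYTE_ESCAPE or code[i + 1] != GROUP9_OPCODE:
        return None
    modrm = code[i + 2]
    if (modrm >> 3) & 7 != CMPXCHG8B_REG_FIELD:
        return None                 # another group-9 member, not CMPXCHG8B
    try:
        n = operand_bytes(code, i + 2)
    except IndexError:
        return None                 # truncated at end of buffer
    if i + 2 + n > len(code):
        return None
    destination = "register" if modrm >> 6 == 3 else "memory"
    return Cmpxchg8b(offset, i + 2 + n - offset, locked, destination)


def scan(code: bytes) -> List[Cmpxchg8b]:
    """Naive linear scan: tries each offset and skips over decoded hits.

    Without a full disassembler this can flag data bytes that happen to
    look like code, so treat hits as candidates for manual review.
    """
    found, off = [], 0
    while off < len(code):
        hit = decode_cmpxchg8b(code, off)
        if hit is None:
            off += 1
        else:
            found.append(hit)
            off += hit.length
    return found


def affected_offsets(code: bytes) -> List[int]:
    """Offsets of LOCK CMPXCHG8B with a register destination."""
    return [h.offset for h in scan(code) if h.triggers_erratum]


# Constructed sample (not from any real binary):
#   xor eax,eax | lock cmpxchg8b [edi] | nop | cmpxchg8b [ebp+8]
#   | lock cmpxchg8b with register destination (the erratum form) | ret
SAMPLE = bytes([0x31, 0xC0,
                0xF0, 0x0F, 0xC7, 0x0F,
                0x90,
                0x0F, 0xC7, 0x4D, 0x08,
                0xF0, 0x0F, 0xC7, 0xC8,
                0xC3])

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        flag = "AFFECTED FORM" if hit.triggers_erratum else "ok"
        print(f"offset {hit.offset:3d} len {hit.length} locked={hit.locked} "
              f"dest={hit.destination}: {flag}")
```

The scan reports three CMPXCHG8B instructions in the sample, of which only the last one (offset 11) has both the LOCK prefix and a register destination; the two memory-destination forms are the documented usage and are left alone. A real audit would run the decoder over disassembled instruction boundaries rather than every byte offset.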