From owner-freebsd-hackers Fri Dec 12 04:22:10 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id EAA15515 for hackers-outgoing; Fri, 12 Dec 1997 04:22:10 -0800 (PST) (envelope-from owner-freebsd-hackers)
Received: from phoenix.its.rpi.edu (dec@phoenix.its.rpi.edu [128.113.161.45]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id EAA15502 for ; Fri, 12 Dec 1997 04:22:03 -0800 (PST) (envelope-from dec@phoenix.its.rpi.edu)
Received: from localhost (dec@localhost) by phoenix.its.rpi.edu (8.8.8/8.8.7) with SMTP id HAA00383; Fri, 12 Dec 1997 07:21:58 -0500 (EST) (envelope-from dec@phoenix.its.rpi.edu)
Date: Fri, 12 Dec 1997 07:21:58 -0500 (EST)
From: "David E. Cross"
To: John Kelly
cc: hackers@FreeBSD.ORG
Subject: Re: (fwd) Re: F00F bug *fixed* in 2.0.x kernels
In-Reply-To: <3491cfe3.6774010@mail.cetlink.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 12 Dec 1997, John Kelly wrote:

> On 8 Dec 1997 23:11:24 GMT, in comp.os.linux.development.system
> torvalds@transmeta.com (Linus Torvalds) wrote:
>
> In article ,
> Albert D. Cahalan wrote:
> >Jerry Hicks writes:
> >
> >> Wrong again Albert...
> >
> >Nope, you are wrong. This method is a _third_ solution.
> >
> >>>> My ``fix'' is to have the IDT descriptor reference a segment
> >>>> which has a length of 0. This has the effect of mapping SIGILL
> >>>> into SIGBUS, so that the `cmpxchg8' crash now generates a Bus
> >>>> error. (I didn't bother returning the correct signal; it can
> >>>> probably be added if it is important)
>
> This is indeed the "FreeBSD fix".
>
> The so-called "fix" doesn't work (it appears to, for simple exploits,
> but it doesn't), and I _told_ some FreeBSD people so: I even sent
> people a test-program that will still lock up a FreeBSD system with
> the "fix".
>
> If they are indeed still using that fix, they are a sorry lot of
> incompetent idiots.
>
> Linus

Hmm, by my reading of /usr/src/sys/i386/i386/trap.c, we are trapping a
page fault for the F00F workaround (line 608, version 1.83.2.2). I think
Linus should a: check his facts. b: not be so high and mighty all the
time; it really turns people off.

--
David Cross
ACS Consultant
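As an added illustration (not code from this message, nor from FreeBSD's trap.c), here is a user-space C simulation of the page-fault variant of the workaround that David refers to. The assumed layout is that the IDT is placed so the #UD gate (vector 6) lies in a non-present page; the CPU's descriptor fetch for an invalid-opcode exception then takes a page fault instead of locking the bus, and the page-fault handler reroutes any fault that lands on that gate to invalid-opcode handling, so the process gets SIGILL rather than a bus error or segfault. The trap numbers, the IDT address and the sample instruction bytes are constructed for the example; is_f00f_opcode is a separate diagnostic helper that recognises the lock cmpxchg8b register form (F0 0F C7 C8..CF) that triggers the erratum.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Trap codes used by this example only (hypothetical numbering, not the
 * values in FreeBSD's <machine/trap.h>). */
enum trap_type { T_PAGEFLT = 1, T_PRIVINFLT = 2 };

#define IDT_GATE_SIZE 8u   /* one i386 gate descriptor */
#define UD_VECTOR     6u   /* #UD, invalid opcode */

/* Does the instruction at p start with the F00F sequence?  LOCK (F0)
 * CMPXCHG8B (0F C7 /1) with a register operand: ModRM mod=11, reg=001,
 * so the ModRM byte is C8..CF.  The legal forms use a memory operand,
 * e.g. ModRM 08 for (%eax), and do not hang the CPU. */
bool is_f00f_opcode(const uint8_t *p, size_t len)
{
    return len >= 4 && p[0] == 0xF0 && p[1] == 0x0F && p[2] == 0xC7 &&
           (p[3] & 0xF8) == 0xC8;
}

/* Simulated page-fault dispatch.  Assumed layout: the #UD gate sits in a
 * non-present page, so the CPU's descriptor fetch for any #UD raises #PF
 * instead of asserting LOCK# forever.  A fault address inside that gate
 * therefore means "an invalid-opcode exception happened", whatever the
 * opcode was, and is reclassified as an invalid-instruction trap so the
 * normal SIGILL path runs.  Everything else is an ordinary page fault. */
enum trap_type classify_page_fault(uintptr_t idt_base, uintptr_t fault_addr)
{
    uintptr_t ud_gate = idt_base + UD_VECTOR * IDT_GATE_SIZE;

    if (fault_addr >= ud_gate && fault_addr < ud_gate + IDT_GATE_SIZE)
        return T_PRIVINFLT;
    return T_PAGEFLT;
}

int main(void)
{
    /* Constructed samples: the lockup form 'lock cmpxchg8b %eax' and the
     * legal memory form 'lock cmpxchg8b (%eax)'. */
    static const uint8_t lockup[] = { 0xF0, 0x0F, 0xC7, 0xC8 };
    static const uint8_t legal[]  = { 0xF0, 0x0F, 0xC7, 0x08 };
    const uintptr_t idt = 0xC0100000u;   /* hypothetical IDT address */

    printf("lockup bytes are F00F: %s\n",
           is_f00f_opcode(lockup, sizeof lockup) ? "yes" : "no");
    printf("legal bytes are F00F:  %s\n",
           is_f00f_opcode(legal, sizeof legal) ? "yes" : "no");
    printf("fault on #UD gate -> %s\n",
           classify_page_fault(idt, idt + UD_VECTOR * IDT_GATE_SIZE) == T_PRIVINFLT
               ? "rerouted to SIGILL" : "plain page fault");
    printf("fault in user text -> %s\n",
           classify_page_fault(idt, 0x08048000u) == T_PRIVINFLT
               ? "rerouted to SIGILL" : "plain page fault");
    return 0;
}
```

Note that the reroute keys on the fault address alone: with the #UD gate non-present, every invalid opcode (ud2, a garbage byte, not only F00F) arrives as a page fault on that gate, so a handler that insisted on seeing the F00F bytes before sending SIGILL would mis-deliver the others. The opcode check is useful only for telling the erratum apart from an ordinary illegal instruction when logging.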