Subject: Possible (but Evil) work-around for Pentium bug?
To: None <current-users@NetBSD.ORG>
From: Erik E. Fair <email@example.com>
Date: 11/12/1997 12:30:26
I got the following today, which hints at a work-around with unacceptable
performance loss: turning off the L1 cache.
>X-Authentication-Warning: topdog.cs.umbc.edu: wrath owned process doing -bs
>Date: Wed, 12 Nov 1997 11:35:36 -0500 (EST)
>From: Vijay Gill <firstname.lastname@example.org>
>Subject: Re: Potentially dangerous Pentium bug disc
>On Wed, 12 Nov 1997, Michael McArthur wrote:
>> That's the problem -- it isn't a "bug", just an exploitable
>> instruction set that Cyrix, AMD, et al have been faithfully copying.
>> For that matter, the 486 instruction set is a subset of the
>> Pentium instruction set. Does this affect the 486/386 etc..?
>Short summary. The illegal instruction F0 0F C7 C8 locks up the
>Pentium, only reset or NMI allows the cpu to continue (this is a lock
>cmpxchg8 instruction with a reg as destination; in this case AX, but all
>other regs work, too; I'm not really sure if NMI cleans it up). It
>doesn't halt AMDs, Cyrixes, PPros and PII, nor does it halt any Intel CPU
>before Pentium; it's supposed to produce an illegal instruction trap.
>It does not halt the pentium, if the offending instruction is the
>destination of a mispredicted branch, or if the illegal instruction IDT is
>in the L1 cache.
>Affected: Multiuser systems facing "wannabe" hackers; all Pentium and
>Pentium MMX processors are affected.
>Workaround: none, if disabling the L1 cache and loading the illegal
>instruction IDT with TR4/TR5 isn't an option for you (massive performance
>hit). A boardlevel workaround seems to be possible (LOCK hold for more
>than a few microseconds -> raise NMI).
>History: Is known to Intel for at least some months (the maintainer of the
>Intel secret page found this bug, reported it, and did not publish it).
>They did not fix it (thus even the most recent Pentia are affected).
>% cat >pentbug.c
>unsigned main = 0xC8C70FF0;
>% cc pentbug.c -o pentbug
>(thanks to bernd paysan)