Bugtraq mailing list archives
Re: mode of the i586 F0 bug
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Wed, 12 Nov 1997 22:37:10 +0000
manufacturer that the Intel hardware designers forgot to unlock the bus before trying to load the descriptor for the appropriate exception handler, which would explain why locking it into the L1 cache helps. I suppose the hardware does unlock it before actually
It would also explain how the real fix works. If you take a BSDI box after the patch and before the patch and compare the MMU tables via /dev/mem etc you'll find there are a pair of funny pages where the interrupt descriptor table has moved. Odder still the low part of it doesn't have a pte. What it seems is done is to put the low descriptors into an invalid page and take a page fault when it tries to handle the fault from the lock cmpxchg8. The linux code is based on this observation and does this trick. The page fault handler then checks the fault and sees a kernel mode fault on the descriptor block[1] and works out what the real fault was. It then calls the relevant kernel function instead of doing normal page fault processing. We could probably just remap the page then but it's faster to call the functions by hand than map and remap the page (causing tlb flushes).

Hopefully that info and the 2.1.63 linux patch is enough to get the fix into other free OSes too. And if anyone can find a way to break the linux 2.1.63 fix we'd all love to know. Hopefully a complete official intel workaround will appear shortly and we can switch to that.

Alan

[1] This is important - or we might take a fault for a user process at the same address by chance and do a trap instead ..
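The dispatch logic described above, written out as an added user-space model (not the Linux 2.1.63 or BSDI code): the IDT is assumed to sit so that its first 16 descriptors fall in a page with no PTE, a kernel-mode fault inside that region is decoded back to the vector the CPU was trying to deliver and the trap handler is called directly, while a user-mode fault at the same address (footnote [1]) takes the normal page-fault path. The addresses and the vector-6 (#UD) case for lock cmpxchg8b are assumptions for the model.

```c
#include <stdio.h>

/* Constructed layout: the page at PAGE_END has no PTE, and the IDT starts
 * 16 descriptors (8 bytes each) below it, so vectors 0..15 are unmapped
 * and everything from vector 16 up lives in a mapped page. */
#define PAGE_END        0xC0102000UL
#define IDT_ENTRY_SIZE  8UL
#define IDT_BASE        (PAGE_END - 16 * IDT_ENTRY_SIZE)

enum { VEC_INVALID_OP = 6, VEC_NOT_HANDLED = -1 };

/* Stand-ins for the kernel trap and page-fault handlers; counted so the
 * dispatch decision is observable. */
static int invalid_op_calls;
static int normal_pf_calls;
static void do_invalid_op(void)        { invalid_op_calls++; }
static void do_normal_page_fault(void) { normal_pf_calls++; }

/* Work out what a page fault really was: returns the vector the CPU was
 * fetching a descriptor for, or VEC_NOT_HANDLED for an ordinary fault. */
int f00f_classify_fault(unsigned long fault_addr, int from_kernel)
{
    /* Footnote [1]: a user process touching this address by chance is a
     * real page fault, never a trap in disguise. */
    if (!from_kernel)
        return VEC_NOT_HANDLED;
    if (fault_addr < IDT_BASE || fault_addr >= PAGE_END)
        return VEC_NOT_HANDLED;
    return (int)((fault_addr - IDT_BASE) / IDT_ENTRY_SIZE);
}

/* Page-fault entry: call the handler by hand instead of remapping the
 * page (the post notes this avoids the map/remap TLB flushes). */
int handle_page_fault(unsigned long fault_addr, int from_kernel)
{
    int vec = f00f_classify_fault(fault_addr, from_kernel);
    if (vec == VEC_INVALID_OP)       /* lock cmpxchg8b with a register operand */
        do_invalid_op();
    else                             /* other vectors would get their own case */
        do_normal_page_fault();
    return vec;
}

int main(void)
{
    int v = handle_page_fault(IDT_BASE + VEC_INVALID_OP * IDT_ENTRY_SIZE, 1);
    printf("decoded vector %d, invalid_op handler calls %d\n", v, invalid_op_calls);
    return 0;
}
```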