Bugtraq mailing list archives
Possible solution: [Fwd: I figured out how to make my Pentium
From: rodriguj () DRAGO FIE US ES (Miguel Angel Rodriguez Jodar)
Date: Mon, 10 Nov 1997 16:53:57 +0100
The following is a possible solution to F0 0F... crossposted from comp.sys.intel. The solution involves the use of the internal cache to make sure the descriptor is accessed from it, not from main memory. The problem occurs when the descriptor is not in the cache. Jim's example program forces an invalid opcode exception to load the descriptor into the cache, and then F0 0F... is not a problem as long as the descriptor remains in cache... But... there's a way to lock the cache, so its contents don't get lost.

From the 486 on, one of the control registers controls the operation mode of the internal cache, so one could fire an invalid opcode, get the descriptor into the cache, and IMMEDIATELY lock the cache. This could be done at boot time on Linux or similar. Disadvantages: you MISS the internal cache, with loss of performance :(

Miguel Angel Rodriguez Jodar
Area de Arquitectura y Tecnologia de Computadores
Universidad de Sevilla (Spain)

-----------------------------------------------------------------------

Jim Brooks wrote:

I just figured out how to make my Pentium execute F0 0F C7 C8. The trick is to get the IDT gate descriptor for the invalid opcode exception into the internal caches by first executing a legitimate invalid opcode. Thereafter, as long as the gate descriptor remains in the internal caches, the Pentium can execute F0 0F C7 C8 without hanging itself. But if it isn't in the cache, F0* will hose your system.

I put assembly source code and a DOS EXE to demonstrate this at: ftp://ftp.jimbrooks.org/f0opcode.zip

Note that this program will only run in DOS while the Pentium is in real-mode. You must disable any memory managers which control protect-mode, otherwise the program will crash!

Jim Brooks
mailto:jim () jimbrooks org
PGP public key available