The Cyrix coma bug is a design flaw in Cyrix 6x86, 6x86L, and early 6x86MX processors that allows a non-privileged program to completely lock the computer.

Discovery

According to Andrew Balsa, around the time of the discovery of the f00f bug on Intel Pentium, Serguei Shtyliov of Moscow found a flaw in a Cyrix processor while developing an IDE disk driver in assembly language. Alexandr Konosevich, from Omsk, further researched the bug, and coauthored an article with Uwe Post in the German technology magazine, c't, calling it the "hidden CLI bug" (CLI is the instruction which disables interrupts in the x86 architecture). Balsa, as a member on the Linux-kernel mailing list, confirmed that the following C program could be compiled and run by an unprivileged user:

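static unsigned char c[4] = {0x36, 0x78, 0x38, 0x36};
main()
{
    /* Load the address of c, then loop forever on an exchange with memory. */
    asm ("movl $c, %ebx\n\t"
         "again: xchgl (%ebx), %eax\n\t"   /* atomic exchange of %eax and c */
         "movl %eax, %edx\n\t"
         "jmp again\n\t");                 /* branch straight back to the xchgl */
}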

Execution of this program renders the processor completely useless, as it enters an infinite loop that cannot be interrupted. This presents a security flaw because any user with access to a Cyrix system with this bug could prevent other users from using the system. Exploitation of this flaw would therefore be a denial-of-service attack. It is similar to execution of a Halt and Catch Fire instruction, although the coma bug is not any one particular instruction.

Analysis

What causes the bug is not an interrupt mask, nor are interrupts being explicitly disabled. Instead, an anomaly in the Cyrix's instruction pipeline prevents interrupts from being serviced for the duration of the loop; since the loop never ends, interrupts will never be serviced. The xchg[1] instruction is atomic, meaning that other instructions are not allowed to change the state of the system while it is executed. In order to ensure this atomicity, the designers at Cyrix made the xchg uninterruptible. However, because of pipelining and branch predicting, another xchg enters the pipeline before the previous one completes, leaving the processor in this uninterruptible state forever.

Workarounds

A simple fix is to insert another instruction in the loop, the nop instruction being a good candidate.

One way to prevent this bug is to enable bit 0x10 in the configuration register CCR1. Alternatively, Cyrix provided a way to fix this, by serializing the xchg opcode, thus bypassing the pipeline.
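
The CCR1 workaround above, written as a read-modify-write; this is an added example, not code from the original page, from Cyrix or from the Linux kernel. The index/data ports 0x22/0x23 and the CCR1 index 0xC1 are not on the page and are assumed from the Cyrix configuration-register convention; `port_io`, `cyrix_apply_coma_workaround` and the simulated port backend are hypothetical names constructed so the logic can run without the hardware.

```c
#include <stdint.h>
#define CYRIX_INDEX_PORT 0x22 /* assumption: config register index port */
#define CYRIX_DATA_PORT  0x23 /* assumption: config register data port */
#define CX86_CCR1        0xC1 /* assumption: index of CCR1 */
#define CCR1_FIX_BIT     0x10 /* the bit the text says to enable */

/* Port access is injected; on real hardware these are privileged outb/inb. */
struct port_io {
    void    (*outb)(uint8_t value, uint16_t port);
    uint8_t (*inb)(uint16_t port);
};

/* Each data-port access must be preceded by its own index write. */
static uint8_t cx86_read(const struct port_io *io, uint8_t reg) {
    io->outb(reg, CYRIX_INDEX_PORT);
    return io->inb(CYRIX_DATA_PORT);
}
static void cx86_write(const struct port_io *io, uint8_t reg, uint8_t value) {
    io->outb(reg, CYRIX_INDEX_PORT);
    io->outb(value, CYRIX_DATA_PORT);
}

/* Read-modify-write so the other CCR1 bits survive; returns the new CCR1. */
uint8_t cyrix_apply_coma_workaround(const struct port_io *io) {
    uint8_t ccr1 = cx86_read(io, CX86_CCR1);
    if (!(ccr1 & CCR1_FIX_BIT))
        cx86_write(io, CX86_CCR1, ccr1 | CCR1_FIX_BIT);
    return cx86_read(io, CX86_CCR1);
}

/* Constructed simulation: one index write arms exactly one data access. */
static uint8_t sim_regs[256];
static int sim_selected = -1;
static void sim_outb(uint8_t value, uint16_t port) {
    if (port == CYRIX_INDEX_PORT) { sim_selected = value; return; }
    if (port == CYRIX_DATA_PORT && sim_selected >= 0)
        sim_regs[sim_selected] = value;
    sim_selected = -1;
}
static uint8_t sim_inb(uint16_t port) {
    int sel = (port == CYRIX_DATA_PORT) ? sim_selected : -1;
    sim_selected = -1;
    return sel >= 0 ? sim_regs[sel] : 0xFF;
}
const struct port_io sim_io = { sim_outb, sim_inb };
int main(void) {
    sim_regs[CX86_CCR1] = 0x82; /* constructed starting value, bit 0x10 clear */
    return cyrix_apply_coma_workaround(&sim_io) == 0x92 ? 0 : 1;
}
```

The simulated backend returns 0xFF for a data-port read that was not armed by an index write, so a version that selects the index once and then reads and writes the data port back to back fails visibly.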

Notes

  1. xchgl in the source code means Exchange (Long)

© 2009 citizendia.org; parts available under the terms of GNU Free Documentation License, from http://en.wikipedia.org