Pentium F00F bug

The Pentium F00F bug, named for F0 0F C7 C8, the hexadecimal encoding of the offending instruction,[1] and more formally the "invalid operand with locked CMPXCHG8B instruction" erratum, is a design flaw in the majority of Intel Pentium, Pentium MMX, and Pentium OverDrive processors (all in the P5 microarchitecture).[2][3]

Description

In the x86 architecture, the byte sequence F0 0F C7 C8 encodes the instruction lock cmpxchg8b eax: a locked compare-and-exchange of eight bytes with eax as the destination operand. Other values of the final (ModRM) byte, C9 through CF, select a register other than eax. The instruction requires no special privileges, so it can be issued from ordinary user-mode code.

This encoding is invalid. cmpxchg8b compares the 64-bit value held in the register pair edx:eax (the low 32 bits of rdx and rax on x86-64 processors) with an eight-byte value at a memory location, and its only legal destination operand is that memory location. Here, however, the ModRM byte names a register as the destination, which the instruction does not allow; the processor is supposed to raise an invalid-opcode exception (#UD).

Under normal circumstances this encoding would simply raise the invalid-opcode exception and the operating system's handler would run. When it is combined with the lock prefix (normally used to prevent two processors from interfering with the same memory location), however, the CPU erroneously begins the exception dispatch with the bus still locked and uses locked bus cycles to read the exception handler's descriptor from the interrupt descriptor table. A locked read that is not followed by a locked write is not a permitted bus operation, so after these cycles the processor stops all activity and must be reset to recover.
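The encoding rules above can be turned into a small scanner that tells the legal memory form of lock cmpxchg8b apart from the hanging register form. The following is an added example written for this page; it is not code from the original article, from Intel, or from any operating system vendor. It decodes the legacy prefix bytes, the 0F C7 opcode and the ModRM byte, and flags only LOCK + 0F C7 /1 with mod == 11. The sample buffer is constructed for illustration; treating other legacy prefixes (such as a segment override) between LOCK and the opcode as part of the same instruction is an assumption made for completeness, since the erratum text names only the LOCK prefix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One hanging encoding found in a byte buffer. */
struct f00f_hit {
    size_t offset;   /* where the instruction (its first prefix) starts */
    size_t length;   /* total encoded length in bytes */
    uint8_t modrm;   /* the ModRM byte that selects CMPXCHG8B's operand */
    int reg_rm;      /* the (invalid) register operand, 0 = eax .. 7 = edi */
};

/* Legacy x86 prefix bytes. F0 (LOCK) is the one that matters for the erratum;
 * the others are accepted so that e.g. "2E F0 0F C7 CF" is still recognised
 * (assumption: intervening prefixes do not defuse the erratum). */
static bool is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0xF0:                                                  /* LOCK */
    case 0xF2: case 0xF3:                                       /* REPNE / REP */
    case 0x26: case 0x2E: case 0x36: case 0x3E: case 0x64: case 0x65: /* segment */
    case 0x66:                                                  /* operand size */
    case 0x67:                                                  /* address size */
        return true;
    default:
        return false;
    }
}

/* Decode a candidate at buf[pos]. Returns true only for LOCK + 0F C7 /1 with
 * mod == 11, i.e. a register destination, which is the hanging encoding. */
static bool decode_f00f_at(const uint8_t *buf, size_t len, size_t pos,
                           struct f00f_hit *hit)
{
    size_t i = pos;
    bool has_lock = false;

    /* At most 14 prefixes fit inside the 15-byte instruction length limit. */
    while (i < len && i - pos < 14 && is_legacy_prefix(buf[i])) {
        if (buf[i] == 0xF0)
            has_lock = true;
        i++;
    }
    if (!has_lock || i + 3 > len)              /* need LOCK and 0F C7 <modrm> */
        return false;
    if (buf[i] != 0x0F || buf[i + 1] != 0xC7)
        return false;

    uint8_t modrm = buf[i + 2];
    int mod = modrm >> 6;
    int reg = (modrm >> 3) & 7;   /* opcode extension: /1 selects CMPXCHG8B */
    int rm  = modrm & 7;
    if (reg != 1)                 /* 0F C7 with another /r is a different instruction */
        return false;
    if (mod != 3)                 /* memory destination: the documented, legal form */
        return false;

    hit->offset = pos;
    hit->length = i + 3 - pos;
    hit->modrm  = modrm;
    hit->reg_rm = rm;
    return true;
}

/* Linear sweep over a buffer (a heuristic: it does not follow control flow).
 * Stores up to max_hits results and returns the total number found. */
size_t scan_f00f(const uint8_t *buf, size_t len, struct f00f_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t pos = 0; pos < len; pos++) {
        struct f00f_hit h;
        if (decode_f00f_at(buf, len, pos, &h)) {
            if (n < max_hits)
                hits[n] = h;
            n++;
            pos += h.length - 1;  /* skip the rest of this instruction */
        }
    }
    return n;
}

/* Constructed sample, not taken from any real binary. */
static const uint8_t sample[] = {
    0x90,                          /* nop */
    0xF0, 0x0F, 0xC7, 0x0F,        /* lock cmpxchg8b [edi]: legal memory form */
    0x0F, 0xC7, 0xC8,              /* cmpxchg8b eax without LOCK: plain #UD, no hang */
    0xF0, 0x0F, 0xC7, 0xC8,        /* the canonical F00F sequence */
    0x2E, 0xF0, 0x0F, 0xC7, 0xCF,  /* cs: lock cmpxchg8b edi: register variant, rm = 7 */
    0xF0, 0x0F, 0xC7, 0xF0,        /* lock 0F C7 /6: reg field is not /1, ignored */
    0xC3,                          /* ret */
};

int main(void)
{
    static const char *reg32[8] = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};
    struct f00f_hit hits[8];
    size_t n = scan_f00f(sample, sizeof sample, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("offset %zu: %zu-byte hanging encoding, modrm %02X (lock cmpxchg8b %s)\n",
               hits[i].offset, hits[i].length, hits[i].modrm, reg32[hits[i].reg_rm]);
    printf("%zu hanging encoding(s) found\n", n);
    return 0;
}
```

On the constructed sample the scanner reports exactly the two register-destination encodings (offsets 8 and 12) and passes over the legal memory form, the unlocked register form, and the locked 0F C7 /6 sequence. Because it is a linear sweep, running it over arbitrary data can produce false positives where the bytes are not actually code.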

Because of the proliferation of Intel microprocessors, the existence of an unprivileged instruction that any user could execute to halt the machine was considered a serious issue at the time, particularly on multi-user systems. Operating system vendors responded with workarounds that detected the condition and prevented the hang; a common approach, used by Linux, is to map the interrupt descriptor table read-only so that the erroneous locked read of the #UD descriptor raises a page fault instead, which the page-fault handler recognises by its address and redirects to the invalid-opcode handler. Information about the bug first appeared on the Internet on or around 8 November 1997.[4][5] Since the F00F bug has become common knowledge, the term is sometimes used to describe similar hardware design flaws such as the Cyrix coma bug.

No permanent hardware damage results from executing the F00F instruction on a vulnerable system. Depending on the file system, operating system, and other circumstances, data loss is possible if disk buffers had not been flushed, if a drive was interrupted in the middle of a write, or if some other non-atomic operation was interrupted.

The B2 stepping solved this issue for Intel's Pentium processors.[2] The Intel Quark series processors are also affected by this bug.[6]

Although technically not an example of either, the F00F instruction is often considered a killer poke or a Halt and Catch Fire (HCF) instruction.

References

  1. Collins, Robert R. (May 1, 1998). "The Pentium F00F Bug". Dr. Dobb's Journal. Retrieved 27 July 2015.
  2. Intel (1998). "81. Invalid Operand with Locked CMPXCHG8B Instruction". Pentium® Processor Specification Update, Version-041 [Release Date January 1999] (PDF). Santa Clara, CA, USA: Intel. p. 51f. Retrieved 27 July 2015.
  3. The opening to this specification update reads:
    "PROBLEM: The CMPXCHG8B instruction compares an 8 byte value in EDX and EAX with an 8 byte value in memory (the destination operand). The only valid destination operands for this instruction are memory operands. If the destination operand is a register the processor should generate an invalid opcode exception, execution of the CMPXCHG8B instruction should be halted and the processor should execute the invalid opcode exception handler. This erratum occurs if the LOCK prefix is used with the CMPXCHG8B instruction with an (invalid) register destination operand. In this case, the processor may not start execution of the invalid opcode exception handler because the bus is locked. This results in a system hang. IMPLICATION: If an (invalid) register destination operand is used with the CMPXCHG8B instruction and the LOCK prefix, the system may hang. No memory data is corrupted and the user can perform a system reset to return to normal operation. Note that the specific invalid code sequence necessary for this erratum to occur is not normally generated in the course of programming nor is such a sequence known by Intel to be generated by commercially available software. This erratum only applies to Pentium processors, Pentium processors with MMX technology, Pentium® OverDrive processors and Pentium OverDrive processors with MMX technology. Pentium Pro processors, Pentium II processors and i486TM and earlier processors are not affected…"
  4. Onno Hovers; et al. "Nieuwe Intel Pentium Bug" ["New Intel…"] (google groups thread, 38 posts by 22 authors) (in Dutch). Mountain View, CA, USA: google.com. Retrieved 27 July 2015.
  5. The opening entry of the thread, by Hovers, reads:
    "[8 November 1997] If you haven't heard about it yet, there is a new Intel Pentium BUG. It makes it possible to crash the Pentium completely from userspace with 1 instruction. The bug occurs on the Intel Pentium and the Intel Pentium MMX. The bug does not occur on the Intel Pentium Pro, the Intel Pentium II, the chips from AMD, Cyrix, etc. This bug is only relevant for some people who run a multiuser (shell) system on an Intel Pentium. On such a system, every user can crash the system…"
    Thread initiator O. Hovers was, at that time, a student of physics at the Eindhoven University of Technology.
  6. "#738575 - pthread: segfault in libpthread on Intel Galileo board - Debian Bug report logs". bugs.debian.org. Retrieved 2016-10-14.

This article is issued from Wikipedia - version of the 10/14/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.