Cyrix coma bug
The Cyrix coma bug is a design flaw in Cyrix 6x86, 6x86L, and early 6x86MX processors that allows a non-privileged program to completely lock the computer.
Discovery
According to Andrew Balsa, around the time of the discovery of the F00F bug on Intel Pentium, Serguei Shtyliov of Moscow found a flaw in a Cyrix processor while developing an IDE disk driver in assembly language. Alexandr Konosevich, from Omsk, further researched the bug and coauthored an article with Uwe Post in the German technology magazine c't, calling it the "hidden CLI bug" (CLI is the x86 instruction that disables interrupts). Balsa, as a member of the Linux-kernel mailing list, confirmed that a short C program could be compiled and run by an unprivileged user.
Executing that program renders the processor completely useless, as it enters an infinite loop that cannot be interrupted. This is a security flaw because any user with access to a Cyrix system with this bug can prevent other users from using the system: exploiting it is a denial-of-service attack. It is similar to executing a Halt and Catch Fire instruction, although the coma bug is not any one particular instruction.
Analysis
What causes the bug is not an interrupt mask, nor are interrupts explicitly disabled. Instead, an anomaly in the Cyrix instruction pipeline prevents interrupts from being serviced for the duration of the loop; since the loop never ends, interrupts are never serviced. The xchg instruction is atomic, meaning that no other instruction may change the state of the system while it executes (on x86, an xchg with a memory operand is implicitly locked, as if it carried a lock prefix, so the processor holds its bus lock for the whole read-modify-write). To guarantee this atomicity, the designers at Cyrix made xchg uninterruptible. However, because of pipelining and branch prediction, another xchg enters the pipeline before the previous one completes, so the processor never leaves the uninterruptible state for as long as the loop runs, which is forever.
Workarounds
A fix for unintentional instances of the bug is to insert another instruction in the loop, the nop instruction being a good candidate, so that two xchg instructions are no longer back to back in the pipeline. Cyrix suggested serializing the xchg opcode, that is, letting the pipeline drain before each xchg executes, thus bypassing the pipeline. However, both techniques depend on the cooperation of whoever writes the code, so they will not prevent deliberate attacks.
One way to prevent the bug regardless of what user code does is to set bit 4 (mask 0x10) of the configuration register CCR1. Cyrix's register documentation calls this bit NO_LOCK: with it set, the processor no longer asserts LOCK# for ordinary locked instructions such as xchg, which removes the locked, uninterruptible bus cycles that the loop relies on. The trade-off is that those instructions are no longer locked on the bus.
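As an added example that is not part of the original article, nor Cyrix's or any kernel's own code, the following C program shows how that CCR1 workaround is actually applied: it reads the Cyrix device-identification registers through the index/data port pair at 0x22/0x23 to confirm the part is one the article lists as affected, then sets NO_LOCK in CCR1 with a read-modify-write so that no other configuration bit changes. The port numbers and register indices (CCR1 = 0xC1, DIR0/DIR1 = 0xFE/0xFF) are those in the Cyrix register documentation linked below, and the family decode from DIR0's high nibble follows the convention used in the Linux kernel's Cyrix support code; the helper names and the sample register values are assumptions of this example.

```c
/*
 * Added example, not from the original article: apply the CCR1 NO_LOCK
 * workaround for the Cyrix coma bug.  Cyrix configuration registers sit
 * behind an index port (0x22) and a data port (0x23); CCR1 is index 0xC1
 * and DIR0/DIR1 are 0xFE/0xFF.  Helper names and sample values below are
 * this example's own assumptions.
 */
#include <stdint.h>
#include <stdio.h>

#define CX86_INDEX_PORT 0x22
#define CX86_DATA_PORT  0x23

#define CX86_CCR1 0xC1          /* Configuration Control Register 1 */
#define CX86_DIR0 0xFE          /* Device Identification Register 0 */
#define CX86_DIR1 0xFF          /* Device Identification Register 1 */
#define CCR1_NO_LOCK 0x10       /* bit 4: do not assert LOCK# on normal cycles */

/*
 * DIR0's high nibble gives the family, DIR1 the stepping.  Decode as in the
 * Linux cyrix.c convention: 3 = 6x86/6x86L, 5 = 6x86MX, and a 6x86MX with
 * DIR1 > 7 is the later M II stepping, which the article does not list.
 */
int cx86_has_coma_bug(uint8_t dir0, uint8_t dir1)
{
    switch (dir0 >> 4) {
    case 3:  return 1;            /* 6x86 / 6x86L */
    case 5:  return dir1 <= 7;    /* early 6x86MX only */
    default: return 0;            /* 486-class, MediaGX, M II, or not Cyrix */
    }
}

/* Value to write back: NO_LOCK set, every other CCR1 bit preserved. */
uint8_t cx86_ccr1_with_no_lock(uint8_t ccr1)
{
    return (uint8_t)(ccr1 | CCR1_NO_LOCK);
}

int cx86_ccr1_no_lock_set(uint8_t ccr1)
{
    return (ccr1 & CCR1_NO_LOCK) != 0;
}

#if defined(__linux__) && (defined(__i386__) || defined(__x86_64__))
#include <sys/io.h>             /* ioperm() */

static uint8_t cx86_inb(uint16_t port)
{
    uint8_t v;
    __asm__ volatile ("inb %1, %0" : "=a"(v) : "Nd"(port));
    return v;
}

static void cx86_outb(uint8_t v, uint16_t port)
{
    __asm__ volatile ("outb %0, %1" : : "a"(v), "Nd"(port));
}

/* Every register access is: write the index to 0x22, then use 0x23. */
static uint8_t cx86_read(uint8_t reg)
{
    cx86_outb(reg, CX86_INDEX_PORT);
    return cx86_inb(CX86_DATA_PORT);
}

static void cx86_write(uint8_t reg, uint8_t val)
{
    cx86_outb(reg, CX86_INDEX_PORT);
    cx86_outb(val, CX86_DATA_PORT);
}

int main(void)
{
    /* Ports 0x22/0x23 carry unrelated chipset registers on some non-Cyrix
     * boards: only run this on a machine already known to be a Cyrix. */
    if (ioperm(CX86_INDEX_PORT, 2, 1) != 0) {
        perror("ioperm");        /* needs root / CAP_SYS_RAWIO */
        return 1;
    }
    uint8_t dir0 = cx86_read(CX86_DIR0);
    uint8_t dir1 = cx86_read(CX86_DIR1);
    if (!cx86_has_coma_bug(dir0, dir1)) {
        printf("DIR0=%02x DIR1=%02x: not an affected part, nothing changed\n",
               dir0, dir1);
        return 0;
    }
    uint8_t ccr1 = cx86_read(CX86_CCR1);
    if (cx86_ccr1_no_lock_set(ccr1)) {
        printf("CCR1=%02x: NO_LOCK already set\n", ccr1);
        return 0;
    }
    cx86_write(CX86_CCR1, cx86_ccr1_with_no_lock(ccr1));
    printf("CCR1 %02x -> %02x: NO_LOCK set\n", ccr1, cx86_read(CX86_CCR1));
    return 0;
}
#else
int main(void)
{
    puts("the port I/O in this example is written for x86 Linux only");
    return 0;
}
#endif
```

The program needs root for ioperm and must be run only on hardware already known to be a Cyrix, since other chipsets expose unrelated configuration registers behind ports 0x22/0x23; where CPUID is available, vendor_id in /proc/cpuinfo reads CyrixInstead. The Linux kernel marks affected parts with a coma_bug flag in /proc/cpuinfo, which is a quicker check than probing DIR0/DIR1 by hand.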
External links
- Andrew Balsa's early description of the bug
- Cx6x86 registers (and undocumented features)