Re: ESP corruption bug - what CPUs are affected?

[Gabriel Paubert <paubert@iram.es>]

On Sat, Sep 25, 2004 at 04:25:43PM +0400, Stas Sergeev wrote:
> Hello.
> 
> Gabriel Paubert wrote:
> >Maybe I miss something, but it seems that lret (or retl)
> >is not affected by this bug.
> Petr Vandrovec says (he forgot to CC that
> to LKML I think):

At least I did not see it.

> ---
> Looking at VMware's code it seems that RETF suffers from
> this bug too...
> ---
> 
> I tested that - he is right, and Intel docs
> make no sense as to not mentioning this.

I suspected that they behaved differently because the
pseudocode in iret's description is quite different 
(for iret, it even does not mention restoring ESP!).
But if you expect Intel's doc, or that of any manufacturer
for the matter, to tell the whole truth, you're naïve.

Is ESP really properly restored for V86 bmode or is it that 
it does not hit the case of a default 32 bit code segment with 
a 16 bit stack?

I'm absolutely amazed by the fact that this bug has been there
since the beginning and only seems to hit users right now.

I don't like adding an intermediate privilege level, but
it looks hard to do through the vdso, and you always have to 
push something on the final stack. A hardware task switch 
might work, but it has problems with races on the segment
descriptors. 

Anyway, I've just read again Intel's doc about mixing 16 and 32 bit 
code and I have found the understament of the day:

"For most efficient and trouble-free operation of the processor, 32-bit
                        ^^^^^^^^^^^^
programs or tasks should have the D flag in the code-segment descriptor
and the B flag in the stack-segment descriptor set, and 16-bit programs
or tasks should have these flags clear. Program control transfers from
16-bit segments to 32-bit segments (and vice versa) are handled most
efficiently through call, interrupt, or trap gates."


	Regards,
	Gabriel