From: Stas Sergeev <stsp@aknet.ru>
To: Petr Vandrovec <VANDROVE@vc.cvut.cz>
Cc: linux-kernel@vger.kernel.org
Subject: Re: ESP corruption bug - what CPUs are affected?
Date: Fri, 17 Sep 2004 22:12:01 +0400 [thread overview]
Message-ID: <414B28F1.4040604@aknet.ru> (raw)
In-Reply-To: <3BFF2F87096@vcnet.vc.cvut.cz>
Hello.
Petr Vandrovec wrote:
>> There is a "semi-official" bug in Intel CPUs,
>> which is described here:
>> http://www.intel.com/design/intarch/specupdt/27287402.PDF
>> chapter "Specification Clarifications"
>> section 4: "Use Of ESP In 16-Bit Code With 32-Bit Interrupt Handlers".
> Not a bug, but a feature.
Yep, one of those features, that you can
neither disable, nor (speaking about dosemu)
work around.
>> What I want to find out, is what CPUs are
>> affected. I wrote a small test-case. It is
>> attached. I tried it on Intel Pentium and
>> on AMD Athlon - bug is present on both. But
>> I'd like to know if it is also present on a
>> Transmeta Crusoe, Cyrix and other CPUs.
> AFAIK all.
I expected that. My last hopes were on Cyrix, which,
at least as I've heard, doesn't follow the Intel's
specs very strictly. So I thought maybe they have
not duplicated that "feature".
> There are products which depend on this behavior.
Out of curiosity, what are those products? I
think it is pretty much brain-damaged to depend
on a ESP corruption.
>> I'd also like to know any thoughts on whether
>> it is possible to work around the bug, probably
>> in a kernel?
> IMHO you have to switch to 16bit stack, load upper bits of ESP
> with target value, and then execute IRET, while 16bit SS:SP points
> to same place where flat ESP pointed.
Hmm, that sounds feasible.
> And I do not think that linux NMI handler survives 16bit stack, so
> natural solution seems to be to create complete 16bit CPL1
> environment, return to it, load ESP as you want, and then do IRET
> to return to CPL2 or CPL3. Fortunately V8086 mode is not affected,
> so there should be no problem with using CPL1 for this middle step.
> But of course it is not something you want to do on each return
> from interrupt handler... Well, or maybe you want...
Umm, no. But well, the spec claims that this
happens only with iret. It doesn't say that it
is a general problem with switching between a
different protection rings. And it seems, for
example, that WinNT/XP do not have that problem.
I.e. the DOS progs that get a Stack Fault under
dosemu because ESP points to the kernel space, can
actually work under WinXP. Maybe they are using
some other technique to return to Ring3, the one
that doesn't trigger the bug at all?
>> Anyway, I'd be glad to get any info on that bug.
>> Why it was not fixed for so many years, looks
>> also like an interesting question, as for me.
> It is part of architecture now...
How could that happen? Was it so difficult to just
fix? Oh well, perhaps it was...
next prev parent reply other threads:[~2004-09-17 18:11 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-16 18:39 ESP corruption bug - what CPUs are affected? Petr Vandrovec
2004-09-17 18:12 ` Stas Sergeev [this message]
2004-09-18 16:45 ` Stas Sergeev
2004-09-18 16:59 ` Petr Vandrovec
2004-09-18 19:14 ` Stas Sergeev
2004-09-18 20:35 ` Petr Vandrovec
2004-09-22 18:49 ` Stas Sergeev
2004-09-22 19:19 ` Richard B. Johnson
2004-09-22 20:03 ` Stas Sergeev
2004-09-22 20:13 ` Richard B. Johnson
2004-09-28 15:43 ` Denis Vlasenko
2004-09-22 20:02 ` Petr Vandrovec
2004-09-23 4:09 ` Stas Sergeev
2004-09-23 17:08 ` Stas Sergeev
2004-09-23 18:06 ` Petr Vandrovec
2004-09-24 20:36 ` Stas Sergeev
2004-09-24 21:43 ` Petr Vandrovec
2004-09-25 8:04 ` Gabriel Paubert
2004-09-25 12:25 ` Stas Sergeev
2004-09-25 19:18 ` Gabriel Paubert
2004-09-25 20:40 ` Stas Sergeev
2004-09-25 23:42 ` Gabriel Paubert
2004-09-26 18:04 ` Stas Sergeev
2004-09-27 9:07 ` Gabriel Paubert
2004-09-30 15:11 ` Bill Davidsen
2004-10-06 16:18 ` ESP corruption bug - what CPUs are affected? (patch attempts) Stas Sergeev
-- strict thread matches above, loose matches on Subject: below --
2004-10-06 17:18 ESP corruption bug - what CPUs are affected? (patch att Petr Vandrovec
2004-10-11 18:32 ` ESP corruption bug - what CPUs are affected? Stas Sergeev
2004-09-16 17:49 Stas Sergeev
2004-09-16 19:03 ` Denis Vlasenko
2004-09-17 18:13 ` Stas Sergeev
2004-09-17 22:04 ` Denis Vlasenko
2004-09-18 10:58 ` Stas Sergeev
2004-09-18 13:08 ` Denis Vlasenko
2004-09-18 17:05 ` Stas Sergeev
[not found] ` <200409190108.45641.vda@port.imtp.ilyichevsk.odessa.ua>
2004-09-22 19:05 ` Stas Sergeev
2004-09-21 11:19 ` Pavel Machek
2004-09-21 11:43 ` Denis Vlasenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=414B28F1.4040604@aknet.ru \
--to=stsp@aknet.ru \
--cc=VANDROVE@vc.cvut.cz \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).