Re: Pentium emulation

Linus Torvalds (torvalds@transmeta.com)
Tue, 29 Jul 1997 09:05:15 -0700 (PDT)


On Tue, 29 Jul 1997, Pavel Machek wrote:
> > The i386 is indeed very very broken when it comes to read-only pages in
> > kernel space. The kernel tries to handle this, but the i386 braindamage
> > does result in threads being inherently unsafe because there are various
> > nasty race conditions that a thread library could hit.
>
> You just said that only kernel is hit by this. But is not threads
> library part of userland? Why does especially threads library care
> about wp bit being broken?

It's not the threads _library_. It's the kernel threads.

The issue with kernel threads is that they share the same address space,
which means that one thread can change the mapping of another thread in
the middle of some operation.

In particular, one thread can change the mapping of another thread in
between that other thread testing the i386 WP bit by hand and actually
writing to the page. It's a small window, and probably _very_ hard to
actually take advantage of, but it's there.

That race doesn't exist on any sane hardware, because we don't need to
test the WP bit by hand (and let me re-iterate that "i386" here does NOT
cover the whole line of 32-bit intel CPUs, but really _only_ the _3_86.
Any i486+ machine is fine).

> > This is fixed in the i486 and up, and the threads race problem only
> > shows up for code that tries to be malicious on purpose, so it is mostly
> > harmless (hint: if you're using a 386 as a server that accepts logins,
> > you should probably try to hit somebody for a 486 - there must be tons
> > of them lying around).
>
> I do not think so. Not here :-(. BTW such warnings should be better
> written out somewhere, I always thought that 386s are expected to
> work... And btw replacing board is somehow non-trivial for portable
> computers... Bad, bad, bad.

I'd be more than happy to say somewhere that "an i386-based machine works
fine, but you should NOT allow logins on them in security-conscious
areas".

Note that that doesn't mean that an i386 isn't a fine server: you can
happily use old i386 machines as web-servers, routers, NFS servers etc.
But you should _not_ allow potentially nasty people to actually log on to
them and use their own programs.

There are other reasons for not using i386-class machines: most of the
386's that I've seen had the so-called "popad bug". The popad bug is
deadly in protected mode - in real mode it only trashed the %eax register,
but in protected mode will actually lock up the CPU under the right
circumstances.

I haven't really considered this to be a Linux problem - both of the
problems are due to hardware bugs (although the WP bit behaviour is
classified by intel as a "feature"). And if you allow interactive logins
to your machine, you probably want to have more horsepower than an i386
will give you anyway.

I also wouldn't consider this a problem on a portable computer: it really
is a problem only for computers where you allow foreign logins from people
you don't trust. If you give a portable computer to somebody, you
implicitly trust them with the hardware (and any software measures are
moot at that point with any portable _I_ have seen so far).

Note that a cracker cannot misuse the i386 bugs without being able to run
his own programs on the machine. He has to be able to run a program he has
written (because none of the standard installation programs will even try
to do anything nasty).

Linus
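As an added illustration that is not part of this mail or of the Linux source: a constructed C model of the check-then-store window described above. The page-table entry, the `interleave_fn` hook standing in for "another kernel thread runs here", and the two store routines are all hypothetical; they only show why a by-hand WP test on the 386 can be separated from the store while a hardware-enforced check on the 486 cannot.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one page-table entry: just the bits a CPU consults
 * on a store, plus a few bytes standing in for the page itself. */
struct pte {
    bool present;
    bool writable;
    uint8_t page[16];   /* stand-in for the page's bytes */
};
/* Hook standing in for "another kernel thread runs here" (hypothetical). */
typedef void (*interleave_fn)(struct pte *);
typedef int (*store_fn)(struct pte *, int, uint8_t, interleave_fn);

static void make_read_only(struct pte *p) { p->writable = false; }

/* i386: WP does not stop supervisor writes, so the kernel tests the bit by
 * hand and then stores unconditionally. That gap is the window in the mail. */
int kernel_store_i386(struct pte *p, int off, uint8_t v, interleave_fn other)
{
    if (!p->present || !p->writable)
        return -1;          /* manual check: report a fault */
    other(p);               /* mapping may change right here */
    p->page[off] = v;       /* lands in a now read-only page */
    return 0;
}

/* i486+: the CPU evaluates WP at the moment of the store, so check and
 * store cannot be separated by another thread. */
int kernel_store_i486(struct pte *p, int off, uint8_t v, interleave_fn other)
{
    other(p);               /* even a change just before the store... */
    if (!p->present || !p->writable)
        return -1;          /* ...is caught: the store itself faults */
    p->page[off] = v;
    return 0;
}

/* One store to a fresh writable page while a second thread flips it
 * read-only inside the window; returns the byte left in the page. */
int byte_after_race(store_fn store)
{
    struct pte p = { .present = true, .writable = true };
    store(&p, 0, 0x41, make_read_only);
    return p.page[0];
}

int main(void)
{
    printf("i386: %#x\ni486: %#x\n", byte_after_race(kernel_store_i386),
           byte_after_race(kernel_store_i486));
    return 0;
}
```

The 386 path leaves 0x41 in a page that is read-only by the time the store happens; the 486 path leaves the page untouched because the store itself is refused.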