Re: More on the pentium workaround - the gotchas

Ingo Molnar
Mon, 17 Nov 1997 17:51:06 +0100 (MET)

On Sat, 15 Nov 1997, Linus Torvalds wrote:

> The more I think about this, the more I start to believe that Hans Lermens
> patch is the best one after all. It's too simple-minded to get all cases
> correct, but it never does anything really bad (it essentially only breaks
> on code that is bad in the first place).

Also, what about the small window of getting a timer interrupt &
schedule() on the instruction boundary between the page fault handler's
'iret' and the restarted user-space instruction? We don't disable
interrupts, so this should well be possible. (The implicit 'sti' in iret is
specified by Intel as 'takes effect only at the second instruction
boundary', but in the page fault case we do not disable interrupts.)

So, unless I got the above case wrong, it is quite hard to know in
advance what instruction the CPU will restart. Unless we want to
disassemble for F00F & friends in schedule() as well? ;)

Enabling the buggy IDT gives me cold shudders anyway, the x86 ISA is IMHO
way too complex. [to mention one more ugly thing, x86 ISA defines traps
and exceptions to be delayed after movw %*, %%ss or popw %%ss, resulting
in more complexity and possibly dangerous situations.]

So, we cannot know what we executed (the linear/physical memory alias
problem wrt code prefetch), and we cannot know what we _will_ execute.
Attack code might even put a debug breakpoint right before an unmapped
page, the eip will point to that unmapped page, so we cannot even
disassemble _one byte_ without extreme prejudice. Mark's solution really
seems to be the most robust one, with the small extension that 'trap #1'
(hw debug trap) _has_ to point to after the trapping instruction as well
... and here comes the problem, how do we do that without disassembling
_all of_ x86 ISA, gosh!

To sum up the problem: 'page fault' is an exception, but 'traps' need to
have a fixed up regs->eip value pointing to the next instruction boundary.
This is more or less easy for 'irq 3', but is very ugly for hw debug
traps. How do we do this without switching back to a full (buggy) IDT?

-- mingo
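The fault-versus-trap fixup problem from the message above, as an added example (a constructed C model, not kernel code and not anything posted in this thread): it maps the faulting IDT address back to a vector number, advances the saved eip past an int3 (the case the message calls easy), and refuses to guess for the hw debug trap (the hard case). The 8-byte gate size is real 32-bit x86; the IDT base, eip values and instruction bytes are assumed.

```c
#include <stdint.h>
/* Constructed model (not kernel code) of the idea under discussion: vectors
 * whose IDT entry fetch page-faults get dispatched from the page fault handler. */
#define IDT_ENTRY_SIZE 8u   /* 32-bit x86 gate descriptor */
#define IDT_ENTRIES    256u
enum vector_kind { KIND_FAULT, KIND_TRAP_FIXED, KIND_TRAP_UNRESOLVED, KIND_UNHANDLED };
/* Map the faulting linear address back to a vector; -1 if outside the IDT. */
int vector_from_fault(uint32_t fault_addr, uint32_t idt_base)
{
    if (fault_addr < idt_base || fault_addr >= idt_base + IDT_ENTRIES * IDT_ENTRY_SIZE)
        return -1;
    return (int)((fault_addr - idt_base) / IDT_ENTRY_SIZE);
}
/* int3 is the one trap whose length is known without a full decoder:
 * 0xCC (one byte) or the two-byte form 0xCD 0x03. Returns 0 otherwise. */
static unsigned int int3_length(const uint8_t *code)
{
    if (code[0] == 0xCC) return 1;
    if (code[0] == 0xCD && code[1] == 0x03) return 2;
    return 0;
}
/* Faults keep eip on the faulting instruction; traps must report the next
 * instruction boundary. Only int3 is fixed up; the hw debug trap (vector 1)
 * would need the whole ISA decoded, so it is reported as unresolved.
 * 'code' holds the bytes at the saved eip, assumed to be the trapping insn. */
enum vector_kind route_vector(int vector, const uint8_t *code, uint32_t *eip)
{
    unsigned int len;
    switch (vector) {
    case 6:  return KIND_FAULT;                     /* #UD: eip already correct */
    case 3:
        len = int3_length(code);
        if (len == 0) return KIND_TRAP_UNRESOLVED;  /* no int3 at eip: do not guess */
        *eip += len;
        return KIND_TRAP_FIXED;
    case 1:  return KIND_TRAP_UNRESOLVED;           /* #DB: prior insn length unknown */
    default: return KIND_UNHANDLED;
    }
}
/* The eip the real handler would be handed after routing. */
uint32_t eip_after_routing(int vector, const uint8_t *code, uint32_t eip)
{
    route_vector(vector, code, &eip);
    return eip;
}
/* Constructed sample bytes at the saved eip. */
const uint8_t SAMPLE_INT3_CC[] = { 0xCC, 0x90 };
const uint8_t SAMPLE_INT3_CD[] = { 0xCD, 0x03 };
const uint8_t SAMPLE_NOP[]     = { 0x90, 0x90 };
```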