Bug of the Month

Your CPU could Be Turned Against You

Jason Krause

The recently discovered "FO bug" causes Pentium- and Pentium with MMX-based systems to crash when a few lines of innocent-looking machine code -- F0 0F C7 C8 -- are sent to the CPU. It's unlikely for this code to appear in any commercial software because it doesn't convey a useful executable command. However, it offers hackers a new mechanism with which to launch malicious programs against systems and servers. This bug can occur regardless of what OS a system is running.

The illegal instruction is a 64-bit value that the processor tries to stuff into a 32-bit register. When a register is used as a destination, a processor normally stops such an instruction, signals an error, and prompts an error handler in software. According to Manny Vara, spokesman for Intel , "Basically, in this case the problem is that this code sequence doesn't raise a flag that something's wrong." A crash occurs if the instruction is locked, which means it gets completed without interruption, the invalid register is used, and the CPU hangs. On single-user systems, this is probably not a significant threat. But on servers executing uploaded CGI programs, this could be a serious security hole.

Intel has posted information on its Web site ( http://support.intel.com/support ) about how OS vendors can fix this problem. These workarounds generate a page fault when the invalid exception occurs, avoiding the bus-lock condition and allowing the processor to execute the error handler.

As this article went to press, all the major commercial OS vendors had pledged to work with Intel on creating fixes, but they hadn't yet made their implementations available for their customers. However, a patch for Linux-based systems is already available at ftp://ftp.kernel.org/pub/linux/kernel/.