CPU Bugs: Difference between revisions

1,396 bytes added, 7 years ago
Add some interesting mis-features
m (→Core 2 Bugs: That table is about bugs in Core, not Core 2)
(Add some interesting mis-features)
Computers are made by humans, and are thus inherently prone to errors. This page describes known bugs for various CPU models and brands.
 
== Mis-features ==
 
=== ESP is not cleared ===
 
The x86 IRET instruction does not clear the upper 16 bits of the stack register when returning to 16-bit mode. As a result, the high 16 bits of the kernel's ESP may be leaked to userspace. The same is true for the transition from a 64-bit kernel to 16-bit userspace.
 
=== NULL selector load may not clear MSR_GS_BASE ===
 
Neither Intel nor AMD specifies what happens to MSR_GS_BASE when a NULL selector is loaded. Intel CPUs appear to load it with zero, while AMD CPUs appear to preserve the previous value. This detail has to be taken into account on context switches if the kernel tries to optimize away the slow MSR operations.
 
=== FXSAVE/FNSAVE ===
 
Intel and AMD CPUs differ in which context is saved and restored. AMD CPUs save and restore certain fields (FIP/FOP) only when an exception is pending (see CVE-2006-1056).
 
=== SYSRET ===
 
Intel CPUs do not handle a non-canonical return address properly. If RCX holds a non-canonical address when SYSRET is executed, a General Protection Fault is taken at CPL0 but with the CPL3 registers already loaded (see CVE-2006-0744).
 
=== SS selector ===
 
On AMD CPUs, the SS selector may become unusable when an interrupt arrives while in the kernel (which sets SS to NULL), the thread is then switched, and control returns to userspace via SYSRET. The numerical SS value is correct, but the cached descriptor is wrong. This affects only 32-bit compatibility-mode use of SS.
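Two of the mis-features above (the ESP leak on IRET to a 16-bit stack segment, and the SYSRET fault with a non-canonical RCX) are handled by checks on the kernel's return-to-user path. The following is an added example of those checks, not code from this wiki page or from any particular kernel; the segment descriptor bit layout and the canonical-address rule follow the x86 architecture, while the function names and the sample descriptors are constructed for the example.

```c
/* Added example: return-to-user checks motivated by the IRET/ESP and SYSRET
 * mis-features. Descriptor layout and canonical rule are per the x86
 * architecture; function names and sample values are ours (hypothetical). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Decoded fields of an 8-byte code/data segment descriptor. */
struct seg_desc {
    uint32_t base;
    uint32_t limit;    /* in bytes, after applying the granularity bit */
    uint8_t  type;     /* bits 8..11 of the high dword */
    bool     s;        /* S: 1 = code/data, 0 = system segment */
    uint8_t  dpl;
    bool     present;
    bool     db;       /* D/B: 1 = 32-bit, 0 = 16-bit operand/stack size */
    bool     l;        /* L: 64-bit code segment */
};

struct seg_desc decode_descriptor(uint64_t raw)
{
    struct seg_desc d;
    uint32_t lo = (uint32_t)raw, hi = (uint32_t)(raw >> 32);
    d.limit   = (lo & 0xffff) | (hi & 0x000f0000);
    d.base    = (lo >> 16) | ((hi & 0xff) << 16) | (hi & 0xff000000);
    d.type    = (hi >> 8) & 0xf;
    d.s       = (hi >> 12) & 1;
    d.dpl     = (hi >> 13) & 3;
    d.present = (hi >> 15) & 1;
    d.l       = (hi >> 21) & 1;
    d.db      = (hi >> 22) & 1;
    if (hi & (1u << 23))               /* G bit: limit counts 4 KiB pages */
        d.limit = (d.limit << 12) | 0xfff;
    return d;
}

/* IRET to a 16-bit stack segment leaves the kernel's high 16 bits of ESP
 * visible to userspace. The kernel must recognise such an SS and take a
 * fix-up path instead of a plain IRET from its normal stack. */
bool user_ss_needs_esp_fixup(uint64_t ss_desc_raw)
{
    struct seg_desc d = decode_descriptor(ss_desc_raw);
    /* Data segment: S=1 and type bit 3 clear. D/B=0 means a 16-bit stack. */
    return d.present && d.s && !(d.type & 0x8) && !d.db;
}

/* An address is canonical when bits [63:va_bits-1] are all equal, i.e. it
 * is the sign extension of a va_bits-wide value (48 for 4-level paging,
 * 57 with LA57). */
bool is_canonical(uint64_t va, unsigned va_bits)
{
    uint64_t upper = va >> (va_bits - 1);
    return upper == 0 || upper == (UINT64_MAX >> (va_bits - 1));
}

enum ret_path { RET_SYSRET, RET_IRET };

/* SYSRET with a non-canonical RCX faults at CPL0 with user registers already
 * loaded (CVE-2006-0744). Checking RCX first and falling back to IRET makes
 * the resulting #GP, if any, happen on the kernel stack. */
enum ret_path choose_return_path(uint64_t rcx, unsigned va_bits)
{
    return is_canonical(rcx, va_bits) ? RET_SYSRET : RET_IRET;
}

int main(void)
{
    /* Constructed descriptors: 16-bit DPL3 data segment, and the usual
     * flat 32-bit DPL3 data segment (G=1, D/B=1, limit 0xfffff). */
    uint64_t ss16 = 0x0000F2000000FFFFULL;
    uint64_t ss32 = 0x00CFF2000000FFFFULL;
    printf("16-bit SS needs fixup: %d\n", user_ss_needs_esp_fixup(ss16));
    printf("32-bit SS needs fixup: %d\n", user_ss_needs_esp_fixup(ss32));
    printf("RCX 0x0000800000000000 -> %s\n",
           choose_return_path(0x0000800000000000ULL, 48) == RET_IRET
               ? "IRET" : "SYSRET");
    return 0;
}
```

A kernel would run these checks against the saved user frame: a 16-bit stack segment means the plain IRET from the normal kernel stack must not be used as-is, and a non-canonical RCX means SYSRET has to be replaced by IRET so that any fault is raised while the kernel stack is still in use.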
 
== Intel ==