Bugtraq mailing list archives

Q163852: Invalid Operand with Locked CMPXCHG8B Instruction


From: aleph1 () DFW NET (Aleph One)
Date: Fri, 12 Dec 1997 11:04:36 -0600


DOCUMENT:Q163852
TITLE:Invalid Operand with Locked CMPXCHG8B Instruction
PRODUCT:Microsoft Windows NT | Microsoft Windows
PROD/VER:4.00 | 95
OPER/SYS:WINDOWS
KEYWORDS:kbbug kbhw kbpatch NTSrvWkst

--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
 - Microsoft Windows NT Server versions 3.5, 3.51, and 4.0
 - Microsoft Windows 95
--------------------------------------------------------------------------

SYMPTOMS
========

When an Intel processor receives a specific invalid instruction, your
computer may stop responding (hang). Your computer must be turned off and
restarted to return to normal operation.

NOTE: Although there is no known operating system or application that
issues such an invalid instruction, you should be aware that a program can
be written maliciously to contain such an instruction. The operating system
would not trap this error, as it should, which results in the processor
hang.

CAUSE
=====

This problem can occur due to an error in the following Intel processors:

 - Pentium processor
 - Pentium processor with MMX technology
 - Pentium OverDrive processor
 - Pentium OverDrive processors with MMX technology

NOTE: This problem cannot occur on the following Intel processors:

 - Pentium Pro processor
 - Pentium II processor
 - i486 and earlier processors

This problem is known as "Invalid Operand with Locked CMPXCHG8B
Instruction" and is erratum 81 on the Pentium processor errata list. For
more information, please contact Intel or go to the following Intel web
site:

   http://support.intel.com/sites/support/

RESOLUTION
==========

Intel has identified a workaround to this problem that allows the operating
system to trap the invalid instruction and not pass it to the processor.
Microsoft has worked closely with Intel to provide the following hotfixes:

Windows NT 4.0
--------------

To resolve this problem for Windows NT 4.0, obtain the following fix or
wait for the next Windows NT service pack.

This fix should have the following time stamp:

   11/24/97  12:24p                51,968 Hal.dll
   11/24/97  12:24p                48,384 Hal486c.dll
   11/24/97  12:25p                66,400 Halapic.dll
   11/24/97  12:24p                46,112 Halast.dll
   11/24/97  12:25p                82,208 Halcbus.dll
   11/24/97  12:25p                80,320 Halcbusm.dll
   11/24/97  12:24p                46,400 Halmca.dll
   11/24/97  12:25p                68,544 Halmps.dll
   11/24/97  12:25p                67,552 Halmpsm.dll
   11/24/97  12:26p                79,008 Halncr.dll
   11/24/97  12:25p                40,192 Haloli.dll
   11/24/97  12:25p                56,608 Halsp.dll
   11/24/97  12:25p                40,768 Halwyse7.dll
   11/20/97  06:23p               938,816 Ntkrnlmp.exe
   11/20/97  06:22p               918,848 Ntoskrnl.exe

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
   hotfixes-postSP3/pent-fix/

NOTE: The above link is one path; it has been wrapped for readability.

Windows NT 3.51
---------------

To resolve this problem for Windows NT 3.51, obtain the following fix.

This fix should have the following time stamp:

   11/24/97  12:42p                49,840 Hal.dll
   11/24/97  12:42p                48,768 Hal486c.dll
   11/24/97  12:42p                65,648 Halapic.dll
   11/24/97  12:42p                46,704 Halast.dll
   11/24/97  12:42p                81,056 Halcbus.dll
   11/24/97  12:42p                79,200 Halcbusm.dll
   11/24/97  12:42p                46,912 Halmca.dll
   11/24/97  12:42p                67,696 Halmps.dll
   11/24/97  12:42p                40,480 Haloli.dll
   11/24/97  12:42p                53,744 Halsp.dll
   11/24/97  12:42p                49,840 Halws3.dll
   11/24/97  12:42p                41,072 Halwyse7.dll
   11/21/97  01:35p               821,904 Ntkrnlmp.exe
   11/21/97  01:34p               810,016 Ntoskrnl.exe

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/
   hotfixes-postSP5/pent-fix/

NOTE: The above link is one path; it has been wrapped for readability.

Windows 95
----------

A fix for Windows 95 is not yet available.

STATUS
======

Windows NT 4.0
--------------

Intel has confirmed this to be a problem in the Intel processors listed
above.

A supported fix is now available from Microsoft, but has not been fully
regression-tested and should be applied only to systems experiencing this
specific problem. Unless you are severely impacted by this specific
problem, Microsoft recommends that you wait for the next Service Pack that
contains this fix. Contact Microsoft Technical Support for more
information.

Windows NT 3.51
---------------

Intel has confirmed this to be a problem in the Intel processors listed
above. A supported fix is now available from Microsoft, but has not been
fully regression-tested and should be applied only to systems experiencing
this specific problem. Unless you are severely impacted by this specific
problem, Microsoft recommends that you wait for the next Service Pack that
contains this fix. Contact Microsoft Technical Support for more
information.

Windows 95
----------

Intel has confirmed this to be a problem in the Intel processors listed
above. Microsoft is researching this problem and will post new information
here in the Microsoft Knowledge Base as it becomes available.

Additional query words: 95 3.50 3.51 4.00 i386 malicious hangs freeze
freezes erratum cmpxchg8b compare and exchange 8 bytes cold boot hard boot

============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
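
An inventory check for the processor lists in the CAUSE section, as an added example that is not part of the original article or post: it decodes a CPUID leaf 1 signature and flags GenuineIntel family 5 parts. The family numbers (5 for Pentium-class, 6 for Pentium Pro and Pentium II, 4 for i486) are not stated in the article and are an assumption here; the function names and sample signatures are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of the processor signature returned in EAX by CPUID leaf 1. */
struct cpu_sig { unsigned type, family, model, stepping; };

static struct cpu_sig decode_sig(uint32_t eax)
{
    struct cpu_sig s;
    unsigned base_family = (eax >> 8) & 0xF;

    s.stepping = eax & 0xF;
    s.model    = (eax >> 4) & 0xF;
    s.type     = (eax >> 12) & 0x3;           /* 1 = OverDrive part */
    s.family   = base_family;
    if (base_family == 0xF)                   /* extended family field */
        s.family += (eax >> 20) & 0xFF;
    if (base_family == 0x6 || base_family == 0xF)
        s.model |= ((eax >> 16) & 0xF) << 4;  /* extended model field */
    return s;
}

/* Returns 1 when the CPU falls in the article's affected list.
 * Assumption (not from the article): the affected Pentium, Pentium MMX
 * and Pentium OverDrive parts all report family 5, while Pentium Pro and
 * Pentium II report family 6 and i486 reports family 4. Only Intel parts
 * are listed, so other vendors' family 5 CPUs are reported as not affected.
 * CPUs too old to implement CPUID must be handled by the caller. */
int erratum81_affected(const char *vendor, uint32_t eax)
{
    if (strcmp(vendor, "GenuineIntel") != 0)
        return 0;
    return decode_sig(eax).family == 5;
}

int main(void)
{
    /* Constructed sample signatures, not captured from real machines. */
    static const struct { const char *vendor; uint32_t eax; } inv[] = {
        { "GenuineIntel", 0x0525 }, { "GenuineIntel", 0x0543 },
        { "GenuineIntel", 0x1532 }, { "GenuineIntel", 0x0619 },
        { "GenuineIntel", 0x0633 }, { "AuthenticAMD", 0x0561 },
    };
    for (size_t i = 0; i < sizeof inv / sizeof inv[0]; i++)
        printf("%s %#06x -> %s\n", inv[i].vendor, (unsigned)inv[i].eax,
               erratum81_affected(inv[i].vendor, inv[i].eax)
                   ? "affected, apply workaround" : "not listed as affected");
    return 0;
}
```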


