Re: More on the pentium workaround - the gotchas

Linus Torvalds (torvalds@transmeta.com)
Sat, 15 Nov 1997 23:00:27 -0800 (PST)


On Sun, 16 Nov 1997, Christian Groessler wrote:
>
> >CPU itself to the right thing, but I'm now of the opinion that trying to
> >do that is just stupid).
> >
> >movl $0xf00fc7c8,1f
> >1: int3
> >
> >which will take the int3 trap (because it has been pre-fetched), but then
> if the page fault handler notices that it was an
>
> Writing to the prefetch queue will flush it on Pentiums or better.
> The move 486->Pentium broke my old DOS routines which tried to detect
> whether they are run single-stepped :-(

Read the fine print. I agree that my code snippet above doesn't really
work, but the basic idea _does_ work.

Intel will not actually flush the pre-fetch queue on writes to a
prefetched location. Intel will flush the pre-fetch queue on writes to the
same _linear_address_ as the prefetched location, which is not the same
thing at all. It is very easy indeed to overcome: you just map the same
physical page at two different addresses, and you modify it at another
address than the one you execute from.

Boom.

This is something that can be used to fool any scheme that is based on
disassembling the instruction that caused the trap.

Linus
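The following is an added toy model of the point made in this message, not code from the thread or from the kernel: a prefetch queue whose flush rule is keyed on the written linear address, a physical frame mapped at two linear addresses, and a trap handler that "disassembles" by reading memory at the trap address. All addresses, frame numbers and opcode bytes are constructed for the simulation; the only behaviour it encodes is the rule the message states. The lesson it illustrates is the defensive one Linus draws: a workaround that decides what happened by disassembling the bytes at the faulting address can be fed bytes that differ from the instruction the CPU actually executed, so the handler should not rely on that view.

```python
from dataclasses import dataclass, field

PAGE = 0x1000  # constructed page size for the toy


@dataclass
class ToyMemory:
    """Physical frames reached through a linear-page -> frame table."""
    frames: dict = field(default_factory=dict)      # frame number -> bytearray
    page_table: dict = field(default_factory=dict)  # linear page number -> frame number

    def _locate(self, linear):
        frame = self.page_table[linear // PAGE]
        return self.frames[frame], linear % PAGE

    def read(self, linear):
        buf, off = self._locate(linear)
        return buf[off]

    def write(self, linear, value):
        buf, off = self._locate(linear)
        buf[off] = value


class ToyCPU:
    """Prefetch queue keyed on linear address, flushed as the message describes."""

    def __init__(self, mem):
        self.mem = mem
        self.queue = {}  # linear address -> byte already fetched

    def prefetch(self, linear, count=1):
        for addr in range(linear, linear + count):
            self.queue[addr] = self.mem.read(addr)

    def write(self, linear, value):
        self.mem.write(linear, value)
        # Flush only when the written *linear* address was itself prefetched;
        # a write through an alias to the same physical byte does not match.
        if linear in self.queue:
            self.queue.clear()

    def execute_byte(self, linear):
        """The byte the CPU runs: the stale prefetched one if still queued."""
        if linear in self.queue:
            return self.queue[linear]
        return self.mem.read(linear)


def handler_view(mem, trap_linear):
    """What a trap handler that disassembles memory at the trap address sees."""
    return mem.read(trap_linear)


INT3, NOP = 0xCC, 0x90            # real x86 opcodes, used only as sample bytes
EXEC_PAGE, ALIAS_PAGE = 0x1000, 0x2000  # constructed linear addresses


def run(write_via_alias):
    """Return (byte the CPU executed, byte the handler disassembled)."""
    mem = ToyMemory()
    mem.frames[7] = bytearray([NOP] * PAGE)
    mem.page_table[EXEC_PAGE // PAGE] = 7
    mem.page_table[ALIAS_PAGE // PAGE] = 7   # same frame at a second linear address
    mem.write(EXEC_PAGE, INT3)               # instruction the CPU is about to run

    cpu = ToyCPU(mem)
    cpu.prefetch(EXEC_PAGE)                  # CPU has already fetched INT3
    target = ALIAS_PAGE if write_via_alias else EXEC_PAGE
    cpu.write(target, NOP)                   # overwrite the same physical byte
    return cpu.execute_byte(EXEC_PAGE), handler_view(mem, EXEC_PAGE)


if __name__ == "__main__":
    print("write at executed address:", run(False))  # queue flushed, views agree
    print("write through alias:     ", run(True))   # stale queue, views differ
```

With the write at the executed linear address the queue is flushed and the CPU and the handler both see the new byte; with the write through the alias the CPU runs the stale prefetched byte while the handler reads the overwritten memory, which is exactly the disagreement the message describes. A handler that wants to know what instruction trapped therefore needs information the trap itself carries (the vector taken, the saved state), not a fresh read of the code bytes.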