The Cyrix coma bug is a design flaw in Cyrix 6x86 (introduced in 1996), 6x86L, and early 6x86MX processors that allows a non-privileged program to hang the computer.
Discovery
According to Andrew Balsa, around the time of the discovery of the F00F bug on the Intel Pentium, Serguei Shtyliov from Moscow found a flaw in a Cyrix processor while developing an IDE disk driver in assembly language. Alexandr Konosevich, from Omsk, further researched the bug and coauthored an article with Uwe Post in the German technology magazine c't, calling it the "hidden CLI bug" (CLI is the instruction that disables interrupts in the x86 architecture). Balsa, a member of the Linux kernel mailing list, confirmed that the following C program (which uses inline x86-specific assembly language) could be compiled and run by an unprivileged user:
/* 32-bit (i386) code: the affected Cyrix parts are 32-bit, and the
 * "movl $c, %ebx" form assumes a 32-bit address.  The buffer must hold
 * at least four bytes because xchgl exchanges a 32-bit value. */
unsigned char c[4];

int main()
{
    asm (
        "       movl    $c, %ebx\n"        /* EBX -> c */
        "again: xchgl   (%ebx), %eax\n"    /* atomic, implicitly locked exchange with memory */
        "       movl    %eax, %edx\n"
        "       jmp     again\n"           /* unconditional back-edge: the loop never exits */
    );
}
Execution of this program renders the processor completely useless until it is rebooted, as it enters an infinite loop that cannot be interrupted. This allows any unprivileged user who can run code on a Cyrix system with this bug to perform a denial-of-service attack against it.
It is similar to the execution of a Halt and Catch Fire instruction, although the coma bug is not any one particular instruction.
Analysis
The bug is not caused by an interrupt mask, nor are interrupts explicitly disabled. Instead, an anomaly in the Cyrix's instruction pipeline prevents interrupts from being serviced for the duration of the loop; since the loop never ends, interrupts are never serviced. The xchg instruction (xchgl in the source code means "exchange long", i.e. a 32-bit operand) is atomic: when its operand is in memory, the read and the write are carried out as a single locked bus transaction, so nothing else can change that location in between. To guarantee this atomicity, the designers at Cyrix made xchg uninterruptible. Because of pipelining and branch prediction, however, the next xchg enters the pipeline before the previous one has completed, causing a deadlock in which the pipeline never reaches a point at which an interrupt can be taken.
Workarounds
A fix for unintentional instances of the bug is to insert another instruction in the loop, the nop instruction being a good candidate. Cyrix suggested serializing the xchg opcode, thus bypassing the pipeline. However, these techniques only fix code one controls; they do nothing to prevent deliberate attacks.
One can also prevent the bug system-wide by disabling the implicit bus locking normally done by the xchg instruction. This is accomplished by setting bit four (mask 0x10) of the Cyrix configuration register CCR1, which requires privileged access to the processor's configuration registers.
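The following is an added example, not code from the article or from Cyrix, showing how an operating system or boot-time tool would apply that CCR1 setting. Everything beyond the bit position comes from outside this page and is an assumption here: that the Cyrix configuration registers are reached through an index port at 0x22 and a data port at 0x23, that CCR1 is index 0xC1, and all of the function and macro names. The port I/O is compiled only for 32-bit x86 when CYRIX_APPLY_WORKAROUND is defined; elsewhere the program just exercises the bit arithmetic on a constructed register value.

```c
/* Added example (not from the original article): applying the CCR1
 * "disable implicit bus locking" workaround for the Cyrix coma bug.
 *
 * Assumptions not stated on the page: Cyrix configuration registers are
 * reached through an index/data port pair (index written to 0x22, data
 * read or written at 0x23) and CCR1 sits at index 0xC1.  The bit
 * position (4, mask 0x10) is the one the article gives.  The port I/O
 * needs I/O privilege (ring 0, or iopl(3) under Linux) on a 32-bit x86
 * Cyrix system; on any other machine it would fault or poke an
 * unrelated chipset port, so it is guarded behind a compile-time switch.
 */
#include <stdint.h>
#include <stdio.h>

#define CYRIX_INDEX_PORT 0x22   /* assumption: config register index port */
#define CYRIX_DATA_PORT  0x23   /* assumption: config register data port  */
#define CX86_CCR1        0xC1   /* assumption: index of CCR1              */
#define CCR1_NO_LOCK     0x10   /* bit 4: stop asserting LOCK# for xchg (from the article) */

/* Pure helpers so the register arithmetic can be checked without hardware. */
static inline uint8_t ccr1_disable_implicit_lock(uint8_t ccr1)
{
    return (uint8_t)(ccr1 | CCR1_NO_LOCK);
}

static inline int ccr1_has_no_lock(uint8_t ccr1)
{
    return (ccr1 & CCR1_NO_LOCK) != 0;
}

#if defined(__i386__) && defined(CYRIX_APPLY_WORKAROUND)
/* Index/data port access, only built on 32-bit x86 and only on request. */
static inline uint8_t cyrix_read_cfg(uint8_t index)
{
    uint8_t value;
    __asm__ volatile ("outb %0, %1" :: "a"(index), "Nd"((uint16_t)CYRIX_INDEX_PORT));
    __asm__ volatile ("inb %1, %0" : "=a"(value) : "Nd"((uint16_t)CYRIX_DATA_PORT));
    return value;
}

static inline void cyrix_write_cfg(uint8_t index, uint8_t value)
{
    __asm__ volatile ("outb %0, %1" :: "a"(index), "Nd"((uint16_t)CYRIX_INDEX_PORT));
    __asm__ volatile ("outb %0, %1" :: "a"(value), "Nd"((uint16_t)CYRIX_DATA_PORT));
}

/* Read-modify-write CCR1, then read it back to confirm the bit stuck. */
static int cyrix_apply_coma_workaround(void)
{
    uint8_t before = cyrix_read_cfg(CX86_CCR1);
    cyrix_write_cfg(CX86_CCR1, ccr1_disable_implicit_lock(before));
    uint8_t after = cyrix_read_cfg(CX86_CCR1);
    printf("CCR1: 0x%02x -> 0x%02x\n", before, after);
    return ccr1_has_no_lock(after);
}
#endif

int main(void)
{
#if defined(__i386__) && defined(CYRIX_APPLY_WORKAROUND)
    return cyrix_apply_coma_workaround() ? 0 : 1;
#else
    /* Off-target: demonstrate the register arithmetic on a constructed value. */
    uint8_t sample = 0x03;   /* constructed CCR1 contents, not read from hardware */
    printf("CCR1 0x%02x -> 0x%02x (NO_LOCK set: %d)\n",
           sample, ccr1_disable_implicit_lock(sample),
           ccr1_has_no_lock(ccr1_disable_implicit_lock(sample)));
    return 0;
#endif
}
```

The read-modify-write keeps the other CCR1 bits untouched, and the read-back is the check a practitioner wants, since a write to a configuration register that is not mapped in silently does nothing. Because the bit removes the implicit lock from every xchg, not just the faulty loop, anything that relies on xchg being atomic with respect to other bus masters (DMA devices, for instance) loses that guarantee; that is the trade the system-wide fix makes against the per-loop nop or serialization fixes above.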
See also
* Pentium F00F bug
* Halt and Catch Fire
External links
Andrew Balsa's early description of the bug (and undocumented features)