The Cyrix coma bug is a

design flaw A product defect is any characteristic of a product which hinders its usability for the purpose for which it was designed and manufactured. Product defects arise most prominently in legal contexts regarding product safety, where the term is appl ...

in Cyrix

6x86 The Cyrix 6x86 is a line of sixth-generation, 32-bit x86 microprocessors designed and released by Cyrix in 1995. Cyrix, being a fabless company, had the chips manufactured by IBM and SGS-Thomson. The 6x86 was made as a direct competitor to Int ...

(introduced in 1996), 6x86L, and early

6x86MX The Cyrix 6x86 is a line of sixth-generation, 32-bit x86 microprocessors designed and released by Cyrix in 1995. Cyrix, being a fabless company, had the chips manufactured by IBM and SGS-Thomson. The 6x86 was made as a direct competitor to Intel, ...

processors A central processing unit (CPU), also called a central processor, main processor or just processor, is the electronic circuitry that executes instructions comprising a computer program. The CPU performs basic arithmetic, logic, controlling, ...

that allows a non-privileged program to

hang Hang or Hanging may refer to: People * Choe Hang (disambiguation), various people * Luciano Hang (born 1962/1963), Brazilian billionaire businessman * Ren Hang (disambiguation), various people Law * Hanging, a form of capital punishment Arts, e ...

the computer.

Discovery

According to Andrew Balsa, around the time of the discovery of the F00F bug on

Intel Intel Corporation is an American multinational corporation and technology company headquartered in Santa Clara, California. It is the world's largest semiconductor chip manufacturer by revenue, and is one of the developers of the x86 seri ...

Pentium Pentium is a brand used for a series of x86 architecture-compatible microprocessors produced by Intel. The original Pentium processor from which the brand took its name was first released on March 22, 1993. After that, the Pentium II and Pe ...

, Serguei Shtyliov from

Moscow Moscow ( , US chiefly ; rus, links=no, Москва, r=Moskva, p=mɐskˈva, a=Москва.ogg) is the capital and largest city of Russia. The city stands on the Moskva River in Central Russia, with a population estimated at 13.0 million ...

found a flaw in a Cyrix processor while developing an IDE disk driver in

assembly language In computer programming, assembly language (or assembler language, or symbolic machine code), often referred to simply as Assembly and commonly abbreviated as ASM or asm, is any low-level programming language with a very strong correspondence be ...

. Alexandr Konosevich, from

Omsk Omsk (; rus, Омск, p=omsk) is the administrative center and largest city of Omsk Oblast, Russia. It is situated in southwestern Siberia, and has a population of over 1.1 million. Omsk is the third largest city in Siberia after Novosibirsk ...

, further researched the bug and coauthored an article with Uwe Post in the

German German(s) may refer to: * Germany (of or related to) ** Germania (historical use) * Germans, citizens of Germany, people of German ancestry, or native speakers of the German language ** For citizens of Germany, see also German nationality law **Ge ...

technology magazine ''

c't ''c't'' – ' (''Magazine for Computer Technology'') is a German computer magazine, published by the Heinz Heise, Heinz Heise publishing house. file:Ct jubilaeum 30 turm.jpg, The 5.71 meter high tower from the 587 published c't editions up to t ...

'', calling it the "hidden CLI bug" (CLI is the instruction that disables

interrupt In digital computers, an interrupt (sometimes referred to as a trap) is a request for the processor to ''interrupt'' currently executing code (when permitted), so that the event can be processed in a timely manner. If the request is accepted, ...

s in the

x86 x86 (also known as 80x86 or the 8086 family) is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel based on the Intel 8086 microprocessor and its 8088 variant. The 8086 was introd ...

architecture). Balsa, as a member on the

Linux kernel mailing list The Linux kernel mailing list (LKML) is the main electronic mailing list for Linux kernel development, where the majority of the announcements, discussions, debates, and flame wars over the kernel take place. Many other mailing lists exist to di ...

, confirmed that the following C program (which uses inline

-specific

) could be compiled and run by an unprivileged user: unsigned char c = ; int main() Execution of this program renders the processor completely useless until it is rebooted, as it enters an

infinite loop In computer programming, an infinite loop (or endless loop) is a sequence of instructions that, as written, will continue endlessly, unless an external intervention occurs ("pull the plug"). It may be intentional. Overview This differs from: * ...

that cannot be

ed. This allows any user with access to a Cyrix system with this bug to perform a

denial-of-service attack In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connect ...

. It is similar to execution of a Halt and Catch Fire instruction, although the coma bug is not any one particular instruction.

Analysis

What causes the bug is not an

mask, nor are interrupts being explicitly disabled. Instead, an anomaly in the Cyrix's

instruction pipeline In computer engineering, instruction pipelining or ILP is a technique for implementing instruction-level parallelism within a single processor. Pipelining attempts to keep every part of the processor busy with some instruction by dividing inco ...

prevents interrupts from being serviced for the duration of the loop; since the loop never ends, interrupts will never be serviced. The xchgxchgl in the source code means Exchange (

Long Long may refer to: Measurement * Long, characteristic of something of great duration * Long, characteristic of something of great length * Longitude (abbreviation: long.), a geographic coordinate * Longa (music), note value in early music mens ...

) instruction is atomic, meaning that other instructions are not allowed to change the state of the system while it is executed. In order to ensure this atomicity, the designers at Cyrix made the xchg uninterruptible. Due to pipelining and branch predicting, however, another xchg enters the pipeline before the previous one completes, causing a

deadlock In concurrent computing, deadlock is any situation in which no member of some group of entities can proceed because each waits for another member, including itself, to take action, such as sending a message or, more commonly, releasing a lo ...

Workarounds

A fix for unintentional instances of the bug is to insert another instruction in the loop, the nop instruction being a good candidate. Cyrix suggested serializing the xchg opcode, thus bypassing the pipeline. However, these techniques will not serve to prevent deliberate attacks. One way to prevent this bug is to enable bit 0x10 in the configuration register CCR1. This disables implicit bus locking normally done by xchg instruction. Since CPUs affected by this bug were not designed to work in multi-processor systems, loss of xchg atomicity is harmless.{{Citation needed, date=March 2018

Notes

External links

Andrew Balsa's early description of the bug

(and undocumented features) Hardware bugs Denial-of-service attacks

Discovery

Analysis

Workarounds

See also

Notes

External links