Category Archives: CPU

Recently, many motherboard supporting skylake or kabylake, got a uefi update described as cpu microcode security update for a specific Intel errata, described by Intel® as :

Under complex micro-architectural conditions, short loops of less than 64 instructions that use AH, BH, CH or DH registers as well as their corresponding wider register (e.g. RAX, EAX or AX for AH) may cause unpredictable system behavior. This can only happen when both logical processors on the same physical processor are active.

Intel issues cpu frequently errata that can cause denial of service, but in that case, manufacturer don’t create a specific uefi update for each of them.

So does unpredictable system behavior may imply remote code execution (e.g. because such loops would propagate register change to the other thread running on the same core) ?

Also, what kind of loops can trigger the bug ? Does simply modifying some of the involved registers in less than 64 instructions can trigger the bug ? Does both logical cores on the same physical core needs to run the so‑called short loops ?

Continue reading Understanding the scope of Intel® errata №KBL095→

Recently, many motherboards supporting skylake or kabylake, got a uefi update described as cpu microcode security update for a specific Intel errata, described by Intel as :

Short Loops Which Use AH/BH/CH/DH Registers May Cause Unpredictable System Behavior.

Under complex micro-architectural conditions, short loops of less than 64 instructions that use AH, BH, CH or DH registers as well as their corresponding wider register (e.g. RAX, EAX or AX for AH) may cause unpredictable system behavior. This can only happen when both logical processors on the same physical processor are active.

Intel issues cpu frequent errata that can cause denial of service, but in this case, manufacturer didn’t create a specific uefi update for each of them.
Of course, I tried the following code on several logical cores which doesn´t crash anything (I don’t understand if all 8 registers must be involved to trigger the bug or only one of them is enough) :

48 ba ff 00 00 00 04    movabs $0x4000000ff,%rdx
00 00 00
.L5:
48 89 d0                movq    %rdx,%rax
48 2d fe 00 00 00       subq    $0xfe,%rax
08 f4                   orb     %dh,%ah
48 89 c3                movq    %rax,%rbx
48 81 eb fe 00 00 00    subq    $0xfe,%rbx
08 e7                   orb     %ah,%bh
48 89 d9                movq    %rbx,%rcx
48 81 e9 fe 00 00 00    subb    $0xfe,%rcx
08 fd                   orb     %bh,%ch
48 89 ca                movq    %rcx,%rdx
48 81 ea fe 00 00 00    subq    $0xfe,%rdx
08 ee                   orb     %ch,%dh
48 85 cb                test   %rcx,%rbx
75 cc                   jne    .L5
movq    %rcx, %rdx
movq    %rbx, %rax
movq    %rax, %rsi
leaq    .LC0(%rip), %rdi
movl    $0, %eax
call    printf@PLT

So does unpredictable system behavior imply remote code execution (e.g. because such loops would propagate register change to the other thread running on the same core) ?

Also, what kind of loops can trigger the bug? Does simply modifying some of the involved registers in less than 64 instructions trigger the bug? Does loops needs to be different (I mean threads shouldn’t use the same code)?
At least can it be possible to have example Ocaml code that can trigger the bug?
How to know if a vulnerable microcode is used while running qemu-kvm? (qemu -cpu host hides microcode revision number)

Continue reading Understanding the scope of Intel hyperthreading errata KBL095→