Contributed by deanna on from the interesting dept.
"So, in summary, AE3 scares the hell out of me, and for the others AE5, AE8, AE21, and AE30 look serious."
His comments are so detailed that it is impractical to reproduce them in full here. The errata he singles out specifically:
AE3 - POPF/POPFD that sets the trap flag (aka when single-stepping a program) may cause unpredictable behavior. Holy shit. This one is serious.
AE5 - Memory aliasing with inconsistent dirty and Access bits may cause a processor deadlock. This means a PTE with 'D'irty set but with 'A'ccess not set. FreeBSD and DragonFly always set the A bit when setting the D bit and will not be affected, but I don't know about other OSs. This is a very serious bug though.
AE8 - FXSAVE after FNINIT without an intervening FP instruction may save uninitialized values for FDP and FDS. This isn't an issue unless the data being written represents a security leak of some sort, such as a portion of the state of another program's FP unit. This could be a security issue with regards to one program snooping another program's cryptography. Statistical snooping possible through this sort of mechanic has been shown to be effective in recent years.
AE21 - The execution disable bit is shared between cores. I'm not sure what this means but Intel seems to think that it compromises an anti-hacker feature. Sounds pretty serious.
AE30 - Global pages in the DTLB may not be flushed by RSM instructions before restoring the architectural state from SMRAM. This is catastrophic for any software that uses global pages in SMM mode. It means that no software can use global pages in SMM mode. Operating systems usually do not have any control over what is run in SMM mode so this is a BIOS issue for the most part.
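The A/D invariant described under AE5, as an added example that is not part of the quoted comments or of any BSD kernel source: a page-table audit that flags present entries with D set but A clear, and a dirty-marking helper that always sets A alongside D. The bit positions are the architectural x86 PTE flags; the page-table contents are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Architectural x86 page-table entry flag bits. */
#define PTE_P (1ULL << 0) /* present  */
#define PTE_A (1ULL << 5) /* accessed */
#define PTE_D (1ULL << 6) /* dirty    */

/* Mark an entry dirty the way the comment says FreeBSD/DragonFly do:
 * D is never set without A, so the AE5 "D without A" state cannot arise. */
static inline uint64_t pte_set_dirty(uint64_t pte)
{
    return pte | PTE_A | PTE_D;
}

/* True when the entry is in the state the erratum warns about:
 * present, dirty, but not accessed. Non-present entries are ignored. */
static inline bool pte_violates_ae5(uint64_t pte)
{
    return (pte & PTE_P) && (pte & PTE_D) && !(pte & PTE_A);
}

/* Scan a page table, count entries that break the invariant and,
 * if asked, repair them in place by setting A (the bit the CPU would
 * have set itself on any access that dirtied the page). */
size_t audit_page_table(uint64_t *ptes, size_t n, bool repair)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (pte_violates_ae5(ptes[i])) {
            bad++;
            if (repair)
                ptes[i] |= PTE_A;
        }
    }
    return bad;
}

/* Constructed sample table (addresses are arbitrary); returns the number
 * of violations found before repair, after fixing them in place. */
size_t demo_audit(void)
{
    uint64_t table[4] = {
        0x1000 | PTE_P,                /* clean, never touched           */
        pte_set_dirty(0x2000 | PTE_P), /* dirtied the safe way           */
        0x3000 | PTE_P | PTE_D,        /* D set without A: the AE5 hazard */
        0,                             /* not present                    */
    };
    size_t bad = audit_page_table(table, 4, true);
    printf("violations before repair: %zu, after: %zu\n",
           bad, audit_page_table(table, 4, false));
    return bad;
}
```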