The Cyrix coma bug is a design flaw in Cyrix 6x86 (introduced in 1996), 6x86L, and early 6x86MX processors that allows a non-privileged program to hang the computer.
Discovery
According to Andrew Balsa, around the time of the discovery of the F00F bug on Intel Pentium, Serguei Shtyliov from Moscow found a flaw in a Cyrix processor while developing an IDE disk driver in assembly language. Alexandr Konosevich, from Omsk, further researched the bug and coauthored an article with Uwe Post in the German technology magazine c't, calling it the "hidden CLI bug" (CLI is the instruction that disables interrupts in the x86 architecture). Balsa, as a member on the Linux kernel mailing list, confirmed that the following C program (which uses inline x86-specific assembly language) could be compiled and run by an unprivileged user:
unsigned char c = ;
int main()
Execution of this program renders the processor completely useless until it is rebooted, as it enters an infinite loop that cannot be interrupted. This allows any user with access to a Cyrix system with this bug to perform a denial-of-service attack.
It is similar to execution of a Halt and Catch Fire instruction, although the coma bug is not any one particular instruction.
Analysis
What causes the bug is not an interrupt mask, nor are interrupts being explicitly disabled. Instead, an anomaly in the Cyrix instruction pipeline prevents interrupts from being serviced for the duration of the loop; since the loop never ends, interrupts will never be serviced. The xchg instruction (xchgl in the source code means Exchange (Long)) is atomic, meaning that other instructions are not allowed to change the state of the system while it is executed. In order to ensure this atomicity, the designers at Cyrix made the xchg uninterruptible. Due to pipelining and branch prediction, however, another xchg enters the pipeline before the previous one completes, causing a deadlock.
Workarounds
A fix for unintentional instances of the bug is to insert another instruction in the loop, the nop instruction being a good candidate. Cyrix suggested serializing the xchg opcode, thus bypassing the pipeline. However, these techniques will not serve to prevent deliberate attacks.
One way to prevent this bug is to enable bit 0x10 in the configuration register CCR1. This disables the implicit bus locking normally done by the xchg instruction. Since CPUs affected by this bug were not designed to work in multi-processor systems, loss of xchg atomicity is harmless. [citation needed]
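The CCR1 workaround above, written as a read-modify-write over the Cyrix index/data port pair; this is an added example, not code from the original page or from Cyrix. The port numbers 0x22/0x23 and the CCR1 index 0xC1 are not given on the page (they are the standard Cyrix values), and the register file is a constructed simulation so the sequence runs offline.

```c
#include <stdint.h>
#include <stdio.h>
/* Cyrix configuration registers sit behind an index/data port pair. */
#define CX86_INDEX_PORT 0x22
#define CX86_DATA_PORT  0x23
#define CX86_CCR1       0xC1  /* register index of CCR1 */
#define CCR1_NO_LOCK    0x10  /* the bit the page says to enable */
/* Port I/O is injected so the logic runs offline (assumption: real code uses ring-0 outb/inb). */
struct port_ops {
    void    (*outb)(uint16_t port, uint8_t val);
    uint8_t (*inb)(uint16_t port);
};

/* Constructed simulation of the register file, not real hardware. */
static uint8_t sim_regs[256];
static int sim_index = -1;            /* -1: no index latched */
static void sim_outb(uint16_t port, uint8_t val) {
    if (port == CX86_INDEX_PORT) { sim_index = val; return; }
    if (port == CX86_DATA_PORT && sim_index >= 0) sim_regs[sim_index] = val;
    sim_index = -1;                   /* a data access consumes the index */
}
static uint8_t sim_inb(uint16_t port) {
    uint8_t v = 0xFF;                 /* unlatched access misses the CPU */
    if (port == CX86_DATA_PORT && sim_index >= 0) v = sim_regs[sim_index];
    sim_index = -1;
    return v;
}
static const struct port_ops sim_ops = { sim_outb, sim_inb };

static uint8_t cx86_read(const struct port_ops *io, uint8_t reg) {
    io->outb(CX86_INDEX_PORT, reg);   /* select the register first */
    return io->inb(CX86_DATA_PORT);
}
static void cx86_write(const struct port_ops *io, uint8_t reg, uint8_t val) {
    io->outb(CX86_INDEX_PORT, reg);   /* re-select: the index is single-use */
    io->outb(CX86_DATA_PORT, val);
}

/* Set bit 0x10, preserve every other CCR1 bit, return the read-back value. */
static uint8_t cx86_set_no_lock(const struct port_ops *io) {
    uint8_t ccr1 = cx86_read(io, CX86_CCR1);
    cx86_write(io, CX86_CCR1, (uint8_t)(ccr1 | CCR1_NO_LOCK));
    return cx86_read(io, CX86_CCR1);
}
int main(void) {
    sim_regs[CX86_CCR1] = 0x82;       /* constructed starting value */
    printf("CCR1 after workaround: 0x%02X\n", cx86_set_no_lock(&sim_ops));
    return 0;
}
```

Because the index latch is single-use, each index/data pair has to complete without another access to the same ports in between, which is why kernel code performs it with interrupts disabled.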
See also
* Pentium F00F bug
* Halt and Catch Fire
External links
Andrew Balsa's early description of the bug (and undocumented features)