P54C Erratum 33
PROBLEM: The WRMSR and RDMSR instructions allow writing and reading of special MSRs (Model Specific Registers) based on the index number placed in ECX. The architecture was specified to reject accesses to illegal MSRs by generating the fault GP(0) if WRMSR or RDMSR is executed with an illegal index. However, negative indices, all of which are illegal, do not trigger GP(0).
IMPLICATIONS: If RDMSR is used with negative indices, undefined values will be read into EAX. If WRMSR is used with negative indices, undefined processor behavior may result.
WORKAROUND: Do not use illegal indices with WRMSR and RDMSR.
The above information is a direct quote from the Pentium
Processor Specification Update (errata). There's just
one problem with it...it's not true. While some of the
information is true, other parts of it are patently
false.
It's true that reading and writing illegal MSRs is
supposed to generate a GP fault. But Intel left a back-door
in the architecture to read and write MSRs that they
didn't think anybody would discover. It wasn't long
before the hacker community discovered this back door,
and began publishing the secrets of these hidden MSRs.
One such article appears at this web site, entitled "Pentium Model-Specific Registers and What They Reveal" by Ralf Brown.
As Ralf was researching these hidden MSRs, he contacted Christian Ludloff and me for more information. Ralf had already discovered that MSRs with negative indices were mirror images of their non-negative counterparts. There was just one problem: the non-negative counterparts weren't contiguous (some MSR indices were undefined and generated the expected GP(0)), but the negative indices were all contiguous and all produced return values. Ralf expected that these undefined MSR indices were a back-door into MSRs that Intel wanted to use for their own purposes. Ralf was correct.
Within a short period of time, I discovered that MSR
8000001D was an undocumented MSR that mapped to the Probe
Mode Control Register. Ralf discovered a few others
relating to the Floating Point Unit. He wrote up a paper,
and published it to the World Wide Web.
Now, the ball was in Intel's court. They had just published Erratum 33, which described these illegal MSRs as having an undefined effect on the Pentium processor's behavior. Clearly, they thought this issue was important enough to document as Erratum 33. But unfortunately, they didn't think it was important enough to tell the truth.