BY ROBERT R. COLLINS

P54C Erratum 33


PROBLEM: The WRMSR and RDMSR instructions allow writing and reading of special MSRs (Model Specific Registers) based on the index number placed in ECX. The architecture was specified to reject accesses to illegal MSRs by generating the fault GP(0) if WRMSR or RDMSR is executed with an illegal index. However, negative indices, all of which are illegal, do not trigger GP(0).

IMPLICATIONS: If RDMSR is used with negative indices, undefined values will be read into EAX. If WRMSR is used with negative indices, undefined processor behavior may result.

WORKAROUND: Do not use illegal indices with WRMSR and RDMSR.


The above information is a direct quote from the Pentium Processor Specification Update (errata). There's just one problem with it...it's not true. While some of the information is true, other parts of it are patently false.

It's true that reading and writing illegal MSRs is supposed to generate a GP fault. But Intel left a back door in the architecture for reading and writing MSRs, one they didn't think anybody would discover. It wasn't long before the hacker community discovered this back door and began publishing the secrets of these hidden MSRs. One such article appears at this web site, entitled "Pentium Model-Specific Registers and What They Reveal" by Ralf Brown.

As Ralf was researching these hidden MSRs, he contacted Christian Ludloff and myself for more information. Ralf had already discovered that MSRs with negative indices were mirror images of their non-negative counterparts. There was just one problem: the non-negative counterparts weren't contiguous (some MSR indices were undefined and generated the expected GP(0)), but the negative indices were all contiguous and all produced return values. Ralf expected that these undefined MSR indices were a back door into MSRs that Intel wanted to use for their own purposes. Ralf was correct.

Within a short period of time, I discovered that MSR 8000001D was an undocumented MSR that mapped to the Probe Mode Control Register. Ralf discovered a few others relating to the Floating Point Unit. He wrote up a paper, and published it to the World Wide Web.

Now, the ball was in Intel's court. They had just published Erratum 33, which described these illegal MSRs as having an undefined effect on the Pentium processor's behavior. Clearly, they thought this issue was important enough to document it as Erratum 33. But unfortunately, they didn't think it was important enough to tell the truth.





© 1991-1999 Intel Secrets Web Site and Robert Collins.
