Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

Page 18 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

BigDaveX

Senior member
Jun 12, 2014
440
216
116
I was talking about consumer Market. There is a lot of consumers(well, I think all of them) who are concerned with this, and will not be blinded, by any brand perception.

If anything, that's probably even less likely than AMD capturing 50% of the server market, given how few designs wins they've had with OEM desktops and especially laptops over the last six or so years.

Unless you're talking about sales of individual CPUs to enthusiasts and the like, in which case maybe that would be possible (though probably a very long shot), but as the years 2004-2006 proved, Intel and AMD don't live or die based on what enthusiasts buy.
 

ggadrian

Senior member
May 23, 2013
270
0
76
I think it's too early for anyone to start thinking about changing platforms or altering purchase decisions until there is some significant testing done with known patched PCs across multiple CPU types/speeds and many different types of workloads. Otherwise all you're basing decisions on is potential issues.

Well, I wouldn't return anything with the info we have, but I sure wouldn't buy anything until the dust clears and we know the performance impact (if any) for the different applications and uses.
 

Glo.

Diamond Member
Apr 25, 2015
5,657
4,407
136
If anything, that's probably even less likely than AMD capturing 50% of the server market, given how few designs wins they've had with OEM desktops and especially laptops over the last six or so years.

Unless you're talking about sales of individual CPUs to enthusiasts and the like, in which case maybe that would be possible (though probably a very long shot), but as the years 2004-2006 proved, Intel and AMD don't live or die based on what enthusiasts buy.
Aaaaand underestimating AMD CPU continues ;).


Their products have a lot of potential, and there is nothing in the world, apart from Intel Bribing OEMs, to ban them from buying those CPUs, that could stop the adoption. The product portfolio of AMD is growing. What they lack currently is only desktop SoC's, and low power CPUs/APUs, with high performance.

If we will add to all of this possibility of big APU with HBM2 - their future is much brighter than 90% people believe it is ;).
 

Malogeek

Golden Member
Mar 5, 2017
1,390
778
136
yaktribe.org
Well, I wouldn't return anything with the info we have, but I sure wouldn't buy anything until the dust clears and we know the performance impact (if any) for the different applications and uses.
Yes that's true, I wouldn't buy anything right now either lol.

Patch was released to 2 of my 5 Intel PCs so far, and my Ryzen PC as well. All W10 PCs. Just the usual delayed queue for updates.
 

Thala

Golden Member
Nov 12, 2014
1,355
653
136
There is a bit of misunderstanding in this thread in general, let me put a few bullet points

1) Spectre (Variant 1+2) essentially should work on any CPU with speculative execution, because it relies on code executed by the victim process with all access rights the victim process has. So it essentially relies on executing code, which is already part of the victim process - so a hurdle is to actually find suitable existing code sequences, which leak the information. Another hurdle is to train the branch predictor accordingly.

Summary: Speculation on branches is not avoidable on modern architectures for performance reasons and the KAISER patch is no resolution for Spectre at all.

2) Meltdown (Variant 3) allows any process in user mode to leak information which are protected by kernel access rights. In order for this to work two things need to happen:
a) the CPU needs to allow loading a secret value from memory where is has no access rights at the current privilege level
b) it forwards the value to dependent instructions, which then can leak the information

Both a) and b) needs to hold in order for Meltdown being effective. As i did argue in previous posts, information about the access rights is known very early in the process but at least before the secret value is read into the CPU register and much before the value is forwarded to the next instructions.

Summary: The CPU architecture is potentially able to reject such loads (by either already rejecting a) or b) later) without any performance penalty (that is one of the big differences to Spectre). Therefore meltdown is not applicable to most ARM CPUs and most likely AMD CPUs.
 
  • Like
Reactions: prtskg

John Carmack

Member
Sep 10, 2016
153
246
116
I'm laughing at the idea that there are actual persons in this thread who are acting all concerned up in here that Microsoft might get sued. Riiiiight. Nobody read the EULA I take it? If nobody has sued Microsoft over things in the past like the hell spawn that was IIS then what's going to happen here?
 

Malogeek

Golden Member
Mar 5, 2017
1,390
778
136
yaktribe.org
I'm laughing at the idea that there are actual persons in this thread who are acting all concerned up in here that Microsoft might get sued. Riiiiight. Nobody read the EULA I take it? If nobody has sued Microsoft over things in the past like the hell spawn that was IIS then what's going to happen here?
In the US? Highly doubtful. In the EU? Well that's something else...
 
  • Like
Reactions: dark zero

Dayman1225

Golden Member
Aug 14, 2017
1,152
973
146
Intel has released an affected processor list, TL: DR - literally everything going back to nehalem

Intel Issues Updates to Protect Systems from Security Exploits:

Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years. In addition, many operating system vendors, public cloud service providers, device manufacturers and others have indicated that they have already updated their products and services.

Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
This is a twist... Google is slow to patch chrome.

Hours after Google's announcement, Mozilla confirmed everybody's worst fear, that both Meltdown and Spectre are remotely exploitable by embedding attack code in mundane JavaScript files delivered via web pages.


Firefox added Meltdown and Spectre mitigations in November 2017

According to Google, Chrome will receive mitigations to protect against Meltdown and Spectre exploitation in Chrome 64, due to be released on January 23.
https://www.bleepingcomputer.com/ne...tion-vector-for-meltdown-and-spectre-attacks/
 

Paratus

Lifer
Jun 4, 2004
16,613
13,295
146

I like how they repeat three times (Twice before listing affected intel systems) that for other systems (AMD, ARM) you should contact those manufacturers.

Very thoughtful of them.
jnHWXN4.gif
 
  • Like
Reactions: KompuKare

coercitiv

Diamond Member
Jan 24, 2014
6,150
11,670
136
I like how they repeat three times (Twice before listing affected intel systems) that for other systems (AMD, ARM) you should contact those manufacturers.

Very thoughtful of them.
jnHWXN4.gif
Intel's interest on the welfare of ARM and AMD customers is exemplary. People should feel safer buying from both AMD and ARM considering Intel is essentially offering support for their products as we speak. /s
 

mattiasnyc

Senior member
Mar 30, 2017
356
337
136
AMD's statement is specifically directed to the exploitations in the Google Project Zero research. Don't assume anything beyond that. Just because those methods may not work on AMD CPU's doesn't mean that other attacks on speculative execution on AMD CPU's won't work.

I think most people get what you mean, it's just that the larger context here is that the fix fixes something specific (the exploit) that isn't a problem on AMD's recent CPUs. So it's not that the same or similar "hole" in the design couldn't be exploited in a different way in the future, it's that if that happens the current fix might not prevent that and if that's the case AMD CPUs have been punished simply because Intel CPUs had to be addressed.

I think that's the context.
 

prtskg

Senior member
Oct 26, 2015
261
94
101
No, it's because Intel is a very responsible and good company.:p
 

dark zero

Platinum Member
Jun 2, 2015
2,655
138
106
AMD is calm...

And now the Chinese government will bring VIA back for more...

And makes me wonder... VIA is affected by this?
If not... Intel will be totally screwed.

DSrds-iXkAE1BWY.jpg:large

Sorry if this has been posted.

Waiting for VIA and Spreadtrum responses... Also... There are others x86 manufacturers out there?
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,323
4,904
136
Most desktop users will notice no difference in performance, but this is a real headache for VM, cloud, and shared hosting providers (read: Xeon users).
 

Karnak

Senior member
Jan 5, 2017
399
767
136
AMD's statement is specifically directed to the exploitations in the Google Project Zero research.
Of course it's specifically directed to the "GPZ-exploitations" - simply because they're including Spectre and Meltdown.

Variant 1 - Spectre
Variant 2 - Spectre
Variant 3 - Meltdown

At this point there is nothing else than those two.
 

dark zero

Platinum Member
Jun 2, 2015
2,655
138
106
Most desktop users will notice no difference in performance, but this is a real headache for VM, cloud, and shared hosting providers (read: Xeon users).
Not only that.... Intermediate users who uses DB will notice the performance penalty too since some of the benchmark related to DB (Postgre SQL) shows up the penalty. And if this is Postgre SQL which is one of the most transparent... I can't imagine the penalty on other DB engines like Microsoft SQL...

https://www.postgresql.org/message-id/20180102222354.qikjmf7dvnjgbkxe@alap3.anarazel.de
 
  • Like
Reactions: lightmanek

plopke

Senior member
Jan 26, 2010
238
74
101
So does this affect gaming performance? or is it 25-30% in like an extremely rare niche application.
There is no easy yes/no answer , patches are still being worked on , but the overall indication so far , gaming performance will not take a hit that is noticeable to the user.