Info Meltdown and Spectre Vulnerabilities Information



I think the patch you are referring to is the Windows 10 update that was released early at the end of last week. It was scheduled to run during CES in hopes the news of the vulnerabilities would go unnoticed, because of CES coverage. Beyond just the Windows update you will also have motherboard microcode BIOS updates for newer CPUs. These microcode updates have a reported performance decrease of 0-4% FPS, and up to 41% reduced SSD and NVMe performance. Note that these updates are attempts to fix a hardware security flaw, which can only be permanently fixed by hardware redesign.
 


Warning: Microsoft's Meltdown and Spectre patch is bricking some AMD PCs
By Mark Wycislik-Wilson Published 10 hours ago

https://betanews.com/2018/01/08/microsoft-meltdown-spectre-patch-bricks-amd-pcs/
As if the Meltdown and Spectre bug affecting millions of processors was not bad enough, the patches designed to mitigate the problems are introducing issues of their own. Perhaps the most well-known effect is a much-publicized performance hit, but some users are reporting that Microsoft's emergency patch is bricking their computers.

We've already seen compatibility issues with some antivirus tools, and now some AMD users are reporting that the KB4056892 patch is rendering their computer unusable. A further issue -- error 0x800f0845 -- means that it is not possible to perform a rollback.
Details of the problem have been gradually emerging through reports posted by users on Microsoft Answers. People with AMD Athlon-powered computers say that following the installation of the patch, it is impossible to boot into Windows leaving a full reinstallation as the only option -- although some users report that even this does not fix the problem.

One user, Jaroslav Škarvada, explains the predicament:

I have older AMD Athlon 64 X2 6000+, Asus MB, after installation of KB4056892 the system doesn't boot, it only shows the Windows logo without animation and nothing more. After several failed boots it do roll-back then it shows error 0x800f0845. Unfortunately, it seems it's not easy to disable the automatic updates without gpedit tweaks, so it tries installing and rolling-back the update over and over. The sfc /scannow shows no problem, in-place upgrade also doesn't seem to help. I can try full reinstall, but I doubt it will change anything. It seems like the update is binary incompatible with my old CPU.

The number of people experiencing the problem appears to be fairly significant, but Microsoft is yet to issue a response. Judging from the thread on Windows Answers, the best chances for success are to perform a complete reinstallation of Windows and immediately disable Windows Update. Another user, Snoopy_garnet, explains what to do in Group Policy Editor:

Open the Run command (Win + R), in it type: gpedit.msc and press enter.

Navigate to: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update.
Open this and change the Configure Automatic Updates setting to "2 - Notify for download and notify for install"
 


Thanks for the quick reply. I'll keep checking for this BIOS update. I have a brand new Asus Prime X299 with an i7 7740, and I'm quite concerned with FPS reduction. I use flight simulators which are very CPU intensive - my processor is currently overclocked to 5 GHz, and it is still the bottleneck (GPU is a GTX1080, running at 90% of its capacity). I believe SSD will only impact my loading times in this application.

Best regards

Antonio Intini
 


Honestly, even a 4% reduction in FPS isn't much. But a lot more testing needs to be done, so we can know the real impact. It will probably take a couple weeks to a month. And many more patches for years until the hardware is redesigned.
 
Meltdown site updated affected chips. The former phrase "At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown." has been replaced by "At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected".

This confirms the original guesses of the authors (commented in this post) about how the failure of their original attack on ARM and AMD processors didn't imply the CPUs would be invulnerable. And now we have confirmation ARM CPUs are vulnerable.
 
AMD CEO Dr. Lisa Su Talks Spectre, Meltdown
Jayson Derrick, Benzinga Staff Writer
January 08, 2018 1:13pm

https://www.benzinga.com/media/cnbc/18/01/11002434/amd-ceo-dr-lisa-su-talks-spectre-meltdown
Advanced Micro Devices, Inc. (AMD)'s stock has gained nearly 20 percent over the past five trading sessions, mostly due to the discovery of a security flaw in rival Intel Corporation (INTC)'s processors.

The Executive
AMD CEO Dr. Lisa Su talks with CNBC's Jon Fortt.

The Thesis
As a technology CEO, the top priority is security, much like how safety is the top priority for an auto executive, Su said in a CNBC interview. The entire technology industry is taking the latest round of security flaws, dubbed Meltdown and Spectre, very seriously, Su said.

Meltdown does not affect AMD's architecture due to the way AMD set up the architecture, the executive said. But on the other hand, Spectre is a "little broader" in its reach and does affect AMD's processors. Operating system vendors are working on mitigation — a "strong solution," Su said.

"To be fair, I think it is very application-dependent and very processor-dependent," she said. "And so I do believe there are good mitigations in place. I do believe there [are] some workloads that you might see — larger performance variants. But on this particular Spectre we feel the performance [impact] will be small."

Price Action
Shares of AMD were up nearly 3 percent at $12.22 Monday afternoon.
 


Well, at least I wasn't imagining things although a clean install using installation media from before the patch release and blocking WU seems to be working for now.
 
That's one of the points I've been trying to make since the first day these stories broke. Everything currently in the pipe is likely DOA and new designs will take years from, well, June, to get done. That's if it is even possible to design a CPU with branch prediction (which accounts for a tremendous amount of modern CPU performance) that isn't vulnerable and doesn't have to pay a stiff performance penalty for hardening them. It might not be. Even if it's possible to evade the current vulnerabilities, new designs using it might have other ones.

Nice huh? Wait two years for new CPU that performs worse than Haswell and then find out that it too has similar, albeit different, vulnerabilities. Just a nightmare.
 


Some clarification about ARM processors. Here is the list of ARM processors affected by the 3 variants.
https://developer.arm.com/support/security-update
The only ARM vulnerable to Meltdown (variant 3) is Cortex-A75. Cortex-A75 was obviously not tested by the authors of the paper. The ARM processors tested in the paper remain NON VULNERABLE to Meltdown. So, no, original guesses of the authors have not been confirmed.

 
http://steamcommunity.com/games/NexMachina/announcements/detail/1583444307645115385

About server problems
JANUARY 8 - HMQ-YEPE
Hi everyone!

There has been an increased amount of reports during the past few days about various server problems including the availability of online arena, leaderboards and player customization. We've investigated the issue and it would seem that the cause of the problem are the recent patches to the Meltdown vulnerability.[spectreattack.com]

After the patch our backend server has experienced 4-5 times bigger load than it did before. This has caused the unexpected issues that you are currently experiencing in Nex Machina. You can see the impact of the patch in the picture below.
We are trying to mitigate the effects to the best of our ability. You can expect issues during the next two weeks as due to the nature of the problems we'll pretty much have to test the fixes in live environment. Meanwhile we ask for your patience and please continue reporting any issues that you may experience. Thank you for understanding.

Server workloads are being affected.
 
Dealing with the Meltdown patch at Grab
7 Jan 2018 · Althaf Hameez
http://engineering.grab.com/dealing-with-the-meltdown-patch-at-grab
Grab is more than just the leading ride-hailing and mobile payments platform in Southeast Asia. We use data and technology to improve everything from transportation to payments across a region of more than 620 million people.

The meltdown attack reported recently had far reaching implications in terms of security as well as performance. This post is a quick rundown of what performance impacts we noted as well as how we went on to mitigate them.

Most of our infrastructure runs on AWS. Initially, the only indicators we had were the slightly more than usual EC2 maintenance notices sent by AWS. However, as most of our EC2 fleet is stateless, we were able to simply terminate the required instances and spin up new ones. All the instances run on HVM across a variety of instance types running multiple Golang and Ruby applications and we didn’t notice any performance impact.

The one place where we did notice a performance impact was on Elasticache. We use Elasticache, the managed service offered by AWS, to run hundreds of Redis nodes. These Redis instances are used by services in multiple ways and we run both the clustered version as well as the non-clustered version.

On January 3rd, our automatic alerting triggered at around noon for high CPU utilization on one of our critical redis nodes. The CPU utilisation had jumped from around 36% to 76%. Now those numbers don’t look too bad until you realize that this is an m4.large instance which means it has 2 vCPUs. Combined with the fact that Redis is single-threaded, whenever we see CPU utilization go past 50% it’s a cause for concern.

The initial suspicions were a deployment / workload change causing the spike and our initial investigations focused on that. However, over the course of a few hours, multiple unrelated Redis nodes started displaying the exact same behaviour with sudden significant spikes in CPU utilisation.

Conclusion

This post was meant to give a quick glimpse of the impact that Meltdown has had at Grab as well as provide some real data on the performance impact of the patches.

The design of our internal systems in their usage of Redis to quickly be able to horizontally scale-out was key in ensuring that there was minimal impact, if any to our customers.

We still have further investigation to conduct to truly understand why only certain Redis workloads were affected while others weren’t. We are planning to dive deeper into this and that may be the subject of a future blog post.
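
The triage reasoning in the Grab post above, as an added example (not code from Grab or from this thread): host CPU is rescaled to the single core a single-threaded Redis can use, and a sustained step seen on several unrelated nodes is treated as a platform-level change rather than a deployment. The node names, sample values and thresholds are constructed assumptions.

```python
from statistics import mean

# Constructed host-level CPU % samples per node (not Grab's real metrics).
# Each node is assumed to have 2 vCPUs, like the m4.large in the post.
SAMPLES = {
    "redis-a": [35, 36, 37, 36, 75, 76, 77, 76],
    "redis-b": [20, 21, 20, 22, 21, 44, 45, 46],
    "redis-c": [30, 31, 30, 29, 30, 31, 30, 31],
}


def engine_core_pct(host_pct, vcpus):
    """Approximate load on the one core a single-threaded Redis can use.

    Host CPU % is averaged over all vCPUs, so it is rescaled and capped at 100.
    """
    return min(100.0, float(host_pct * vcpus))


def find_step(series, window=3, ratio=1.5):
    """Index where `window` consecutive points all reach ratio x the mean of
    the preceding `window` points (a sustained jump, not a blip), else None."""
    for i in range(window, len(series) - window + 1):
        threshold = ratio * mean(series[i - window:i])
        if threshold > 0 and all(p >= threshold for p in series[i:i + window]):
            return i
    return None


def assess(samples, vcpus=2, saturation=90.0, min_nodes=2):
    """Per-node verdicts plus a flag for a correlated, fleet-wide step."""
    report = {}
    for node, series in samples.items():
        peak = engine_core_pct(max(series), vcpus)
        report[node] = {
            "step_at": find_step(series),
            "engine_core_peak": peak,
            "saturated": peak >= saturation,
        }
    stepped = sorted(n for n, r in report.items() if r["step_at"] is not None)
    # Unrelated nodes stepping up together point away from a single deployment.
    return report, stepped, len(stepped) >= min_nodes


if __name__ == "__main__":
    report, stepped, fleet_wide = assess(SAMPLES)
    for node, verdict in report.items():
        print(node, verdict)
    print("stepped:", stepped, "fleet-wide:", fleet_wide)
```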

 


So far, from what I've seen on personal computers, 0-4% FPS and 0-41% on SSD or NVMe performance depending on workload. Servers are also workload dependent, meaning some show no performance increase while others show a tremendous increase. Not enough testing has been done, or problems reported, to truly know the extent of the patching. I'd give it another week to a month maybe.

Edit: Sorry, I just got it was watching CES stuff LOL!
 

The problem is most review sites just benched individual applications or synthetic benchmarks. However a real workload mix is much more complex, for instance there might be a lot of context switches, and apparently the impact is significant.

 

Funny, that's exactly what I was going to ask about. So it seems Skylake and newer will get a microcode to help mitigate against Spectre. Does that mean everything pre-Skylake will be a sitting duck for hackers? My socket 1366 server really wants to know. Even if it would help, I sincerely doubt that Dell would release a BIOS update for a system so long out of production.
 
The expressed outlook from Intel and AMD keeps getting brighter and brighter, oh things are just fine and we see no major issues, in fact, fewer all the time, while everybody ELSE keeps finding more and more reasons why this really sucks big DD. Do you think there will ever come a point where they have to just say "Ok, you're right, the whole thing is borked" or as usual will simply throw a few flowers on top of a big pile of steaming crap and keep telling us how great it smells. Jesus.
 