
Intel FUBAR ... again - Kernel memory leak in nearly every Intel CPU of the last decade (Spectre hits everyone, Meltdown still Intel exclusive)



I do not see how anyone is going to be able to sell anything for a while. Anyone with half a brain is going to throw all purchasing plans in the trash until we see how this is going to play out.

By the way… Intel CPUs are on sale that are not really sales :)~


Best talk so far.


I think MS decided to be incompetent years ago and they are doing everything right to stay on that level.


Yes, servers are taking a hit on CPU for sure. Twice the CPU util after patch for Meltdown isn’t peanuts.

(You can probably guess when the patch was applied)



I hope all security problems won’t delay Zen + first quarter release.


Rather it be right… than ten years of Oh crap!


It started with Windows 8. When they tried so hard to be a consumer data mining company, that’s when they started to be terrible. Look at how many tracking cookies an unneutered Skype now produces… There was that evidence in another thread that PiHole was just blocking requests left and right from Skype’s ad servers.


I’m here :stuck_out_tongue:


More gaming and storage results.


Well, on a Ryzen 1800X, the Spectre PoC does work:

[email protected]:~/meltdown$ lscpu
Architecture:        x86_64
CPU op-mode(s):      32-bit, 64-bit
Byte Order:          Little Endian
CPU(s):              16
On-line CPU(s) list: 0-15
Thread(s) per core:  2
Core(s) per socket:  8
Socket(s):           1
Vendor ID:           AuthenticAMD
CPU family:          23
Model:               1
Model name:          AMD Ryzen 7 1800X Eight-Core Processor
Stepping:            1
CPU MHz:             2200.000
CPU max MHz:         3600.0000
CPU min MHz:         2200.0000
BogoMIPS:            7199.97
Virtualization:      AMD-V
L1d cache:           32K
L1i cache:           64K
L2 cache:            512K
L3 cache:            8192K
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid aperfmperf pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb hw_pstate sme vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xgetbv1 xsaves clzero irperf xsaveerptr arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif overflow_recov succor smca

Spectre PoC:

[email protected]:~/meltdown$ time ./spectre
Reading 23 bytes:
Reading at malicious_x = 0xffffffffffdfec20... Success: 0x48=’H’ score=2 
Reading at malicious_x = 0xffffffffffdfec21... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfec22... Success: 0x6C=’l’ score=2 
Reading at malicious_x = 0xffffffffffdfec23... Success: 0x6C=’l’ score=2 
Reading at malicious_x = 0xffffffffffdfec24... Success: 0x6F=’o’ score=2 
Reading at malicious_x = 0xffffffffffdfec25... Success: 0x20=’ ’ score=2 
Reading at malicious_x = 0xffffffffffdfec26... Success: 0x4C=’L’ score=2 
Reading at malicious_x = 0xffffffffffdfec27... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfec28... Success: 0x76=’v’ score=2 
Reading at malicious_x = 0xffffffffffdfec29... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfec2a... Success: 0x6C=’l’ score=2 
Reading at malicious_x = 0xffffffffffdfec2b... Success: 0x31=’1’ score=2 
Reading at malicious_x = 0xffffffffffdfec2c... Success: 0x54=’T’ score=2 
Reading at malicious_x = 0xffffffffffdfec2d... Success: 0x65=’e’ score=2 
Reading at malicious_x = 0xffffffffffdfec2e... Success: 0x63=’c’ score=2 
Reading at malicious_x = 0xffffffffffdfec2f... Success: 0x68=’h’ score=2 
Reading at malicious_x = 0xffffffffffdfec30... Success: 0x73=’s’ score=2 
Reading at malicious_x = 0xffffffffffdfec31... Success: 0x00=’?’ score=5 
Reading at malicious_x = 0xffffffffffdfec32... Success: 0x25=’%’ score=2 
Reading at malicious_x = 0xffffffffffdfec33... Success: 0x70=’p’ score=2 
Reading at malicious_x = 0xffffffffffdfec34... Success: 0x00=’?’ score=5 
Reading at malicious_x = 0xffffffffffdfec35... Success: 0x25=’%’ score=2 
Reading at malicious_x = 0xffffffffffdfec36... Success: 0x64=’d’ score=2 

real    0m0.006s
user    0m0.005s
sys     0m0.001s

…whilst Meltdown does not (as expected):

[email protected]:~/git/meltdown-poc$ ./meltdown 
poke buffer: 0x7ff32e346000, page size: 4096
Illegal instruction

Kernel version (+AMD KPTI avoidance patch):
$ uname -a
Linux deepthought.lan 4.14.11 #2 SMP Tue Jan 2 21:32:06 GMT 2018 x86_64 AMD Ryzen 7 1800X Eight-Core Processor AuthenticAMD GNU/Linux
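
To complement the PoC runs in the post above, this added example (not part of the original post) reads the kernel's own Meltdown/Spectre status from `/sys/devices/system/cpu/vulnerabilities`, on kernels that expose that directory. The sample status strings are constructed for an AMD-like system, and a missing file is reported as unknown rather than treated as safe.

```sh
#!/bin/sh
# Added example (not from the thread): summarise the kernel's reported
# Meltdown/Spectre status from sysfs.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status <text>: map a sysfs status line to a coarse state.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_vulns [dir]: print "name state raw-text" per issue.
# Returns 1 if anything is vulnerable or not reported at all.
report_vulns() {
    dir=${1:-$VULN_DIR}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
        else
            raw="(no sysfs entry)"   # older kernel or file missing
        fi
        state=$(classify_status "$raw")
        printf '%-11s %-12s %s\n' "$name" "$state" "$raw"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# make_sample <dir>: constructed status files, not captured from a real host.
make_sample() {
    printf 'Not affected\n' > "$1/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
    printf 'Vulnerable\n' > "$1/spectre_v2"
}

sample=$(mktemp -d)
make_sample "$sample"
report_vulns "$sample" || echo "=> at least one issue is unmitigated or unreported"
rm -rf "$sample"
```

Call `report_vulns` with no argument to read the live sysfs directory. These files describe kernel-side mitigations only; they do not say whether a user-space variant 1 demo that reads its own process memory will succeed.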


All as expected then.


My attempt may have been flawed then.


Overclock the CPU as @sgtawesomesauce and check again.

Jk but if you want you may check it. It will be so fun if Ryzen with overclock is immune.


It’s curious.
I’d like to see some results from other Ryzen/TR/EPYC owners too. Anyone?


There isn’t much to report honestly. It’s all the same across the board for variant 1.

Also I feel like handing out likes today. :smiley:


I was messing with Variant 2 and honestly this is the most apt thing to describe what it felt like figuring it out and trying (but failing) to get it to work.


ah, so you solved it with an emacs macro?


I confess. I used cat.

Maybe that’s why I didn’t have success.


I just thought of something. This vulnerability might finally give us the chance to look at the encrypted Windows 10 telemetry payloads before encryption. This would be a breakthrough if people can figure that out before it’s patched.