Theo de Raadt Details Intel Core 2 Bugs

Eukariote writes "Recently, Intel patched bugs in its Core 2 processors. Details were scarce; soothing words were spoken to the effect that a BIOS update is all that is required. OpenBSD founder Theo de Raadt has now provided more details and analysis on outstanding, fixed, and non-fixable Core 2 bugs. Some choice quotes: 'Some of these bugs... will *ASSUREDLY* be exploitable from userland code... Some of these are things that cannot be fixed in running code, and some are things that every operating system will do until about mid-2008.'"

Yay AMD

[delt0r]

Thank God I got a AMD this time around.

Re:Yay AMD

[BosstonesOwn]

I don't think that is a good thing either. It looks like AMD may be doing this as well.

(While here, I would like to say that AMD is becoming less helpful day
by day towards open source operating systems too, perhaps because
their serious errata lists are growing rapidly too).

Re:Yay AMD

[Etyenne]

From the TFA:

(While here, I would like to say that AMD is becoming less helpful day by day towards open source operating systems too, perhaps because their serious errata lists are growing rapidly too).

Yay indeed.

Re:Yay AMD

[cab15625]

Except that if you read what Theo has to say, he doesn't have kind words for AMD either.

Re:Yay AMD

[Idaho]

Except that if you read what Theo has to say, he doesn't have kind words for AMD either.

Wake me up when Theo has kind words to say about basically anything at all, now *that* would be news!

Unfortunately he's likely also right on most accounts though :(

Re:Yay AMD

[delt0r]

He said they are getting less and less helpfull. Which is not the same as "just as bad".

Dam I really think it would be better if we didn't have a "two party system" in the x86 field. A third (or fourth) vendor would be nice. But given the high barrier to entry, its not going to happen anytime soon.

Re:Yay AMD

[operato]

start buying some via cpu's. we'll get a third at some stage.

Re:Yay AMD

[vadim_t]

Well, there's VIA as well, althought their stuff left a lot to be desired the last time I checked it out. Their mini-ITX stuff had potential -- small, low power usage, REALLY good crypto and video acceleration to compensate for the slow CPU. Unfortunately when I tried a Nehemiah board, it was very unstable.

Re:Yay AMD

[Intron]

Why x86? You write a lot of code in machine language? Ever hear of Java?

Re:Yay AMD

[BosstonesOwn]

Heres #3

VIA http://www.via.com.tw/en/products/processors/

Re:Yay AMD

[delt0r]

I program 98% in java. What cost/performance option is there that not x86? The Cells are comming, but how well do the JIT perform on them? There was the PowerPC etc with apple. But now thats gone too.

Re:Yay AMD

[delt0r]

Well VIA are not really performance CPU's. There are more for application that are size/power sensitive IIRC. The idea of using the phrase "two party system" is that voting for the independants does not get them into power. That is we have a market dominated by just 2 players. Really just one major player with a significant other.

We just got a 150 000 euro cluster from IBM. The options were intel or AMD.

Re:Yay AMD

Got a few mini-itx from via: none is really convincing; all run OpenBSD now (and fine) as their Windows/Linux claims
were countered (on paper and in reality) by (processor) incompatibilities. Announcements are another factor.

Re:Yay AMD

[Intron]

Over half the programming being done is not x86-specific. It's either for Sun, IBM, embedded or in a machine-independent language like Java or perl. The main thing preventing use on the desktop of non-x86 CPUs is Windows. And the only reason that x86 is cheaper is the volume due to desktop use.

Re:Yay AMD

[TheRaven64]

SPARC is doing very well for certain categories of workload, although mainly web-app types at the moment. Most computers sold these days have some form of ARM chip[1], which is a nice, low-power architecture, but lacks floating point. This isn't a huge problem, since a lot of ARM designs (particularly those from TI) have a DSP on die which can seriously out-perform a general purpose CPU for a lot of FPU-heavy workloads.

For general-purpose usage, the most interesting design I've seen recently is the PWRficient from P.A. Semi. It's a nice dual-core 64-bit PowerPC, with low power usage, similar performance to IBM's PowerPC 970 series. It has a lot of nice stuff on-die (crypto, a really shiny DMA architecture, etc).

For a complete round-up of current alternatives, take a look at this article and the next two in the series.

[1] They are generally marketed as 'cell phones' or similar, rather than 'computers'.

Re:Yay AMD

[glitch_xl]

Obligatory: I am in ur processor fsking with yer transitors!

Re:Yay AMD

[MoxFulder]

Dam I really think it would be better if we didn't have a "two party system" in the x86 field. A third (or fourth) vendor would be nice. But given the high barrier to entry, its not going to happen anytime soon. Heck, it doesn't even have to be x86. I don't use anything but open-source software, so I don't really care one bit about the underlying architecture, as long as it performs well. If somebody builds a well-performing, price-competitive mobo/processor combo that I can drop into my current box, and supports USB/SATA/PCI/2D graphics, I'll use it.

ARM, MIPS64, PowerPC, SPARC, whatever works... I imagine there's a large community of open-source users who would similarly jump ship from x86 if there were an alternative that were competitive on price/performance and flexibility.

Re:Yay AMD

[Bill,+Shooter+of+Bul]

He does have kind words about open bsd. ... Sometimes.

Re:Yay AMD

[physburn]

Well since AMD has its phemon processor in some beta-preprotection stage ready for an autumn release, i expect there are very busy now looking for errata (and speed path probs), and yes there list will be getting longer. I just wish them luck, getting these things out. Intel's Core 2 been available for ages though and really the BIOS fixes should have been out immediately and it should have been fixed in silicon by now.

Re:Yay AMD

[MBGMorden]

http://www.via.com.tw/en/products/processors/

You've got Via already. Their newer chips are available at 2Ghz speeds, and work well depending on the application (very low power and low cost) - from what I hear they're in a LOT of computers sold in Asia where lowering cost (of purchase as well as cost of running - ie power consumption) is the absolute #1 priority and speed is way down the list.

Re:Yay AMD

[Tony+Hoyle]

You'd be surprised - there are all sorts of gotchas on different platforms... different OS library support, different word length, different byte orders, alignment issues, etc. then at the OS level you have path separators (/,\,.,:,whatever plus existence of drives eg SYS$SYSTEM:[00000] is a path on VMS, C:\ is a path on Windows - and not all filesystems support paths in the sense Unix does anyway, Character set assumptions (you can't assume the platform supports utf8, or even ASCII), Case sensitivity, Character set sensitivity, etc.

No code (except assembler) is CPU specific.. you can compile an average (well written) C app on pretty much anything with a C compiler, but it's often unknowningly architecture /OS specific - until you've been through the pain of translating to an entirely different OS (HPUX is fun, VMS is even more fun, or for *lots* of fun try OS/360) it's difficult to know - and that goes for any language, including Java (which mitigates some of the issues but by no means all of them.. not to mention the jvm isn't available on many platforms).

Re:Yay AMD

What a load of old crap Intel has become. First, they brought out the P4 Prescott. I bought one, because it was the new thing. Prescotts turned out to be utter shit. They run as hot as the depths of hell, and aren't particularly fast. So when the Core 2 Duo came out, I eagerly upgraded. And now, it turns out that this seris can't even get basic CPU functions right.

In future, I am only buying PIII chips and earlier. Anything newer than that will have to be from one of Intel's competitors.

Re:Yay AMD

[Gr8Apes]

I guess IBM doesn't sell Power chips anymore, nor Sun UltraSparc? (If you're talking in that price range, then those become contenders.)

Re:Yay AMD

[darkwhite]

REALLY good crypto and video acceleration Good video acceleration? From VIA?

The problem with VIA's platforms is that for twice the price you can get an Intel mobile-on-desktop mITX/uATX system that pulls less power and has far more than twice the performance, or you can get an AMD system for the same price that pulls a bit more power and still has hugely better performance.

Video is really bad too - there are tons of sub-$40 (even sub-$20) cards and integrated chips from both vendors that kick VIA's ass.

Re:Yay AMD

[bberens]

I wouldn't, but only because I utilize virtualization quite a bit.

Re:Yay AMD

[delt0r]

They didn't offer anything but x86, and this *was* IBM.

Re:Yay AMD

[MoxFulder]

Well, practically all processors are easier to virtualize than x86 :-) (http://en.wikipedia.org/wiki/Popek_and_Goldberg_v irtualization_requirement) MIPS, ARM, PPC, SPARC all "just work" with virtualization, since all their privileged instructions operate in the non-braindead way.

Of course, if you use virtualization to do cross-OS development or to run Windows apps, then obviously you're kind of stuck with x86 :-(

Re:Yay AMD

[kestasjk]

Wake me up when Theo has kind words to say about basically anything at all, now *that* would be news!

Unfortunately he's likely also right on most accounts though :( I'd like to wait to see if this actually affects anything at all before pulling a Theo and forking a project out of spite.

Theo talks a lot about "potential" security problems. There are 50-60 bugs and he'd "bet" that there are 2-3 "potentially exploitable" bugs. Hmmm. Just in case we've forgot how Theo deals with "potentially exploitable" bugs when they're in his own code:

# 2007-02-28: OpenBSD team indicates that the bug results in corruption of mbuf chains and that only IPv6 code uses that mbuf code, there is no user data in the mbuf header fields that become corrupted and it would be surprising to be able to run arbitrary code using a bug so deep in the mbuf code. The bug simply leads to corruption of the mbuf chain.
# 2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow.
# 2007-03-05: OpenBSD team notified of PoC availability.
# 2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website. He downplays them, just like he accuses everyone else of doing. He hates it when people call things vulnerabilities when they don't have PoC code (and even when they do), but he's happy to spread FUD about other products without any evidence that anything is exploitable.


Getting back to the problem itself. This is a problem in the MMU, a "show stopper", "buggy as hell", they "scare the hell" out of him. But hasn't Core 2 been out for a while now? Hasn't anyone noticed these terrible bugs? Where are all the reports of misbehaving programs and crashes that should have appeared since Core 2's release 11 months ago?

More likely Theo is leaping at the opportunity to spread FUD about a company that isn't sharing information with him. All processors have bugs; they're incredibly complicated devices. AMD has them, IBM has them, Atmel has them, etc. But they're rarely very serious, they rarely actually affect anything in remotely realistic scenarios.
Until Theo, or anyone, can actually show that these bugs are dangerous and are going to do some damage in a realistic scenario why should we care?

What is Theo adding to this anyway? Intel released the errata to everyone, Theo isn't exposing anything. Theo chimes in with how he's quivering with fear, how they could "potentially be exploitable", and how he "bets" Intel has more errata that they're not telling him.
Raving lunatics like Theo are totally counter productive. How does he expect Intel to respond? "Thanks for telling your flock not to buy our processors, now here are those detailed driver specifications you've been bugging us for!"

Re:Yay AMD

[swv3752]

There is the Via C processors.

They are low power cpu's loosely based on the Cyrix core much like an Athlon X2 is loosely based on a K6.

Re:Yay AMD

[IdleTime]

*sigh*
What do you think java is translated into? Smoke signals? Everything boils down to native x86 instructions before it is processed. What language you write in doesn't matter.

Re:Yay AMD

[atrus]

Thats the plus part of Java. There is a Java defined way of doing things (byte order, separators, etc). All you need is a competent JVM (which is not as portable :))

Re:Yay AMD

"Thank God I got a AMD this time around." - by delt0r (999393) on Thursday June 28, @08:58AM (#19674651)

I am inclined to agree & 2nd that motion (AMD Athlon64 X2 4800+ user here)... I was admittedly impressed by the Intel CoreDuo/Core2Duo performance shown in both synthetic benchmarks, & more "real world" type tests (using actual applications), but seeing word of this online reminds me of the Pentium FDIV bug that surfaced years ago, & I do NOT need technical inaccuracy out of my CPU or exploitable bugs (security issues) out of it either.

I do hope Intel fixes this, OR issues recalls (replacements)... or that it can be patched @ an OS level (doable imo, in most cases, but not desirable imo also), but it does not appear to be the case in some instances, per Theo de Raadt's analysis.

Above all - I am NOT an "Intel Fanboy" or "AMD Fanboy", I just like having the best & highest performing equipment I can afford, & over time, since 1991 (where I began on PC's @ least) I have owned both CPU families (mostly INTEL in fact).

However - Were I to buy now, prior to hearing news of this for instance?

I honestly would have went INTEL this round, rather than AMD, based solely on performance (which is all I am ever after, along with secure/stable operations).

However, after reading this? This is no longer the case.

Good article.

APK

P.S.=> Why was delt0r "modded down" for? He didn't do anything wrong, but express his opinion (which he is entitled to, imo @ least)... I don't get it. He wasn't "flaming" anyone, OR, technically inaccurate (spouting falsehoods etc. et al)... oh well! apk

Re:Yay AMD

[Intron]

"Everything boils down to native x86 instructions"

bytecode on Sparc gets compiled to Sparc, on PowerPC it gets compiled to PowerPC. The point is that you can distribute one binary bytecode, not source, that runs on the JVM on any of those platforms.

"What language you write in doesn't matter"
How do I write in VB, C# or Objective C and distribute binaries that run on any of those platforms?

Re:Yay AMD

[TheRaven64]

This is a problem in the MMU, a "show stopper", "buggy as hell", they "scare the hell" out of him. But hasn't Core 2 been out for a while now? Hasn't anyone noticed these terrible bugs? Where are all the reports of misbehaving programs and crashes that should have appeared since Core 2's release 11 months ago?

I have a Core 2 Duo, and Parallels causes kernel panics in the kernel extension that handles virtual memory with roughly a 50% chance every time I run Parallels and roughly once a week if I just leave the kexts loaded without running Parallels. Of course, it might be Parallels' bad code and not this bug, but I haven't seen any problems with Parallels on Core 1 machines.

Re:Yay AMD

[ajs318]

If you don't mind the idea of a chip which lies about its own capabilities, go ahead and buy a VIA CPU. They detect as 80686, but in fact only implement a partial subset of 80686 instructions. This got me when I tried to build Asterisk to run on a little mini-thing I had lying around.

It was easy enough to fix with a configure option, and there was stuff about it on the Wiki when I looked, but still. Back in the days when most cars only had four gears and a five-speed transmission was an extra, at least the four-speed variants didn't have the non-existent "5" position marked on the knob (which could have caused a nasty accident had someone attempted to engage 5th gear on a motorway or something).

Re:Yay AMD

[InsaneProcessor]

Not even close the the Cyrix core. These parts actually work.

Re:Yay AMD

He said they are getting less and less helpfull. He also said their "serious errata" (i.e., "shit that's broken") lists are growing. Seriously, dude, read past the first few words sometime.

Re:Yay AMD

[LWATCDR]

I would love an ARM notebook. I might get the one that Palm is selling. The ARM is a great CPU but it seems that they don't want to try and go anywhere but the embedded market. Why would they? They own it and are making money hand over fist.

Re:Yay AMD

[Tmack]

I guess IBM doesn't sell Power chips anymore, nor Sun UltraSparc? (If you're talking in that price range, then those become contenders.)

Thats news to Sun and IBM...

Just because they arent as available for desktop machines doesnt mean they went away. Sun also just released their UltraSparc T1 chip about a year ago, which looks very promising for virtualization with as many cores as it has...

Tm

Re:Yay AMD

[Tmack]

bleh, need more coffee, sarcasm detector not functioning yet...

Re:Yay AMD

[TheRaven64]

On the ARM front, the most interesting stuff is coming from Samsung, who have ported Xen to ARM. The really neat thing about this is that it allows you to carry your entire 'desktop' state around with you, then live-migrate it to your TV when you get home. They currently have some experimental work doing 'partial migration,' where the VM remains resident on both systems, and acts like a single system image cluster, allowing you to run different processes on the different machines, then fold them all up and take them with you later.

Re:Yay AMD

[TheoMurpse]

I'd be willing to bet that most of us on /. are more interested in running other people's code that was written for x86, rather than writing our own code. See, e.g., any commercial game written in the past 10 years.

Re:Yay AMD

[dr.badass]

Good video acceleration? From VIA?

He means accelerated MPEG-2/MPEG-4 decoding, not graphics.

Re:Yay AMD

[flowsnake]

If you really want an ARM notebook, you could get an Acorn A4 http://www.old-computers.com/museum/computer.asp?c =31 from ebay. Perhaps not the most powerful computer you will ever use, based around an ARM3 running at a blistering 24MHz, but not bad for a 16 year old model!

Re:Yay AMD

Most of the commercial game code I run was written for PS/2, which is MIPS. The Sims, the best selling PC game series of all time, was ported to PS/2 and the Mac. Nothing is "written for x86", it is written to run on a PC, with PC resources. CPU doesn't matter except to the compiler.

Re:Yay AMD

[fatphil]

Did you miss the "in the x86 field" part a few posts back?

Re:Yay AMD

[poopdeville]

http://www-03.ibm.com/systems/bladecenter/power-ba sed.html

Re:Yay AMD

[davecb]

TheRaven64 said:SPARC is doing very well for certain categories of workload, although mainly web-app types at the moment.

Well, most SPARC boxes are running databases and big non-parallellizable computations, but they indeed have got back into a good price/performance space for integer-intensive web apps with the Niagara chips.

--dave

Re:Yay AMD

[DrSkwid]

Plan 9 From Bell Labs

Re:Yay AMD

[dreddnott]

As far as I know, CP/M on the Zilog Z-80 is still waiting for a JVM...

Re:Yay AMD

[synthespian]

I don't know how you got modded "interesting."

Because what you do is a cheap "text-analysis" of what Theo says.

In order to refute him, you have to do an analysis on the bugs he claims exist. You have to prove his claims are false.

It doesn't seem like you will do that.

Re:Yay AMD

[Transcendent]

He downplays them, just like he accuses everyone else of doing

The exploit you refer to is an IPv6 only issue. Considering that the internet doesn't use IPv6, you're only left with attacks on an internal network (if it happens to use IPv6), which should be, at least, trusted.

Re:Yay AMD

[Arterion]

I'm a raving lunatic, you insensitive clod!

Re:Yay AMD

[Haeleth]

Most of the commercial game code I run was written for PS/2, which is MIPS.

No, the PS/2 was x86. The MIPS was still pretty new and untested in 1987, so there was no way IBM was going to pick anything but the trusty old 8086 for their new platform.

Re:Yay AMD

[dwarfking]

Thank you, I needed a good laugh today. Now have to clean the coffee that I just laugh/spewed onto my monitor.

Re:Yay AMD

Um, ARM cores do have hardware float, arm 9 and 11 have VFPs, newer cores have float units too.

Re: Yay AMD

[Black+Parrot]

Dam I really think it would be better if we didn't have a "two party system" in the x86 field. Damn, I'm glad that we have two parties. We're lucky we're not paying Intel $1000 for buggy 200MHz Pentium Pros in 2007.

Re:Yay AMD

[TeknoHog]

not bad for a 16 year old model!

I'll rather take the 16 year old model, please. :-P

Re:Yay AMD

[G+Morgan]

Theo doesn't actually make any concrete claims. He bets that out of 60 bugs 2/3 will be exploitable. He doesn't produce a PoC or even a theory he just takes a number and a percentage then combines them. Essentially he is guessing.

Not knocking him in general but here he hasn't produced anything we didn't know already.

Re:Yay AMD

[Short+Circuit]

And which company's processor do you think of as a legitimate "80686"? I seem to recall Intel and AMD stepping away from numbered processors after Intel lost its trademark dispute, with even Cyrix calling their processors things like "5x86" and "6x86".

"686" is more a generation indicator than an actual specification, and different companies (Intel, AMD, Cyrix/VIA) have different feature sets in that generation.

Re:Yay AMD

[Sits]

Perhaps it is a hardware bug but hardware bugs occur with less frequency than software ones. Parallels definitely has bugs though and I've personally run up against Enabling Parallels' NAT shared networking makes Mail.app slow when replying to mail with attachments. Frustratingly, it is very hard to find a list of issues from the folks making Parallels.

I guess the way to know for sure if it's Parallels or the hardware is to test whether your issue turns up when using VMWare...

Re:Yay AMD

[peacefinder]

"Not knocking him in general but here he hasn't produced anything we didn't know already."

Maybe I've been under a rock lately, but I didn't know there were security implications to the bugs. I'm glad he mentioned it.

Re:Yay AMD

[bconway]

Not quite. If you check AMD's errata, their have 4x as many "items" to be resolved in their latest chips as the Core 2 line.

Re:Yay AMD

[Gr8Apes]

Dropping down on coffee/tea/soda/caffiene carriers myself. Life seems to be moving at about 3/2 speed at the moment.

Re:Yay AMD

[rbanffy]

I would be far happier if we had a bigger field than the x86...

There _must_ be a way to build a decent computer, desktop or notebook, around ARM, MIPS or SPARC and to do it at a reasonable price and we now have the software base to build a functional computing experience on just about any architecture. I think almost all my userland would run on all CPUs I mentioned.

Heck. The machine to my right has Firefox running on Solaris on a vintage Ultra 1 workstation and it's putting up a pretty satisfactory browsing experience. And I also love that Frog Design aesthetics...

Re:Yay AMD

[tepples]

How do I write in VB, C# or Objective C and distribute binaries that run on any of those platforms? Mono has VB and C# covered. For Objective-C, you might have to distribute source code that links against GNUstep.

Re:Yay AMD

[mibus]

ARM, MIPS64, PowerPC, SPARC, whatever works... I imagine there's a large community of open-source users who would similarly jump ship from x86 if there were an alternative that were competitive on price/performance and flexibility.

Unfortunately, part of the performance comes from the multitude of highly-tuned libraries. You just don't get that on other architectures until some great hackers have spent time doing the work, which easily leads to a catch-22.

Re:Yay AMD

[kl76]

I guess when he says "80686" he means "P6 architecture compatible"...

http://en.wikipedia.org/wiki/I686

Re:Yay AMD

[delt0r]

This is what happened. We advertise that we want a 150 000 dollar cluster. The vendors submit offeres. We pick the best. All offers were x86 cpu's.

They have over cpus's on there website, great. But they didn't offer us anything but x86. Sun didn't put in a offer.

Re:Yay AMD

[julesh]

You sure? (OK, so it needs an eZ80, not a Z80, and its for direct OS-less embedding not CP/M, but still...)

Intel chips

[supersnail]

.. not intel compatable.

Ask for your money back folks!

Re:Intel chips

[Short+Circuit]

No, what this means is no other brand is Intel-compatible. :-)

How hard is it to get right?

[Junior+J.+Junior+III]

We're talking about a few hundred million transistors. I imagine that detecting and fixing bugs when there's that many components involved is really, really difficult. Are other comparably complex processors better? How do AMD, VIA, Motorola, IBM, etc. fare?

Re:How hard is it to get right?

[delt0r]

This is all true, and AMD have had problems in the past. Though it does seem to be more of a Intel problem. There bugs tend to be worse and intel tend to be worse at letting everyone know. IMO anyway.

Don't get me wrong, I have had my fair share of intel machines. I *almost* got a duo this time around. But a store special on a AMD X2 was just too good to pass up.

Re:How hard is it to get right?

[ardor]

Actually we are talking about VHDL. The "million transistors" argument is just as appropiate as saying "software is so large, it has so many ones and zeros". Development does not happen at this low stage.

Re:How hard is it to get right?

[supersnail]

Except it seems that intel have just arbiteraly changed the way MMU instructions work.

Intel seems to regard these as unpublished improvements rather than bugs.

Re:How hard is it to get right?

[SatanicPuppy]

What is a bug but an undocumented feature?

Re:How hard is it to get right?

[Zontar_Thing_From_Ve]

How do AMD, VIA, Motorola, IBM, etc. fare?

AMD64 doesn't like FreeBSD 6.2 at all. We use FreeBSD and Linux in our business. FreeBSD is very important to us. In fact, I would go so far as to say that the senior management here in our IT department borders on being fanboys of FreeBSD. We were running various versions of FreeBSD on our AMD64 servers from 6.1 down to 5.something and we (foolishly in hindsight) decided that we had to upgrade to version 6.2 because it had some bug fixes we thought we needed. Oh they did fix those bugs, but they opened up a huge one that apparently nobody knows what causes it and nobody has any idea how to fix. What happens is that AMD64 systems will panic with some sort of a "sleeping on a non-sleepable lock" panic. Some people think that this is being caused by a large number of writes. Given how our servers work, this is certainly possible for us. The bottom line for us is that FreeBSD on AMD64 is so unstable that we are probably going to have to go to Linux instead for our web servers. Nobody wants to do that, but we simply can't have our webservers going down every day with the same panic and we lose one server a day on average to this problem. We've even had boxes crash within minutes of being brought up with the exact same panic.

Once we move to Linux, I don't think we'll go back to FreeBSD. My best guess is that because the problem has apparently been going on for months with no resolution that we'll start moving servers from FreeBSD to Linux when we can. We don't have this problem under Linux. The fact is that whether we like it or not, more people use Linux and if stuff is seriously broken under Linux, someone will fix it soon enough. With FreeBSD nobody seems to have any idea what to do for this problem and I'm not sure that it will even be fixed this year, let alone soon enough to keep us from moving to Linux.

Re:How hard is it to get right?

[imgod2u]

Yes and no. There are limitations to HDL's (and Intel, last I heard, was all Verilog). For one, it is *very* difficult, if not impossible in certain situations, to describe asynchronous signals. With something as complicated as a microprocessor that is so aggressively designed for both power and speed, I would guess that they didn't go with a completely synchronous design (hell, no one does anymore). Locally synchronous, globally asynchronous design has been in use for a while. It helps when you want to be able to shut off, or slow down, only parts of the chip that aren't being used very much.

It is not possible to describe such things (let alone voltage islands, voltage scaling) in an HDL language and they must either be a special feature built into synthesis (with an extra set of constraints) or done by hand at the transistor/gate level.

Then there's the point of verification. Every software release since about the mid-1990's has almost been immediately followed by patches. Just because it's "1's and 0's" does not mean that it doesn't get harder to detect corner cases as complexity grows. And it's much more difficult if you have to simulate on a cycle-accurate model (boot-up for an operating system, in simulation, would take a day on a nice cluster on something as big as the Core 2).

Then there's post-synthesis/layout issues. Timing analysis do best on sequential logic (completely synchronous). When you throw in clock gating, multiple voltage islands, dynamic voltage scaling (meaning dynamic gate delays), not to mention the plethora of other techniques that those folks might be doing, what you see in simulation at the RTL level will not match what you see in reality. First rule they ever teach in any ASIC design class is never trust simulation.

The point is that abstraction, like how it's "vhdl", does not mean that it's not difficult to get right and even sometimes impossible to be certain.

Re:How hard is it to get right?

[herrkaiser]

They probably have a VHDL or Verilog for most parts (if not all) of the chip. But that doesn't stop to make things by hand. I bet that most of the parts of the chip (especially the critical ones) are made by hand. I don't know how GP got insightful.

Re:How hard is it to get right?

[suv4x4]

We're talking about a few hundred million transistors. I imagine that detecting and fixing bugs when there's that many components involved is really, really difficult. Are other comparably complex processors better? How do AMD, VIA, Motorola, IBM, etc. fare?

It's not about size, it's about messiness. The current x86 architecture is just hacks upon hacks. Various CPU modes slapped on top in each generation. Commands abstracted into other commands or translated to RISC commands. Certain commands running on parallel and other not, complex branch prediction techniques.

And what is x64 if not yet one more layer of hacks upon x86.

All of this creates a prospect of having buggier and buggier chips in time because we can't get rid of the x86 legacy. It's not unlike the struggles Microsoft is having while trying to retain backwards compatibility of its OS.

Just like biological organisms eventually age, leave offspring and die, the technology cycle proceeds in the same fashion. This means we'll be seeing virtualizations and translations and hacks that keep compatibility to one turning point where someone will come up with a simple fast stable and clean solution and overtake the old market leaders.

Re:How hard is it to get right?

[herrkaiser]

Also, there are some parts that are not even digital anymore. Because of the very high speed, they should work like digital ports, but they are actually some analog circuitry.

Re:How hard is it to get right?

what does Very High Density Lipo-proteins have to do with this?

Re:How hard is it to get right?

[cyfer2000]

most of those transistors are used to make cache. Assume there are 4MiB L2 cache, roughly 33.5 million bit, Intel uses 6 transistors per bit design, that's about 200 million transistors. There are also several million transistors used for the L1 cache. I remember there are no more than 300 million transistors on Conroe chip, so we are talking about tens of transistors for code execution now. And there are sill a lot of transistors used to locate the cache, decode...

Re:How hard is it to get right?

[TheGratefulNet]

AMD64 doesn't like FreeBSD 6.2 at all

% uname -a
FreeBSD myhost.grateful.net 6.2-STABLE FreeBSD 6.2-STABLE #0: Mon May 28 09:52:28 PDT 2007 me@myhost.grateful.net:/usr/obj/usr/src/sys/AMD64 i386

granted, I'm using 32bit mode - but I've been running 6.2 for as long as its been out and my 'always on' freebsd box. what issues are you seeing? this is my production box - but I don't see any problems with bsd. in fact, I also have 6.2 running with an old amd64 3000+ that was a mobile chip and had to have cpufreq enabled just to move it off its default 800mhz and up to the 2.mumble ghz that its supposed to clock at. works fine.

I have seen some hardware devices not behave well but often its not a well designed piece of hardware or its just not meant for server style loads (cheap consumer onboard sata sometimes times out and usb2.0 always times out if you give it enough load).

I can't speak to amd64 USING 64bit mode, but 32bit mode works as well as (or better) than linux on headless style computing.

Re:How hard is it to get right?

[RichMan]

The problem is that they are releasing buggy hardware.

They should be respinning and correcting. Also their design process should adapt and catch these bugs next time.

What this speaks to is a rapid hardware churn and release cycle without proper testing and validation.

Re:How hard is it to get right?

[Antique+Geekmeister]

You do realize that Theo de Raadt is the leader of OpenBSD, not FreeBSD, right? And that Theo got kicked off of CVS write access to NetBSD for various reasons, including his personality and tendency to pick stupid fights instead of getting things working?

Re:How hard is it to get right?

[Zontar_Thing_From_Ve]

what issues are you seeing?

I thought I explained it pretty well. It's a known problem - a "sleeping on a non-sleepable lock" panic. You can do a web search on it and find some discussion about others who have it, but nobody seems sure about what causes it (a lot of writes is the best guess) and nobody knows how to fix it.

Long story short - 32 bit mode won't work for us as we have to move to 64 bits for growth and future scalability. Using 32 bit FreeBSD is not an option for us. We'll just move to 64 bit Linux rather than move backwards to 32 bit FreeBSD. 64 bit OSes work a lot faster for us than 32 bit. Fast response keeps out customers happy.

Another guy asked why we didn't just fall back to version 6.1 of the kernel. We felt that we needed bug fixes that came out in 6.2 and indeed 6.2 did fix those problems, it just opened up something worse with the panics. Going back to 6.1 will once again give us the bugs we wanted fixed. Again, we might as well just go to Linux as it doesn't have the bugs we faced and it doesn't have the panics on 64 bit AMD that FreeBSD 6.2 does.

Re:How hard is it to get right?

[profplump]

Not if you want support for RAID cards released in the least 2 years, for example. Having worked FreeBSD with high-end hardware I can speak to the fact that it's a major hassle to balance the OS bugs with hardware support; new hardware gets support later in FreeBSD than linux, and that support is less likely to be backported than in linux.

Re:How hard is it to get right?

[TheRaven64]

About a year ago, I was at a talk by a former Intel chief architect, which really highlighted this. A huge number of parts of the x86 instruction set have side-effects, which makes it much harder to test individual parts of the CPU independently. Another problem is that earlier versions of a chip described certain behaviours as 'undefined,' and did something quite silly in these cases because it was simple. Of course, some developers (mainly game developers, apparently) then decided to make use of this undefined behaviour, and if they change it later then software breaks, and people blame Intel, so they have to keep maintaining this broken behaviour in newer chips.

Re:How hard is it to get right?

[simm1701]

Well people have been saying for years that hardware is getting more and more like software....

Re:How hard is it to get right?

[suv4x4]

% uname -a
FreeBSD myhost.grateful.net 6.2-STABLE FreeBSD 6.2-STABLE #0: Mon May 28 09:52:28 PDT 2007 me@myhost.grateful.net:/usr/obj/usr/src/sys/AMD64 i386

Wait... this works in Slashdot's text area?

% uname -a

% uname -a

Damn it :(

Re:How hard is it to get right?

[ceeam]

I'm not sure how widespread is the problem. Google search for the error message does not return a lot of results. Good luck in resolving your issue but try to sound less FUD'dy next time.

OTOH - I've had a problem with FreeBSD installation on this one particular mobo here. It panics during boot with OHCI and "address not found" problem. I couldn't work around it. I mailed Epox and they deflected me to another point and I didn't bother (shouldn't they handle it internally? Well - next time I'm not buying Epox). Linux BTW also says something during USB init but at least it chugs on (and everything works it seems, Windows was silent but loosing USB keyboard every other boot).

Re:How hard is it to get right?

[imgod2u]

Well, see, that's the thing. It implies that the bug was detected before release. Believe me, it costs a lot more to recall than to delay 3 months. The problem is, existing test methods simply cannot test enough without taking *years*. You don't catch 1% more of the flaws in a flat amount of time. It takes *exponentially* more time as you asymptotically approach 100% of all possible features tested. To "get it right" as in be certain that there are no flaws in the design would take centuries.

The problem we should be asking isn't why it wasn't tested more, but rather, why it was so complex to begin with. There is only one reason for putting anything in silicon and that is for speed. I'm going to guess that a large majority of "features" on today's x86 microprocessors are not speed bottlenecks. Why could these features not be put on a re-programmable firmware? The technology exists.

Re:How hard is it to get right?

[trigeek]

Actually, Intel CPU's are designed in Verilog. Intel never used VHDL for it's CPUs - it used to use iHDL, an internal hardware description languange, but convereted to Verilog about 6 years ago.

Re:How hard is it to get right?

[ErikZ]

Why not just go back to 6.1?

Re:How hard is it to get right?

[TheGratefulNet]

thanks for the heads up.

I have never seen this but WILL be (now) on the lookout for it. it seems you did find a pretty ugly bug in bsd.

I don't run 64bit mode and I also tend use decent disk i/o cards (3ware in raid1 mode), which I'm led to believe is fully production quality.

(I started using linux in 1995 or so and switched over, almost fully, to freebsd around 1999 or so. I've had almost zero problems with bsd on my production boxes, but these are not multiuser systems - they're LAMP servers (well, minus the L) but they aren't hammered on - they get fairly light duty. still, I've had uptimes that approach a year (reset by a need to physically move the server). I don't think I ever got a full year of uptime on linux - but to be fair, I was always updating the kernel and that has the nasty habit of reseting your uptime.

Re:How hard is it to get right?

[Tony+Hoyle]

My boss used to work designing these things and he told me how difficult it is... in computing you have operation that does X, it'll always do X. In chip design it's just not that deterministic because electrons do what they damned well please, and have never any of the theory textbooks. Engineers have libraries of 'what worked last time' that they use because textbook examples rarely do what you'd expect (he went into an example about electron flow going backwards under certain circumstances but I forgot the details).

Re:How hard is it to get right?

[askreet]

Wouldn't 4MiB be exactly 32 million bits? Why is this roughly 33.5? Lets go with that: 32,000,000 * 6 = 192,000,000 transistors. That leaves 'roughly' 108,000,000 transistors for L1 cache, code execution, and other minor functionality.

Re:How hard is it to get right?

[Anonymous+Brave+Guy]

Any sufficiently advanced undocumented feature is indistinguishable from a bug. :-)

Re:How hard is it to get right?

[gomiam]

Wouldn't 4MiB be exactly 32 million bits? Why is this roughly 33.5?

Since 1MiB=1048576B (Mi is a "binary mega" unit, not a decimal one, that's M), it is 8388608 bits. Multiplying by 4 gives 33554432 bits (so it is a bit over 33.5 million bits). Multiplying by 6 you get 201326592 transistors (a bit over 201 million). In the end it's a difference of "just" 9 million transistors or so, but everything adds up.

End note: unfortunately, hard disk manufacturers have long ago changed from MiB and GiB to MB and GB, shortchanging us all in the process.

Re:How hard is it to get right?

[creativeHavoc]

How do AMD, VIA, Motorola, IBM, etc. fare?

Why not ask the important question. How does ARM fare? It is their designs that many of these chip makers base everything on. If there is some sort of flawed developmental issue, would it not be best to look at the people responsible for the largest volume of processors, instead asking about these other names that are only big in popular name space?

Re:How hard is it to get right?

[saider]

All circuitry is analog. Nature knows not of this "digital" of which you speak. Digital logic is simply an abstraction that makes things easier to design, but it is implemented with the good old transistor. The transistor can be operated like a switch, but it is still a bunch of electrons flowing through a semiconductor bound by the laws of physics and quantum mechanics.

Re:How hard is it to get right?

[MrPeach]

The way I see it, they are in a race with AMD, and when making performance tweaks to get "just a little more juice" out of the process, they willingly create problems such as these MMU errors.

I'm betting that fixing them will reduce performance such that they will lose the lead, hence they will not do so.

(In the interest of honesty, this was posted from an AMD facility, but represents only my personal opinions.)

Re:How hard is it to get right?

A couple of questions:
1) Is this the 64 bit version of FreeBSD 6.2
2) What is he PR?

Thanks

Re:How hard is it to get right?

"sleeping on a non-sleepable lock" is probably a bug in a driver.
Can't you create a backtrace from panic and see where this happens?

Re:How hard is it to get right?

[mengel]

Theo may not have the best personality for working with certain personality types, granted.

But when it comes to things technical, if he says he's sure something works a given way, then that sets a confidence level of over 98%, as far as I'm concerned, and there are very few people in the world I say that of.

'nuff said.

Re:How hard is it to get right?

[fbjon]

IANACPUDeveloper, but I don't think it'll be a problem in the long run. It may be crufty now, but eventually it will be old enough, with enough abstraction layers between applications and the lower levels that stuff can simply be dropped.

Re:How hard is it to get right?

[harrkev]

The problem we should be asking isn't why it wasn't tested more, but rather, why it was so complex to begin with. There is only one reason for putting anything in silicon and that is for speed. I'm going to guess that a large majority of "features" on today's x86 microprocessors are not speed bottlenecks. Why could these features not be put on a re-programmable firmware? The technology exists.

Nope. Not even close. Moore's law (roughly translated) means that the same die size will both become faster, and give you more transistors (yes, not an exact translation, but close enough). That means that even if you do nothing to your design, you get more speed. Well, it used to mean that. These days, the transistors are not increasing in speed every generation like they used to. Moore's law is breaking down. I built my computer almost three years ago, and the $200 processor runs at 2 GHz. Now, that same price range will get you 2.4 GHz. Three years and the clock speed has gone up 20%. Clearly, the transistors are not getting much faster. BUT... The modern processors are all dual-core, instead of my old single-core monster. So, you are getting a lot more transistors for your money.

It looks like the future involves more transistors, but not a lot of gains as far as transistor speed. So, the $1,000,000 question is how do you use those transistors. Believe me when I tell you that AMD and Intel study how to best use those transistors. If you have some more room to work with, do you make the floating-point unit faster, do you make the processor more "superscalar", or do you just increase the cache? There are trade-offs associated with each one, and each choice will impact certain benchmarks more than others.

Simply stated, if AMD and Intel did not add all this extra stuff, the processors would not be getting faster. The goal is to use the transistors that you have intelligently -- which means some complexity.

Re:How hard is it to get right?

[jZnat]

I think he means digital as in discrete while analog is continuous. You know, the mathematical definition. :)

Re:How hard is it to get right?

[jpfed]

It is not possible to describe such things (let alone voltage islands, voltage scaling) in an HDL language and they must either be a special feature built into synthesis (with an extra set of constraints) or done by hand at the transistor/gate level.

Verilog is perfectly capable of describing designs at the gate level. Just last semester I designed a simple 16-bit RISC processor at the gate level (with the exception of flip-flops, given to us as black boxes) using Verilog.

Verilog is a huge language. While it may be the case that some of its constructs assume a clock (I can't say- I worked with a tiny subset), the language itself does not assume a clock and is capable of dealing with asynchronous circuits.

Re:How hard is it to get right?

[Waffle+Iron]

This means we'll be seeing virtualizations and translations and hacks that keep compatibility to one turning point where someone will come up with a simple fast stable and clean solution and overtake the old market leaders.

You mean like 68000, MIPS, PowerPC, Itanium, etc? Many fast, stable, clean alternatives to the x86 have come and gone over the years. After a brief career as a niche competitor on the desktop, they all eventually end up relegated to the embedded device market.

Notice also that by the 2nd or 3rd generation of any architecture, the original assumptions about the state of hardware technology that made the architecture such a clean solution usually become invalid. This means that the alternatives start getting pretty messy themselves. One of my favorite examples is the acronym "MIPS", which originally meant "Microprocessor without Interlocked Pipeline Stages". That made the R3000 a very simple clean design. Yet by the time the R4000 was introduced, increased transistor die counts and worsening instruction bandwidth bottlenecks made that approach uncompetitive. So they went ahead and added those messy interlocked pipeline stages anyway in order to avoid padding all the code with so many NOPs.

At the end of the day, software installed base always wins out in the desktop market. That's why the CPUs with an unbroken chain of compatibility back to the original 8008 have always ended up on top.

Re:How hard is it to get right?

[Cygfrydd]

FTA:

Various developers are busy implimenting [sic] workarounds for serious bugs in Intel’s Core 2 cpu.
Perhaps its petty, but my opinion of Theo’s opinion was not enhanced by his apparent inability to spellcheck a post as seminal as this.

@yg

Re:How hard is it to get right?

[Renegade88]

I've got two Sun Fire X2100M2 boxes (AMD64 Next generation Opteron Model 1214) running FreeBSD 6.2 in 64 bit mode. I built them 90 days ago and they have never suffered any problems, much less a kernel panic.

Are you servers the first generation opteron? Maybe this "sleeping on a non-sleepable lock" panic is restricted to those chips.

Re:How hard is it to get right?

[zcsteele]

Actually, Intel CPU's are designed in Verilog. Intel never used VHDL for it's CPUs - it used to use iHDL, an internal hardware description languange, but convereted to Verilog about 6 years ago. That explains everything!

My condolences to Intel's engineers.

Re:How hard is it to get right?

[archen]

Where I work we use FreeBSD (6.2) extensively as well. Every now and then - mainly on test machines - I've come up with really strange problems that Google only returned 5 or 6 non English results. You'd think that anything that comes up in the log you'd be able to find via Google in some way, but that isn't always the case. Sometimes I've come up with issues where I only found the error printed in the source code itself as the Google result. Since switching all of our servers but one to 64bit, everything is surprisingly stable aside from the ONE machine that uses an Intel processor.

Many of the problems I thought might be due to processor strangeness were actually problems with the mainboard. I had a Linux box that seemed to have problems with Cool 'n Quiet enabled, or so I thought mainly because of the 'losing ticks' message in the log. Eventually the machine would turn itself off. I went through different options only to find a month later that the machine was completely dead. Swapped out the main board and never had another problem.

The servers I run aren't really dedicated web servers either, so it seems likely that whatever scenario he's running into has to do with what they're using the machines for. I also run a website that is hammered pretty well that's doing just fine, but I run Lighttpd, Postgresql and Rails on it - not LAMP.

Re:How hard is it to get right?

[drmerope]

I used to curse hardware vendors for their buggy chips, but now having worked for one such vendor, I see the other end of the stick.

It isn't the number of gates per-se that matters. Most of those transistors are in cache anyways. No, what really kills a project is the amount of explicit (configuration) and implicit state. This makes in nearly impossible to test adequately.

Second, Verilog RTL is used extensively. Verilog RTL lacks type-safety. It is also a very primitive language. A common source of error stems from cycle-misalignment. i.e., data from two sources is expected to be coherent on a given clock-cycle but actually arrives skewed. Worse is when this happens only during certain conditions.

This problems can be hard to detect; they may require very specific sequences of events; they may require sustained load, etc. Verilog provides no means to adequately annotate and assert alignment requirements--they have assertions but I find them nearly useless for documenting temporal relationships.

Modern x86 has everything including the kitchen sink inside. Its pretty difficult for designers to have a good sense of what is happening outside their bubble of responsibility. On the other hand, substantial code reuse takes place from generation to generation. I suspect this run of problems stems from invasive changes being made to enhance SMP performance.

Re:How hard is it to get right?

[Galactic+Dominator]

According to freebsd-bugs, this one was fixed about a year ago. So either you're spreading FUD, which sounds possible from your obvious linux leanings, or you didn't describe the issue well enough(as another responder asked about that as well).

http://lists.freebsd.org/pipermail/freebsd-bugs/20 06-July/019278.html

Re:How hard is it to get right?

[evilbessie]

So does that make any undocumented code full of bugs, because never* have I seen fully documented code.

*I've not seen that much code

Re:How hard is it to get right?

Man, all this hardware talk is a bummer. I just want to write and run my software. Why do I have to worry about the hardware? What does hardware have to do with software, anyway?

Re:How hard is it to get right?

[rthille]

Interesting that you would claim that everything is analog, then reference _quantum_ mechanics...

Re:How hard is it to get right?

[Fweeky]

Of course, thousands of people, including a significant majority of FreeBSD's developers, use AMD64 and don't see problems like this, so I don't think it's so much "AMD64 hates FreeBSD 6.2" as "I've run into an annoying bug and would like to overgeneralize in a vague attempt to solicit sympathy and interest".

Given that you're faced with having to move to Linux, I can sympathise, but playing the "FreeBSD/AMD64 is just too unstable to use!!1!!!!1!!!2" card is just counterproductive FUD, especially when you don't even bother linking to a PR or relevent thread.

"sleeping on a non-sleepable lock" is very non-specific, fwiw. Hardly better than "it doesn't work", since it doesn't say anything about where it happens. A search on just that is going to uncover a tonne of unrelated issues which just happen to result in the same panic. They're not likely to be related to AMD processor bugs either; more likely it's a driver problem.

Re:How hard is it to get right?

[rho]

Once we move to Linux, I don't think we'll go back to FreeBSD

FWIW, I am a former FBSD fan who's transitioned to CentOS quite happily. There's nothing quite like the ports tree, but yum ain't horrific, and I like the "enterprise" aspect of it. I haven't used the 64bit versions, but all in all, CentOS has been excellent.

Re:How hard is it to get right?

[NotQuiteInsane]

Any bug distinguishable from an undocumented feature is insufficiently advanced. :-)

Re:How hard is it to get right?

[G+Morgan]

Most code is self-documenting. Any sufficiently documented code is impossible to read.

Re:How hard is it to get right?

So, where is the bug report? Did the corporation of GP decide to contact developers? Perhaps spending a few dollars to get a bug fixed? I didn't read anything about that, while that is what FOSS is about: co-operation. If it were an individual, I'd be less inclined to say this, but once you start bragging "about your customers" I guess it must be worth a lot to to get this fixed...

Re:How hard is it to get right?

[rapidweather]

I have added some memory to an old Pentium Pro server I have, with two processors, and had problems arise after a while. I removed the latest added memory, and put the sticks I did have there, back in, and everything's fine again. Took the offending two sticks and put them in another machine, and they worked fine there, same OS.
Strange thing with the Dual Pentium Pro machine was that the bios and OS booted ok with the memory being tried out, then aways failed when I tried to change window managers. That's when X dropped out, and sometimes the OS just decided to go to halt or shut down.
So, it always takes some testing to get all your valuable memory used somewhere. Can't always blame OS crashes on the motherboard or processor, or graphics card, even though it's X that fails. One has to do lots of testing to sort some of these problems out. I thought to myself, "I sure would have been barking up the wrong tree if I thought the crashes where due to the OS itself, and not to a hardware (mis)configuration."

Rapidweather

Re:How hard is it to get right?

> > > > Any sufficiently advanced undocumented feature is indistinguishable from a bug. :-)
> >
> > So does that make any undocumented code full of bugs, because never* have I seen fully documented code.
>
> Any bug distinguishable from an undocumented feature is insufficiently advanced. :-)

In other words, from the adversary's point of view:

Any insuficiently-documented bug is indistinguishable from a feature.

The second-order problem is that Intel itself is now providing "remote system management (read: exploits) even for powered-off machines" misfeatures into the motherboard's LAN controller.

Re:How hard is it to get right?

[scottv67]

(he went into an example about electron flow going backwards under certain circumstances but I forgot the details).

Did he mention the part about reversing the polarity on the EPS relays on Deck 7?
http://www.star-trek-voyager.net/ship4/eps_system. htm

Re:How hard is it to get right?

[ChrisMaple]

Why could these features not be put on a re-programmable firmware? The technology exists.

Reprogrammable hardware ("firmware") is much slower than dedicated hardware, usually several times slower. It also takes up a lot of real estate compared to dedicated hardware. Its use is so expensive that it is reserved for fixing surprise blunders, not implementing experimental features.

Re:How hard is it to get right?

[ChrisMaple]

As of my experience 6 years ago, some things are extremely difficult to model in Verilog. For example, the output of a two input NAND gate will rise twice as fast if both inputs fall at the same time. It is just barely possible in Verilog to model this. What is not possible, without a huge module running hundreds of times slower than a standard gate description, is to model what happens if both inputs fall at almost, but not exactly, the same time. Now consider a simulation that runs 48 hours to verify the operation of a fairly small processor, that must be run for all 5 corners. Now multiply that by 100 to properly model at the gate level, instead of just approximating. That's 3 years. Now multiply that by the number of times the design has to be changed to fix timing errors discovered in the simulation.

Good gate modelling, as opposed to default approximations, is not practical in Verilog. Fortunately, the default is usually good enough.

Re:How hard is it to get right?

% uname -a
Linux flabbergasted 2.6.20-16-lowlatency #2 SMP PREEMPT Thu Jun 7 20:23:03 UTC 2007 i686 GNU/Linux

No problem here; you must be using one of those Intel Core2 CPUs.

Summary sucks, someone please provide better one

[Blahbooboo3]

Uh, the slashdot summary is pretty lousy. After RTFA I am still a bit confused, can someone at slashdot please provide an "english" translation of the problems and how dangerous they are to normal users?

Thanks!

Good stuff.

[AltGrendel]

I always find Mr. De Raadt's comments an interesting read. He's like a geek version of Harlan Ellison.

Re:Good stuff.

[Lisandro]

Same here. The guy might seem like a bit of an asshole sometimes, but he surely knows what he's talking about. Some of the things he points out are plain unbelievable:

Basically the MMU simply does not operate as specified/implimented in previous generations of x86 hardware. It is not just buggy, but Intel has gone further and defined "new ways to handle page tables" (see page 58).

Some of these bugs are along the lines of "buffer overflow"; where a write-protect or non-execute bit for a page table entry is ignored. Others are floating point instruction non-coherencies, or memory corruptions -- outside of the range of permitted writing for the process -- running common instruction sequences.

It will be interesting to see what Intel has to say about this.

Re:Good stuff.

[suv4x4]

Some of these bugs are along the lines of "buffer overflow"; where a write-protect or non-execute bit for a page table entry is ignored. Others are floating point instruction non-coherencies, or memory corruptions -- outside of the range of permitted writing for the process -- running common instruction sequences.

It will be interesting to see what Intel has to say about this.

Yea! Damn, where's the Intel Opinion Center exactly when you need it!

Re:Good stuff.

You're implying that Harlan Ellison has a damn clue about what he's talking about?

Re:Good stuff.

[arth1]

You got to be kidding. They're nothing alike. While Harlan Ellison is eloquent, with a large vocabulary, Theo de Raadt's command of the language is faltering, and unusually repetitive. While English isn't his first language, that's no excuse when being compared to icons like Harlan Ellison. (Heck, English is my third langage, and I groan when I read Theo de Raadt.)
    Also, Ellison doesn't presume to tell other writers how they should write. He's a fan or friend of many authors with very different writing styles from himself. He only defends his turf. This is in stark contrast to de Raadt, who seems to thrive on telling others what to do.

As far as I can tell, the only thing they have in common is attracting animosity, but even that differs in execution. Ellison plays his audience. He knows the reactions, and exploits this ahead of time. Theo de Raadt seems oblivious, and reactionary.

If I were to compare Theo de Raadt to someone more famous, it would have to be Frank Sinatra. The "My Way" part.

Re:Good stuff.

I've seen Theo speak on a few occasions. Without a doubt he's one of the top minds in O/S R&D worldwide.

People may rip on him for his occasional lack of tact and extremely vocal views, but most geniuses have some sort of hangup like this.

So when he says there are severe problems with Core 2 CPUs, I believe him. I wouldn't know who else to believe.

Re:Good stuff.

[butlerdi]

He always produces some pretty good songs to accompany the releases as well http://www.openbsd.org/lyrics.html

Re:Good stuff.

[jez9999]

Sorry for being slow, but what exactly DID happen to the Intel Opinion Centre?

how do they fix it?

do they just submit a patch to intel for the hardware? can i upgrade my intel cpu to newer firmware? hopefully i dont need a floppy drive cause i dont have one!! haha.

Patches

[suv4x4]

outstanding, fixed, and non-fixable Core 2 bugs

Well, in these days of fast-paced business, business at the blink of an eye, at the speed of light, at the speed of spooky action at distance kinda speed, it's normal that companies would release products prematurely and then patch later.

Thankfully, software is very easy to patch post-release.

Now, the only thing left to do, is someone tell Intel that they're selling hardware.

Re:Patches

[Jeff+DeMaagd]

Now, the only thing left to do, is someone tell Intel that they're selling hardware.

Hardware has had built-in firmware/software for as long as I remember. BIOS is software. Microcode for even consumer CPUs has been done for as long as I remember, Pentium II had it. Apparently, the 8086 had microcode-based instructions.

Re:Patches

[suv4x4]

Hardware has had built-in firmware/software for as long as I remember. BIOS is software. Microcode for even consumer CPUs has been done for as long as I remember, Pentium II had it. Apparently, the 8086 had microcode-based instructions.

Don't confuse microcode with firmware. Two different things. Microsode isn't intrinsically updateable, and may be placed in a read-only memory block.

Re:Patches

[jefu]

According to Andy Grove (Intel co-founder) "Hardware is nothing but frozen software.", so they are selling software, "frozen software".

Re:Patches

[Jeff+DeMaagd]

That's true.

Still, I think that probably the entire processor industry is using loadable microcode. A acquantance of mine at AMD said that AMD does it too. Hammering Intel for using a feature that's industry standard is a little unfair.

Re:Patches

[Hal_Porter]

Modern processors have some ram for microcode updates

http://www.enlight.ru/docs/cpu/INFO/mcupdate.htm

I think with this and with clever hacks in the OS, you can fix most bugs. So probably there's a lot of person to person communication between processor manufacturers, Bios writers and OS vendors and the net result is that it all seems like it works. Of course if you're an obnoxious vendor of a not too commercially important OS, you're probably excluded from this, which is why Theo is upset.

Re:Patches

[niceone]

Now, the only thing left to do, is someone tell Intel that they're selling hardware.

Or they could just rename the range: Core 2 Duo 2 Beta.

Re:Patches

[TheLink]

Well according to me (nobody), software is what you configure/modify,
hardware is what someone else configures/modifies.

OK so it's not 100% accurate, but it works well enough for me :)[1].

In my first job I used to reprogram modems. Most other people treated modems as "hardware only devices". Now the same can be said for DVD drives, phones, etc.

[1] Strictly speaking, most hardware nowadays contains a lot of software which only a few would bother with.

Re:Patches

[the_lesser_gatsby]

That doesn't do you any good at all if you haven't got enough energy to melt it.

Re:Patches

People have fixed/coded around bugs before. This is all a tempest in a teapot.

Not necessarily. Intel would certainly want everyone to believe that, but the truth is we don't know yet whether these bugs are a) easy enough to exploit, b) necessary to work around in OS software (MS patched for some of this recently), c) possible to fix in microcode, and d) going to be fixed by Intel.

At this point all the facts aren't in yet.

Re:Summary sucks, someone please provide better on

[Aladrin]

Sure:

Some of the bugs are so dangerous that it doesn't matter WHAT operating system you're running, code could be written that could attack the entire system. It would still be OS-specific code, but since the exploit is in the hardware, it's a LOT harder to prevent the attack, if it's even possible.

Some of the bugs are unfixable, as well. (I assume they mean without physcially replacing the chip with a 'fixed' one that doesn't exist yet.)

Re:Summary sucks, someone please provide better on

[Hurga]

can someone at slashdot please provide an "english" translation of the problems and how dangerous they are to normal users?

"We don't have the complete picture yet, but things look bad"

Hanno

Time for RISC?

[644bd346996]

For years, the x86 instruction set has been implemented on top of RISC cores. That microcode layer has been getting thicker over the years, and now it seems that it may be too complex to be reliably dealt with. I wonder if this means that we should toss out that x86 layer and deal just with the high-performance, straightforward RISC core.

Re:Time for RISC?

[Viv]

The market resoundingly rejected that idea when Intel tried to hoist IA64 on it.

Re:Time for RISC?

Response to the architecture it self was fairly strong. The difficulty was in getting the zoning permission to locate the required nuclear power station in your datacenter.

Re:Time for RISC?

[Slashcrap]

I wonder if this means that we should toss out that x86 layer and deal just with the high-performance, straightforward RISC core.

Did you know that one of the main reasons that x86 outperforms any similarly specified RISC chip is because those horribly inelegant, variable length x86 instructions allow for considerably higher code density than RISC?

Elegant does not necessarily equal faster or better, no matter how much you might want it to.

Re:Time for RISC?

[BosstonesOwn]

Because of the huge hit it took to move to that platform. The costs for most business operations were to high.

They would need to do it sort of like what is going on with x64 at the moment. Slowly transfer it over and maybe run an emulation layer on the os. The procs are plenty fast enough to take a small hit on performance.

Re:Time for RISC?

[suv4x4]

The market resoundingly rejected that idea when Intel tried to hoist IA64 on it.

They did it in a very bad moment and had poor developer tools. Yet, Microsoft ported Windows to IA64 and it worked out fine.

If x86 chips keep getting buggier and buggier in time because of legacy support issues, trust me, a day will come and people *will* switch away from x86, if given a sound alternative.

If anything, Mac has shown that you can even retain compatibility across CPU architecture for user-grade applications.

Re:Time for RISC?

[p3d0]

What makes you think the bugs are in the "x86 layer"?

Re:Time for RISC?

[mwvdlee]

What they should do (if at all possible) is allow access to the RISC core by some specific instruction or so (and similarly, switch back). This would enable new software to be written in the basic RISC language, yet remain legacy compatibility. The BIOS and OS could take the bulk of that switching work.

Though this idea is so obvious that it's probably impossible for some reason I don't know about.

Re:Time for RISC?

[LWATCDR]

No the real reason the that x86 has such good performance is that Intel and AMD have spent billions of dollars in R&D to make the x86 the fastest flying pig ever.

I think the latest Power series will give any Intel CPU a run for it's money as well the latest Sparc.

Code Density is nice since access to main memory is a bottle neck. CISC does have some advantages over RISC just as RISC has some over CISC.
However the x86 as an ISA really does suck. x86-64 is a lot better but it could still be better.

Re:Time for RISC?

Though this idea is so obvious that it's probably impossible for some reason I don't know about.

That sounds like ARM/Thumb - ARM chips have dual instruction sets, one for legacy compatibility (32 bit ARM) and the other for compact code (16 bit Thumb).

Given the sheer number of transistors that can be fitted onto modern CPU dies, there is no reason why an additional instruction decoder could not be included as an interface to the trace cache. I agree with you and the original poster that Intel/AMD should introduce this feature ASAP. Future CPUs need to be simpler so that they can make more efficient use of power and space, and that has to include a transition away from ridiculous non-orthogonal ISAs. Do it with a second instruction decoder for now, and move to dynamic binary translation for "legacy free" chips at some point in the future.

Re:Time for RISC?

[Anonymous+Brave+Guy]

Elegant does not necessarily equal faster or better, no matter how much you might want it to.

Fair point, but in this context I'd take "correct" over "faster" any day.

Re:Time for RISC?

[edwdig]

I think the latest Power series will give any Intel CPU a run for it's money as well the latest Sparc.

Yes, they will. But those chips are designed with a target price of thousands of dollars and without anywhere near as much concern about heat.

Power has a 128 KB L1 cache (64 KB on Core 2), 4 MB L2 cache per core (4 MB L2 shared on Core 2), and a 32 MB L3 cache (none on Core 2). If you're willing to pay for that, x86 would be a lot faster.

Oh, don't forget that Power chips run really really hot. Hotter than Pentium 4's. The market has made it clear that lower power usage / heat generation is a priority now.

Re:Time for RISC?

[644bd346996]

It doesn't really matter whether the bugs are in the x86 decoder and compatibility stuff or not. The problem is that they add greatly to the overall complexity. A cleaner architecture is easier to implement. This has been shown many times with ARM and Power chips, that manage to be very efficient and fast, even with significantly smaller R&D budgets.

Re:Time for RISC?

[AchiIIe]

Actually most new cores have a RISC underpinnings. "Modern x86 processors also decode and split more complex instructions into a series of smaller internal "micro-operations" which can thereby be executed in a pipelined (parallel) fashion, thus achieving high performance on a much larger subset of instructions."

> http://en.wikipedia.org/wiki/Micro-operations

Re:Time for RISC?

Hahaha, microcode layer? Get Real...

Re:Time for RISC?

[linuxrocks123]

IA64 isn't a RISC ISA. It's a (poorly designed) VLIW one.

Re:Time for RISC?

[p3d0]

Actually, it does matter. If the bugs are in parts of the chip that would be needed even in a RISC design, your argument is moot.

Re:Time for RISC?

[TheLink]

The Mac has moved FROM 68k to powerpc to x86.

So if anything, the Mac has shown that people are choosing x86.

The two big x86 pigs in the market are ugly, but they've both got high tech rockets strapped to them and they are outflying the "elegant eagles".

And guess what - somehow the pigs are even consuming less power than most of those eagles for the same level of performance.

I wouldn't bet against the x86. Intel themselves have tried at least twice to get rid of it, and failed.

Re:Time for RISC?

[suv4x4]

So if anything, the Mac has shown that people are choosing x86.

They chose x86 not because it's particularly future-proof as architecture, you know the reasons were completely different.
Likewise for energy efficiency, that's got nothing to do with x86 in particular.

x86 was just the pragmatical choice, but you never know for how long: PowerPC used to be the pragmatical choice before it as well.

Re:Time for RISC?

[644bd346996]

No, it isn't. Higher overall complexity means there is more to be debugged. If there are bugs in the RISC portion (even though that is a bit of a false dichotomy) that means that portion didn't get enough testing. If there weren't other subsystems competing for testing efforts, the RISC core would end up getting tested more thoroughly.

Re:Time for RISC?

[644bd346996]

Why did you phrase that as though you were contradicting me?

Re:Time for RISC?

[LWATCDR]

The grandparent made the statement that the x86 performed better than a RISC chip.
Yes the Power cpu is not a good notebook chip but there is a market where the highest performance no matter the cost does exist. The power does very well there.
The Core doesn't You can not just add cache to the Core unless you are Intel and frankly even if you just stuck on more cache it wouldn't be faster then the Power unless you did a total redesign of the core to use the cache.
The SparcT1 is a great chip for many integer parallel tasks. It is better for that market than the x86.
Then you have a market where power consumption and heat are the biggest issues. And for that market you have the ARM. The Core is a hot power hungery pig compared to the ARM.
Notice that Nintendo, Microsoft, and Sony all picked PPC risk cpus for their consoles?
The x86 isn't the idea universal computing solution that so many people think it is.
It is a good compromise of price, performance, power, and cost. It is also very popular because of the pc so it has had a lot of resources thrown at it. The main reason that the x86 won the desktop has nothing to do with performance. On the contrary it's performance has everything to do with it's popularity. If IBM had picked the 68k over the x86 Motorola would be the number CPU producer in the world today. I bet IBM to this day wishes that it had not out sourced the CPU for the PC. But then they thought it was going to be a tiny market and not really worth spending much on.

Re:Time for RISC?

Splitting complex instructions into multiple simpler operations is not the same thing as RISC. RISC and CISC are terms used to describe the instruction set visible to the end user.

Nearly every CISC CPU ever made uses microcode, simply because it's very awkward to design hardware to directly execute many CISC instructions. If modern x86 chips are really RISC, so is the 8086, because it used microcode too.

In the 1990s x86 designs got microcode engines with long pipelines, superscalar execution, etc. Since these microarchitectural features (and the resulting performance) had long been associated exclusively with RISC by the general public, it was advantageous to market the new designs as CISC CPUs with RISC internals. But there really wasn't anything new about using microcode.

Re:Time for RISC?

Sorry for that, I only read one reply saying that "IA-64 was rejected" -- clicked parent, and didn't really read your comment. Odd that I was not modded down...

Re:Time for RISC?

[sjelkjd]

IA64 was neither high performance nor straightforward.

Re:Time for RISC?

[et764]

RISC binaries tend to be larger than CISC binaries. The reason is the complex instruction set, like in the x86 architecture, were made complex to save memory. Most of the common instructions are represented in only one byte, while the rarer instructions can be much much longer. RISC instruction sets, on the other hand, typically have a fixed instruction size for all instructions, and the average instruction length ends up being longer.

While most people have plenty of hard drive space now, and RAM isn't as scarce as it used to be, CPU caches are still pretty small. Using a more compact instruction set can make the code caches more effective, which can dramatically improve performance.

I doubt this completely justifies choosing CISC over RISC, but it is at least one piece of information in favor of sticking with CISC.

Re:Time for RISC?

[p3d0]

That microcode layer has been getting thicker over the years... How so?

Shock Felt Round the World

[N8F8]

Coming from the government sector, this kind of issue isn't going to be taken lightly. I work at a DoD facility and all our machines were just refreshed with Core 2 Duo machines. It is already almost impossible to get new software approved, if this causes the same paranoia for basic commodity hardware we're really gonna feel some pain.

Re:Shock Felt Round the World

[Lord+Ender]

My understanding is that these problems allow someone who has the ability to execute code on the system to escalate privileges (get root).

Single-user systems would not be affected.

Re:Shock Felt Round the World

I work at a DoD facility

Good lord, I hope you don't have clearances. If you do, what the hell are you doing posting in a public forum such things! Way to paint a great big bullseye on your UID.

Re:Shock Felt Round the World

[drinkypoo]

My understanding is that these problems allow someone who has the ability to execute code on the system to escalate privileges (get root). Single-user systems would not be affected.

That provides useful vectors for buffer overflow-based attacks. You can get a buffer overflow someplace harmless, and turn it into a ring 0 attack. Or at least, that's what it should be good for, according to allegations.

Re:Shock Felt Round the World

[Sancho]

Most of the Windows boxes that get oh-so-compromised are single-user systems. "Oh, but those people run as admin!" Yeah, but now, any program on the box can "run as admin."

Blah.

Re:Shock Felt Round the World

[Lord+Ender]

The idea that a virus needs admin access to spread or do lots of damage is very false, yet far too widely believed to be true by many unix types.

Re:Shock Felt Round the World

[Sancho]

Yeah, but every time I say that, I get modded down. It happens just about any time a story on Linux security or Windows insecurity comes around.

Re:Shock Felt Round the World

[julesh]

My understanding is that these problems allow someone who has the ability to execute code on the system to escalate privileges (get root).

This is true.

Single-user systems would not be affected.

This is not. Ther are huge numbers of issues here, with a wide variety of potential effects.

For instance: "General Protection (#GP) Fault May Not Be Signaled on Data Segment Limit Violation above 4-G Limit". This could result in the situation you describe in your first sentence. Also, software may rely on it to prevent misbehaviours of all other kinds: remote buffer overflows for instance, might be caught in some software by setting a data segment limit on the segment in use and assuming it will be caught. Other software might plausibly run in a loop until the violation occurs thus indicating it has run out of data to process in memory; such software may crash on a Core 2, and because no details are given about when this occurs ("May Not Be Signmaled"), we don't know that it couldn't be an intermittent failure.

"(E)CX May Get Incorrectly Updated When Performing Fast String REP MOVS or Fast String REP STOS With Large Data Structures" -- This could almost certainly cause buffer overflows in some software. Much more plausibly than the last one. Apparently a fix is available for this issue, but clearly not for open source users.

"Incorrect Address Computed For Last Byte of FXSAVE/FXRSTOR Image Leads to Partial Memory Update" -- This could be a more serious calculation accuracy problem than the Pentium FDIV bug was for some programs.

"Cache Data Access Request from One Core Hitting a Modified Line in the L1 Data Cache of the Other Core May Cause Unpredictable System Behavior" or "Concurrent Multi-processor Writes to Non-dirty Page May Result in Unpredictable Behavior" -- Multithreaded programs that access the same data in multiple threads can make anything get screwed up.

"PREFETCH Instruction Execution under Some Conditions May Lead to Processor Livelock", "REP Store Instructions in a Specific Situation may cause the Processor to Hang" -- I don't think I need comment further on these.

Re:Shock Felt Round the World

[Lord+Ender]

Well if I see it, I'll give you a +1 next time :-)

Re:WHY WHY

[SatanicPuppy]

It's a series of significant hardware bugs, some of which are exploitable from userland, which may or may not be easily correctable with a bios patch.

That is why it's news. I've been watching this since it broke, and I'm interested in this thread. I doubt I'm the only one.

Well...

I have to say that his had swayed my choice in motherboard and CPU. I was going to order the parts to build a Core 2 Duo based system this week, but after reading this I'm going to find an Athlon 64 X2 in a comparable price range.

What's the point of a speed boost if Intel is breaking x86 architecture (Intentionally? Hahaha!) and leaving your PC open to rape on basically *any* OS?

Re:Well...

That's a really silly thing to base your decision on. It's like one in a million that the errata will affect you in day to day use.

"There's a 1/100000 chance that your seatbelt will come unbuckled in a car accident in this Honda."
"Screw that I'm getting a Toyota!"

Re:Well...

[Tim_Enchanter]

No... This is just a case of paranoia. Someone who has less than charitable thoughts about Intel takes practically routine patch and spread it about like its the new Pentium float bug (which was a croak in itself). Now their is blood in the water and slashdot is running for the hills while frantically crafting tin foil hats. In reality, can anyone produce a single instance of an exploited machine, much less an actual attack? It is funny how motivated people become by some distant threat they don't understand made "real" by a demagogue or a politician. Beware those who tell you to be afraid, for in their heart they deem themselves your master.

Re:Well...

[dk90406]

Bad analogy. It should be:

"There's a chance that your seatbelt will come unbuckled in this Honda, if the car is affected by precisely 0.47G."

That gives your enemy the opportunity to engineer that you get hit with precisely 0.47G

But you are otherwise right: I see no real need to be concerned, as long as you are prudent and control what software you allow to execute on your PC. If you aren't prudent and download all kinds of stuff from the 'net, it doesn't matter what CPU you have anyway.

Re:Well...

[Wyzard]

Keep in mind that Theo is speaking theoretically here, about potential vulnerabilities -- there are no actual working exploits for this stuff in the wild, and if/when there are, you'll hear about them through normal security advisories and Intel will probably release microcode updates to fix them, just like they did with this TLB bug when it proved to be a real-world problem.

There may be (in fact, probably are) workable exploits known to the ultra-secretive intelligence organizations of the world, but for most people that's not a concern -- you're unlikely to be the target of an individualized attack, and if you are, you'd better have your computer watched 24/7 by some highly-paid armed guards, because it's much cheaper and easier to just break in and use your computer directly than to pull off an attack based on buggy CPU opcodes.

Also keep in mind that AMD's processors aren't bug-free either: their errata list is here.

Re:Well...

[Chatterton]

Don't feed the trolls...

Go for the Z80 architecture. They had 3 decades to ironing theses pesty bugs. And big advantage for your electricity bill is that they are low power !!!

intel issues

[artjunk]

I am exceedingly ignorant in this area, but even I can grasp how dangerous some of these are. And, as a mac user (PowerPC Dual G5 - thankfully), I suspect that this will come as really bad news to mac community as well. It's unbelievable to me that some of the "Show Stopper" issues are not being addressed by intel - especially when news of nation to nation cyber wars/cyber attacks are beginning to pepper the news. The fact that some of these are not resolvable through software patches is VERY worrisome to me! I am very appreciative to those who can fully interpret these flaws chip architecture and bring it out to the public's awareness.

Re:intel issues

[gilesjuk]

Why would it be a problem for Mac users? there are literally a handful of viruses and malware for the Mac.

I doubt these bugs will cause problems for many end users, it is those using servers that will be worried. But the code has to get onto the box first.

Re:intel issues

[artjunk]

From what I gather from the article, it's irrelevant what OS you use - as some of these issues are at the lower level (under/before the OS). And, since all newer macs are Intel Core Duo's, I think this could be be an issue for them as well.

Re:intel issues

[another_fanboy]

it's irrelevant what OS you use
The exploit is at the hardware level, but the program targeting the exploit would be written for the individual OS. Not to say macs are in any way better, just that they have a smaller chance of being targeted than windows/*nix.

Re:intel issues

[99BottlesOfBeerInMyF]

From what I gather from the article, it's irrelevant what OS you use...

I don't think that is quite true. In order to execute one of these exploits, you need to get something running on the box and that means it has a binary that will run on your OS. Once that happens, you're rooted with no security measures in software able to do anything about it. To be useful, however, the OS will still have to be taken into account at this point as well.

That is not to say no one will write a cross platform worm or a mac specific exploit for this, since it is as vulnerable (maybe more so) than Windows. This is a problem for Mac users, but maybe not quite as large of a problem as you're implying.

Re:intel issues

[Zoxed]

> I am exceedingly ignorant in this area...

On a Slashdot post that is pretty much taken for granted :-)

Re:WHY WHY

[zakeria]

but why do we not see mentions to other Intel bugs where the same is true.. is this the first time userland code and exploit these bugs I think not!

Re:Summary sucks, someone please provide better on

[0123456]

"Some of the bugs are so dangerous that it doesn't matter WHAT operating system you're running, code could be written that could attack the entire system."

Indeed. For example, 'rm -rf ~'

I can see that a number of these bugs could potentially be exploited by evil code running on your machine. But if you have evil code running on your machine, you're already in deep crap.

translation

[circletimessquare]

the computer thingamajibs don't do things right and the computer nerds are all upset about it. best not to click on ANYTHING until 2009

Re:translation

[object88]

best not to click on ANYTHING until 2009

What about waving? Can I wave my mouse over things if I promise not to click?

Theo says...

(While here, I would like to say that AMD is becoming less helpful day
by day towards open source operating systems too, perhaps because
their serious errata lists are growing rapidly too). While this news does force me to rethink my intention to purchase a Core Duo MacBook Pro from Apple, because that's a lot of money to pay for a system inherently insecure thanks to Intel's negligence, I suppose one shouldn't go running to hug an AMD logo in an "us versus them" obsession when the latest offerings from Sunnyvale have hidden flaws (and not just the CPUs).

Re:Theo says...

Every CPU released for probably as long as you've known about computers has had an errata sheet on it. If you want to stop buying CPUs with errata... well... your computing days are over.

AI65 Thermal Interrupt is not generated...

[farker+haiku]

AI65. A Thermal Interrupt is Not Generated when the Current Temperature
is Invalid
Problem: When the DTS (Digital Thermal Sensor) crosses one of its programmed
thresholds it generates an interrupt and logs the event
(IA32_THERM_STATUS MSR (019Ch) bits [9,7]). Due to this erratum, if the
DTS reaches an invalid temperature (as indicated IA32_THERM_STATUS MSR
bit[31]) it does not generate an interrupt even if one of the programmed
thresholds is crossed and the corresponding log bits become set.
Implication: When the temperature reaches an invalid temperature the CPU does not
generate a Thermal interrupt even if a programmed threshold is crossed.
Workaround: None identified.
Status: For the steppings affected, see the Summary Tables of Changes.

I don't see why this is an issue. The Intel Desktop temperature monitor doesn't even work on my E6600, so how can it detect an invalid temperature? In other news, alternative temperature monitor programs (like speedfan)work, while the official intel one does not.

Re:AI65 Thermal Interrupt is not generated...

[farker+haiku]

please allow me to correct myself before I get jumped on. the fault lies in my intel motherboard (D975xbx2), using the intel chip E6600.

Re:AI65 Thermal Interrupt is not generated...

[Speare]

To turn to the usual car analogy tactic:

I don't see why this is an issue. The Intel Desktop temperature monitor doesn't even work on my E6600, so how can it detect an invalid temperature?

I don't see why this is an issue. The burnt-out low-oil lamp on my dashboard doesn't even work on my car, so how can the oil pump detect an invalid oil level?

If the input is working right, then a high temperature reading should trigger an interrupt to warn the OS that it should back off for a while. If the input isn't working right, perhaps it's just making up values, most of which are valid (10C, 80C, 345C, etc.) but maybe sometimes those made-up values are not valid (#NAN, #INF). Now, I don't know squat about this situation, but this is what it sounds like to me. Maybe if it thinks it has *ever* seen a #NAN, it will *never* trigger an interrupt again.

Potential DoS exploit: even on a good processor with a good sensor, make it think it has seen a #NAN, then work the processor until it locks up without any warning or notice given to the OS.

Re:AI65 Thermal Interrupt is not generated...

[farker+haiku]

Whoooosh. That was the sound of a joke flying over your head.

Re:AI65 Thermal Interrupt is not generated...

[Tx]

In all fairness to the GPP, after several rereads, if that was a joke, it was probably the least funny one I have read so far this year. Don't give up your day job.

Re:AI65 Thermal Interrupt is not generated...

Ask AMD. Back in 2000 or so, they sold Athlons with no temperature protection, and suffered a huge PR problem when some enterprising individual filmed an Athlong bursting into flames after the heatsink was removed from a running machine. I'm waiting for someone to do the same for an Intel Core 2 Duo... imagine the entertainment potential!

Re:AI65 Thermal Interrupt is not generated...

[AP2k]

Its a sad, sad day when Intel cant get a simple 8-bit ADC measurement right.

Today's ironic CAPTCHA: "simply"

Re:AI65 Thermal Interrupt is not generated...

[novus+ordo]

That was one of my favorite videos. Enjoy.

Others?

[drxenos]

I just bought a laptop with a Core 2, but its not one of this specific processors. Does that (necessarily) mean mine does not have these issues? I think its a later model.

No Intel Niether Amd what to buy VIA ?

[denisbergeron]

Before, you can buy Mac for the Open arhitecture of the Power! Now, what can we buy ?

Read to the end of TFA !

(While here, I would like to say that AMD is becoming less helpful day by day towards open source operating systems too, perhaps because their serious errata lists are growing rapidly too).

Re:No Intel Niether Amd what to buy VIA ?

[howlingmadhowie]

suddenly, everyone's favorite company doesn't look that bad after all.

Re:Summary sucks, someone please provide better on

im sure it says "news for nerds" round here somewhere ... LEARN.

UGH!! Just bought Core 2

[pygmy_jesus]

I've stuck with AMD for over 6 years, but after all the talk about how they fell off, plus the OC ability of Intel, I just put together a core2 system! You see what happens when you fuck a stranger in the ass, Larry?!?!

A hundred million transistors

[TapeCutter]

Three words....Black box testing.

Re:A hundred million transistors

Many things can't be testing with blackbox testing dumbass. Most notably, a new system of doing things that makes code vulnerable if it doesn't do it the new way (like is the case with many of those errata).

Re:A hundred million transistors

[azrider]

Three words....Black box testing.

Three more words (sans link):

BLACK BOX VOTING

Re:A hundred million transistors

[imgod2u]

The problem with the black box is that you never know whether the box you're using actually matches the box that will be put there. Hardware is not sequential. Everything happens at once, governed by a clock (and sometimes, without a clock). To test that kind of "black box", let alone reproduce a correct "black box" model is complex enough that the process, itself, introduces mismatches.

Re:A hundred million transistors

[TapeCutter]

I never said it was easy, rigid quality control costs money on a grand scale and it will still fail some of the time (statistically speaking). But BBT is the foundation of any component based model be it hardware or software.

Re:A hundred million transistors

[TapeCutter]

I always thought that was an odd name since what they advocate is more akin to white box testing.

Re:A hundred million transistors

[TapeCutter]

Errata are mistakes that reach production, manafacturers were perfecting BBT before it became a TLA and it's highly likely BBT found these particular mistakes.

dumbass

Wanker.

Re:A hundred million transistors

[imgod2u]

My point is, it doesn't eliminate the scaling problem. It merely reduces it. A design of 200 million transistors will still be much harder to verify than one that is 50 million (assuming equal logic complexity). Black box testing helps but at some point, you'll still hit the wall where it would take longer than the time you have to test a sufficient percentage of features. It's not just about money, it's about time. And unless people are content with a processor being released every 20 or 30 years, this problem will not go away.

Re:A hundred million transistors

[Mr.+Jaggers]

Many things can't be testing with blackbox testing dumbass

Eh??? How exactly do you think many of those errata items were discovered and reported to Intel? By hard-working hordes of programmers like us who just happened to be performing static analysis on Intel's super-secret Verilog and RTL??

It would probably be more accurate to say "Many things can't be testing [sic] with simulation only dumbass." Besides, when the API to the "new system of doing things" would be used to write a (software) unit test, and as such the implementation of the "new system of doing things" in the CPU is abstracted out of the test completely (hence the blackboxness of it all).

Perhaps blackbox testing is an incomplete tool for FIXING hardware flaws & errors, but certainly it's the ideal technique for a first pass at FINDING them.

Re:A hundred million transistors

[Mr.+Jaggers]

I suppose simulation is your only resort for component modules in the hardware design, so the BBT is really more of an integration-testing effort. You're right, however, internal clocking and timing issues are awfully difficult to diagnose... it's not like we can get down there and probe a particular layer and measure the hold times as the clock settles. We can't really even bring out test points (which at least you can synthesize into FPGA designs). Though, it's not like you're actually verifying each of 200 million transistors. I disagree with your scaling statement on the feature count; feature count isn't increasing with Moore's law, it's the transistor count. Our diagnostic techniques will certainly improve. It's not like semiconductor manufacturing has to start over on every chip, every revision, every decrease in nanometer/fabrication process.

The only reason (that I can see) that Intel & AMD profit from flawed designs is because the consumer is lazy or doesn't care, or both. It's a demand-driven problem. If consumers demanded quality, the number of testing & respin cycles will increase to equilibrium.

Re:Intentional?

[Slashcrap]

There seem to be intentional modifications in there.

Unprovable conjecture. Why would Intel make this public if they were?

Could that be a backdoor and a good reason for countries like China to develop their own CPUs?

Are you the same freak that posted on KernelTrap about how every CPU since the 486 has been bugged by the NSA and can be monitored by satellites? If so, please carry out the recommended course of action that I detailed to you on that occasion. Namely that you set fire to yourself outside the UN building in order to draw attention to your cause. Thanks in advance.

Re:Summary sucks, someone please provide better on

[vadim_t]

This is going to be a big deal for shared hosting environments for example.

If you can, as a normal user, execute something that lets you get root on the box, and there's nothing the OS can do to prevent it, then it's a seriously nasty situation for quite a few businesses.

I wouldn't be surprised if businesses like that started switching to AMD hardware.

IA 64 is not a RISC chip

IA64 is an EPIC chip, which is kind of VLIW offshoot.

Well...

[ardor]

and now? Everyone should trash their Core 2's? I for one have neither the money nor the incentive to do this. Its a good thing De Raadt highlights these very serious issues, but unfortunately it comes too late.

Microcode

[pathological+liar]

... so how many of these are fixed by recent microcode updates? How many CAN be fixed by microcode updates?

So how long before we start seeing...

[clickety6]

... Intel Core 2 processors embedded everywhere... paper weights, key ring fobs, geek jewellery, ...

(I still have my nice Pentium key ring from the last big chip snafu!)

Re:Summary sucks, someone please provide better on

[DrSkwid]

There's the added bonus of the possibility that the source code would look benign but compile it to buggy machine code and it turns belligerent.

Quantum effects?

[DFDumont]

My favorite errata in the list is AI22, Sequential Code Fetch to Non-canonical Address May have Nondeterministic Results. Basically the chip decides that all of the high oreder bits should be '1', instead of '0' - for no apparent reason as its not consistent.
Did anyone notice these chips are using the 65nm process?
At what point do the shear quantum affects overcome the deterministic EE rules that are used to design the chips? I don't know, but wikipedia defines a nanoparticle as one with at least one dimension less than 100nm. http://en.wikipedia.org/wiki/Nanoparticle
Given that definition every transistor's source, drain and gate are nanoparticles. And we expect them to behave classically why?

Re:Quantum effects?

[Reverend528]

My favorite errata in the list is AI22, Sequential Code Fetch to Non-canonical Address May have Nondeterministic Results. Basically the chip decides that all of the high oreder bits should be '1', instead of '0' - for no apparent reason as its not consistent.

That's not a bug. It's a cryptographically secure random number generator!

Re:Quantum effects?

Score: 2, Insightful? You have got to be joking.

Usually non-determinism in logic results from races or latches being set before the logic values can propagate through the path. If it were a quantum effect then statistically only *HALF* of the high order bits would be '1' instead of '0'.

So no - not a quantum effect, just a regular, run-of-the-mill design flaw.

Re:Quantum effects?

[Burb]

Given that definition every transistor's source, drain and gate are nanoparticles. And we expect them to behave classically why? We don't. Transistors wouldn't work in a "classical" universe

Re:Quantum effects?

[ioshhdflwuegfh]

Well, there are also many other possible classical reasons for nondeterministic results of this bug, for instance due to some asynchronicity issues related to the inner design of the part of chip that deals with the non-canonical addresses, its connections to other parts of the chip, etc---the chip itself is sufficiently complex that it is hard to tell without looking into details of the design what's up. I'd just give a guess that this nondeterminism is veryvery unlikely to be due to the quantum effects.

Given that definition [of nanoparticle] every transistor's source, drain and gate are nanoparticles. And we expect them to behave classically why? Good question indeed. It is similar to asking, given that every atom is a quantum object, why should the wire made of these atoms behave according to laws of classical physics, like the Ohm's law etc? The physics answer is quite tricky, and it spins around the question how does the famous reductionism break down, or not, in going from classical to quantum world, and vice-versa.
In the case of the chip, large working temperature of such chips will very much help in suppressing the quantum effects. The length scale of the little wires inside of the chip is very important, so, simply stated, one must counter-balance the size of the wires with the working temperature, and, in the end, you get the chip to behave completely classically, designed using standard laws of digital/analog electronics. Going to much finer wires, like 10 fold thinner, would reintroduce quantum effect very big time, to the point of breaking the classical laws of conduction of these wires, transistors would have to be redesigned/refabricated using completely different technology (that, AFAIK, does not exist yet), etc...

Re:Quantum effects?

I have firsthand accounts of Texas instruments hiring quantum physicists on contract specifically to resolve engineering issues as the distances between pathways get smaller and smaller. I would wager Intel does the same. As a result, I sincerely doubt this issue is a quantum level issue.

Re:Quantum effects?

[interval1066]

Of course by classically he means canonically, not Newtonian. The problem here of course is quantum tunneling causing electron leakage at the gate, but these effects are kept to a minimum by a number of processes, even at 65nm I doubt Intel have reached the threshold of determinism just yet. I think the problems are more born out of the usual architect error: they are human.

Re:Quantum effects?

I don't know, but wikipedia defines a nanoparticle as one with at least one dimension less than 100nm.

Wikipedia also defines elephants as sandwiches.

Re:Quantum effects?

I have firsthand accounts of Texas instruments hiring quantum physicists on contract specifically to resolve engineering issues as the distances between pathways get smaller and smaller. I would wager Intel does the same. As a result, I sincerely doubt this issue is a quantum level issue.

You're saying they've probably hired people to solve a certain class of problems, therefore you sincerely doubt this problem is of that class? You must have an awful lot of faith in quantum physicists. They're smart people, but achieving a 100% success rate is something else.

Re:Quantum effects?

At the moment, all reported errata are hardware logic bugs (including bugs in the microcode), not circuit marginality problems. None of them are truly non-deterministic. There is always a specific sequence of events that can be used to expose the bug. In this case, that particular sequence is likely hard to describe without detailed knowledge of the chip's design.

Re:Quantum effects?

[nbritton]

"My favorite errata in the list is AI22, Sequential Code Fetch to Non-canonical Address May have Nondeterministic Results. Basically the chip decides that all of the high order bits should be '1', instead of '0' - for no apparent reason as its not consistent."

That's not a bug, it's a random number generator.

Re:Quantum effects?

[Elivs]

I don't know, but wikipedia defines a nanoparticle as one with at least one dimension less than 100nm.

Wikipedia also defines elephants as sandwiches.

I couldn't find that reference in wikipedia, but the first elepahant in England was brought ashore at Sandwich.

History of Sandwich

Re:Quantum effects?

[julesh]

Did anyone notice these chips are using the 65nm process?
At what point do the shear quantum affects overcome the deterministic EE rules that are used to design the chips? I don't know, but wikipedia defines a nanoparticle as one with at least one dimension less than 100nm. http://en.wikipedia.org/wiki/Nanoparticle
Given that definition every transistor's source, drain and gate are nanoparticles. And we expect them to behave classically why?

Because experimental evidence suggests that they do. I think current theory is that transistors will behave deterministically down to at least 20nm. I'm really not sure what the relevance of nanoparticles is; the cut off there is entirely arbitrary and probably corresponds to the point that people generally start measuring in nanometres rather than fractions of microns. There's no particular physical effect that suddenly starts occuring at 100nm.

Intel: The Microsoft of Hardware?

"We will correct all bugs with our Core 2 SP1 pack"

Rush to conquer?

[Applekid]

How does this errata compare to previous generations or even AMDs? I wonder if any increase could be from rushing Core 2 to market to kick AMD's flagship CPU off the top of the heap.

Re:Summary sucks, someone please provide better on

[0123456]

"This is going to be a big deal for shared hosting environments for example."

True, but that depends on how easily they could be exploited in the real world, rather than in the theoretical world. From what I remember, one was about incorrect behaviour when your code runs off the end of a 4GB boundary; certainly that might be exploitable, but not on any system which can't run >4GB of code.

I skimmed through the bugs which the author said really scared him and didn't see anything that looked easy to exploit from a user program. Yes, if you want total security on your system then they'd be scary, but if it's almost impossible to exploit then it really doesn't matter to anyone much outside the most secret parts of the government (and, even then, bribing people would probably be an easier way of stealing secrets).

"I wouldn't be surprised if businesses like that started switching to AMD hardware."

You're assuming that AMD chips are any better.

Insider view of the latest x86 bugs

I recently interned at the Haifa branch of the Intel's Israeli R&D center. It's the branch that originally developed the Nehemia core technology. I posted some of my experiences working there in my blog, and I reveal some (unclassified!) details of their development process.
Posted anonymously for obvious reasons..

Re:Insider view of the latest x86 bugs

Posted anonymously for obvious reasons..
...but linked to a blog?

Re:Insider view of the latest x86 bugs

[deniable]

Yeah, and you've made the text anonymous too. It's like it's in Hebrew or something.

(And now I know what right-to-left text looks like in Firefox. Cool.)

To add to the other comment, what name is on the whois for ouch.co.il? Rhetorical, I don't need to know.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Silent + urgent = deadly

[jihadist]

Of course it's exploitable. Otherwise, no "urgent" but "silent" patch. Then again, on a chip of this complexity, until they create an AI to hack-test it, there will be errata.

Re:Silent + urgent = deadly

Like Dijkstra said, testing can't prove absence of bugs -- only presence.

Re:Silent + urgent = deadly

[jihadist]

Djikstra, or Goedel?

"Gödel proved fundamental results about axiomatic systems showing in any axiomatic mathematical system there are propositions that cannot be proved or disproved within the axioms of the system."

http://www-history.mcs.st-and.ac.uk/Mathematicians /Godel.html

$ per exploit

[Gothmolly]

So someone like Andre Hedrick, or Linus, or Alan Cox, or Theo, could write an exploit for this that would root a box, but any script kiddie or Russian hacker could write a CSS or JPEG hack for IE that roots the box. Which is easier? Which is more likely?

The braking system in my car could catastrophically fail, or a soccer mom could mow me down with an SUV. I trust the brakes, I don't necessarily trust the soccer moms. It's all about risk. It might be technically interesting to read Theo's analysis, but the sky is not falling.

Re:$ per exploit

[FuzzyDaddy]

It depend on the specificity of your target. If you're collecting credit card information and stealing bank accounts, then you're right. But suppose you want military secrets, or access to some CEOs emails, or to take down amazon.com. There's always a target of high enough value to be worth the extra effort.

Re:$ per exploit

[butlerdi]

Especially when the hackers are state sponsored, abundent and determined for ideological or monetary reasons.

Re:Summary sucks, someone please provide better on

[ioshhdflwuegfh]

Uh, the slashdot summary is pretty lousy. After RTFA I am still a bit confused, can someone at slashdot please provide an "english" translation of the problems and how dangerous they are to normal users? The second link in the article, containing brief descriptions of bugs, might be useful, although perhaps still quite technical. One bug that is perhaps easy to communicate to the "normal user" is AE30, where the bug might cause some software running on Core Duo during the dehibernation to reload data from the wrong memory location. It's labeled as "potentially catastrophic", and I imagine that after the wrong reload, more or less anything can happen: some program crashing, OS crashing, to, who knows, maybe even some exploits can be programmed to use this bug...

Am I the only one...

[Xest]

...wondering WTF an invalid temperature is?

Surely a temperature is always going to be valid unless these processors only support an extremely small set of possible temperature values?

Anyone have more insight into what an invalid temperature might be and how it might be caused?

Re:Am I the only one...

[idontgno]

...wondering WTF an invalid temperature is?

Something like -423.745i

Measured in grams.

Re:Am I the only one...

[Tony+Hoyle]

I guess you could try to cool it to -274... that'd be an invalid temperature.

Re:Am I the only one...

[corsec67]

"Captain! These reading are off the scale."

Re:Am I the only one...

[novus+ordo]

Say your processor overheats and kills the temperature diode(or it just dies due to faulty hardware)...oops now the processor can't know that it's getting too hot and throttle(slow down) itself. Not to say that would be very very bad...especially if you overclock your processor(upping voltage anyone?) which I see many people with C2D are doing. Also if you want to have an automatic fan that speeds up as your processor heats up and your diode is borked, good luck. I was reading about this on Tom's Hardware forums a while ago. I wouldn't call this a 'show stopper' but I certainly would try not to take the heatsink or fan off...

Re:Am I the only one...

[HaloZero]

How about a temperature register suddenly containing a non-numeric value? Not even non-numeric, but a NaN value or a NaHexN value...

VHDL for voting machines

[martyros]

So perhaps the NY law requiring software for voting machines to be held in escrow should include the chip layout as well...

Re:VHDL for voting machines

[Joe+U]

Not really. No matter what the flaws in the chip are, if you control all the code running you can prevent any potential damage.

A voting machine should be a secure black box, no other software will ever be run on it.

Re:VHDL for voting machines

Why? Voting machines shouldn't be running untrusted code at all and I very much doubt code to attack specific CPUs could be disguised well enough to evade detection by anybody reviewing the code that's in escrow.

Linus doesn't think it's a big deal.

[davebert]

Link

Re:Linus doesn't think it's a big deal.

Since Theo knows just a tad more about operating systems and CPU design than Linus does, I think I'll go by his analysis.

Re:Linus doesn't think it's a big deal.

[Durzel]

Theo also seems quite sensationalist from a first glance (this is the first of his articles I've read). Emotive statements like "These processors are buggy as hell", conjecture like "We bet there are many more errata not yet announced" doesn't really lend credence to his arguments.

He may be entirely right, and his experience in CPUs, BIOS vendors and Intel, AMD, etc may mean what he is saying is accurate - but the tone doesn't really sound very professional.

Re:Linus doesn't think it's a big deal.

Well, considering Linus was writing an OS kernel before Theo, and up to a few years ago was earning his living /designing/ CPUs, I think I'll go by his analysis, thank you.

Re:Linus doesn't think it's a big deal.

[bark]

I think they are coming from different angles.

If you read the post, Linus's opinion is that all cpus have errata, and from the point of view of Linux, these errata don't impact linux that much because they've already designed their internal systems to deal with contingencies like these, because Linus believes erratas are just going to go up as we make more cpu's.

Theo, on the other hand, is coming at it from a "black-hat" point of view. Given the processor, he's thinking how people can compromise the cpu on a hardware level.

They have differing POV's, and it's not really "who's right", but "who's priorities do you align yourself with."

In normal use, as the core 2 has already been proved in general use for about a year already, these errata are easy to shrug off. If it crashes, just reboot it. If it corrupts your data, just get it from backup.

However, if you're using it in a military / hard crypto setting, there might be concerns.

Re:Linus doesn't think it's a big deal.

Theo is an anal beancounter, Linus is a sloppy PHB. I know who I trust more.

Re:Summary sucks, someone please provide better on

[swillden]

Some of the bugs are so dangerous that it doesn't matter WHAT operating system you're running, code could be written that could attack the entire system. It would still be OS-specific code, but since the exploit is in the hardware, it's a LOT harder to prevent the attack, if it's even possible.

Here's a little more detail, based on my (very incomplete) understanding of the issues:

It appears that Intel has made changes to the way the memory management unit in the processor works, plus there are also some bugs that affect memory management. So what does that mean?

• Theo mentions changes in how TLB flushes must be handled. Translation Lookaside Buffers (TLBs) are tables where operating systems cache information used to quickly determine what physical memory page corresponds to a given virtual memory page. Each running process has it's own address space (meaning the data at address, say, 1000, is different for each process) and operating systems have to be able to quickly translate these virtual addresses to addresses within the physically-available RAM. The authoritative data on the mapping is in a set of data structures called the "page table", but the processors provide a mechanism for creating and managing TLBs which act as a high-performance cache of part of the page table data. Failing to properly flush the TLBs during a context switch (putting one process to sleep and activating another) might result in the new process' virtual memory mapping being done incorrectly. From a security perspective, this could give one process access to memory owned by another.
• Another issue mentioned is the possibility that No-Execute bits may be ignored. The OS can set the No-Execute (NX) bit on a page of memory that it knows to be pure data that should not be executed. The processor will refuse to execute code from any memory page with NX set. This makes most buffer overflow attacks impossible, because the normal buffer overflow attack involves getting a bit of malicious code shoved into a stack-based buffer as well as overflowing the buffer to overwrite a return address so that the CPU will jump to and execute the malicious code. Obviously, if the processor sometimes ignores NX bits, the buffer overflow attacks become possible again.
• Theo also mentions possibly-ignored Write-Protect (WP) bits. The OS can mark memory pages as read-only. This is used for all sorts of things related to security. One of the biggest is preventing processes from writing to the memory in which shared libraries are loaded. If my process could overwrite, say, the C library code implementing "printf", other processes that call this function would execute my code. Some of them will be running as root, so I can execute code with root permissions. Modern operating systems do lots of data-sharing between processes, some of it completely non-writable, other parts of it "copy on write". Copy-on-write pages are implemented by setting the WP bit and then catching the page fault generated by the CPU when a process tries to write the page. The fault handler quickly copies the page in question, allows the write to hit the copy, and reswizzles the page table so the virtual page of the writing process points to the new copy. WP bits being ignored would also break this, so lots of cases where data is "opportunistically" shared would become really and truly shared, allowing one process to corrupt data used by another.

There are other issues as well... but these are a good sample, and should give an idea of what kind of bad stuff these CPU bugs/changes can make possible.

Better armor leads to improved weapons

[duffbeer703]

Plate armor was great until someone came up with the longbow. Large bastions/fortresses ruled warfare until mobile artillery became more practical.

There's a sense that operating systems are getting better with security, so it's no suprise that people are starting to look at hardware.

If these flaws are srious enough

Who knows, Intel may be forced to do a recall/replace thing.

Product recall

[digitalderbs]

Could this be a case for a product recall? A compromised OS could be considered a safety risk, and they're shipping a defective product. Some of these issues seem quite serious, requiring special treatment for bugged CPUs in the code.

Re:Product recall

[kg261]

I am starting to wonder about this as well: Last week the fan on my Toshiba P100 (T5500 Core 2 Duo)notebook starting running continously just after I connected to the internet. Since I bought the machine, the CPU fan was audible only occasionally. Of course I checked the Toshiba website, and a new BIOS was made available just the previous day. I loaded it and the fan problem was fixed for a couple of days, appeared again for a few days, then went away. The notebook connects to the internet only every few days. Possibly there is a poor connection somewhere, but it quite coincidental that all this happens just before the news of the Microsoft patch on June 22.

Re:Product recall

[IntelNick]

I am from Intel, and I thought I would give you our perspective. Months ago, we addressed a processor issue by providing a BIOS update for our customers that in no way affects system performance. We publicly documented this as an erratum in April. All processors from all companies have errata, and Intel has a well-known errata communication process to inform our customers and the public. Keep in mind the probability of encountering this issue is low. Specification Updates for the affected processors are available at http://developer.intel.com./ We feel we've resolved the issue and were open about it with customers and then publicly publishing it, but this is a good venue for ideas on how we could do better or more. I am interested in any constructive comments...

Re:Product recall

[digitalderbs]

in no way affects system performance
The concern is not system performance. It's system reliability.

Keep in mind the probability of encountering this issue is low
The probability may be low if it is expected that no one will exploit these issues, which according to Theo de Raadt, may not be the case. Is this fix available to all platforms?

Re:Product recall

[IntelNick]

Yes, on all platforms. All errata are thoroughly investigated for issues and vulnerabilities, should they have any we fix them, usually through a microcode update or other patch. If we cannot do so quickly then we have the option of swapping out the product (we did this with a Xeon chip in 2004). Security and reliability are of upmost importance.

Re:Product recall

[kg261]

Looking at the errata (314079-12), the thermal interrupt is an old issue and not likely the cause of recent events. But the sequence of events looked like some kind of "AMT" behaviour: June 19 BIOS update released; cooling fan speed increased for no reason for a few days; Microsoft 'reliability patch' June22. Most likely it is coincidence.

Re:Summary sucks, someone please provide better on

[Corporate+Troll]

Yes, if you want total security on your system then they'd be scary

We're talking about Theo here.... Total security is what the OpenBSD project aims for.

Re:Summary sucks, someone please provide better on

"I wouldn't be surprised if businesses like that started switching to AMD hardware."

You're assuming that AMD chips are any better. Without any security notices to suggest otherwise, that's a pretty reasonable assumption to make isn't it?

Re:Summary sucks, someone please provide better on

You're assuming that AMD chips are any better.

Nope, he's just assuming that a manager will hear about this and assume AMD chips are any better. There's nothing about whether the manager is right.

Re:Summary sucks, someone please provide better on

[0123456]

"Without any security notices to suggest otherwise, that's a pretty reasonable assumption to make isn't it?"

Why? Do AMD even release full errata lists for their chips?

Every chip of this complexity has bugs and probably lots of them. If Theo had said that he's checked the AMD list and it didn't have any exploitable bugs then that would be a reason to consider them, but without even knowing what bugs they might have, why would you assume they're any safer?

Maybe Intel should stop releasing these lists and then no-one would even know about them.

Errata in the errata?

[A+nonymous+Coward]

Theo posts a link to a GIF of the errata, wherein AE4 and AE11 appear to describe the same bug (REP MOVS across a memory type boundary) but one says SHOW STOPPER while the other says possible effect on performance, no data loss or corruption.

'twould be nice if the errata were more consistent. I'll have to check thePDF.

Old jokes from the Pentium days...

The first Pentium had a floating point bug. Maybe they're working too closely with Microsoft? (I kid! I kid! Put down that flamethrower!) Any way, here are a few Pentium jokes I dug up. If only the Core 2 bugs were all floating point erroirs we could recycle all of these old jokes to Core 2 jokes!

Q: How many Pentium designers does it take to screw in a light bulb?
A: 1.99904274017, but that's close enough for non-technical people.

Q: What do you get when you cross a Pentium PC with a research grant?
A: A mad scientist.

Q: What's another name for the "Intel Inside" sticker they put on Pentiums?
A: The warning label.

Q: What do you call a series of FDIV instructions on a Pentium?
A1: Successive approximations.
A2: A random number generator.

Q: Complete the following word analogy: Add is to Subtract as Multiply is to:
                1) Divide
                2) ROUND
                3) RANDOM
                4) On a Pentium, all of the above
A: Number 4.

Q: What algorithm did Intel use in the Pentium's floating point divider?
A: "Life is like a box of chocolates." (Source: F. Gump of Intel)

Q: Why didn't Intel call the Pentium the 586?
A: Because they added 486 and 100 on the first Pentium and got 585.999983605.

Q: According to Intel, the Pentium conforms to the IEEE standards 754
        and 854 for floating point arithmetic. If you fly in aircraft
        designed using a Pentium, what is the correct pronunciation of "IEEE"?
A: Aaaaaaaiiiiiiiiieeeeeeeeeeeee!

Q: Did you hear about the new "morning after" pill being developed as a replacement for RU-486???
A: Its called RU-Pentium. It causes the embryo to not divide correctly.

TOP TEN NEW INTEL SLOGANS FOR THE PENTIUM:
    9.9999973251 It's a FLAW, Dammit, not a Bug
    8.9999163362 It's Close Enough, We Say So
    7.9999414610 Nearly 300 Correct Opcodes
    6.9999831538 You Don't Need to Know What's Inside
    5.9999835137 Redefining the PC -- and Mathematics As Well
    4.9999999021 We Fixed It, Really
    3.9998245917 Division Considered Harmful
    2.9991523619 Why Do You Think They Call It *Floating* Point?
    1.9999103517 We're Looking for a Few Good Flaws
    0.9999999998 The Errata Inside

THE TOP TEN REASONS TO BUY A PENTIUM MACHINE:
10. Your current computer is too accurate
9. You want to get into the guinness book as "owner of most expensive paperweight"
8. Math errors add zest to life
7. You need an alibi for the I.R.S.
6. You want to see what all the fuss is about
5. You've always wondered what it would be like to be a plaintiff
4. The "intel inside" logo matches your decor perfectly
3. You no longer have to worry about cpu overheating
2. You got a great deal from JPL
1. It'll probably work

Thank you, thank you, I'll be here all week. Remember to tip the bartender. Lets see, 20% of... divide by...

Re:Old jokes from the Pentium days...

Another one I remember is that PENTIUM is actually an acronym - for "Producing Erroneous Numbers Through Incorrect Understanding of Mathematics"

Re:Summary sucks, someone please provide better on

[TheRaven64]

I don't know why Theo posted that link, because it is about the Core, not the Core 2. They are two completely different micro-architectures. The Core was a slightly tweaked Pentium M (which is basically a P6 with extra vector instructions and the NetBurst branch predictor), while the Core 2 is a completely new micro-architecture. If you compare the errata in the two links, you will see that they are quite different.

Re:Summary sucks, someone please provide better on

[dingen]

I've been using the SummaryService from OS X recently to create my own summaries and see if I like it enough to go through the entire article. Here's what is says if I put the slider down to about 25%:

These processors are buggy as hell, and some of these bugs don't just cause development/debugging problems, but will *ASSUREDLY* be exploitable from userland code.

...Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare the hell out of us. Some of these are things that cannot be fixed in running code, and some are things that every operating system will do until about mid-2008, because that is how the MMU has always been managed on all generations of Intel/AMD/whoeverelse hardware.

...(While here, I would like to say that AMD is becoming less helpful day by day towards open source operating systems too, perhaps because their serious errata lists are growing rapidly too). Pretty good, I think!

You know those shirts from thinkgeek.com that threaten to replace you with a small shell script? Turns out there might be something to it for Slashdot editors.

Scariest post of the thread

Scariest post on that thread:

http://marc.info/?l=openbsd-misc&m=118302016430106 &w=2

AMT is a technology intended to facilitate survailance, maintenance
and control computers remotely.

* Monitor and control (filter) the network traffic - before/under the
running operatingsystem

* sending out patches to computers - even if they are turned off.

* Control, upgrade, change, add and remove software

Re:Scariest post of the thread

[joe+155]

whilst that does sound scary (as does "trusted computing" for that matter). I think that its important to remember that things like this aren't inherently bad. Imagine if this system exists but you are the only one who can control it (and it's been implemented properly and the spec is open and secure). It would make admin-ing systems easier. It would make attacks harder (it does mention being able to quickly isolate infected computers).

As always it comes down to where the power is, if it is with the users then there really isn't a problem with this. I understand the fear that that power will be taken away from the users, but as a community we've proven ourselves pretty resourceful.

As a side not, couldn't the community set up an open hardware manufacturer producing chips? we could finance it through a shared ownership system... Or Mark Shuttleworth could buy it

Re:Scariest post of the thread

[Control+Group]

Yeah, it's terrifying. Just like iLO boards and RDP, which is why no one uses them.

Oh, wait.

Re:Scariest post of the thread

>As a side not, couldn't the community set up an open hardware manufacturer producing chips? we could finance it through a shared ownership system... Or Mark Shuttleworth could buy it

Not even Shuttleworth could afford to build and keep running something like that that would be competitive, even if it were a fabless design shop( a la Transmeta). That is big $$$.

Re:Summary sucks, someone please provide better on

[venekamp]

Some of the bugs are unfixable, as well. (I assume they mean without physcially replacing the chip with a 'fixed' one that doesn't exist yet.) Unfixable here means that even an update to the microcode is not enough. That's why your BIOS needs to be updated so that the new microcode can be uploaded into your CPU and hence correct the errornous behaviour.

wrong

[nanosquid]

IA64 was not a RISC version of x86-like chips, it was a completely new architecture coming out of VLIW work at HP. IA64 architectures had failed once before, and it was a stupid idea for Intel to push them so heavily (personally, I think they will never work because they push too much complexity into software). Switching to IA64 meant that many compilers couldn't be made to work at all, and many other compilers would generate inefficient output.

Intel should be developing a conservative RISC processor, an instruction set similar to PPC but a bit more friendly to transitioning from x86. The adaptation of existing compiler back-ends would be fairly simple. Furthermore, the chip should have backwards compatibility, either through JIT-support or through a small (not necessarily hugely efficient) instruction set translator in the chip.

Itanium is a lesson in how not to handle technological transitions. Itanium was picked by geeks who had no idea of what the market wanted or needed, and Intel marketing and management blindly believed what they were hearing from the geeks. (Another company that works like that is Microsoft, which is why they keep churning out such bad software.)

Re:wrong

[Viv]

The fact that IA-64 wasn't RISC is irrelevant to the point. Bonus points for being a pedant who misses the forest for the tress, though!

The fact is, Intel attempted to (as the grandparent wrote) "toss out that x86 layer and deal just with the high-performance, straightforward [CISC/RISC/VLIW/EPIC/GOATSE] core." They got fuckstomped by the market, because it wasn't what the market wanted.

Re:wrong

[norkakn]

Dude, when Itanium came out, it was the fastest FP core on the planet. It came out how many years late?

Had it come out on time, it would have changed processor design. There was a large debate about whether to go superscaler or the itanium route. Superscaler one this time, but it is hard in a different way, and we've already reached some of its limits (hence the move to multiple cores), and it is a lot harder to write software to use superscaler and multicore designs than an itanium approach. Itanium required really good compilers, which it would have had, had it come out on time.

You are calling Intel stupid, but saying that they should try to move in on IBM's turf? I just hope that they'd be smart enough to implement an atomic check and set instruction so that one could do a spin-lock without disabling interupts. Anyways, RISC is quite a bit less efficient than CISC with memory bandwidth, and Intel doesn't have the greatest history with making memory fast and wide. CISC does have some definite advantages outside of the core, which is why it has worked so well. x86 is just a particuarly weird implementation.

You have some very valid points, but I think you are selling Intel and the Itanium short. Itanium isn't really VLIW either, it's weirder than that, though VLIW is the easiest way to describe it. It was designed to solve a lot of the problems with VLIW. My opinion is that they should have first shipped it without any of the x86 stuff as a pure supercomputing processor, and write a solid C and fortan compilers for it. After that, they could add x86 emulation to break into the server market. I can understand why they wanted to go all in though.

While it may have failed, their first superscaler chip failed horribly as well. They'll be pillaging the Itanium IP for decades to come.

Re:wrong

[TheThiefMaster]

Furthermore, the chip should have backwards compatibility, either through JIT-support or through a small (not necessarily hugely efficient) instruction set translator in the chip. You mean like how cpus already transform x86 into cpu-specific microcode? In theory it's possible to have a system with more than one instruction set to microcode converter, but there are more serious problems, like TLB, memory page size, number of registers etc. Essentially to be compatible the new instruction set would have to be x86 with different codes for each instruction, and maybe some extra "new" instructions. Sounds like SSE, x86-64...

And the fact that you are suggesting a PPC-like instruction set is funny, considering Apple switched _away_ from PPC to x86 recently, and you want to go the other way.

Sometimes I think people on slashdot don't know what they're talking about.

Re:wrong

[imgod2u]

The point of a JIT translation is that it is essentially software and can be patched without recalling the chips. The primary use (or intended primary use) of the chip, where speed would count, would be in the new instruction set and that instruction set would be implemented (read: decoded, executed) in silicon whereas x86 would be handled in software/firmware, where its complexity would not cause flaws in the chip that had to be worked around.

Re:wrong

[ioshhdflwuegfh]

Dude, when Itanium came out, it was the fastest FP core on the planet. It came out how many years late? Correct me if I'm wrong, but as far as I remember alphas were still kicking ass when Itanium came out, and there was a massive outcry of people swearing on everything that is dear to them that alphas have better architecture than Itanium. Anyhow, I won't disagree that there is something very interesting about the concept of Itanium...

Anyways, RISC is quite a bit less efficient than CISC with memory bandwidth How come?

My opinion is that they should have first shipped it without any of the x86 stuff as a pure supercomputing processor, and write a solid C and fortan compilers for it. well said, can't agree more.

Re:wrong

Horseshit.

Please tell me, kind sir, exactly what happens when you hit that magical one electron per gate limit?

That's right - you need to shrink the path through the processor. Moving all the logic out of the processor core and into the compiler such that the processor becomes nothing more than an instruction execution gate makes the most logical sense.

Half the clock speed to perform the same workload as a x86_64 chip.

Re:wrong

[TheThiefMaster]

A microcode interpreter can be patched too, Intel have been doing it since the Pentium Pro.

JIT is obviously not that slow.

Re:wrong

[norkakn]

Dude, when Itanium came out, it was the fastest FP core on the planet. It came out how many years late? Correct me if I'm wrong, but as far as I remember alphas were still kicking ass when Itanium
came out, and there was a massive outcry of people swearing on everything that is dear to them that alphas have better architecture than Itanium. Anyhow, I won't disagree that there is something very interesting about the concept of Itanium... Hmm, the guy who taught me about the Itanium told it to me. I can't find a source right now; you may be right. Alpha has a beautiful structure. Doing spin-locks is a bitch though.

Anyways, RISC is quite a bit less efficient than CISC with memory bandwidth How come? With RISC, every instruction is the same length, so on the PPC, 32 bits. On CISC, it's anywhere from 8 to 108 (for x86, there may be some that are larger, but you get the idea).

The first thing you can do is play games where common instructions have shorter opcodes, and the second easy one is to not include unneeded register spots. (Adds need 3 registers, loads only need two). Not exactly a CISC thing by definition, but CISC is more likely to do stuff like having a load register and a load address register, so you can put say load as an 8 bit opcode instead of load r1 r2 to load the memory at location r1 into register r2. The net result is that you can more densly pack instructions, which saves disk space (worthless), some disk access (can be worthwhile) and memory bandwidth (very worthwhile). It's also a lot easier to expand the instruction set, so you can do crazy things like saying that this 5 bit opcode is followed by another to open up 32 new instructions that do this set of common OS tasks that take 5 registers and decode to 100 instructions each. The processing time might be the same as on a PPC, but you'd need to fetch fewer instructions from memory.

The downside is that you need to decode instructions everytime you see them, because they are stored as CISC in the caches. This makes your pipeline longer and makes missed branches, interrupts and the like much more expensive. Netburst saves the decoded instructions so that you can save that time (but you lose a bit in on chip memory). This is a pain to get working correctly though, hence some of the growing pains of the P4. It was a good idea, just really really hard.

Even RISC decodes instructions, it's just a lot easier to do, so I doubt that caching them will be worthwhile. Most can be done in one cycle, except for some weird ones. There is a PPC instruction that loads (this is from memory, details are fuzzy) 8 registers at once from memory. There used to be a sweet trick that made this an efficient operation. That was 15 years ago, these days the core just changes it to 8 single loads.

I love processor design. I wish I'd been a better student, but I don't really want to do boring stuff at Intel for 25 years so that they'd let me be on the team that designed some insignificant chipset.

Are you convinced? I can find some better examples if you'd like.

Re:wrong

[Sparohok]

Itanium is a lesson in how not to handle technological transitions. Itanium was picked by geeks who had no idea of what the market wanted or needed, and Intel marketing and management blindly believed what they were hearing from the geeks.

Actually, Itanium was a wildly successful product. Mere rumors of Itanium's capabilities were sufficient to kill DEC Alpha, drive SGI/MIPS out of the high end processor market and disrupt SPARC and PA-RISC development programs. Intel virtually eliminated the threat of competitive RISC architectures for years with the announcement of Itanium.

(Another company that works like that is Microsoft, which is why they keep churning out such bad software.)

To much the same effect.

Re:wrong

[pavon]

I disagree. They did more than throw out the x86 layer with Itanium. They also threw out most all of the out-of-order code execution and branch prediction that made modern Intel chips efficient. The problem with Itanium was that it was harder to write compilers for program for and wasn't any faster either. Why would you chose to do more work for no gain? There is no reason why Intel couldn't develop a cleaner ISA than x86 that performed better than x86 chips. That said I don't know that it would buy them much - the more complex that chips become the less significant the x86 layer is in the big picture.

Re:wrong

[ioshhdflwuegfh]

Thanks, that was very helpful!

Re:wrong

[imgod2u]

Which is why I said firmware.

Re:wrong

[Phantom+Gremlin]

Damn. I wish I had mod points. Yours is the most insightful post I've read in quite some time.

Re:wrong

[nanosquid]

The fact that IA-64 wasn't RISC is irrelevant to the point.

Well, actually, the IA-64 is a RISC architecture, in particular, it's a VLIW RISC.

They got fuckstomped by the market, because it wasn't what the market wanted.

Yes, and, more precisely, what the market didn't want was the VLIW aspect of IA-64, because that required everybody to rewrite their compilers. If IA-64 had just been a RISC, it would probably have taken over by now.

Re:wrong

[nanosquid]

My opinion is that they should have first shipped it without any of the x86 stuff as a pure supercomputing processor, and write a solid C and fortan compilers for it.

That doesn't work. The market for a machine that requires Intel C and Intel Fortran to run fast is tiny because people use many different compilers and languages in the real world. The consequence of that is that the volume remains low and the prices remain high. High prices mean that the thing doesn't give the best overall bang for the buck. So, the only people buying are people that need really high single CPU performance. But the people who need really high single CPU performance are usually the people whose code doesn't parallelize well anyway.

While it may have failed, their first superscaler chip failed horribly as well. They'll be pillaging the Itanium IP for decades to come.

I don't think so. I think the future is going to be a combination of multicore and vectorized/SIMD architectures. EPIC/VLIW and superscalar approaches are going to disappear: EPIC/VLIW imposes too much of a burden on software and can't take sufficient advantage of dynamic parallelism, and multicore is ultimately more flexible and easier to compile for than superscalar architectures.

Re:wrong

[Billly+Gates]

I have never seen an Itanium to date and they are non existent as far as I am concerned.

SGI killed itself by lining themselves with MS and WinNT before the CEO left for Microsoft as a reward. Hmmm

Alpha was killed because Carly Fiona invested a billion into Itanium and dammit she was going to get a return! So buy digital and then kill it. Where is she now?

WIndows Server and Linux killed sun as CEOs and CFOs began crapping their pants during the y2k bug and the .com rise after seeing how much money they were spending in IT. The most expensive systems aka suns/mainframes were the first to go to cut costs. Also linux can do what a sun does for 1/10th the cost?

So Intel gives up on Itanium as it is and goes with x86-64 and we are stuck with 30 year old technology. Sigh

I hope that new VLIW chip Intel has with 80 cores and 1 trillion operations per second becomes popular. Intel might be on to something there.

Re:wrong

[Sparohok]

Think what you want, but I described the way things actually happened, while you're describing a gloss of revisionist history. Itanium was intended to kill off all other high end RISC development programs, and it very nearly succeeded despite being an "unsuccessful" and desperately late product.

SGI/MIPS canceled two high end CPUs, Beast and Capitan, specifically because of the threat of Itanium. I was there, I saw it happen.

http://news.com.com/Silicon+Graphics+scraps+MIPS+p lans/2100-1001_3-210024.html

Compaq killed Alpha before the HP merger, before Carly, with the intention of moving their high end business to IA-64:

http://en.wikipedia.org/wiki/DEC_Alpha

Obviously, Itanium redirected HP's focus away from PA-RISC since it was a HP/Intel project.

Itanium failed to completely derail SPARC, but it caused a great deal of controversy inside SUN about the future of the SPARC architecture and disrupted SPARC development for a year or two.

http://news.com.com/2100-1001_3-237583.html

IBM's Power architecture was perhaps the least affected by Itanium. IBM was pretty skeptical about Itanium and kept the Power program very much alive. As a result, they are the only RISC family which still has a significant presence on the Top500 supercomputing list.

http://www.top500.org/stats/list/29/procfam
http://www.top500.org/stats/list/13/procfam

I have no idea whether all these other CPU families would have been successful in the marketplace without Itanium. However, the fact is they were killed due to one of the most influential vaporware announcements in the history of the computer industry.

Re:wrong

[norkakn]

That doesn't work. The market for a machine that requires Intel C and Intel Fortran to run fast is tiny because people use many different compilers and languages in the real world. Not if you're writing software for a supercomputer.

multicore is ultimately more flexible and easier to compile for than superscalar architectures. Do you have a source for this? I look at SMP as being quite a bit harder. Unless you think we should all learn erlang, threads are hard. You don't have to do anything different for superscalar. (At least people didn't)

Putting the work into software is a very good thing. We can change software and recompile, it's harder to change microcode and it is impossible to change silicon.

The biggest problem with EPIC is the hardware upgrade path.

Re:wrong

[nanosquid]

Not if you're writing software for a supercomputer.

Your implication that supercomputer users are willing to do anything for performance is wrong. There is a small market segment that has stable needs, has a huge budget, and is happy with porting and tuning their handful of applications to some specific box. NASA and some of the national labs may fall into that category.

Most of the supercomputer market, however, is shared computing facilities, and they are not going to get away with telling their dozens of users that they just blew the supercomputing budget for the next few years on a computer that requires their users to port millions of LOC to a new compiler.

Do you have a source for this? I look at SMP as being quite a bit harder. Unless you think we should all learn erlang, threads are hard.

Threads for fast numerical computations are easily encapsulated into libraries; you automatically get speedups for vector code, SIMD code, and parallel problem instances. That covers image and video processing, databases, content based retrieval, and most large scale simulations.

You don't have to do anything different for superscalar. (At least people didn't)

In high performance computing, you have to do a lot for getting efficiency out of superscalar chips. Worse, what you need to do is often dependent on which chip it is.

Putting the work into software is a very good thing. We can change software and recompile, it's harder to change microcode and it is impossible to change silicon. The biggest problem with EPIC is the hardware upgrade path.

If that's what they were doing, it might have been OK. But EPIC replaces dynamic instruction scheduling done in hardware with static instruction scheduling done in software.

Re:Summary sucks, someone please provide better on

[mwvdlee]

What worries me most is; with software, you can supply a fixed version to customers for the cost of a CD and a postage stamp (or less), with hardware it's slighly more expensive and thus slightly less likely to ever happen.

New tricks

[Nick_taken]

The interesting thing about this is that software protection vendors and crackers now have more tricks, especially concerning permissions, the bad news is that debugging is also messed up.

Re:Summary sucks, someone please provide better on

[tomstdenis]

Shared hosts should run VMs anyways. The trick then is when the instructions are executed natively. If you can root the VM program that'd be cool.

Tom

The bugs aren't really the scary part,

[yAm]

the AMT (Advanced Management Technology) is the truly frightening bit. Big Brother visits your computer:

A Swedish ASIC designer explains:
http://strombergson.com/kryptoblog/?p=311

(A rough) translation:
http://marc.info/?l=openbsd-misc&m=118302016430106 &w=2

Re:The bugs aren't really the scary part,

Oh, FFS, there's more to life than the beige box in your room in your parent's basement. Assuming it's properly designed, that technology will a godsend to server farm administrators and corporate IT deployments.

is this common?

[jfleming1024]

Do most processors have long lists of problems released some time after the processor's debut? The specification update from Intel lists 105 specific problems.

Re:is this common?

Of course it is. Even the 6502 has bugs and even undocumented instructions.

AMD K8? Hundreds of documented bugs, including coherency problems talking between the cores on a dual-core chip. heh! Many very serious K8 bugs were in rev A0 and rev B0 and revC0. rev CG was kinda stable, save for alot of memory controller sensitivity. (This, BTW, is the REAL reason you needed registered DIMMs on socket 940 systems. Any early K8 with lots of populated DIMM slots needs registered memory because the memory controller just can't drive so much load. I keep saying the socket 939/"unbuffered memory" relationship is coincidental and conspiratorial because the memory controller was fixed in all later K8 revs, not just socket 939 chips.)

MIPS R4300? Tons of performance-limiting bugs, too. There were bugs regarding instruction ordering and branch slots. You can't just compile R4000 code and expect it to work bug-free on this CPU. NOPs are your friend.

Every chip has bugs. They can come from poor design verification up-front, unforeseen corner cases, analog sensitivity, and physical things like IR drop and crosstalk. Many aren't discovered until too late in the game, and then the decision needs to be made to either ship the product anyway (with workarounds either in BIOS or driver, preferably BIOS if you want stable support across OSes. ;-) or fix it. Sometimes both depending on how many chips you have in production at the time.

Single-user

[Lonewolf666]

Single-user systems would not be affected.
Except in the case that you don't trust some software and run it with a non-administrator account to be safe against hijacking of your system.

These CPU bugs may allow malware to get around limitations of the user account it is running on. Thus making an otherwise very sensible precaution useless. The same goes for things like Vista's UAC, if the malware can hack into the OS itself thanks to a CPU bug.

A100 and A110 Intel CPU's affected?

[Brit_in_the_USA]

PI just bought a PC with an Intel CPU, in fact, this is the first PC I've owned with an intel CPU in 8 years Been building my own AMD computers since that time. But it's hard to build a UPPC so I got the new Samsung Q1U.

I was under the impression that the A110 series processor in it was a Core2 derivative, but the Intel site states it is a Pentium M derivative.

http://www.intel.com/design/mobile/datashts/316908 .htm

My gut feeling is that it has inherited deigns from both (since Core 2 is a Pentium M derivative).

So does it have a serious bug too? (that we haven't been told about yet)

Re:A100 and A110 Intel CPU's affected?

[orionpi]

The A100 and A110 are 90nm, they look to be a Dothan derived CPU rather than a Core2. The Core2 is a new micro architecture designed similarly to the previous P6 architecture which the Dothan is a uses. I would suspect you have a different list of bugs to work off of, given the Dothan was the last P6 CPU rather than the first like the Core2 the list is probably shorter.

AMD security through Obscurity?

[Brit_in_the_USA]

Taking the argument from the Windows vs. OSX debates, does this mean that if Intel have more desktops in our homes the hackers would target Intel's CPU bugs before AMD's ?

Still happy with my Dual Opteron

[tjstork]

And I look forward to upgrading my 248s to 275s on my birthday.

Re:Yay Sun

[CompMD]

My UltraSPARC boxes just seemed to be running better after hearing this news. :)

Effects on grsecurity, PaX, SELinux?

[cdf123]

Just out of curiosity, how would one exploit these bugs from user space? Are we talking an attacker can compromise a remote machine? e.g. an apache/php or ssh connection through a buffer overflow? Or does an attacker need local executable access, and if so, can any executable be potentially used to compromise the system, or would they need a specially crafted binary?

And how would this effect a system running advanced security, like grsecurity, PaX or SELinux? Theo mentioned that a potential buffer overflow could bypass a no-exec, or write protected memory space, but would address space layout randomization help to control that?

Re:Effects on grsecurity, PaX, SELinux?

The easiest exploit to target is the unchecked write protect flag. Simple exploit would look something like this...

1, Find the address of a commonly used stdlib routine (printf, strcpy, strcmp, ...).
2, overwrite the beginning of the function with a jump to my replacement function.
3, Now wait till a process with root priviledges makes that function call.
4, Use my temporary root priviledge to escalate my host process to root.
5, profit!

Address space randomisation is still going to help prevent buffer overflows from doing anything interesting. Intels flaws don't negate that level of security, its just that we can no longer trust the hardware flags to work as advertised. Whats changed, and this effects every OS on Intel is we can no longer trust the segregation between different processes in userspace from affecting each other by corrupting the shared librarys (or shared data).

Re:Summary sucks, someone please provide better on

[Nullav]

Some of the bugs are unfixable, as well. (I assume they mean without physcially replacing the chip with a 'fixed' one that doesn't exist yet.)

I wonder if they'll respond the same way as they did to with the FDIV bug (i.e. replace the chips upon request).
Granted, that screwed up a lot more without active exploitation.

Errata....

[TapeCutter]

Speaking of mistakes that reach production....I should have hit "preview".

Ok, so we have more holes...

[Rooked_One]

We've had holes in our OS's since... umm... always - I think when we used paper we didn't have holes... except for when we were using the paper made for 3 ring binders.
 
So what are we left with - just another hole (heh, thats a name of a piercing shop where I live) that exploiters will try to exploit. And then what? The AV companies will do their best (like they always have or haven't) done.
OS's have holes, software has holes, so in this case, do what is smart. Throw up a firewall running a 5 meg version of linux on a 386 box :)

Re:Hogwash!

[Lockejaw]

Looking over the errata sheet, it seems the behavior when these bugs are tripped is not actually fully known. In most cases it's just "unpredictable behavior." De Raadt and the OpenBSD people generally treat "unpredictable behavior" as a possible security hole without first producing a proof-of-concept exploit (regardless of whether it turns out to actually be exploitable).

Re:Summary sucks, someone please provide better on

[novus+ordo]

Yes AMD does release errata(pdf warning).

Maybe Intel should stop releasing these lists and then no-one would even know about them. I guess they could stop releasing these lists but I would think that they would be liable. And as for no-one finding out...how do you think they find out about these bugs anyway? I would think that they would remove them prior to production if they could simulate real-life use 100% accurately. In fact, modern processors take upwards of 70% of their development time in testing--they're that complicated.

List of Affected Processors

[ITMagic]

Is there any available list of WHICH processors are affected?
Are we talking ALL Core 2 Duo chips, of ALL varieties, including mobile?
What other chips are involved? (Personally, I find the whole genealogy if Intel chips very very hard to follow).

Weird comments re BIOS patching

[Ancient_Hacker]

I wonder about some of the comments in the "Workaround" sections. Most of the time they weasel and say "no workaround yet". More likely, no workaround is possible in many cases. Then with some of the user-land problems, like REP MOVSB acting up, they say "BIOS can fix". Huh? How could the BIOS fix a broken REP MOVSB? I can see the BIOS being able to patch interrupt related bugs, but a straight instruction? About the only conceivable way would be to have the BIOS load special microcode to emulate the REP MOVSB. But many of the bugs involve what they call the "fast" REP MOVSB which sounds like its done by hardware.

Re:Weird comments re BIOS patching

[hughk]

Many BIOSs will load microcode fixes into the CPU as part of startup - another good reason to keep up to date. This gets loaded into the CPUs microcde RAM and patches the existing instruction decode to jump to the microcode fix. Yes, it is a little like intercepting an instruction in an OS and emulating it - except on a modern chip, they are RISC machines with a microcde translator around it that interprets the IA32/IA64 instructions.

Re:Summary sucks, someone please provide better on

[Durzel]

Surely "getting root" on the box would require the OS to actually behave in a logical way in response to a "CPU exploit". If the OS has no visibility of a hardware-level failure isn't it more likely that remote exploitation of a CPU exploit - if it were possible - would simply cause a unrecoverable system error?

Obviously forcing a box offline would be equivalent to a DoS..

Better one? Please provide an earlier one!

[Chuck+Chunder]

About 10 hours ago I put down a deposit on having an Intel Core 2 Duo based computer built for me so this is a bit late!

I chose Intel (Core 2 Duo CPU and 965G motherboard) because of the open video drivers they release (and I enjoy reading about them on planet.freedesktop.org). Hopefully these CPU bugs are just something that is theoretically scary but won't end up posing practical problems for me as a user.

Re:Better one? Please provide an earlier one!

[PitaBred]

Probably not. It's more impacting on highly security-sensitive systems like multi-user servers and such. I run a Core 2 Duo in my laptop, and it flies, never had any serious issues with it. It will periodically get in a weird state booting up and get some bugs detecting hardware (which is probably BIOS related), but a quick reboot fixes that.

Re:Summary sucks, someone please provide better on

[ioshhdflwuegfh]

Yes, I agree about the architectures, but there are nevertheless some similarities among the bugs: for Core 2 Duo, description of AI21 bug says:

Global Pages in the Data Translation Look-Aside Buffer (DTLB) May Not Be Flushed by RSM instruction before Restoring the Architectural State from SMRAM which is the same as the description of the bug AE30 of Core Duo that I mentioned before. For AI21, Intel also says "plain fix".

Re:Summary sucks, someone please provide better on

[Aladrin]

I hope so, as I very very recently bought a Core 2 chip to use on my main machine at home. I'm not holding my breath, though.

Warnings should be used for buggy hardware

[Foktip]

Anyone whose tried to get more than a single IDE cdrom drive and serial ATA 2 drives working on a core 2 system at the same time, has probably seen just how buggy core 2 can be. Intermittent/random OS failures, the hard-drives fail randomly (even SATA2 ones), etc. - and that was consistent on 3 motherboards, with 5 different hard drives, even when IDE-sata adaptors or a PCI-IDE card were used. Not only that, but some HD's are outright incompatable with some core2 motherboards.

Theres no excuse for this unreliability, and especially the lack of information. There should have been warnings/more information ON THE BOX, so that consumers dont have to do tons of research just to make sure they're buying a product that will work PROPERLY (or work with their existing hardware). Isnt that already required by law? Mayby someone should start a class-action lawsuit or something, just to get the message across.

Re:Warnings should be used for buggy hardware

[iamhassi]

"Mayby someone should start a class-action lawsuit or something, just to get the message across."

Soon as I read the article I searched here for someone posting a link to a class-action lawsuit. You're the only one that mentioned the word "lawsuit".

Come on lawyers this is a easy one with deep pockets, just let us know where to sign up.

Re:Warnings should be used for buggy hardware

Or you morons could finally learn that when you shop with someone who thinks they are a monopolist and you don't have a choice, this is what you get. Microsoft, GM in the 1970s, SBC/AT&T, the list goes on . . . buy an AMD or PowerPC and through that intel shit in the trash, and TURN ON A BRAIN CELL before spending that much money next time.

Re:Warnings should be used for buggy hardware

That's your motherboard, Mr. Foktip. I suggest you invest more than 30 dollars on your next purchase.

Re:Intentional?

Are you the same freak that posted on KernelTrap about how every CPU since the 486 has been bugged by the NSA and can be monitored by satellites? If so, please carry out the recommended course of action that I detailed to you on that occasion. Namely that you set fire to yourself outside the UN building in order to draw attention to your cause. Thanks in advance.

I wrapped my CPU in tinfoil to prevent NSA spying, but it stopped working. Goddamn NSA! I guess it doesn't work when the signal from their secret moonbase is blocked.

Re:Summary sucks, someone please provide better on

[Bri3D]

Another scary bug (perhaps the scariest, since it appears to be the one that most reliably/repeatably occurs) is AI88: Microcode Updates Performed During VMX Non-root Operation Could Result in Unexpected Behavior.
From what the errata says, unless the host software has specifically disallowed access to parts of the MSR, a VMX guest/non-root system could reload the CPU microcode.
This leads to a whole universe of complicated data theft/code execution/etc. exploits that will probably never be created due to their complexity. However, it also leads to a very, very, very simple DoS/crash exploit (load some bad microcode, crash the CPU).

Incorrect

[WyrdOne]

x86 afaik has never been implemented on a RISC architecture outside of anything other than a lab context. It's CISC that is the primary core for x86.

http://arstechnica.com/cpu/4q99/risc-cisc/rvc-1.ht ml

Re:Incorrect

[644bd346996]

Nope. Internally, the x86 processors are RISC, and have been for years (specifically, since the P6 and K6). AMD has even used RISC in their marketing, and Intel talks about things like micro-ops. The processors are basically RISC chips with x86 decoders.

Re:Incorrect

[644bd346996]

Correction: The K5 was also a RISC internally.

no

[twitter]

Could that be a backdoor and a good reason for countries like China to develop their own CPUs?

China will use these backdoors like anyone else, why would they bother to invent their own?

Lots of issues

[flyingfsck]

Stack problems, memory management problems, interrupt problems and so on. Many of these bugs will not cause an immediate exception or crash but may look like software bugs, for example a stack problem causing a return to the wrong address.

I guess MS Windows users will simply blame Microsoft's sloppy code, when it isn't even their fault...

Re:Lots of issues

[CCFreak2K]

That's been the case for years (see: bad third-party drivers on Windows XP). I don't see why it would change now.

Re:Summary sucks, someone please provide better on

That's rather specious reasoning. "Well we know that this chip has potentially serious security flaws but then we don't know for certain that this other one doesn't, so let's not use that". As always you can only make decisions to your best judgement with the information you have available at the time. Unless you have specific reasoning to believe that there are as-yet undisclosed security flaws in AMD chips or have evidence that AMD would supress such information if it were to exist then the only logical outcome here is to assume that AMD have the more secure processor. Maybe in the future flaws will be discovered there too, in which case people will need to consider their options again, but right now the situation as it stands is that these Intel chips have known flaws and AMD's current chips do not.

Maybe Intel should stop releasing these lists and then no-one would even know about them. Then we would assume they have something to hide. At least I sure would.

Re:Summary sucks, someone please provide better on

[petermgreen]

Surely "getting root" on the box would require the OS to actually behave in a logical way in response to a "CPU exploit".

Essentially the aim of such exploits is usually to get your code to be run with privilages it should not have had.

some examples:
all modern operating systems use one copy of shared libraries in memory for all apps that use the library (not doing so would be very wastefull of both memory and cache). If a process can bypass the write protect on that memory it can force other processes to run its code some of those will be running as root.

If your code finds a way to flip the CPU into kernel mode without jumping into the OS then it has the run of all memory and hardware on the system. Once you have that it shouldn't be too hard to find the process tables and change your processes user ID to root.

Re:Privilige Escalation

Because in order for a privilige escalation bug to work there must be an untrusted user that is allowed to run some code in the first place. That is why this bug is more of an issue for Linux/BSD than Macs as most Macs are single user systems.

What intel had to say:

[Vryl]

"Come on people, move along, nothing to see here".

Reverse compatibility for OS/2?

[johnw]

Presumably AE6 is a reverse-compatibility feature to allow OS/2 1.0 to run its DOS box?

Truly history doth repeat itself.

Obligatory Apple Rant

[jafac]

Thank GOODNESS apple switched to intel chips.

Nothing like a monopoly, and a monoculture, to breed innovation and a robust information infrastructure!

Re:Obligatory Apple Rant

Yeah! PowerPC CPUs never had any bugs at all!

(For the sarcasm impaired: The above is sarcasm.)

Re:Obligatory Apple Rant

[jafac]

Of course they had bugs. But when they had bugs, the manufacturer had an incentive to try to fix them, and when they had bugs, only a fraction of all computers were affected.

IF, as a result of Apple's switch to intel chips, and as a result of intel's other anticompetitive practices, AMD's market standing slips further, intel will be in a position to "not give a crap" about such bugs. And when those bugs happen, they will affect a very large proportion of all computers. It will be even more of a field day for spammers and botnet operators than it is today.

Re:Summary sucks, someone please provide better on

[TheRaven64]

If you are using paravirtualisation, then it uses exactly the same protection mechansims as a normal kernel, and so you gain no protection from this kind of exploit. If you are using hardware-assisted virtualisation, then take a look at the errata list; a few related to VMX mode. If you are using binary re-writing, then expect to pay a speed penalty.

Theo-bashing is so passe.

[peacefinder]

"Hasn't anyone noticed these terrible bugs?"

Apparently they have, and now we know too.

Look, I know Theo-bashing is a traditional bit of fun, so I hate to rain on your parade. But you should keep in mind that the OpenBSD team is uniquely (or nearly so) positioned to discover and publicize the security implications this sort of flaw. The whole project is security oriented; they don't accept "binary blobs" into security-sensitive roles, which means they look more closely at hardware than most; they operate in a very transparent manner; their user base is supportive of any security-related moves by the devs; their installed base is heavy in security-sensitive roles; and the project is notorious for not giving a damn about political considerations.

"But they're rarely very serious, they rarely actually affect anything in remotely realistic scenarios."

OpenBSD is heavily used in the perimeter security role, and in security-sensitive roles generally. As its OS security gets better, OpenBSD's sensitivity to hardware security flaws gets higher. If there's an architectural flaw that the OS can't cover, OpenBSD's user base needs to know that so they can evaluate their overall security and spec hardware accordingly.

Almost no one else needs to worry about hardware exploits in Core 2 as much as OpenBSD does, because almost every other OS for general-purpose hardware has easier exploit paths. For instance, I'm not worried about this flaw on my home iMac, because my iMac isn't in a security-sensitive role. If an attacker wants my home data, it'd be easier for the attacker to simply break in and steal the whole box.

"How does he expect Intel to respond?"

Like the professionals they are, I'd think.

Re:Theo-bashing is so passe.

[kestasjk]

Look, I know Theo-bashing is a traditional bit of fun, so I hate to rain on your parade. But you should keep in mind that the OpenBSD team is uniquely (or nearly so) positioned to discover and publicize the security implications this sort of flaw. First off I'm not "Theo-bashing", I'm bashing what Theo is doing. He acts like a vain hypocrite so often that people think we're bashing Theo and not what Theo happens to be doing.
Second; how are they uniquely positioned? Theo read the errata that's public to everyone, and says that he "bets" there may be "potential" security implications. He's in a unique position to troll and spread FUD about a company that doesn't pay attention to OpenBSD, but apparently he's not in a unique position to offer anything new.

"But they're rarely very serious, they rarely actually affect anything in remotely realistic scenarios."

OpenBSD is heavily used in the perimeter security role, and in security-sensitive roles generally. As its OS security gets better, OpenBSD's sensitivity to hardware security flaws gets higher. If there's an architectural flaw that the OS can't cover, OpenBSD's user base needs to know that so they can evaluate their overall security and spec hardware accordingly. Isn't that precisely what Intel have done? They've let the public know about the flaws, now it's up to OpenBSD to "evaluate their overall security and spec hardware accordingly". (This mail suggests they're jumping straight to "spec hardware" before properly evaluating how this affects their security.)

Almost no one else needs to worry about hardware exploits in Core 2 as much as OpenBSD does, because almost every other OS for general-purpose hardware has easier exploit paths. For instance, I'm not worried about this flaw on my home iMac, because my iMac isn't in a security-sensitive role. If an attacker wants my home data, it'd be easier for the attacker to simply break in and steal the whole box. What hardware exploits? Who said anything about hardware exploits? Intel's errata doesn't say anything like that, Theo's mail gave nothing other than a "bet" that out of 50-60 bugs in the chip "2-3" will be exploitable. You're acting like the errata details a whole bunch of critical vulnerabilities, but that's just not true.

This is exactly how Theo wants people to react to this; "now the Core 2 isn't safe", even though his mail contained no substance whatsoever.

"How does he expect Intel to respond?"

Like the professionals they are, I'd think. A professional's response to a mail that cites publicly released errata alone and concludes that no-one should buy your chips? No response, of course.
Hopefully Intel are more professional than Theo, and will be working on future products and technologies, and finding bugs in existing ones, rather than indulging in empty self righteous flamefests.

Re:Theo-bashing is so passe.

[peacefinder]

"First off I'm not "Theo-bashing", I'm bashing what Theo is doing."

So in your clause "Raving lunatics like Theo" you'd like the reader to focus on the fact that he's raving, but the reader should basically ignore that you just happen to mention in passing that you think he's a lunatic?

Right, got it. Thanks for the clarification on that.

"Theo read the errata that's public to everyone, and says that he "bets" there may be "potential" security implications."

Well - and I can only speak for myself here - the fact is that I'm an ignorant fuckwit when it comes to the security implications of Intel's hardware errata. I know just enough to know that I cannot read Intel's chip errata and produce an opinion about the security implications that ihas any statistically-significant superiority to random chance. I'd guess that it is highly likely that well in excess of 95% of the general computer-buying public is similarly ignorant.

However, I'm dead certain that Theo knows a great deal more about secure OS design and the implications of these errata than I do. I'm pretty sure he knows more about it than you do, too. (Nothing personal, but I figure there's probably under five thousand people worldwide who have similar expertise at the moment. Odds are you're not among them.) His track record thus far isn't perfect, but it's really fucking good. So if he says that it's likely that some of the flaws will prove exploitable, I'm willing to provisionally trust his predictive opinion.

And it's not like it'll stop me - or most other security-conscious people - from buying Core 2 machines. It will, however, prevent most or all security-conscious admins from deploying such machines in highly security-sensitive roles until the picture becomes more clear. This is not going to be a huge impact on Core 2 sales, because there already were better hardware solutions than Core 2 for both multi-user server roles and for perimeter security roles. The real problem with these alleged security flaws will be in the laptop and desktop markets, because Core 2 is pre-eminent there. Even so, it would only affect the segment of that market that is security-sensitive... which probably is not a huge portion of that market. (As another commenter said, though, the DoD's tech buyers are probably going to have serious headaches.)

So if Theo's goal is to wound Intel - which I doubt - this is not going to leave a big mark in sales. Theo fails it!

Overall, I don't think your theory holds much water. Sure it's possible that he's just being a dick about it just to spite intel. But it's also possible that his expertise leads him to have genuine concern, and his forthrightness leads him to say it plainly. I, for one, am not willing to bet my network security on the chance that the former possibility contains the whole truth behind this.

Re:Theo-bashing is so passe.

[akpoff]

And of course they're not all security related, even if this particular thread ran that way. 9 of the errata result in states where the CPU can or will hang. My personal "favorite" is AI65 that documents a case where the CPU won't throw a thermal interrupt when the temperature threshold is crossed. Your iMac might fail to kick on its fans in such a condition. Even worse -- there's no workaround

AI65. A Thermal Interrupt is Not Generated when the Current Temperature is Invalid

Problem: When the DTS (Digital Thermal Sensor) crosses one of its programmed thresholds it generates an interrupt and logs the event (IA32_THERM_STATUS MSR (019Ch) bits [9,7]). Due to this erratum, if the DTS reaches an invalid temperature (as indicated IA32_THERM_STATUS MSR bit[31]) it does not generate an interrupt even if one of the programmed thresholds is crossed and the corresponding log bits become set.

Implication: When the temperature reaches an invalid temperature the CPU does not generate a Thermal interrupt even if a programmed threshold is crossed.

Workaround: None identified.

How common is this? Beats me. It certainly bothers me that this isn't one of the errata that can be addressed via a BIOS fix.

Re:Theo-bashing is so passe.

[Wavicle]

I really hate to jump in on this attack/apologist love fest going on here, but I have to agree that Theo is really crying foul without giving any substance to his argument other than "something exploitable MUST be in there." I have to state, as others have, that I find this sort of attack rather poor taste unless something of more substance can be brought to bear.

Case in point: AI90. Theo claims this is already "exploitable" in some OSes (not his). Okay.. well... What does this exploit look like? Does it cause a crash? A hang? Increase privilege level? Arbitrary code execution? Delay of a couple microseconds because the VMM is less likely to swap the page out?

Code segment limit is a way of saying "not all of this 4K page is executable" but most OSes don't use it. Either a page is in the code segment, or it isn't (which is why OpenBSD is immune.) But let us say for convenience that you have an OS that uses code segment limit. And let us further suppose that you stumble upon this error. What must now happen to have an exploit?

This is where my knowledge of OS design perhaps hits a stumbling block. This erratum says that the next page may be marked as accessed, even though it hasn't actually been accessed. In order for this to be exploitable, the OS must perform some operations that affect this not-really-accessed page without checking the accessed bit. What operation? And what OS?

What is it about this flaw that would lead one to avoid a Core2 CPU for your next purchase? Considering that this the most prominent example, I'd think he could show some more concrete example of the danger of this flaw (since it scares the hell out of him).

Re:Theo-bashing is so passe.

[Douglas+Goodall]

"This is where my knowledge of OS design perhaps hits a stumbling block. This erratum says that the next page may be marked as accessed, even though it hasn't actually been accessed. In order for this to be exploitable, the OS must perform some operations that affect this not-really-accessed page without checking the accessed bit. What operation? And what OS?"

This example doesn't indicate whether the access was a write or a read. If it was a read, who cares? If it is a spurious write indication, it could cause a write fault exception that wasn't real and could cause a process to be terminated when it hadn't done anything wrong. I could see that being a real problem for any operating system that uses virtual memory in protected mode with write protected code segments. That would probably mean windows and Unix.

Re:Theo-bashing is so passe.

[Wavicle]

This example doesn't indicate whether the access was a write or a read.

The part where I mention code segment limit was the tip off that this was code execution. Or you could have just read AI90.

The erratum specifically states this happens during code execution and your code segment limit is near the end of the page. If you try and execute outside the code segment limit, the A flag of the subsequent page may get set before the page fault happens. If you don't try and execute outside the limit, nothing happens. It wasn't a write, code execution is a read from a hardware perspective but architecturally is something slightly different.

Re:Theo-bashing is so passe.

[peacefinder]

Well, is this better?

I realize it's not proof-of-concept code - which would of course be ideal - but it is another BSD project leader's opinions on each of many of the errata, with pretty fair specificity. Again, I'm no expert here, but these guys are. One or both might be wrong about any security implications they claim, but they're in a heck of a lot better position to know than I am. Seems like it's foolhardy to dismiss their concerns out of hand, or bet a hardware purchase on the idea that it's some sort of retaliatory press release.

Re:Theo-bashing is so passe.

[Wavicle]

No disrespect to Matt or anything, but no that isn't better. The second link in particular isn't germane to the discussion of AI90 because it covers the Core Solo/Duo. There are over 100 MILLION of those systems installed, that errata list is a year and a half old, and there are no known exploits for any of those.

So as to his actual theoretical exploit of AI90... He's guessing, and some of his guessing doesn't seem sound.

it will result in unexpected modifications to the page table page and numerous operating systems may free such pages to the page-zerod page list under the assumption that they cleaned the page out when in fact there may be a page table entry with the access bit set (meaning the page wasn't completely zerod when freed). That could cause problems.

I really can't completely parse what is being said here. He seems to imply that the OS may handle accessed pages differently from non-accessed pages in a dangerous way. A strict reading of what he says indicates the OS will zero accessed pages and not non-accessed pages, which makes no sense. If you are going to start zapping page tables entries you should zap all pages associated with a particular program, irrespective of their accessed state. If it is a page not associated with the faulting program, it shouldn't be freed whether it has been accessed or not.

The A bit (page accessed) is a tuning parameter for use by the OS. Most OSes set it by default because you incur a performance penalty to set the bit (setting it requires a hidden R/M/W cycle with the #LOCK asserted). Incorrectly setting it could lead to incorrect tuning, but that is not an exploit. It has yet to be proposed how this parameter intended for debug and tuning can be exploited.

I would be convinced if I could see an OS exploit that would show up in response to this erratum, but not in response to correct handling of A bit setting on the processor. All theoretical attacks so far seem to exist on an OS that could also be attacked by writing a program that selectively accesses or does not access some of its pages.

Re:Theo-bashing is so passe.

[nacturation]

So in your clause "Raving lunatics like Theo" you'd like the reader to focus on the fact that he's raving, but the reader should basically ignore that you just happen to mention in passing that you think he's a lunatic? Perhaps you misread that. He might have been saying "Raving lunatics [are the kinds of people who really] like Theo". Not that it sheds a much nicer light, however.

Re:Theo-bashing is so passe.

[southpolesammy]

I'd guess that it is highly likely that well in excess of 95% of the general computer-buying public is similarly ignorant.

I know this thread is dead and all, but just wanted to contribute one more tangential piece of info that Slashdotters need when considering our level of expertise vs. the general public. The ratio of tech-knowledgable people is much more exclusive that even 95% -- I would venture to say that it's more like 99.9%.

For example, assuming the requisite knowledge required to understand the Intel errata would be gained either by taking a university-level course, like Ohio State's CSE 675 Intro to Computer Architecture class, or by doing some very highly directed self-study, and given that the class is offered 4x/year with an average class of 25 students, then roughly 100 students/year gain that knowledge. Let's also assume that 50% forget that knowledge within 5 years, so over the course of those 5 years, 250 people become capable of reading those errata.

With OSU's Columbus campus enrollment at roughly 51,000/yr, with roughly 10,000 turnover/year due to graduation and withdrawal, then over 5 years, approximately 100,000 students will have had the opportunity at taking that class and retaining the knowledge.

So, simple math tells us that only 0.25% of a college-level population will obtain and retain the requisite skills. Now extrapolate that the the general population that doesn't attend college, which is roughly 60% in the US, and you get a final percentage of about 0.1% overall that can read the Intel errata, and even that may be a stretch, IMHO.

Bottom line -- Slashdotters need to realize that very few people overall understand technology, and even fewer care.

4nm

[bdjacobson]

When we reach the 4nm process, then our electrons will begin bleeding through the insulation. Will be fun to see what the computing industry does then. Or what Intel does when they hit 45nm (the limit to the photolithography process); AMD has a license with IBM for Immersion Lithography which will push them past the 45nm mark.

Intentional bugs? C2D was designed in Israel.

[lamer01]

Would allow Israel to perform Cyberwarfare on unsuspecting opponents. Another reason not to allow foreign entities to be involved in the development of parts that could be used in our defense industry. Of course, this by no means says anything about Israel. Any country with many enemies could do the same given the opportunity.

COPY ON WRITE could be affected, & in a BIG wa

See the portions in this page, where others here speak of "copy on write" functionality...

If you do not understand what this is, or how it works? Look it up, that, & memory mapped files.

It is about shared data between processes & making private copies a particular app uses, as WRITE ONLY to that particular process.

Shared data is one area that I can definitely see being exploited (SQLServer 2005 for instance? Uses this heavily doing db snapshots (a recovery/reliability mechanism, & databases are definite targets for industrial espionage/power/money because information? Really is, power!)

APK

P.S.=> Up above on this page, this gent gives a GREAT overview of this, see his post:

http://hardware.slashdot.org/comments.pl?sid=24266 3&cid=19675249

swillden is his name, & he does a GOOD job of it, especially for someone saying he has an "incomplete understanding of the issues", imo @ least, he does well because he stated that especially (modesty imo, because he hits on exactly what I feel would be targetted & exploited, & I give an example of what I would target above, SQLServer 2005 use of copy on write during DB Snapshots especially, for data alteration, OR theft)... apk

Modern processors

[ajs318]

Modern "80x86" processors actually have a RISC core emulating 80x86 CISC instructions. That can't possibly be efficient: there are some occasions when you don't need every bit of an 80x86 instruction to happen (for instance, ADC sets the carry flag, but the next instruction may not care about the state of the carry flag). Although the "interpreter" -- because that's what it really is -- might well be able to optimise out some microinstructions on-the-fly, it almost certainly isn't looking far enough ahead to be certain about that.

Native code running directly on the underlying RISC core, if there was a way to do it, ought to be faster than emulated 80x86 code. A lot faster, if the compiler is good.

Really, the only reason 80x86 (which really is a truly horrible design, mostly cruft and bodges upon bodges) is still popular at all, is to allow Microsoft to keep the Source Code of Windows secret. The BSDs and Linux don't have any such requirement -- the Source Code is readily available, and they can and do run on almost any processor architecture. AMD's 64-bit architecture is a little cleaner but still held back by the need to implement 32-bit instructions.

Think what we could do with something like ARM, but built in straight 64-bit (i.e. ditch byte addressing and deal strictly in 64-bit words) and going back to Furber and Wilson's original concepts which eschewed complications such as hardware multiply and divide precisely because software implementations can be quicker for shorter word lengths (multiplying two 8-bit values requires only 8 additions, but a 64-bit hardware multiplier will always do 64 anyway). If 64 bits really is too much for one instruction, then maybe squeeze in two 32-bit instructions that then (attempt to) execute in parallel (so must be writing into different registers, unless the condition fields -- with ARM, every instruction is conditional, though there are "AL" and "NV" conditions that execute always and never respectively -- are such that both won't be satisfied together). This would need two logic matrices, but they could share a common register file.

Re:Modern processors

[utopianfiat]

(for instance, ADC sets the carry flag, but the next instruction may not care about the state of the carry flag)

Because 1-bit flip-flops take SO LONG TO WRITE TO
Mod parent down ffs.

Re:Modern processors

[Dwedit]

The NV condition doesn't actually exist anymore, it's used for reserved instructions.

Re:Modern processors

[taradfong]

There are some true principles in your post but you haven't flushed them out, and your anti-MS emotions are driving you to predict non-existent conspiracies.

Intel faced this realization around the time of the Pentium Pro/PII/PIII. Many people said x86 could never compete with RISC. Guess what? Like you, they were dead wrong! Don't feel too bad, even *Intel* got this wrong with Itanium.

And the reason is this: the process and development effort advantages gained from having an unmatchable production volume of an x86 FAR EXCEED the minor, more elegant design tradeoffs of other processors.

Furthermore, while a human being perceives the RISC->CISC (actually, opcode->micro-op) decoding as a wasteful thing that must be purged to attain perfection, the reality is that it is NOT a factor in performance. If it was, then how could an Intel (or AMD) processor continually completely max out the capacity of its floating point units (2-6 FLOPS/clock depending on chip)? The answer is, because the overhead is unobservable because of a great deal of parallelism, pre-fetching, caching (instruction and data) and scheduling implemented in very fast, very optimized, and very parallel hardware.

You might then retreat to make the argument that while maybe the performance overhead is zero, all that circuitry is costing you electrical power. And the answer is, again, sure, but how much? When you realize that most of the gates on a modern chip are cache, you come to the realization that very, very little power is being spent on opcode decode.

About the only pro-RISC argument you might make anymore is that indeed, those chips are MUCH easier to design.

Now on to your 'MS code secrecy is why we have x86' - HOGWASH! x86 rules the roost - again - because of its volume! It's got the most developers, drivers (crucial), code, accessories and advertising. Did you forget, BTW, that there were Alpha versions of Windows NT? And there still is an Itanium version. And an X-Box 360 version is I'm sure on the way. As well as a 'Cell' based machine. If indeed a significantly faster architecture came out you can count on MS supporting it. The problem is, for any kind of competing architecture to gain critical mass it must be MUCH better in terms of performance or power consumption. And no one seems to be able to introduce anything for which they can maintain a gain over Intel for long.

So, unless you're a compiler writer, why complain (not that writing a RISC compiler can be much fun either)?!? If you're in scientific computing, your problem is likely memory performance, not CPU execution. If you're playing games, you're likely limited by graphics cards and PCI-EX bus bandwidth. If you're a 'normal' user, your CPU barely breaks a sweat. And while your laptop might have shorter battery life than you want, increasingly your screen and other things take up more and more of the power budget.

Re:Modern processors

[hughk]

Think what we could do with something like ARM, but built in straight 64-bit (i.e. ditch byte addressing and deal strictly in 64-bit words) and going back to Furber and Wilson's original concepts which eschewed complications such as hardware multiply and divide precisely because software implementations can be quicker for shorter word lengths (multiplying two 8-bit values requires only 8 additions, but a 64-bit hardware multiplier will always do 64 anyway)

It was called Alpha - remarkably clean and worked very well. It was essentially betamaxed when HP took over Compaq. HP/Intel were in bed together trying to flog the dead horse, unobtanium. DEC's problem with Alpha is that it was a great chip, but they could never get the volume up to bring the cost down. Alpha ran heavy-iron OSs like VMS, but it also ran Linux. The NT version was hampered as Microsoft used binary emulation for most of their non-OS code. Alpha was fast but emulation was limiting.

Re:Modern processors

Modern "80x86" processors actually have a RISC core emulating 80x86 CISC instructions. That can't possibly be efficient: there are some occasions when you don't need every bit of an 80x86 instruction to happen (for instance, ADC sets the carry flag, but the next instruction may not care about the state of the carry flag).

Those CPUs don't work quite the way you think they do.

The internal 'instruction set' (really microcode) doesn't resemble any ordinary RISC instruction set; it's designed specifically to implement x86, not to operate like an end-user-visible instruction set would. Problems of the type you're talking about arise when translating between dissimilar ISAs with different condition code handling and the like. That's just not an issue here.

Few x86 instructions translate to more than two or three microcode ops, and a large number translate to just one. The point of the translation is mostly to separate ALU instructions with memory operands into discrete loads, stores, and ALU ops. Instructions which don't touch memory are very unlikely to need more than one microcode op.

Native code running directly on the underlying RISC core, if there was a way to do it, ought to be faster than emulated 80x86 code. A lot faster, if the compiler is good.

The underlying core has no instruction format suitable for storage in external memory; uops are fully decoded control words, which are much larger than the original instructions. It would be terribly inefficient to expose this to user programs.

Really, the only reason 80x86 (which really is a truly horrible design, mostly cruft and bodges upon bodges) is still popular at all, is to allow Microsoft to keep the Source Code of Windows secret. The BSDs and Linux don't have any such requirement -- the Source Code is readily available, and they can and do run on almost any processor architecture. AMD's 64-bit architecture is a little cleaner but still held back by the need to implement 32-bit instructions.

1. x86 isn't nearly as dirty as you think it is. The real cruft was pre-386; if you lock a 386 or later x86 into 32-bit mode and ignore the other modes it's not that bad. The biggest remaining wart was the original x87 FPU instruction set, but that's now possible to ignore in favor of SSE.

2. What the hell does Microsoft wanting to keep Windows closed source have to do with the popularity of x86? You're completely insane for suggesting a connection. There's nothing which would make Microsoft open-source Windows if it had to run on other CPUs. The proof is that Microsoft had (and in some cases shipped to end users) working ports of Windows NT for PowerPC, MIPS, Alpha, and probably others I'm forgetting. All closed source. All cancelled for reasons which had nothing to do with open/closed source.

3. AMD64 isn't any cleaner than 32-bit x86. It doesn't change much, just adds support for 64-bit registers, 64-bit ALU ops, and 8 more registers. To do this they needed to use more opcodes, which meant chaining more prefix bytes. Thus you get fun things like register-to-register ALU instructions being longer if one of the operands is one of the new registers.

Think what we could do with something like ARM, but built in straight 64-bit (i.e. ditch byte addressing and deal strictly in 64-bit words)

Oh god.

Never studied how much a mess that made of early versions of Alpha, have you?

and going back to Furber and Wilson's original concepts which eschewed complications such as hardware multiply and divide precisely because software implementations can be quicker for shorter word lengths (multiplying two 8-bit values requires only 8 additions, but a 64-bit hardware multiplier will always do 64 anyway).

This is stupid.

Sorry there's no less harsh a way to put it. It's a bad, dumb idea. RISC ISAs which left out hardwa

Re:Modern processors

[ajs318]

See, that's the beginning and end of the problem: the closedness of Windows. If when you bought a Windows licence you got the Source Code (but weren't allowed to pass on copies to anyone else; not giving out the Source Code works really well to prevent that, doesn't it?) then at least everyone could choose what architecture they were going to run it on. Microsoft's obstinacy with the Source Code crippled Alpha. Anyone who designs a new, 80x86-incompatible processor architecture finds themself in approximately the same situation as a high-rise flat resident who wins a canoe in a radio phone-in competition.

Buying Descision

[Voline]

Anyone know where I can get a SPARC laptop?

Re:Buying Descision

[dreddnott]

Try here - http://www.tadpolecomputer.com/Products.asp

Any laptop that claims "up to 16GB of RAM" can't be half bad.

2 points

[ppanon]

a) how does working around these bugs affect Intel Core Duo's performance?
b) I WAS thinking about buying a Core Duo so this information comes just in time.

What an own goal

[Stu101]

Am I the only one to think that the author should have paused for two seconds before blasting this out. Not due to any security issues, just at the end of his rant, he decided to take shots at Intel and AMD "Becoming less helpful by the day" Now if you were the chap at intel that did his best to get stuff sorted for Linux/BSD/Whatever oss project, going out on a limb to help, you would think "Fu*k you Theo" and be a lot less inclined to help and devote more support time to support contracts that potentially earn money.

The erratum mentioned

[m.dillon]

Ok, lets look at some of these.

AI65 - Thermal interrupt does not occur if DTS reaches an invalid temperature. What the hell is an invalid temperature? A disconnected sensor or something? It doesn't sound like something a userland thermal-generating loop can exploit but the errata is not detailed enough to know for sure.

AI79 - REP/STO in specific situation may cause the processor to hang. BIOS patchable. The errata mentions an uncacheable memory store. If this is a pre-requisit then only user programs with access to /dev/io or memory-mapped bus space can exploit it. So e.g. something like XOrg, but not the typical user program. Worse case seems to be a system freeze. Still, this is something to be concerned about.

AI43 - Concurrent MP writes to non-dirty page may result in unpredictable behavior. This one is extremely serious. It effects any threaded program and possibly even programs which are no threaded. This would cause me to not purchase the cpu. It says that a BIOS workaround is possible (aka microcode update).

AI39 - Cache access request from one core hitting a modified line in the L1 cache of another core may cause unpredictable system behavior. What the hell? Are they out of their minds? This is a big-time show stopper. It says it can be fixed with the BIOS (aka microcode update). I sure hope so.

AI90 - Page access bit may be set prior to signaling a code segment limit fault. This one is pretty serious. This cannot occur on most operating systems because the code segment is set to be unlimited and access is governed solely by the page tables. In 64 bit mode emulating 32 bit operation the problem might occur if a bit of code wraps the segment. There are possibly issues in other emulation modes, such as VM86 mode. The effect of setting the page accessed bit will not make a page accessible that was not previously unaccessible, but it will result in unexpected modifications to the page table page and numerous operating systems may free such pages to the page-zerod page list under the assumption that they cleaned the page out when in fact there may be a page table entry with the access bit set (meaning the page wasn't completely zerod when freed). That could cause problems.

AI99 - Updating code page directory attributes without tlb invalidation may result in improper handling of a page fault exception. This one doesn't look too serious, it just means the wrong exception will be taken first, meaning that the OS will probably seg-fault the program. If the OS corrects the issue and retries, the correct exception will be taken on retry. All BSDs that I know of handle page fault exceptions generically and will not be effected. Of greater concern is what sort of modifications to a page directory entry now require TLB invalidations? On FreeBSD and DragonFly, and I assume most BSDs and probably Linux too, page directory entries usually transition between only two states and a TLB invalidation is made when a page directory entry is invalidated, so they wouldn't be effected by this bug.

Re:The erratum mentioned

[m.dillon]

Now the core duo/solo errata.

AE1 - CPU to memory copy with FST with numeric and null segment exceptions may cause GP faults to be missed and FP linear address mismatch. In otherwords, a segmentation violation will be missed and a write will be allowed to proceed. This will not effect OSs using page tables for protection, which is all OSs. Sounds bad but doesn't sound like it will effect existing OSs

AE2 - Code segment violation may occur if a code stream wraps around a segment. No program does this on purpose, and OSs will just seg-fault the program if it does. The intel errata says it could be exploted by a virus but I don't see how by its current description. Maybe there is something they aren't telling us.

AE3 - POPF/POPFD that sets the trap flag (aka when single-stepping a program) may cause unpredictable behavior. Holy shit. This one is serious.

AE4 - REP MOVS in fast string mode continues in that mode when crossing into a page with a different memory type. This means that when crossing over from a cacheable page to an uncacheable page, the I/Os remain cacheable. And vise-versa. This will never happen on purpose so the question is whether it can be exploited in some way, and the answer to that is not that I can see.

AE5 - Memory aliasing with inconsistent dirty and Access bits may cause a processor deadlock. This means a PTE with 'D'irty set but with 'A'ccess not set. FreeBSD and DragonFly always set the A bit when setting the D bit and will not be effected but I don't know about other OSs. This is a very serious bug though.

AE6 - VM bit will be cleared on a double fault exception. Double faults are usual fatal for the whole machine so unless they can occur in an emulation mode (where the double fault is being emulated). Check your OS. FreeBSD and DragonFly do not try to resume after a double fault and do not take faults in VM mode and are not effected.

AE7 - Incompatible write attributes in page table verses MTTR may consolidate to UC. Not a big deal, doesn't happen unless something has been misprogrammed.

AE8 - FXSAVE after FNINIT without an intervening FP instruction may save uninitialized values for FDP and FDS. This isn't an issue unless the data being written represents a security leak of some sort, such as a portion of the state of another program's FP unit. This could be a security issue with regards to one program snooping another program's cryptography. Statistical snooping possible through this sort of mechanic has been shown to be effective in recent years.

AE9 - LTR can result in a system hang. Well, BSDs don't really use LTR all that much and the conditions required just will not happen on BSD or probably linux either. A break point must be set on the cache line containing the descriptor data? Not from userland!

AE10 - Invalid entries in the page directory pointer table register may cause a GP fault. Not an issue.

AE11 - REP MOVS operation in fast string mode continues in that mode when crossing into a page with a different memory type. Not an issue.

AE12 - FP inexact result exception flag may not be set if the #inexactresult occurs in any FPU instruction with certain instructions occuring afterwords. This is a very serious bug that only compilers can work around (and probably won't).

AE13 - IFU/BSU deadlock may cause system hang. I've no idea what IFU and BSU is.

AE14 - MOV with debug register causes a debug exception. Sounds like the worst that happens here is a program seg faults if this condition is hit while the program is being debugged.

AE15 - INIT does not clear global entries in the TLB. Oh, joy. Intel says that BIOS writers would know of thise errata and cod efor it, but insofar as I know this could be an issue when starting up APs.

AE16 - Use of memory aliasing with inconsistent memory type may cause system hang. It shouldn't be possible for this to happen with a modern OS. It means mapping the same physical page of memory with different memory contr

Re:The erratum mentioned

[MattBurke]

AI65 - Thermal interrupt does not occur if DTS reaches an invalid temperature. What the hell is an invalid temperature? A disconnected sensor or something? It doesn't sound like something a userland thermal-generating loop can exploit but the errata is not detailed enough to know for sure.

I'd guess an invalid temperature would be one which is outside monitorable range. Phase-change cooling will take CPUs to well below 0 degrees C, probably causing a problem if the temperature's dealt with as an unsigned number.

As for the possibility of something exploiting it to gain priv'd code execution, who says every bug has to be exploitable? AFAICT the errata is a list of acknowledged bugs, not security problems. Remember it's Intel that wrote the doc, not Theo.

Re:The erratum mentioned

AE3: "unpredictable behavior" is just marketing speak meaning that it doesn't perform exactly to spec. It doesn't mean "flip the processor into supervisor mode" or "turn paging off". Here it is likely something more like you can take a single-step exception immediately after doing a POPF instruction instead of after the following instruction. There are likely other factors that have to coincide for this to be the case.

AE5: "may cause" implies that there are other factors involved (i.e. simply having the dirty bit set but not the accessed bit set won't cause the problem).

AE21: to me, this means that clearing the EFER.NXE bit on one core will clear it for the other core (in a dual-core chip, of course). Of course, setting it on one would then set it on the other as well.

Re:The erratum mentioned

Hi,

AE3 - POPF/POPFD that sets the trap flag (aka when single-stepping a program) may cause unpredictable behavior. Holy shit. This one is serious.

This was deleted from the errata in September 2006. I've no idea why (it's rare for this to happen, and I can only assume it was wrong to begin with, and possibly reworded and shifted to a new errata item when more accurate information became available).

AE5 - Memory aliasing with inconsistent dirty and Access bits may cause a processor deadlock. This means a PTE with 'D'irty set but with 'A'ccess not set. FreeBSD and DragonFly always set the A bit when setting the D bit and will not be effected but I don't know about other OSs. This is a very serious bug though.

Intel manuals have been warning against inconsistant A and D flags for ages. It's not a serious bug, it's just a reminder for people that didn't read the programming manual properly.

AE8 - FXSAVE after FNINIT without an intervening FP instruction may save uninitialized values for FDP and FDS. This isn't an issue unless the data being written represents a security leak of some sort, such as a portion of the state of another program's FP unit. This could be a security issue with regards to one program snooping another program's cryptography. Statistical snooping possible through this sort of mechanic has been shown to be effective in recent years.

This is BS. If the OS initialises the FPU state in any way that could be considered secure when a process is started, then information can't leak from one process to another (with or without this bug) as the new process would load it's own full state when FXLOAD is used during (or after) the task switch.

AE21 - The execution disable bit is shared between cores. I'm not sure what this means but Intel seems to think that it compromises an anti-hacker feature. Sounds pretty serious.

This is another "non-event". An OS either supports execution disable and enables it for all cores, or doesn't support execution disable and doesn't enable it for all cores. User-level code can't control this flag. Virtual machine monitors (e.g. VMX) virtualize the flag.

AE30 - Global pages in the DTLB may not be flushed by RSM instructions before restoring the architectural state from SMRAM. This is catastrophic for any software that uses global pages in SMM mode. It means that no software can use global pages in SMM mode. Operating systems usually do not have any control over what is run in SMM mode so this is a BIOS issue for the most part.

This bug only effects BIOS/SMM code. Global pages are used by OSs to reduce TLB flushes when switching between virtual address spaces, but BIOS/SMM code has no reason to switch between virtual address spaces (and no reason to use global pages).

So in summary, everything that Matthew Dillon thinks might look serious here probably isn't worth yawning at....


Cheers,

Brendan

Re:The erratum mentioned

[mirabilos]

That's obvious :-)

IFU = Intel's Fucked Up
BSU = BullShit Unit

just kidding... a happy AMD user

AMT - 0wned at the hardware level.

[Animats]

That's actually a bad article about a real issue. A better article is here.

Intel's AMT technology puts special purpose hardware in the network controller which recognizes UDP and TCP packets on ports 16992, 16993, 16994, and 16995. This is completely independent of the operating system. Various system administration functions can be performed. Anybody can inventory the machine and read its ID. Other functions, like power off/on, reboot, user disable (disables keyboard/mouse/on-off switch) and remote disk I/O require a password or crypto key.

This has been around for a while; the previous version was called IPMI, Intelligent Platform Management Interface. It talked UDP only. AMT also talks TCP and HTTP; there's a whole protocol stack in the network controller now just for this. This was originally a server farm management system, but now it's on desktops, too. If HTTP mode is enabled, you can control the machine from a web browser via port 16692.

It even works while the computer is "turned off"; it's part of "wake on LAN" functionality.

Supposedly, there is no valid default password or key, and the feature is supposedly off by default. But if any software ever enables this, you're 0wned.

The computer manufacturer can preload management keys. "An OEM may supply platforms with a PID-PPS pair already written to the Intel AMT Flash memory.", according to Intel. If a vendor does that, they 0wn your computer. Something to watch for. AMT can also be enabled from the Intel Management BIOS extension screen. (Password: "admin", it says in the manual.)

The normal way AMT keys get loaded in a corporate environment is that you plug in a USB key with a special file ("setup.bin") and power cycle the machine. The machine then tries to connect to the mothership on port 9971, doing a DNS lookup for "ProvisionServer" if no IP address was specified.

If you don't want AMT enabled, here's how to disable it:, "Intel AMT is returned to Factory Mode by selecting the Unprovision option on the BIOS Extension menu or by disabling Intel AMT from the BIOS extension Manageability Feature Selection."

The whole AMT system is reasonably designed; it even has Kerberos authentication. But it's so powerful and so hidden that if it's ever enabled, it's worse than a root kit. Even reinstalling the OS won't help.

Here's Intel's technical info about AMT.

How casn I tell if my problem is related to this?

[CitznFish]

I bought a duo core e6600, new MB, new everything actually. Now whenever I play MP3's or video it will randomly slow down for a second. My friend has the same issue, but with a different brand of motherboard. He is running an e6400 though. updated drivers do not fix this. using a sound card does not fix this. BIOS updates do not fix this. I do notice that when I get the slow down I see a 10% jump in CPU usage on only one of the CPU Usage History graphs from within Windows Task manager.

After reading this:

http://www.geek.com/images/geeknews/2006Jan/core_d uo_errata__2006_01_21__full.gif

I still can't tell if this is an issue with the processor, but I'm betting it is. And if it is does Intel have anything in place for the consumer to fix these issues?

Edges cases missed

[AtariDatacenter]

So it sounds like someone was designing CPUs like I see some people designing software. They don't think through all the edge cases, but instead rely on testing to point them all out to be fixed. Except, they obviously didn't have sufficient testing in place to catch all of these edge cases. OUCH!

BTW, without going too far down this road, but did a different, perhaps newer, team have a good hand in this processor's implementation?

Safe to buy?

[AnyoneEB]

I am planning on buying a new desktop this summer and am currently looking at the Core 2 Q6600. (Hmm... next price drop is July 22nd, probably waiting until then.) So I have two questions:

1. When will I be able to buy an Intel processor which does not have these flaws?
2. Are these flaws really serious enough to make buying a Core 2 a bad idea?

Are x86 servers in danger

[Billly+Gates]

Typically I have found Intels to be more reliable in the server market than AMD's. This was especially true with the capicators blowing up and the nvidia/AMD chipset bug.

I have seen winXP blue screen multiple times on my new core2duo system and I assumed it was microsoft code doing the crash or bad hardware. It happens when I change video modes quickly like open Itunes or Wow. I read the errata and its related to the CPU.

I read Theo's comments about AMDs list getting very big as well.

Are generic x86 cpus' safe any server that requires uptime? Is it time to move on to something more modern and I do not mean Itanium.

Maybe switching back to Risc might be ideal with less instructions which means less things go wrong or Intel's new chip that is VLIW that can do 1 trillion operations per second is the future. Simple multiple cores running in parallel with large loads of cache to share might be more stable and simpler.

Great for those who still use PPC.

How ironic these bugs are in the processor and Apple now have migrated to all of the Macs to the Intel platform. However there is no processor in the world that has absolutely no bugs in them and the programmers need to program around most of them. The processor manufactures need to tell the programmers of these that know of and have a open forum to allow other people to discuss bugs that they have found.
I still have a fair amount of the Apple PPC systems I wonder if how many bugs does it have.

Theo should change his name

[catdevnull]

I love Theo--really. But he should change his name:

Theo de Rant.

Grow up.

[Ayanami+Rei]

RISC for RISC's sake is stupid.
All of the supposed upsides to RISC have been thrown aside, using the CISC techniques for performance's sake.
Look at the UltraSPARCs. Or the POWER architecture. Out-of-order execution, write barriers, speculative prefetch, branch predictors, SIMD instruction set extensions, all eating up chip real estate. But they need it to wring the appropriate perfomance out of the chip and keep those ALUs doing meaningful work.

The only thing different between them and X86s is that X86s have a slightly more involved instruction decoding step. (But not by much, and the modern RISC descendants have instruction decoders too.) On the other hand the X86 instruction set has built-in instruction compression which keeps the size of the cache needed for code smaller. Most RISC-derived chips have larger, word sized instructions which demands larger caches.

The one thing that made the 32-bit ISA retarded is that many instructions weren't orthogonal, and you didn't have enough GP registers to play with. That was fixed with x86_64, and you get some speed gains, but it ain't much. And some code is slower just because immediate operands (now 64 bit) are larger and eat up cache.

And this isn't a problem unique to Intel. Everyone goes through this, everyone uses microcode.

UltraSPARC needs microcode too. It needs it to implement the IA. (You know, task switching, page fault handling, etc.) It just so happens that Intel rushed the Core and there's bugs in that stuff, bugs that needed to be fixed ASAP. If it happened to Sun it's not such a big deal, they just release a patch for the Solaris kernel that takes care of it (either through OS workarounds or microcode patching, or both).

Grrr

[KZigurs]

Ok, big deal. All just because Microsoft decided to push microcode update thru windows update.

Any, _ANY_* CPU manufactured under the sun for quite a few years already has had some issues in the silicon. Some of those are more publicly announced, some not, but regardless almost any of them has had the issues fixed by means of pushing CPU software update with the help of the bios. Ugly, yes, why do you think, your BIOS [update] is the size it is, but it works and generally there is no fuss about it.

Also, quite a few operating systems know about the most critical/unfixable bugs and work around them. Simple as that, see 'cat /proc/cpuinfo | grep bug' if you don't believe me.

nonissue.

And all that fuss just because M$ decided that they could actually try to push it forwards as it probably was affecting windows. Not everyone updates bios on a daily basis.

failure equals success

[epine]

I don't think people on this thread have the correct conceptual understanding of the bugs reported. For the Core architecture, Intel sets design targets for performance and power consumption and time to market to kick AMD's backside, which they have done successfully. In order to achieve power consumption targets, they almost certainly designed Core with fewer pipeline stages than the Pentium IV, while requiring the complexity level in each pipeline stage to rise to achieve a higher IPC. They also decided to do some fancy things with the L2 cache to enhance dual core performance levels. I'm quite certain that Intel engineers working on various design problems discovered they couldn't meet their functionality, power consumption, circuit area, and timing constraints that the business objectives for Core mandated. Then after a lot of head scratching, the engineer cleverly discovers that if they change the logical requirements in very subtle ways that some clever circuit does meet those targets. Do the subtle logical changes violate the x86 functional requirements? The supervisory team meets to hash this out. The proposed design passes all the simulator compliance tests. Some engineer speaks up "well, in theory, it could matter in some situation, depending on a lot of complex things". That engineer is soon shouted down with a lot of hard headed business rational about kicking AMD's butt. The Core Duo design project races to conclusion and achieves all its business objectives. The chips sell like hotcakes. Then slowly it begins to trickle out that all of these subtle logic design short-cuts actually do matter in various situations both imagined and not imagined. Surpise: some of them can't be fixed in software or with microcode or BIOS updates even in principle. Oh crap! And we already sold so many of these and made such a fabulous profit, whatever are we going to do now?

Many of these errata are not mysterious problems with the implementation process. They are cleverly conceived deliberate tweaks to the logical requirements that enabled Intel to make the chip faster and sooner and cheaper to achieve a short term business advantage at unknown cost to the end consumer at the end of the day. Intel was desperate for a design victory over AMD. They got one. And this was the cost: ten of millions of end customers now owning systems that can't be properly secured by any reasonable means.

Nothing to do with Core2.

[Ayanami+Rei]

Everything to do with the Q965 chipset.

I wonder how his stuff relates to microkernels

[synthespian]

How about microkernels?

Are they better at surviving these attacks?

Re:UGH!! Just bought Core 2

[sandmaninator]

I am in EXACTLY the same boat dude! Finished the build yesterday! Dont worry about this CPU SNAFU man, the dude abides... the dude abides...

That reminds me...

[e40]

When I was 18 and still living at home, my family had some guests from out of town. One of the guests, Martin, was in town for the (1978?) SciFi convention in Lake Tahoe. The night before my friend's father was to leave, I was up late. I had the phone in my room (we had a 30' extension... man, those days before cordless were fun!) and it rang at about, oh, 2am. Now, this never happened in our house. Ever. I answered it and said hello. What I got back stunned me. "Is Martin there?" "Yeah, but, like, he and everyone else in the house are asleep... it's 2am." "Please tell him I'm on the phone." "OK, and who are you?" "Harlan Ellison." "OK, I'll tell him."

At that point I had read a lot of his stuff, but I was too chicken to say so.

The next day I got to drive Martin to Oakland so he could hitch a ride with Robert Silverberg. But, that's a another, very interesting story...

Core 2 Duo is not just in personal computers

If it crashes, just reboot it.

Clearly you're a Windows user, without a clue about the rest of the world.

I guess you'll be totally happy when the server of the MMOG you're playing crashes, or when your credit card transactions abort during withdrawal, or when your payments get lost, or your online ordering mysteriously fails.

"Just reboot it" is the most moronic thing I've heard for a long time.

Reverse Engineer The Microcode

[QuantumG]

If someone out there thinks they have the necessary skills (say, you can write your own bootloader if you wanted to) and wants to take on this issue, drop me an email, I have a few ideas how you might go about it.

Errata causing the uproar is AI91

AI91. Update of Attribute Bits on Page Directories without Immediate TLB
Shootdown May Cause Unexpected Processor Behavior.

That's the one that Microsoft was worried about. The problem doesn't affect Linux as it doesn't reduce the privilege of upper-level paging structures without flushing all of the affected TLB entries.

Re:Summary sucks, someone please provide better on

[bl8n8r]

from what I gather...

the MMU simply does not operate as specified
The way the cpu handles memory accesses is borked, or to put it another way:
Deer vey dee zpu verks ees borkin borked.

a write-protect or non-execute bit for a page table entry is ignored
When the cpu is told not to execute the stack, it will anyway.

..outside of the range of permitted writing for the process
This program has performed and illegal instruction. Please tell Microsoft about this problem..

All of this is just unbelievable to many of us.
d00d wtf !?

Re:Intentional?

Would it make you really happy if you were responding to a mentally unstable individual who actually went and self-immolated in front of the UN building?

If you keep saying this kind of destructive shit, one day some lunatic will take you up on it. How will you feel then?

Re:Intentional?

How will you feel then?

Like it was bound to happen some time anyway.

Re:Summary sucks, someone please provide better on

[innocent_white_lamb]

I believe that the CPU would return to its original state after being powered down and back up.
 
You didn't mention that part, but it's worth noting.
 
It could bring down your box, but it wouldn't brick the hardware.
 
Still not a Martha Stewart "good thing", though.

Re:Summary sucks, someone please provide better on

[Billly+Gates]

A spammer/spyware writter could just rewrite the MBR to load its microcode.

ALso I wonder if its possible to use this to run windows in a virtual machine and not be able to delete the rootkits these spyware makers are making.

Scary indeed.

Re: Congratulations

[Douglas+Goodall]

Thank you for your response. You are obviously much smarter than I am and my well considered response has no value in the light of your brilliance.

Re:Yay Sun

[Thundersnatch]

My UltraSPARC boxes just seemed to be running better after hearing this news. :)

Better, perhaps, but still about 1/3* of the speed of my Intel Xeon X5365-based system. Who cares if it's correct, so long as it's fast?

*based on Multi-threaded SPECintRate 2006 benchmark for two-socket systems

Re:Yay Sun

[CompMD]

I use the Suns for structural and computational fluid dynamics analysis of prototype aircraft. Clients aren't particularly picky about speed, and neither am I. We are however, picky about numbers being correct. People aren't fond of airplanes falling out of the sky.

O RLY

[p3d0]

The Pentium and Core processors' huge sales mean that Intel has more debugging resources to throw at debugging the "RISC portion" than most companies have for their entire processor.

Also, you say the "RISC portion" is a false dichotomy, but (even though you were the one who first made that distinction) it's not false at all. There is a separate physical part of the chip that cracks CISC instructions into RISC, and the rest of the chip is a RISC processor. Its a completely valid dichotomy.

The bottom line is, we're both making unfounded claims. If your assertion were true, then there should be some evidence that makers of RISC chips produce fewer errata, all else being equal. If you can find some evidence, I will humbly beg your forgiveness.

Hoist?

[p3d0]

I think the word you're looking for is foist.

Re:Hoist?

[Viv]

That would work too, but I was envisioning lifting it up and dropping it on us, hence hoist ;)