OpenBSD Journal
Matthew Dillon on Intel Core Bugs
Contributed by deanna on Sat Jun 30 13:24:18 2007 (GMT)
from the interesting dept.

Buried deep in a pile of Slashdot comments, Matthew Dillon of DragonFly gives a detailed assessment of the Intel Core bugs. While a lot of news sites and bloggers were quick to dismiss the issue as inflated, Dillon's comments provide a much closer look at the actual issues.

"So, in summary, AE3 scares the hell out of me, and for the others AE5, AE8, AE21, and AE30 look serious."

His comments are actually so detailed that it's impractical to reproduce them here. The ones he mentions specifically:

AE3 - POPF/POPFD that sets the trap flag (aka when single-stepping a program) may cause unpredictable behavior. Holy shit. This one is serious.

AE5 - Memory aliasing with inconsistent dirty and Access bits may cause a processor deadlock. This means a PTE with 'D'irty set but with 'A'ccess not set. FreeBSD and DragonFly always set the A bit when setting the D bit and will not be affected but I don't know about other OSs. This is a very serious bug though.

AE8 - FXSAVE after FNINIT without an intervening FP instruction may save uninitialized values for FDP and FDS. This isn't an issue unless the data being written represents a security leak of some sort, such as a portion of the state of another program's FP unit. This could be a security issue with regards to one program snooping another program's cryptography. Statistical snooping possible through this sort of mechanic has been shown to be effective in recent years.

AE21 - The execution disable bit is shared between cores. I'm not sure what this means but Intel seems to think that it compromises an anti-hacker feature. Sounds pretty serious.

AE30 - Global pages in the DTLB may not be flushed by RSM instructions before restoring the architectural state from SMRAM. This is catastrophic for any software that uses global pages in SMM mode. It means that no software can use global pages in SMM mode. Operating systems usually do not have any control over what is run in SMM mode so this is a BIOS issue for the most part.
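The AE5 precondition Dillon describes (a PTE with D set but A clear) can be checked as an invariant over a page table. The following is an added example, not code from the post, from Dillon, or from FreeBSD/DragonFly; the function names and the sample table are constructed for illustration, and it checks only the D-without-A condition, not the aliasing part of the erratum.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86 PTE flag bits. */
#define PTE_P (1ULL << 0)  /* present  */
#define PTE_A (1ULL << 5)  /* accessed */
#define PTE_D (1ULL << 6)  /* dirty    */

/* Mark a PTE dirty without ever leaving A clear, the behaviour the post
 * attributes to FreeBSD and DragonFly. Hypothetical helper name. */
uint64_t pte_mkdirty(uint64_t pte)
{
    return pte | PTE_D | PTE_A;
}

/* Non-zero for a present entry with D set and A clear. */
int pte_dirty_not_accessed(uint64_t pte)
{
    return (pte & PTE_P) && (pte & PTE_D) && !(pte & PTE_A);
}

/* Scan n entries; store up to max offending indices, return total found. */
size_t audit_table(const uint64_t *pt, size_t n, size_t *bad, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (!pte_dirty_not_accessed(pt[i]))
            continue;
        if (found < max)
            bad[found] = i;
        found++;
    }
    return found;
}

/* Constructed sample table, not taken from any real system. */
static const uint64_t sample_pt[5] = {
    0x1000ULL | PTE_P,                 /* clean                  */
    0x2000ULL | PTE_P | PTE_A,         /* accessed only          */
    0x3000ULL | PTE_P | PTE_A | PTE_D, /* dirty, consistent      */
    0x4000ULL | PTE_P | PTE_D,         /* D without A            */
    0x5000ULL | PTE_D,                 /* not present: ignored   */
};

int main(void)
{
    size_t bad[4];
    size_t n = audit_table(sample_pt, 5, bad, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("PTE %zu: D set without A\n", bad[i]);
    return n ? 1 : 0;
}
```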



  Re: Matthew Dillon on Intel Core 2 Bugs (mod 2/54)
by Anonymous Coward (cnst) on Sat Jun 30 13:09:05 2007 (GMT)
  thanks, Deanna, nice catch!

  Some other insight, while we're quoting Slashdot (mod -2/58)
by Anonymous Coward (71.232.225.252) on Sat Jun 30 14:48:18 2007 (GMT)
  AE3: "unpredictable behavior" is just marketing speak meaning that it doesn't perform exactly to spec. It doesn't mean "flip the processor into supervisor mode" or "turn paging off". Here it is likely something more like you can take a single-step exception immediately after doing a POPF instruction instead of after the following instruction. There are likely other factors that have to coincide for this to be the case.

AE5: "may cause" implies that there are other factors involved (i.e. simply having the dirty bit set but not the accessed bit set won't cause the problem).

AE21: to me, this means that clearing the EFER.NXE bit on one core will clear it for the other core (in a dual-core chip, of course). Of course, setting it on one would then set it on the other as well.

  Re: Matthew Dillon on Intel Core Bugs (mod -2/56)
by Curt Micol (207.179.121.219) (asenchi@asenchi.com) on Sun Jul 1 01:42:29 2007 (GMT)
  I am very glad he went through these. We need more people standing up for open source and not writing off Theo as a retard, which seems to be the way most people handle his comments.

Thank you Matt, and thank you Theo & devs for standing up for all of open source and fighting ridiculous bugs and companies.

  Re: Matthew Dillon on Intel Core Bugs (mod 2/58)
by Anonymous Coward (216.68.198.57) on Sun Jul 1 05:07:09 2007 (GMT)
  Interesting and scary stuff.

Always more to learn, find, research, or whatever. Now looking at if there are any serious OSS CPU/motherboard diagnostic programs? Sure, one might be able to write some tests, but sure would be nice if CPU manufacturers gave out their programs for this. I guess OpenBSD has spoiled me into wanting it all, for free.

Don't want anymore foof bugs or haunted computers.

  Goodbye, Intel Core 2--Hello, VIA C7! (mod 11/51)
by Anonymous Coward (70.169.167.212) on Sun Jul 1 21:27:07 2007 (GMT)
  Hmm...looks like the VIA C7 just got another reason to be considered. Of course an Intel Core 2 Duo will outrun it, clock for clock. But then, if you're doing crypto and want to do so on a budget, VIA's crypto engine is said by Theo, et al. to be the fastest they've ever worked with.

Reasons to use a VIA C7:

1.) Good (not great, but good) general all-around performance. At 2GHz, it actually makes a fine desktop box CPU.

2.) *Astonishing* crypto performance. If you're building a VPN gateway, the C7 kicks butt. After reading the OpenBSD team's testimonial about the C3, I made an IPSec gateway out of a C7, and yes, it does rock. Totally blows away anything from Intel and AMD.

3.) Very low power usage. When the chip's running *at full tilt*, it uses 20W. That's less than even the Pentium M.

4.) The ability to run the thing fanless. Granted that the 2GHz version needs a fan, but the 1GHz version--and all of the Eden lines--do not. That's a good thing, especially for a firewall and/or VPN gateway.

5.) Reasonable cost. A motherboard/CPU combination for 1.5GHz can be had for about $230 as of today, 1 July 2007. The 2GHz version isn't much more.

6.) As with the AMD CPUs, I've not heard that the C7 is susceptible to these problems that plague the Core 2 Duo.

  Re: Matthew Dillon on Intel Core Bugs (mod 1/45)
by Anonymous Coward (83.14.141.170) on Mon Aug 27 22:55:27 2007 (GMT)
  Do those bugs appear on Core Duo and Core 2 Duo? Or only on Core 2 Duo?
