• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Intel Processors Hit by "Lazy FP State Restore" Vulnerability

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,300 (7.53/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
Security researchers have discovered a vulnerability affecting all modern Intel Core and Xeon processors, which is an exploit of a performance optimization feature called "lazy FP state restore," which can be exploited to sniff out sensitive information, including cryptographic keys used to protect sensitive data. The flaw affects all x86 micro-architectures by Intel, "Sandy Bridge" and later.

The "lazy FP state restore" feature is a set of commands used to temporarily store or restore the FPU states of applications running "lazily" (as opposed to "eagerly"). Red Hat put out an advisory stating that numbers held in FPU registers could be used to access sensitive information about the activities of other applications, including encryption keys. Intel began working with popular OS vendors to quickly roll out software patches against the vulnerability.



View at TechPowerUp Main Site
 

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,300 (7.53/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
One by one, all of the secret-sauce features that made Intel processors faster than AMD are turning out to be exploitable; and being neutered by software patches.
 
Joined
Jul 16, 2014
Messages
8,219 (2.16/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Hopefully that will get fixed in the new architecture, Intel Core Cascade Fake. :D
 
Joined
Aug 13, 2010
Messages
5,481 (1.04/day)
One by one, all of the secret-sauce features that made Intel processors faster than AMD are turning out to be exploitable; and being neutered by software patches.

I didn't know that insanely low latency between cores, high IPC, post 4.5Ghz operating frequency and software optimizations by software makers are all exploitable.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.87/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) ASUS ROG Strix XG27UQR (4K, 144Hz, G-SYNC compatible) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair AX1600i
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
Since Sandy Bridge - that's my CPU a security risk then. :rolleyes:
 

the54thvoid

Super Intoxicated Moderator
Staff member
Joined
Dec 14, 2009
Messages
13,120 (2.39/day)
Location
Glasgow - home of formal profanity
Processor Ryzen 7800X3D
Motherboard MSI MAG Mortar B650 (wifi)
Cooling be quiet! Dark Rock Pro 4
Memory 32GB Kingston Fury
Video Card(s) Gainward RTX4070ti
Storage Seagate FireCuda 530 M.2 1TB / Samsumg 960 Pro M.2 512Gb
Display(s) LG 32" 165Hz 1440p GSYNC
Case Asus Prime AP201
Audio Device(s) On Board
Power Supply be quiet! Pure POwer M12 850w Gold (ATX3.0)
Software W10
Just like prior AMD concerns, what is required to access this flaw? So many of these are found in highly specific, isolated environments, that are unrealistic to implement.

I'm more concerned about the router hack that is under FBI investigation right now...
 
Joined
Apr 12, 2013
Messages
7,563 (1.77/day)
I didn't know that insanely low latency between cores, high IPC, post 4.5Ghz operating frequency and software optimizations by software makers are all exploitable.
Then you must've missed meltdown & spectre :ohwell:
 
Joined
Apr 19, 2018
Messages
1,227 (0.50/day)
Processor AMD Ryzen 9 5950X
Motherboard Asus ROG Crosshair VIII Hero WiFi
Cooling Arctic Liquid Freezer II 420
Memory 32Gb G-Skill Trident Z Neo @3806MHz C14
Video Card(s) MSI GeForce RTX2070
Storage Seagate FireCuda 530 1TB
Display(s) Samsung G9 49" Curved Ultrawide
Case Cooler Master Cosmos
Audio Device(s) O2 USB Headphone AMP
Power Supply Corsair HX850i
Mouse Logitech G502
Keyboard Cherry MX
Software Windows 11
So Intel stopped designing new CPU's years ago, ever since giving us valued customers 3-6% IPC increases each "generation" of the Core2 architecture, then with these vulnerabilities comes with it the news that these optimizations are half assed, and open the CPU up to security flaws...

If Intel are not careful, all those "massive" 3-6% improvements dating back the last 10 years or so will be gone, and we will be back to 2008 performance levels, with our shiny "new" and very expensive CPUs.
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
13,171 (2.79/day)
Location
Concord, NH, USA
System Name Apollo
Processor Intel Core i9 9880H
Motherboard Some proprietary Apple thing.
Memory 64GB DDR4-2667
Video Card(s) AMD Radeon Pro 5600M, 8GB HBM2
Storage 1TB Apple NVMe, 4TB External
Display(s) Laptop @ 3072x1920 + 2x LG 5k Ultrafine TB3 displays
Case MacBook Pro (16", 2019)
Audio Device(s) AirPods Pro, Sennheiser HD 380s w/ FIIO Alpen 2, or Logitech 2.1 Speakers
Power Supply 96w Power Adapter
Mouse Logitech MX Master 3
Keyboard Logitech G915, GL Clicky
Software MacOS 12.1
numbers held in FPU registers could be used to access sensitive information about the activities of other applications, including encryption keys.
Quick question. Why the hell is an encryption key stored in a FP register? You need exact math for crypto which usually means integer/fixed point. If anything, encryption keys would be stored in an integer register if the register was big enough. I don't know about the rest of you, but most of my keys that I generate myself are 8192 bits long which is a whole lot bigger than FP or integer registers are. Something about this doesn't smell right.

@btarunr, is there a link you can share?

Edit: Found one: https://www.phoronix.com/scan.php?page=news_item&px=Lazy-State-Restore-Spec-Exec

Edit 2: ...and this one: https://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html

Note how neither of those links say anything about leaking encryption keys but rather just exposing FP register state. Is it a possible vulnerability, yes. Is it going to leak encryption keys? Probably not.
 
Last edited:
Joined
Dec 6, 2016
Messages
748 (0.25/day)
So, it looks like Spectre/Meltdown researchers opened up a massive can of worms. I hope both vendors take security more seriously in the future ...
 
Joined
Jan 8, 2017
Messages
9,505 (3.27/day)
System Name Good enough
Processor AMD Ryzen R9 7900 - Alphacool Eisblock XPX Aurora Edge
Motherboard ASRock B650 Pro RS
Cooling 2x 360mm NexXxoS ST30 X-Flow, 1x 360mm NexXxoS ST30, 1x 240mm NexXxoS ST30
Memory 32GB - FURY Beast RGB 5600 Mhz
Video Card(s) Sapphire RX 7900 XT - Alphacool Eisblock Aurora
Storage 1x Kingston KC3000 1TB 1x Kingston A2000 1TB, 1x Samsung 850 EVO 250GB , 1x Samsung 860 EVO 500GB
Display(s) LG UltraGear 32GN650-B + 4K Samsung TV
Case Phanteks NV7
Power Supply GPS-750C
Quick question. Why the hell is an encryption key stored in a FP register? You need exact math for crypto which usually means integer/fixed point. If anything, encryption keys would be stored in an integer register if the register was big enough. I don't know about the rest of you, but most of my keys that I generate myself are 8192 bits long which is a whole lot bigger than FP or integer registers are. Something about this doesn't smell right.

You do not need a 8192 bit wide register to compute 8192 bit wide calculations , you just need a huge sequence of operations involving smaller registers. And then if you have access to them you can easily infer what those huge numbers are from observing that series of results coming of those registers. Compilers do this all the time when you try , for example to do 64 bit math on 32 bit capable machines. If you look at the machine code generated by it , you can tell where that 64 bit calculation took place even though it involved only 32 bit registers.


Note how neither of those links say anything about leaking encryption keys but rather just exposing FP register state.

Well , that's the whole point of it , you don't need to get the key in it's entirety , you just need to know what was in those registers at the right time.
 
Last edited:
Joined
Dec 22, 2011
Messages
3,890 (0.82/day)
Processor AMD Ryzen 7 3700X
Motherboard MSI MAG B550 TOMAHAWK
Cooling AMD Wraith Prism
Memory Team Group Dark Pro 8Pack Edition 3600Mhz CL16
Video Card(s) NVIDIA GeForce RTX 3080 FE
Storage Kingston A2000 1TB + Seagate HDD workhorse
Display(s) Samsung 50" QN94A Neo QLED
Case Antec 1200
Power Supply Seasonic Focus GX-850
Mouse Razer Deathadder Chroma
Keyboard Logitech UltraX
Software Windows 11
Joined
Apr 12, 2013
Messages
7,563 (1.77/day)
More info, straight from the horse's mouth. So I guess lazy FP restore isn't an AMD thing, that's why they're not vulnerable.
Intel LazyFP vulnerability: Exploiting lazy FPU state switching

Posted on June 6, 2018 by Thomas Prescher, Julian Stecklina, Jacek Galowicz

After Meltdown (see also our article about Meltdown) and Spectre, which were publicly disclosed in January, the Spectre V3a and V4 vulnerabilities followed in May (see also our article about Spectre V4). According to the German IT news publisher Heise, the latter might be part of 8 new vulnerabilities in total that are going to be disclosed in the course of the year.
Earlier this year, Julian Stecklina (Amazon) and Thomas Prescher (Cyberus Technology) jointly discovered and responsibly disclosed another vulnerability that might be part of these, and we call it LazyFP. LazyFP (CVE-2018-3665) is an attack targeting operating systems that use lazy FPU switching. This article describes what this attack means, outlines how it can be mitigated and how it actually works.
For further details, see the current draft of the lazyFP paper: Link withheld by request from Intel

Please check back regularly, we’re going to update this post in coordination with Intel.

Summary and Implications
The public disclosure of this vulnerability was initially postponed by a typical responsible disclosure information embargo until August, but first rumors led to this date being dropped.
The register state of the floating point unit (FPU), which consists of the AVX, MMX and SSE register sets, can be leaked across protection domain boundaries. This includes leaking across process- and virtual machine boundaries.
The FPU state may contain sensitive information such as cryptographic keys. As an example, the Intel AES instruction set (AES-NI) uses FPU registers to store round keys. It is only possible to exploit when the underlying operating system or hypervisor uses lazy FPU switching.
Users are affected when they run a combination of affected processor and affected operating systems.
  • Affected operating systems:
    • Currently withheld by request from Intel
  • Affected CPUs when affected operating system or hypervisor is used:
    • Currently withheld by request from Intel
Mitigation requires system software to use eager FPU switching instead of lazy FPU switching.

External References

Technical Background
This vulnerability is similar to Meltdown (CVE-2017-5754). While Meltdown allowed to read protected memory contents from a user space program, this new attack allows to read certain register contents across protection domain boundaries.
Further explanation withheld by request from Intel.​
To have a better understanding of how this attack actually works, it is necessary to dive deeper into the inner workings of the x86 FPU, and how it is used by operating systems.

The Floating Point Unit (FPU)
In the early days of x86, the FPU (also called math coprocessor) was an external co-processor that could be added to Intel’s now widely adopted x86 processor architecture. The Intel 8087 was the first floating point math co-processor of this kind. The purpose of this extension was to accelerate mathematical operations on floating point numbers, such as division and multiplication. With the Intel 486DX CPU model (released in 1989), the FPU got integrated into the microchip itself. This way, no additional co-processor was needed anymore.
Over the years, the processor was extended to support Single Instruction, Multiple Data (SIMD) instruction sets, i.e. MMX/SSE/AVX. SIMD instructions perform the same mathematical operation on multiple pairs of operands at the same time in order to improve performance. Each of these instruction set extensions introduced new register sets that continue to be managed as part of the FPU register state. On recent Intel processors, the FPU register state can contain more than 2 kB of data (AVX2 offers 32 registers of 512 byte, each, which translates into 2 kB additional processor state). Due to the usefulness of these instructions this register set may contain not only floating point values but also other data as e.g. integer values.

Loading and Storing the FPU state
To enable multi-tasking, operating systems periodically interrupt processes to give other processes a chance to run. Otherwise a single process that loops forever could grind the system to a halt.
When the operating system switches from one process to another, it needs to save the state of the previous process and restore the state of the process that is about to be run. This state consists of the values stored in general purpose registers and FPU registers.
The x86 instruction architecture provides several instructions to load/store the register state of the FPU from/to memory. We already know about the large size of the FPU state, hence it is pretty obvious that one does not want to read and write such amounts of data on every context switch unless it is actually necessary, because not all processes use the FPU.

Eager and Lazy FPU Switching
Eager FPU switching is comparable to saving the general purpose register state on a context switch. For each process, the operating system reserves an area in memory to save the FPU state. When switching from one process to another, it executes an FPU store instruction to transfer the current FPU content to the state save area. It then loads the new FPU state from the state save area of the process that is about to be scheduled.
Lazy FPU switching optimizes this procedure for the case where not every process uses the FPU all the time.
After a context switch, the FPU is disabled until it is first used. Only then, the old FPU state will be saved, and the correct one restored from memory. Up to this point, the FPU keeps the register state of the process or VM that used it last.
To implement this optimization, the operating system kernel temporarily disables the FPU by setting a certain control register bit (CR0.TS). If this bit is set, any attempt to access the FPU will cause an exception (#NM, Device Not Available, No Math Coprocessor). When the exception occurs, the kernel can save the old state to the respective state area and restore the state of the current process. Processes that simply do not use the FPU will never trigger this exception and hence never trigger FPU state stores and loads.
Starting with the introducton of the x86-64 architecture, the presence of at least some SIMD instruction set extensions is mandated and their use has become more widespread. As such the underlying assumption of lazy FPU switching is not valid anymore. The performance gain by lazy FPU switching has become negligible, and some kernels already removed it in favor of eager switching.

The Attack
This section is currently withheld by request from Intel.​

Mitigation

Using GNU/Linux with kernel versions >= 3.7, this attack can be mitigated by adding “eagerfpu=on” to the kernel’s boot parameters. We are not aware of a workaround for older versions. For all other operating systems: install the official update(s) from the vendor.
We are not aware of a performance penalty caused by using eager FPU switching. The commit message of the Linux kernel patch that made eager FPU switching the default on Linux systems even points out that the assumptions which justified lazy FPU switching in the past do not hold any longer on the majority of modern systems.

Cyberus Technology GmbH



So erreichen Sie uns
 
Joined
Mar 7, 2010
Messages
993 (0.18/day)
Location
Michigan
System Name Daves
Processor AMD Ryzen 3900x
Motherboard AsRock X570 Taichi
Cooling Enermax LIQMAX III 360
Memory 32 GiG Team Group B Die 3600
Video Card(s) Powercolor 5700 xt Red Devil
Storage Crucial MX 500 SSD and Intel P660 NVME 2TB for games
Display(s) Acer 144htz 27in. 2560x1440
Case Phanteks P600S
Audio Device(s) N/A
Power Supply Corsair RM 750
Mouse EVGA
Keyboard Corsair Strafe
Software Windows 10 Pro
Joined
Aug 14, 2009
Messages
216 (0.04/day)
Location
Denmark
System Name Bongfjaes
Processor AMD 3700x
Motherboard Assus Crosshair VII Hero
Cooling Dark Rock Pro 4
Memory 2x8GB G.Skill FlareX 3200MT/s CL14
Video Card(s) GTX 970
Storage Adata SX8200 Pro 1TB + Lots of spinning rust
Display(s) Viewsonic VX2268wm
Case Fractal Design R6
Audio Device(s) Creative SoundBlaster AE-5
Power Supply Seasonic TTR-1000
Mouse Pro Intellimouse
Keyboard SteelKeys 6G
"The public disclosure of this vulnerability was initially postponed by a typical responsible disclosure information embargo until August,"

Just in time to release another CPU with the bug and go "lol, oops."
 
Joined
Oct 1, 2006
Messages
4,934 (0.74/day)
Location
Hong Kong
Processor Core i7-12700k
Motherboard Z690 Aero G D4
Cooling Custom loop water, 3x 420 Rad
Video Card(s) RX 7900 XTX Phantom Gaming
Storage Plextor M10P 2TB
Display(s) InnoCN 27M2V
Case Thermaltake Level 20 XT
Audio Device(s) Soundblaster AE-5 Plus
Power Supply FSP Aurum PT 1200W
Software Windows 11 Pro 64-bit
I didn't know that insanely low latency between cores, high IPC, post 4.5Ghz operating frequency and software optimizations by software makers are all exploitable.
Some of that high IPC might have came from cutting corners in security.
Software optimizations, in this case god knows what the software companies put in their bloatware anyway.
I am not saying this is definitely the case, but exploitable? Apparently yes.
 
Last edited:
Joined
Aug 13, 2010
Messages
5,481 (1.04/day)
Some of that high IPC might have came from cutting corners in security.
Software optimizations, in this case god knows what the software companies put in their bloatware anyway.
I am not saying this is definitely the case, but exploitable? Apparently yes.

The idea behind my somewhat sarcastic comment was to counter the ridicules claim that Intel's performance edge will disappear after a few security patches.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,865 (2.87/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) ASUS ROG Strix XG27UQR (4K, 144Hz, G-SYNC compatible) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair AX1600i
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
The idea behind my somewhat sarcastic comment was to counter the ridicules claim that Intel's performance edge will disappear after a few security patches.
I'm not able to graph it right now, but this is the result after applying all security patches to Intel processors in a benchmark:

Intel's fastest fancy million core Xeon CPU: 500 points
Any AMD CPU: 1200 points

As you can see, critical damage has been done to Intel.
 
Joined
Jun 12, 2017
Messages
136 (0.05/day)
One by one, all of the secret-sauce features that made Intel processors faster than AMD are turning out to be exploitable; and being neutered by software patches.
Smell of ignorance there. Do you keep a clear account of how many optimizing features Intel kept?
 
Joined
Oct 22, 2014
Messages
14,170 (3.81/day)
Location
Sunshine Coast
System Name H7 Flow 2024
Processor AMD 5800X3D
Motherboard Asus X570 Tough Gaming
Cooling Custom liquid
Memory 32 GB DDR4
Video Card(s) Intel ARC A750
Storage Crucial P5 Plus 2TB.
Display(s) AOC 24" Freesync 1m.s. 75Hz
Mouse Lenovo
Keyboard Eweadn Mechanical
Software W11 Pro 64 bit
Joined
Feb 1, 2013
Messages
1,270 (0.29/day)
System Name Gentoo64 /w Cold Coffee
Processor 9900K 5.2GHz @1.312v
Motherboard MXI APEX
Cooling Raystorm Pro + 1260mm Super Nova
Memory 2x16GB TridentZ 4000-14-14-28-2T @1.6v
Video Card(s) RTX 4090 LiquidX Barrow 3015MHz @1.1v
Storage 660P 1TB, 860 QVO 2TB
Display(s) LG C1 + Predator XB1 QHD
Case Open Benchtable V2
Audio Device(s) SB X-Fi
Power Supply MSI A1000G
Mouse G502
Keyboard G815
Software Gentoo/Windows 10
Benchmark Scores Always only ever very fast
Pretty soon, with all the "security" patches, our desktop CPUs will run like server molasses. Probably worse, due the mitigation being almost entirely in software.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
42,630 (6.68/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
And I guess in town knew about this one before they launch the processors way back then too
 
Joined
Mar 29, 2018
Messages
590 (0.24/day)
key thing I see from all this stuff is how a lot of posters say ''upgrading '' $$$$ I now wonder with how it is with this computer hardware and all if all this is a scare tactic to help insure you keep upgrading fast instead of keep running your older works well today hardware . like that spector and meltdown thing , how many post around the forums do you see a lot of folks being affected by it and suffered to have ot go ''upgrade '' $$$ ? . its all now about how much faster they can dupe you in to spending more of your money to them as fast as you can ? if we can dupe you in to a scare tactic to get you to upgrade in 1 or 2 years instead of 4 or 5 ?? ya, .
 
Top