AMD Quietly Patched Four Major GPU Security Vulnerabilities with Radeon 20.1.1 Drivers

Joined
Nov 20, 2012
Messages
422 (0.10/day)
Location
Hungary
System Name masina
Processor AMD Ryzen 5 3600
Motherboard ASUS TUF B550M
Cooling Scythe Kabuto 3 + Arctic BioniX P120 fan
Memory 16GB (2x8) DDR4-3200 CL16 Crucial Ballistix
Video Card(s) Radeon Pro WX 2100 2GB
Storage 500GB Crucial MX500, 640GB WD Black
Display(s) AOC C24G1
Case SilentiumPC AT6V
Power Supply Seasonic Focus GX 650W
Mouse Logitech G203
Keyboard Cooler Master MasterKeys L PBT
Software Win 10 Pro
right... and you are complaining about it in a thread that informs you about the fixed vulnerabilities while you have a 1060 in your system specs.. makes a lot of sense.. in some universe.

What has this anything to do with the fact that I have a GTX 1060 in my rig?
Me owning a GeForce card makes my statement somehow less true?
If I were using an RX 580 then my opinion on the matter would turn magically valid? I'm confused. :confused:


Were there security holes? Yes.
Were they in the release notes? No.
Did they fix them? Yes.
Would you have known to update for security problems you didn't even know you had? Double No.

So it might not make a lot of sense to you, but for me it makes sense to get informed on security problems preferably directly from the HW vendors that I'm using and not through an IT news portal sourcing a 3rd party source, that I might want to update drivers in the foreseeable future.
 
Joined
Jan 2, 2019
Messages
155 (0.07/day)

Attachments

  • AMD CPUs Problem.jpg
Joined
May 12, 2015
Messages
88 (0.03/day)
Location
N/A
Processor AMD Ryzen 5 5600
Motherboard ASRock B550M PRO4
Cooling DeepCool AK620
Memory Kingston FURY™ Beast DDR4 3200MT/s DDR4 8 GB x 2 CL16-18-18
Video Card(s) SAPPHIRE NITRO+ RX 5700 XT 8GB
Storage SAMSUNG 850 PRO 256 GB
Display(s) HP Compaq LA2306x
Case N/A
Audio Device(s) GAMDIAS HEPHAESTUS E1
Power Supply DeepCool PM750D 750W Gold Rated PSU
Mouse Cougar Minos X2
Keyboard Corsair K70 MX RED
Software Windows 11 22H2
This is a software shader compiler bug, no gpu hardware is involved. Hence no penalty.

Okay, that's reassuring.
 
Joined
Jun 10, 2014
Messages
2,995 (0.78/day)
Processor AMD Ryzen 9 5900X ||| Intel Core i7-3930K
Motherboard ASUS ProArt B550-CREATOR ||| Asus P9X79 WS
Cooling Noctua NH-U14S ||| Be Quiet Pure Rock
Memory Crucial 2 x 16 GB 3200 MHz ||| Corsair 8 x 8 GB 1333 MHz
Video Card(s) MSI GTX 1060 3GB ||| MSI GTX 680 4GB
Storage Samsung 970 PRO 512 GB + 1 TB ||| Intel 545s 512 GB + 256 GB
Display(s) Asus ROG Swift PG278QR 27" ||| Eizo EV2416W 24"
Case Fractal Design Define 7 XL x 2
Audio Device(s) Cambridge Audio DacMagic Plus
Power Supply Seasonic Focus PX-850 x 2
Mouse Razer Abyssus
Keyboard CM Storm QuickFire XT
Software Ubuntu
One thing that puzzles me is that the source mentions HLSL and WebGL, while the only browser that uses HLSL with WebGL is Edge, which is being phased out. Since HLSL and GLSL are fairly similar (probably also on the compiler side), I do wonder if this potentially could be exploited in GLSL as well.

One important thing to keep in mind when hearing about vulnerabilities and claims of "arbitrary code execution" is that in most cases it only means they have found a buffer overflow problem, which in theory can lead to arbitrary code execution without protections, therefore concluding that this vulnerability can do that as well. All modern desktop operating systems and hardware have "NX bit" to stop this from happening. There may be embedded systems which lack this kind of protection, but PC owners should not worry about getting compromised; in the worst case they will get stability issues from the kernel terminating the processes, which would of course be annoying.

I would like to know more details about what the underlying problem in the compiler was, and how it was fixed. If this was a concrete logical mistake in the compiler which was properly solved, then all should be good. But if all they did was to add a detection of an edge-case, then they really didn't fix anything, leaving the possibility for a chain of new related problems. (Think of the Spectre bug; the first mitigations only targeted a specific condition, not the underlying cause)

btarunr said:
Even though HLSL shader code looks similar to assembly, it actually is a relatively high-level language that gets optimized and compiled by the graphics driver.
HLSL prior to compilation is pretty close to the C language. Compiled HLSL is an assembly-like intermediate representation (which is what you see in the examples from Talos), which is then compiled yet again for specific GPUs by the driver.
The classification as a "high level language" depends on your convention. Back in the 60s and 70s a "high level language" usually meant anything that was not architecture specific assembly. When programmers today talk about "high level languages", they think of languages like Java, C#, JavaScript etc., and by that standard HLSL would be a "low level language", just like C.
 
Joined
Mar 16, 2017
Messages
2,161 (0.76/day)
Location
Tanagra
System Name Budget Box
Processor Xeon E5-2667v2
Motherboard ASUS P9X79 Pro
Cooling Some cheap tower cooler, I dunno
Memory 32GB 1866-DDR3 ECC
Video Card(s) XFX RX 5600XT
Storage WD NVME 1GB
Display(s) ASUS Pro Art 27"
Case Antec P7 Neo
I'm on version 19.12.2 drivers, and it doesn't recommend anything unless I enable "optional" updates. Seems like really strange behavior if there are vulnerabilities that should be patched.
 
Joined
Nov 4, 2005
Messages
12,015 (1.72/day)
System Name Compy 386
Processor 7800X3D
Motherboard Asus
Cooling Air for now.....
Memory 64 GB DDR5 6400Mhz
Video Card(s) 7900XTX 310 Merc
Storage Samsung 990 2TB, 2 SP 2TB SSDs, 24TB Enterprise drives
Display(s) 55" Samsung 4K HDR
Audio Device(s) ATI HDMI
Mouse Logitech MX518
Keyboard Razer
Software A lot.
Benchmark Scores Its fast. Enough.
I'm on version 19.12.2 drivers, and it doesn't recommend anything unless I enable "optional" updates. Seems like really strange behavior if there are vulnerabilities that should be patched.


It may only apply to certain hardware functions on certain cards, running in certain environment.

So it could be if you are running Edge, in Windows 7 with hardware that has X spec, then certain websites running malicious code in hardware accelerated code...


So like .0005 percent of all users.
 
Joined
Aug 20, 2007
Messages
21,544 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
That's probably the most intelligent response I have yet to come across in this thread. Yeah, why does AMD even bother to include a release note or a changelog to begin with, they should totally do away with that.

because hiding issues promotes a culture of negligence. There is a reason issues are disclosed upon discovery (after a reasonable fix time, of course) as standard practice. This isn't something some dude thought up in his basement, these are time tested principles.
 
Joined
Jun 25, 2008
Messages
2,441 (0.41/day)
System Name Dell Workstation t5810
Processor Xeon CPU's E5-2683 v4 Broadwell-E Technology
Motherboard Broadwell-E X99
Cooling Default fan System Level 3
Memory 48GB DDR4
Video Card(s) Radeon Pro VII 16GB
Storage 2 Internal SSD, 6 External HDD
Display(s) Dell 27 Inch Monitor
Case Dell Precision 5810
Audio Device(s) RealTek High Definition
Power Supply 825 Watts PSU
Mouse Soundless Black Quiet Mouse
Keyboard Dell Black
Software Windows Pro 10 x64
honestly i didn't notice any of that stuff , i just play games lol
 
Joined
May 12, 2015
Messages
88 (0.03/day)
Location
N/A
Processor AMD Ryzen 5 5600
Motherboard ASRock B550M PRO4
Cooling DeepCool AK620
Memory Kingston FURY™ Beast DDR4 3200MT/s DDR4 8 GB x 2 CL16-18-18
Video Card(s) SAPPHIRE NITRO+ RX 5700 XT 8GB
Storage SAMSUNG 850 PRO 256 GB
Display(s) HP Compaq LA2306x
Case N/A
Audio Device(s) GAMDIAS HEPHAESTUS E1
Power Supply DeepCool PM750D 750W Gold Rated PSU
Mouse Cougar Minos X2
Keyboard Corsair K70 MX RED
Software Windows 11 22H2
because hiding issues promotes a culture of negligence. There is a reason issues are disclosed upon discovery (after a reasonable fix time, of course) as standard practice. This isn't something some dude thought up in his basement, these are time tested principles.

I think you've failed to detect the sarcasm in that comment of mine.

But from your own admission, issues are disclosed upon discovery, so why weren't these vulnerability fixes disclosed? Isn't that the highest form of negligence?
 
Joined
Aug 20, 2007
Messages
21,544 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
But from your own admission, issues are disclosed upon discovery, so why weren't these vulnerability fixes disclosed?

They were. Not by AMD though. People had to watch the issue trackers manually.

I think you've failed to detect the sarcasm in that comment of mine.

Probably, sorry. It is the internet, heh. My bad.
 
Joined
Aug 6, 2017
Messages
7,412 (2.75/day)
Location
Poland
System Name Purple rain
Processor 10.5 thousand 4.2G 1.1v
Motherboard Zee 490 Aorus Elite
Cooling Noctua D15S
Memory 16GB 4133 CL16-16-16-31 Viper Steel
Video Card(s) RTX 2070 Super Gaming X Trio
Storage SU900 128,8200Pro 1TB,850 Pro 512+256+256,860 Evo 500,XPG950 480, Skyhawk 2TB
Display(s) Acer XB241YU+Dell S2716DG
Case P600S Silent w. Alpenfohn wing boost 3 ARGBT+ fans
Audio Device(s) K612 Pro w. FiiO E10k DAC,W830BT wireless
Power Supply Superflower Leadex Gold 850W
Mouse G903 lightspeed+powerplay,G403 wireless + Steelseries DeX + Roccat rest
Keyboard HyperX Alloy SilverSpeed (w.HyperX wrist rest),Razer Deathstalker
Software Windows 10
Benchmark Scores A LOT
>>...AMD Quietly Patched Four Major GPU Security Vulnerabilities

AMD has a very Bad reputation of doing such things and this is Not new for experienced IT professionals. Just read this, please...
care to elaborate what the hell this is ?

What has this anything to do with the fact that I have a GTX 1060 in my rig?
Me owning a GeForce card makes my statement somehow less true?
If I were using an RX 580 then my opinion on the matter would turn magically valid? I'm confused. :confused:


Were there security holes? Yes.
Were they in the release notes? No.
Did they fix them? Yes.
Would you have known to update for security problems you didn't even know you had? Double No.

So it might not make a lot of sense to you, but for me it makes sense to get informed on security problems preferably directly from the HW vendors that I'm using and not through an IT news portal sourcing a 3rd party source, that I might want to update drivers in the foreseeable future.
don't bother responding.
best way to handle such comments is leave them unanswered.
 
Joined
Jan 2, 2019
Messages
155 (0.07/day)
care to elaborate what the hell this is ?


don't bother responding.
best way to handle such comments is leave them unanswered.

Techpowerup removed a description of an OpenCL problem that affects ALL notebooks ( gaming, workstations, etc ) with AMD Ryzen 3, 5 and 7 CPUs. Here it is again:

Attention to
OpenCL ( Open Compute Language ) software developers
AMD's CEO and CTO

We regret to see that AMD quietly stopped supporting CPU-type Compute Devices for OpenCL based Hybrid ( aka Heterogeneous ) processing.
The problem was detected in December 2019 on an ASUS TUF FX505DU Gaming Notebook with an AMD Ryzen 3750H CPU. Initially, it was considered a problem of ASUS but actually this is Not the case. During a recent visit to a nearby BestBuy store the problem was easily seen on MSI, Lenovo, Acer Gaming and HP Envy Notebooks with AMD Ryzen Mobile CPUs.
We contacted AMD's Technical Support and all our attempts to bring that problem to the attention of AMD's Software Engineers failed. Technical Support from AMD's Level 1 couldn't reproduce the problem and responded in a very disrespectful way:
"...Since we can't reproduce the problem this is Not our problem...".
It means, that in case of OpenCL based Hybrid processing on computing systems with:
- AMD Ryzen Mobile CPUs up to 0.5 TFLOPs of processing power is Not used
- AMD Ryzen Desktop CPUs more than 2 TFLOPs of processing power is Not used
- AMD Epyc Server CPUs more than 4 TFLOPs of processing power is Not used
That's a Lot of Processing Power Not used for Hybrid processing ( HPC, gaming, etc ) and, unfortunately, AMD doesn't care about it!
Quality of OpenCL support from AMD is at the lowest level since 2015-2016 and a recent AMD Display driver 26.20.11016.1 disabled NVIDIA's OpenCL Client Driver on an ASUS TUF Gaming system. AMD's Display driver 26.20.11016.1 was rolled back to a driver from the AMD Radeon Adrenalin 19.9.2 package.
Also, AMD stopped supporting AMD Accelerated Parallel Processing SDK ( aka AMD APP SDK ) and the SDK was quietly removed from the AMD's website. All attempts to bring back The Best SDK for OpenCL programming failed.
At the same time NVIDIA and Intel continue to support OpenCL.
For example, on Dell Precision Mobile workstations with Intel CPUs and NVIDIA GPUs all types of OpenCL Compute Devices are available for OpenCL based Hybrid processing.
We really wanted to upgrade current computing systems with Intel CPUs to systems with AMD CPUs ( a resolute departure! ) but due to these problems related to OpenCL support on systems with AMD CPUs all upgrades are on hold...
 
Joined
Aug 6, 2017
Messages
7,412 (2.75/day)
Location
Poland
System Name Purple rain
Processor 10.5 thousand 4.2G 1.1v
Motherboard Zee 490 Aorus Elite
Cooling Noctua D15S
Memory 16GB 4133 CL16-16-16-31 Viper Steel
Video Card(s) RTX 2070 Super Gaming X Trio
Storage SU900 128,8200Pro 1TB,850 Pro 512+256+256,860 Evo 500,XPG950 480, Skyhawk 2TB
Display(s) Acer XB241YU+Dell S2716DG
Case P600S Silent w. Alpenfohn wing boost 3 ARGBT+ fans
Audio Device(s) K612 Pro w. FiiO E10k DAC,W830BT wireless
Power Supply Superflower Leadex Gold 850W
Mouse G903 lightspeed+powerplay,G403 wireless + Steelseries DeX + Roccat rest
Keyboard HyperX Alloy SilverSpeed (w.HyperX wrist rest),Razer Deathstalker
Software Windows 10
Benchmark Scores A LOT
Technical Support from AMD's Level 1 couldn't reproduce the problem and responded in a very disrespectful way:
"...Since we can't reproduce the problem this is Not our problem...".
well, if they can't reproduce it......

and is this laptops, desktop or server? you said laptop, and then mention epyc.

either be more coherent or just leave it.

AMD Display driver 26.20.11016.1 disabled NVIDIA's OpenCL Client Driver

wat ?
 
Joined
Aug 17, 2017
Messages
274 (0.10/day)
"Quietly" patched. As opposed to what? What would they normally do, take to the streets and start screaming like nut cases? :roll:
 
Joined
May 12, 2015
Messages
88 (0.03/day)
Location
N/A
Processor AMD Ryzen 5 5600
Motherboard ASRock B550M PRO4
Cooling DeepCool AK620
Memory Kingston FURY™ Beast DDR4 3200MT/s DDR4 8 GB x 2 CL16-18-18
Video Card(s) SAPPHIRE NITRO+ RX 5700 XT 8GB
Storage SAMSUNG 850 PRO 256 GB
Display(s) HP Compaq LA2306x
Case N/A
Audio Device(s) GAMDIAS HEPHAESTUS E1
Power Supply DeepCool PM750D 750W Gold Rated PSU
Mouse Cougar Minos X2
Keyboard Corsair K70 MX RED
Software Windows 11 22H2
opposed to what? What would they normally do, take

They'd include the fixes in the release notes and make an announcement that certain vulnerabilities were patched, just like other manufacturers do?
 
Joined
Aug 6, 2017
Messages
7,412 (2.75/day)
Location
Poland
System Name Purple rain
Processor 10.5 thousand 4.2G 1.1v
Motherboard Zee 490 Aorus Elite
Cooling Noctua D15S
Memory 16GB 4133 CL16-16-16-31 Viper Steel
Video Card(s) RTX 2070 Super Gaming X Trio
Storage SU900 128,8200Pro 1TB,850 Pro 512+256+256,860 Evo 500,XPG950 480, Skyhawk 2TB
Display(s) Acer XB241YU+Dell S2716DG
Case P600S Silent w. Alpenfohn wing boost 3 ARGBT+ fans
Audio Device(s) K612 Pro w. FiiO E10k DAC,W830BT wireless
Power Supply Superflower Leadex Gold 850W
Mouse G903 lightspeed+powerplay,G403 wireless + Steelseries DeX + Roccat rest
Keyboard HyperX Alloy SilverSpeed (w.HyperX wrist rest),Razer Deathstalker
Software Windows 10
Benchmark Scores A LOT
"Quietly" patched. As opposed to what? What would they normally do, take to the streets and start screaming like nut cases? :roll:

maybe that's what "no mention of doing so in its changelog" refers to

do people read the OP these days or just the title ?
 