AMD Ryzen 5000 Series CPUs with Zen 3 Cores Could be Vulnerable to Spectre-Like Exploit

[R0H1T]

This is the reason why most vulberabilies were found in Intel CPUs; https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html

Intel actually pays people for finding them. "Intel’s bug bounty awards range from $500 up to $100,000."

AMD had plenty of vulnerabilies, even tho they don't pay people for finding them. Meaning, very few people will spend time trying to find them. Logic 101.

It's sad that AMD does not pay people for finding bugs, when tons of big tech companies do; https://www.guru99.com/bug-bounty-programs.html

No, smeltdown was discovered by Google's project zero! In fact Intel (almost) paid researchers to not disclose similar vulnerabilities out in the open

According to the VU, Intel tried to downplay the severity of the leak by officially paying $40,000 in reward and "$80,000" in addition. That offer was politely refused.

"If it were up to Intel, they would have wanted to wait another six months"

VU ontdekt megalek in Intel-chips

Lekke hardware: Dankzij een foutje bracht de VU een megalek in Intel-chips aan het licht. Intel betaalt de prijs voor een snel maar risicovol ontwerp.

www.nrc.nl

 

[shadow3401]

With Intel’s Rocket Lake CPUs proving to be a big, fat, and underwhelming flop last week all of a sudden "vulnerabilities" are being found in Zen 3 which might be or could be exploited. Compare that to Intel CPUs in which exploits can and will be exploited and does put user’s data at risk, I don't think there's much to see here and AMD did find and report it themselves after so kudos to them. (Not an AMD fan boy by the way I been using Intel CPUs from 1996 to 2018).

 

[JB_Gamer]

Aka literally a "random test variance" amount of difference.

Yeah, nothing to fret about. Just turn it off and move on.

Yes, but how... - anyone?

 

[Camm]

It should be noted that AMD disclosed the vulnerability AND provided effective mitigation strategies for it, both by disabling the function or by enabling things like Address space layout randomization and hardware privileged domains (which AMD's PSP is capable of) .

This is EXCELLENT by AMD to allow enterprise and end users choice in their risk profile versus shit like Intel hiding vulnerability's and providing no full mitigation strategies.

 

[las]

Officially Intel has far more vulnerabilities than AMD. Any statement that AMD has more vulnerabilities because many of them have not yet been found is pure speculation. You say "Logic 101" but you are really making an assumption based on assumption. That's not logic.

Yes, because people actually cared about finding them. So they can collect money. Logic, yeah.

 

[Melvis]

If I had a dollar for every anti Intel post in the News Forum alone on this site I'd have a new RTX 3080 with money to spare.

If I had a dollar for every anti AMD post in the News Forum alone on this site I'd have ALL the new RTX 3080s with money to spare.

 

[Camm]

Yes, because people actually cared about finding them. So they can collect money. Logic, yeah.

The history of recorded payouts vs the resources needed to discover most of these are pretty inverse. The original Spectre disclosure offered the University of the team who disclosed it something like $50k AND to shut the fuck up about it.

 

[mtcn77]

Yes, because people actually cared about finding them. So they can collect money. Logic, yeah.

I bet headhunting is the wrong reference here. People have better pay elsewhere.

 

[Turmania]

1% performance deficit is too much.

 

[R-T-B]

Well, presumably when it was originally enabled, it wasn't a known security risk.

Surely that's obvious? Is that really what you're asking?

It is. It was late though, doh! I assume you are correct.

 

[Aretak]

This is the reason why most vulberabilies were found in Intel CPUs; https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html

Intel actually pays people for finding them. "Intel’s bug bounty awards range from $500 up to $100,000."

AMD had plenty of vulnerabilies, even tho they don't pay people for finding them. Meaning, very few people will spend time trying to find them. Logic 101.

It's sad that AMD does not pay people for finding bugs, when tons of big tech companies do; https://www.guru99.com/bug-bounty-programs.html

AMD already knew about this potential vulnerability when implementing the feature and pre-built a way to turn it off into the chip for enterprise customers who want to be extra cautious. And it's already been shown that turning it off has a within-margin-of-error effect on performance anyway. Bad day for the Intel fanboys who just read the headline and popped the cork on the champagne.

 

[Deleted member 205776]

Once again, HenrySomeone is here, attempting to make another thread be about fanboyism within the first few replies.

 

[Metroid]

I just bought a r9 5900x to replace a r5 3600 and now this ehhe

 

[R-T-B]

AMD already knew about this potential vulnerability when implementing the feature and pre-built a way to turn it off into the chip for enterprise customers who want to be extra cautious. And it's already been shown that turning it off has a within-margin-of-error effect on performance anyway. Bad day for the Intel fanboys who just read the headline and popped the cork on the champagne.

If that is the case it's outright irresponsible to leave it on.

 

[Deleted member 205776]

I just bought a r9 5900x to replace a r5 3600 and now this ehhe

Enjoy dominating every multicore benchmark.

 

[R-T-B]

The Spectre class of bugs don't really allow people to hack your computer.

Privilege escalation using leaked secrets is not hard.

Spectre

leaky.page

A livedemo example of how easy it is to leak data on affected hardware (older spectre class, not this).

 

[Metroid]

Enjoy dominating every multicore benchmark.

Final overclock is 4.4ghz 1.11v, amd overclocking msi b450 gaming plus, everything is very much stable, temperature full load is 75c, dual 120mm fans aka 240mm aio setup, i need a 360mm aio setup. What I'm sad about is that at auto it gets up to 4.9ghz on 3 threads which is very good, however I'm using 20 threads for AI and I just cant use the auto, so no 4.9ghz single core for me unless I stop using the AI workloads I'm doing, sad. I really wanted to use 4.9ghz on things while I could use 4.4 for other things but at 1.11v and that is not possible, to be able to use 4.9ghz I will need at least 1.4v on auto and manual not sure, did not try it yet but 4.9ghz all all threads, not sure if is safe, i mean, multiplier on bios 45x gives a red connotation which means warning/dangerous, so for them up to 44 x 100mhz is all right more than 4400mhz is dangerous.

 

[mechtech]

Spectre did actually hurt us in the datacenter; We tend to plan servers on 3 or 5 year lifespans for budget and ROI reasons. We had a lot of Xeon and very little Epyc and after the first round of updates we jumped from about half capacity to about 70% capacity with a trickle less capacity every time more patches were added. Since those hosts were running VMs with access to financial data and confidential data under NDA it would have been irresponsible to leave hyperthreading on too - so within 6 months of the first patches our half-capacity became almost maxed out and some of these servers had several years left on the clock before being budgeted for replacment.

The only reason things aren't as dire as they could have been is that COVID-19 has reduced the server loads these last 13 months. Under normal circumstances, the loss of performance from applying mitigation steps and patches would have f***ed us over, hard, and expensively.

Yikes. Scary stuff.

We have yoga 370 notebooks for work and over the past 3 years with bios updates and windows updates it’s noticeably slower then it was at day 1.

 

[Chrispy_]

It is. It was late though, doh! I assume you are correct.

LOL.
I also assume, I haven't bothered doing the research to check

Presumably AMD wouldn't intentionally take security shortcuts like Intel, as they were using their "we're not affected by Spectre" as a pretty big selling point in the server world. Maybe they're just lying asshats and all megacorps are pure evil. Nothing would surprise me or bother me really, we buy stuff because we have to, not because we want to....

 

[R-T-B]

No, smeltdown was discovered by Google's project zero! In fact Intel (almost) paid researchers to not disclose similar vulnerabilities out in the open

VU ontdekt megalek in Intel-chips

Lekke hardware: Dankzij een foutje bracht de VU een megalek in Intel-chips aan het licht. Intel betaalt de prijs voor een snel maar risicovol ontwerp.

www.nrc.nl

Correct. However, google Project zero still accepted the initial standard bounty. It's standard practice to not investigate something without a chance of return in most cases.

 

[Chrispy_]

Yikes. Scary stuff.

We have yoga 370 notebooks for work and over the past 3 years with bios updates and windows updates it’s noticeably slower then it was at day 1.

Absolutely - the Core M-5y71 laptops we have are unusable now. They were barely fast enough in the first place so when you add patch bloat slowdown to Spec-ex mitigations it's dire

 

[R-T-B]

Presumably AMD wouldn't intentionally take security shortcuts like Intel,

Honestly, speculative execution is the shortcut, and all complex chip vendors use it. Some just have had less research done, but the origin is the same.

 

[efikkan]

Presumably AMD wouldn't intentionally take security shortcuts like Intel…

Then that's a product of bias, a bias which unfortunately has become widespread. I've not seen any evidence of Intel taking "security shortcuts".

A shortcut would imply a conscious decision, while the Spectre family is caused by an oversight, an oversight done by numerous companies implementing their own microarchitectures.

 

[dirtyferret]

 

[HD64G]

Everyone should deactivate that feature. Less than 1% effect on performance isn't something to discuss about.